WO2006026403A2 - Method and system for providing transparent incremental and multiprocess checkpointing to computer applications - Google Patents

Abstract

Incremental single and multiprocess checkpointing and restoration is described, which is transparent in that the application program need not be modified, re-compiled, or re-linked to gain the benefits of the invention. The processes subject to checkpointing can be either single or multi-threaded. The method includes incremental page-boundary checkpointing, as well as storage checkpointing of data files associated with applications to ensure correct restoration without the need to restore files for other application programs. Incremental and full checkpoints are asynchronously merged to ensure proper operation while reducing checkpointing delay. By way of example a user-level programming library is described for loading into the address space of the application in conjunction with a loadable kernel module (LKM) or device driver used to capture and restore process state on behalf of the application. These techniques are particularly well suited for use with high-availability (HA) protection programming.

Description

METHOD AND SYSTEM FOR PROVIDING

TRANSPARENT INCREMENTAL AND MULTIPROCESS

CHECKPOINTING TO COMPUTER APPLICATIONS

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims priority from U.S. provisional patent application serial number 60/605,026 filed on 08/26/2004, incorporated herein by reference in its entirety.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH

OR DEVELOPMENT [0002] Not Applicable

INCORPORATION-BY-REFERENCE OF MATERIAL SUBMITTED ON A COMPACT DISC

[0003] Not Applicable

NOTICE OF MATERIAL SUBJECT TO COPYRIGHT PROTECTION [0004] A portion of the material in this patent document is subject to copyright protection under the copyright laws of the United States and of other countries. The owner of the copyright rights has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the United States Patent and Trademark Office publicly available file or records, but otherwise reserves all copyright rights whatsoever. The copyright owner does not hereby waive any of its rights to have this patent document maintained in secrecy, including without limitation its rights pursuant to 37 C.F.R. § 1.14.

BACKGROUND OF THE INVENTION 1. Field of the Invention

[0005] This invention pertains generally to enterprise computer systems, embedded computer systems, and computer systems in general, and more particularly to transparent multiprocess checkpointing and automatic restoration for computer applications. 2. Description of Related Art

[0006] In a number of settings high availability service for complex computer applications is a necessary and nonnegotiable requirement. For example, high availability scenarios include the case of Internet and corporate data centers, financial services, telecommunications, government systems and medical systems. [0007] Providing high availability service generally requires that in the case that an application executing on a first server encounters a failure, for any of a number of reasons, application execution continues automatically on a second server that continues to interact with the client system in response to execution of a failover process. The effort involved in achieving such availability and reliability can be one of the most expensive and time- consuming aspects of application development and can even result in delays in deploying an application.

[0008] Therefore, there is a need for methods, systems and procedures for achieving high availability and reliability through a cost-effective, easy-to-use software infrastructure, rather than through prolonged custom coding, lengthy development time and substantial expenditure.

[0009] Checkpointing is an integral part of high availability which provides for the capture of the complete state of an application process (i.e., periodically), including, but not limited to, its memory pages, stack contents, open files, sockets, pipes, and other state information that is for instance retained in the kernel on behalf of the process. Later on, the application can be restored in the same state as it was when the checkpoint was taken, even when the restoration is performed on a different computer system.

[0010] Traditionally, the problem of saving the state of an application has been approached from within the application, taking advantage of its full knowledge of application internals, data structures, and semantics. However, this approach is highly intrusive, since the application code itself needs to be modified to operate in the desired high availability manner. [0011] Accordingly, checkpointing has been used in various varieties over the years, and more recently, lower level transparent checkpointing has been described using checkpointing software forming a layer between the application and the operating system. For example, William R. Dieter and James E. Lumpp, "User-level Checkpointing for LinuxThreads Programs", In

Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference, pp. 81-92, June 2001 , attached hereto as Appendix A and incorporated herein in its entirety, describe a user-level checkpointing library for single-process multi-threaded applications. [0012] However, these checkpointing mechanisms are not amenable for use with high availability services for most applications and suffer from a number of drawbacks. Current forms of checkpointing either require modifications to the application and are thus not transparent, or only work for single-process applications, and do not support transparent incremental checkpointing [0013] The present invention overcomes these shortcomings and provides transparent incremental and multiprocess checkpointing based on a user-level library and a loadable kernel module.

BRIEF SUMMARY OF THE INVENTION [0014] The present invention comprises a method and system to transparently checkpoint and restore a computer application program, which may comprise one or more distinct computer processes. Each of these processes may be single-threaded or multi-threaded. Transparency in this context means that the application program need neither be modified in any way, nor be re¬ compiled or re-linked. [0015] Checkpoints may either be taken as full or incremental checkpoints. In the former case, a single checkpoint is sufficient to restore the whole application, whereas in the latter case, only the differences between two checkpoints are saved and subsequently applied to a previous full checkpoint. [0016] A preferred embodiment of the invention comprises a user-level programming library that can be pre-loaded into the application's address space, plus a loadable kernel module (LKM) that is used to capture and restore the state that is kept in operating system kernel space on behalf of the application.

[0017] In various embodiments of the invention, features are provided that are useful for applications that must be highly available, including but not limited to: [0018] (a) Powerful and transparent checkpointing;

[0019] (b) Checkpointing of single-threaded and multi-threaded application processes;

[0020] (c) Checkpointing of daemonized multi-process applications;

[0021] (d) Checkpointing of general multi-process applications; and [0022] (e) Full and incremental checkpointing.

[0023] According to an aspect of the invention, a method, system, improvement and/or computer program are described for creating incremental checkpoints; creating full checkpoints; and providing for automatic asynchronous merging of incremental checkpoints with full checkpoints at a checkpoint storage location; wherein at least said incremental checkpointing is implemented in user space; and wherein at least said incremental checkpointing comprises page-boundary memory checkpointing. In one embodiment, file storage checkpointing is provided wherein one or more files for an application program can be restored without requiring restoration of files for other application programs. In another embodiment, barrier synchronization using system semaphores is employed. In another embodiment, checkpointing is implemented using a device driver in lieu of operating system kernel modification. In another mode, the state of waiting queues is captured using kernel-level interception of system calls. In one embodiment, the interception is implemented in a kernel module in a multiprocessing environment. In another embodiment, the interception is implemented without a kernel module in a single processing environment. [0024] In accordance with another aspect of the invention, there is described a checkpointing method, system, improvement and/or computer program for checkpointing memory images of processes and data for restoration of the entire process tree/hierarchy. In one mode, the processes can be multi¬ threaded. In another mode, the processes can be single-threaded. In one embodiment, one or more portions of the tree/hierarchy are restorable based on priority of application programs or processes. In one embodiment, the checkpointing is implemented using a device driver in lieu of operating system kernel modification. In another mode, the state of waiting queues is captured using kernel-level interception of system calls. In one mode, the interception is implemented in a kernel module in a multiprocessing environment, in another mode, the interception is implemented without a kernel module in a single processing environment. [0025] In accordance with another aspect of the invention, there is described a checkpointing method, system, improvement and/or computer program for checkpointing memory images of processes and data for restoration of only the first or second level of the process tree. In one mode, the processes can be multi-threaded. In another mode, the processes can be single threaded. In one embodiment, the checkpointing is implemented using a device driver in lieu of operating system kernel modification. In another mode, the state of waiting queues is captured using kernel-level interception of system calls. In one mode, the interception is implemented in a kernel module in a multiprocessing environment, in another mode, the interception is implemented without a kernel module in a single processing environment. [0026] According to another aspect of the invention, a method, system, improvement and/or computer program is provided for checkpointing user- space application memory images and the state that the operating system maintains on behalf of the application. In one embodiment, the checkpointing runs entirely in user space and no modification of the operating system kernel or additional kernel modules is required. In one embodiment, the checkpointing is implanted using a device driver in lieu of operating system kernel modification. In another embodiment, the state of waiting queues is captured using kernel-level interception of system calls. In one mode, the interception can be implemented in a kernel module in a multiprocessing environment. In another mode, the interception can be implemented without a kernel module in a single processing environment. [0027] In the various aspects, embodiments and modes described above, storage checkpointing can be included by providing means for saving N full copies of storage checkpoints; providing a hardlink to a first saved storage checkpoint; and removing the first storage checkpoint when a subsequent storage checkpoint is saved and maintaining the hardlink to the first saved storage checkpoint; wherein a physical copy of said first storage checkpoint is not made when said subsequent storage checkpoint is saved. In one mode, the storage image is synchronized with a memory image at the time a storage checkpoint is saved; wherein each memory checkpoint has a corresponding storage checkpoint. In another mode, the storage image is captured without capturing the memory image of the process.

[0028] In addition to the various aspects, embodiments and modes described above, a template can be provided which defines one or more processes to be protected by checkpointing and which provides for selective restoration. In one embodiment, means are provided for defining one or more processes to be protected by checkpointing and provide for selective restoration.

[0029] Another aspect of the invention is a method, system, improvement and computer program for achieving transparent integration of an application program with the checkpointing library and an underlying high availability protection program, that transparently and automatically injects startup and registration code (which herein shall be referred to as "etJnitQ") into an application program during launch; wherein the checkpoint library gets initialized; wherein said application program automatically registers with said high availability protection program; wherein modification of the application program or application program recompilation is not required; and wherein a custom loader is not required. In one embodiment, unregistration of said application program from said high availability program is monitored and deemed a normal exit.

[0030] Embodiments of the present invention can provide a number of beneficial aspects which can be implemented either separately or in any desired combination without departing from the present teachings.

[0031] Another aspect of the invention is a method, system, computer program, computer executable program, or improvement wherein storage checkpointing is provided. [0032] Another aspect of the invention is a method, system, computer program, computer executable program, or improvement wherein storage checkpointing synchronized with process checkpointing is provided. [0033] Another aspect of the invention is a method, system, computer program, computer executable program, improvement as recited in any of the preceding claims, wherein profiling of running applications is provided to determine optimal policy settings.

[0034] Further aspects of the invention will be brought out in the following portions of the specification, wherein the detailed description is for the purpose of fully disclosing preferred embodiments of the invention without placing limitations thereon.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS

OF THE DRAWING(S) [0035] FIG. 1 is a flow diagram illustrating incremental checkpointing according to an embodiment of the present invention, showing maintaining a page table within a checkpointing library and the incremental checkpointing of only those memory pages modified since the last checkpoint. [0036] FIG. 2 is a flow diagram illustrating claiming a mutex construct to add a process to a barrier according to an aspect of the present invention.

[0037] FIG. 3 is a flow diagram illustrating releasing a mutex construct to release a process from a barrier according to an aspect of the present invention.

[0038] FIG. 4 is a flow diagram illustrating adding threads to a barrier according to an aspect of the present invention.

[0039] FIG. 5 is a flow diagram illustrating waiting at a thread barrier according to an aspect of the present invention. [0040] FIG. 6 is a flow diagram illustrating waiting for other threads to reach a barrier according to an aspect of the present invention. [0041] FIG. 7 is a hierarchy diagram illustrating a multi-process checkpointing configuration according to an aspect/embodiment of the present invention. [0042] FIG. 8 is a flow diagram illustrating processes taking multiprocess checkpoints according to an aspect/embodiment of the present invention. [0043] FIG. 9 is a flow diagram illustrating restoration from multiprocess checkpoints according to an aspect/embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION [0044] Referring more specifically to the drawings, for illustrative purposes the present invention will be described in relation to FIG. 1 through FIG. 9. It will be appreciated that the system and apparatus of the invention may vary as to configuration and as to details of the constituent components, and that the method may vary as to the specific steps and sequence, without departing from the basic concepts as disclosed herein.

[0045] 1. Introduction.

[0046] The present invention is based on a single-process, multithreaded checkpointing method with numerous enhancements and improvements upon, such as incremental checkpointing, improved barrier synchronization, multiprocess checkpointing, storage checkpointing, and the use of a loadable kernel module to capture the state the kernel keeps on behalf of application processes.

[0047] 2. Transparent Preloading Of The Checkpoint Library.

[0048] In order to provide checkpointing to an application, the checkpointing software should be loaded into the address space of the application. In addition, the checkpointing services should be initialized at program startup and shut down at program exit. Traditionally, this process has involved adding custom code to the application, therein necessitating compilation and linking. However, in many situations the end user of a program does not even have access to the source code, so that practice is subject to limited applicability.

[0049] Therefore, an important aspect of the present invention is transparency, wherein, for example, the application program need not be modified in any way to allow checkpointing. More precisely, the application program need not be changed, and therefore, it need not be recompiled. Moreover, the application executable need not be relinked to include the checkpointing code in its address space. The technique utilized to enable checkpointing and initialize the checkpointing library is called transparent preloading. The method is based on the concept of shared libraries, which are supported by all modern operating systems, e.g., Microsoft Windows, Linux, Apple OS X, and others.

[0050] In the present invention, the user-level portion of the checkpointing source code is compiled into a position-independent shared library. This enables either relinking with the application, or more transparently, preloading. By way of example, and not of limitation, the following general sequence of steps illustrates preloading on the Linux operating system in an exemplary embodiment of the invention: [0051] 1. Setting the environment variable LD_PRELOAD to the location of the checkpoint library. For example, if the checkpoint library is named "libetchkpt.so", and is located in directory "/home/chkpt/", then set LD_PRELOAD=/home/chkpt/libetchkpt.so. Additional libraries may need to be appended so that the checkpoint library depends to this path. [0052] 2. Starting the application in the usual way. The checkpoint library is preloaded, and its initialization routine in "JnitQ" is executed before the application executes its "mainQ" function. Also in JnitQ, the checkpoint library registers an exit handler that gets invoked whenever the application calls the "ex/.fj" function, permitting a regular shutdown of checkpointing before the program terminates.

[0053] 3. Interception of any system library calls that the application makes by the checkpoint library if necessary. Examples of such calls are "pthread_createQ", to create a new execution thread, or "mrnapQ", to map a new segment of memory. There are numerous additional library calls similar to these that can be intercepted according to the invention. This interception technique allows the checkpoint library to do its bookkeeping and operation transparently.

[0054] 3. Incremental Checkpointing.

[0055] One method of checkpointing a process is to take full checkpoints each time, for example save all currently used memory pages. Another method, incremental checkpointing, is described in the following. In incremental checkpointing, the size of the checkpoint is minimized by saving only those memory pages that were modified since the last checkpoint. These modified pages are also referred to as "dirty" pages.

[0056] FIG. 1 illustrates an embodiment of the invention for incremental checkpointing. Execution is shown entering from block 10, and block 12 represents checkpointing library maintaining a page table for all pages currently mapped to the process. Any changes to memory segments and pages are tracked and the table is updated accordingly. Write-protecting segments that are write-accessible for the application is depicted as per block 14 as being performed by the checkpointing library. It should be noted that a

SIGSEGV ("segmentation violation") signal will be generated if the process attempts to modify a page in a write-protected segment. [0057] In block 16 the library installs a signal handler for SIGSEGV, which identifies the page that was accessed, looks it up in the page table, and then marks it as "dirty" in block 18. The signal handler then reverts the protection for the page back to the original protection set by the application, so that the write access can be permitted. [0058] In block 20, if it is determined that this is the first checkpoint, the library writes a full checkpoint only once as per block 22, therein forming the basis for subsequent incremental checkpoints. The dirty flags are cleared in the page table as per block 24. [0059] In block 26, when it is determined not to be the first checkpoint, dirty pages are identified via the page table, and written to an incremental checkpoint. After the checkpoint is saved, the dirty flags are cleared and the memory is write-protected again at block 24 before the application threads are released from the checkpoint. [0060] Incremental checkpoints generated in the above manner should be continuously merged with a previous full checkpoint to produce a new valid full checkpoint. Block 28 represents a separate, connected process, so that merging is performed asynchronously in response to the writing of an incremental checkpoint. [0061] By using incremental checkpointing, an application can produce a checkpoint more readily, at the expense of additional processing time for merging checkpoints.

[0062] 4. Semaphore-Based Barrier Synchronization.

[0063] The following is a description of an embodiment of a barrier mechanism according to the invention, which is based on System V (kernel) semaphores and which enables holding multiple processes and all their associated threads in the same barrier. This is an important prerequisite to achieve consistent checkpoints across multiple processes of a single application. [0064] System V semaphores are a synchronization primitive that can be shared across multiple processes. The kernel maintains these semaphores, and provides system calls to create, open, or modify a set of semaphores. These system calls are semgetQ, semctlQ, and semopQ. See the Linux manual for further information. [0065] 4.1 Barrier Setup. [0066] The information needed for the barrier is stored in a data structure that is accessible to all processes via shared memory. The data structure looks somewhat like this (pseudo-code given in the C programming language): typedef struct { int semid; /^* id of semaphore array containing barrier semaphores ^*/ int num_procs; /^* overall number of processes in the group */ int waiting_procs; /* no. of processes that have entered thread info ^*/ int num_threads; /* overall number of threads */ int waiting_threads; /* number of threads waiting at barrier */ } barrier_t; [0067] There is an entry for the semaphore identifier obtained via semgetQ, an entry for the total number of processes participating in the barrier, an entry for the number of processes waiting at the barrier, and entry for the total number of threads participating in the barrier, and an entry for the number of threads waiting at the barrier. [0068] The inventive barrier structure is mapped into the process memory via the following call: barrier = mmap(BARRIER_ADDR, sizeof(barrier_t), PROT_READ I PROT_WRITE, MAP_SHARED | MAP_ANON YMOUS, -1 , 0); [0069] The semaphore identifier in the barrier structure refers to an array of kernel semaphores containing: [0070] one semaphore used as a mutex to synchronize access to the other entries in the barrier structure; [0071] one semaphore used as a barrier for processes to add their current number of threads, and

[0072] n semaphores used as thread barrier semaphores, with n being the number of barriers required to write a checkpoint (in the current implementation, n = 6).

[0073] These n + 2 semaphores are obtained via the following relation: barrier->semid = semget(semkey, N + 2, IPC_CREAT |

SJRUSR I SJWUSR); [0074] 4.2 Barrier Mechanism.

[0075] Now that an example of barrier data structures has been provided, we will now describe various barrier mechanism. [0076] First, referring to FIG. 2, an embodiment of a method for adding a process to a barrier according to the present invention is illustrated. In this example, when a new process starts up, the present invention is generally configured to add the process to the barrier. Execution from entry 30 reaches block 32 representing claiming of the mutex semaphore, followed by incrementing the total number of processes by one in block 34, and block 36 in which releasing the mutex semaphore is represented before exit 38 of this code section.

[0077] FIG. 3 illustrates, by way of example, an embodiment of a method for removing a process from the barrier in response to process termination according to the invention. Here, execution from entry 40 reaches block 42 representing claiming of the mutex semaphore, followed by decrementing the total number of processes by one as per block 44, and releasing the mutex semaphore in block 46 is performed before exit 48. [0078] FIG. 4 illustrates, by way of example, a method according to the invention for incrementing the number of threads of the process in the barrier at the beginning of a checkpoint. Execution from entry 50 reaches block 52 which represents the mutex semaphore being claimed. In block 54 the total number of threads in the barrier is incremented by the current number of its threads. Then the value for the number of processes waiting at the barrier is incremented by one as per block 56. A determination is made at block 58 if all processes have added their threads to the barrier. If all processes have not added their threads to the barrier then mutex semaphores are released as per block 60, and in block 62 a suspend takes place on the process barrier semaphore before exit 64.

[0079] However, if all processes have added their threads to the barrier then the number of waiting processes is reset to zero as per block 66, and the mutex semaphores are released at block 68. Finally, all other processes suspended on the process semaphore are released as given by block 70 prior to exit 64.

[0080] FIG. 5 illustrates, by way of example, an embodiment of a method for waiting at a thread barrier according to the invention. In this example, a thread waits at barrier/. Execution from entry 72 reaches block 74 at which the mutex semaphore is claimed. As per block 76 the number of threads waiting at the barrier is incremented by one. A determination is made at block

78 if all threads have reached the barrier. If not all threads have reached this barrier, then as per block 80 the mutex semaphore is released, and thread barrier semaphore j is suspended at block 82 prior to exit 84 of this section. [0081] In the case where all threads have reached the barrier, then the number of waiting threads is reset, such as to zero, in block 86, the mutex semaphore for the barrier is released as per block 88, all other threads suspended on thread semaphore / are released as given by block 90 and this section of code is exited 84. [0082] FIG. 6 illustrates, by way of example, an embodiment of a method according to the invention by which a single thread per process can execute another barrier operation. In this example, one thread per process waits for all other threads to reach barrier/ by repeatedly executing the process outlined in the figure. After entry 92 the mutex semaphore is claimed at block 94, followed by reading the number of threads waiting at the barrier as per block 96, and releasing the mutex semaphore for the barrier at block 98. A determination is made as per block 100 if the number of waiting threads is less than the total number of threads minus the total number of processes. If determination yields a negative result then this section exits 102, if the number of threads is less than this value then a brief suspension is performed as per block 104 prior to continuing to claim mutexes at block 94. [0083] 5. Multiprocess Checkpointing. [0084] The following is an overview of multi-process checkpointing according to an embodiment of the invention. The description assumes familiarity with the concepts of single-process checkpointing as well as the semaphore-based barrier mechanism as would be known to one of ordinary skill in the art. [0085] 5.1 Setup. [0086] FIG. 7 illustrates an example embodiment of multiprocess checkpointing setup 1 10 according to the present invention. In order to control the synchronous checkpointing of multiple processes in an application process tree, a dedicated process referred to herein as a coordinator 1 12 is placed at the top of each such tree. The root process in every application process tree is coordinator 112, which then forks the top-most root application process 1 14 from which forks two application sub-processes 1 16 and 1 18 then later forks application sub-process 120. After that, the coordinator remains in a server loop waiting for, and processing, messages from application processes. [0087] Each application process connects to the coordinator via two named pipes, for example "FIFOs", 122, 124, 126, and 128. This connection is handled transparently in an interceptor for the forkQ system call. The coordinator, upon receiving a new process registration, sets up its end of the communication channels and enters the new process information in the process table and the shared barrier structure. The information stored for each process includes its pid, parent pid, and communication FIFO file descriptors. The coordinator itself may also connect to an underlying high- availability system, such as via two FIFOs.

[0088] In a manner similar to single-process checkpointing, each process has a checkpoint thread that controls the local single-process checkpoints. In the multi-process case, however, the individual checkpoint threads do not have a timer of their own; instead, they wait for a new signal from the checkpoint thread of the coordinator referred to herein as the "prepare checkpoint" signal. The only checkpoint thread waiting to time out for a new checkpoint is that of the coordinator. Therefore, the checkpoint thread of the coordinator acts as "master", and all other checkpoint threads act as "slaves". [0089] 5.2 Taking Multiprocess Checkpoints.

[0090] FIG. 8 illustrates, by way of example, the taking of multiprocess checkpoints according to an embodiment of the invention. After entry 130 the coordinator sends the "prepare checkpoint" signal as per block 132, wherein all checkpoint threads add the current number of threads in their process to the shared barrier as per block 134. With the barrier now established, each process proceeds to take a single-process, local checkpoint as per block 136. The shared barrier ensures that this is done in a synchronized, memory- consistent way. [0091] Local checkpoints are either saved to disk or to a memory buffer shared with the coordinator. The application processes then send a message to the coordinator, informing it about the location of the checkpoint as depicted in block 138. The coordinator saves the process table at the beginning of its own checkpoint at block 140, then joins (merges) all checkpoints together at block 142 into a single process group checkpoint as a multiprocess checkpoint which is saved by the coordinator at block 144. All threads in the sub-processes are then released from the barrier at block 146 and application execution resumes at block 148. [0092] 5.3 Restoring the Process Tree.

[0093] FIG. 9 illustrates by way of example embodiment of the invention the restoration of the complete process tree. Entry is made at 150 with the application simply launched in the same manner as before, whereafter the process group checkpoint file is passed as a parameter as represented by block 152. Again, the root process becomes the coordinator as given by block 154. The coordinator opens the joined checkpoint file and uses information at the file header to split the file into separate single-process checkpoints. Next, it reads the process tree information from the checkpoint and adds the number of processes to the shared barrier as per block 156. The coordinator then forks a process tree of the same structure as at the time the checkpoint was taken at block 158, using the parent information included in the process table. From there, the individual processes open their local checkpoint files and performs a memory-map restore similar to the single-process case as per block 160. The shared barrier ensures that this operation is performed synchronously. [0094] After remapping their address spaces, all application processes reconnect to the coordinator as per block 162, which removes the outdated process information from its table as per block 164 and waits for incoming process registration messages. At the end of this phase, the communication setup is identical to the time the checkpoint was taken. Once all FIFOs are reestablished, the restore procedure is over, the barrier is released at block 166, and the application processes can continue 168. [0095] 5.4 Fault Detection. [0096] The coordinator can detect the forced disconnection of any application process via the broken FIFO connection. An orderly disconnect from an exiting process includes communicating a disconnect message to the coordinator, so that the coordinator can mark the process as "dead" within its data structure. Only after the coordinator replies to the disconnect request can the application process exit.

[0097] If the coordinator detects a forced disconnect through the process

FIFOs, it kills all other application processes at once, since it must be assumed that the application is in an inconsistent state, wherein it exits itself so that the application can be restored from the last checkpoint. [0098] 6. Checkpoint Kernel Module.

[0099] The checkpoint kernel module in the invention is used in conjunction with the checkpointing library for the following tasks: [00100] (a) Saving and restoring the kernel state of a process;

[00101] (b) Excluding process state;

[00102] (c) Reconnecting the pointers for shared files between parent and children after restore; and [00103] (d) Fixing one-end pipes after restore.

[00104] According to one aspect of the invention the checkpoint kernel module is implemented as a character device driver with a pseudo-device entry in the file system.

[00105] 6.1 Device-driver Interface. [00106] A device driver in Linux can be implemented as a loadable kernel module (LKM), which allows the device driver to be loaded or unloaded from the kernel on demand. This is the preferred mechanism for implementing the checkpoint kernel module. The kernel module can be loaded into the kernel via the command "insmod" and unloaded via the command "rmmod". [00107] The kernel module (device driver) interface to the user-space is preferably implemented using a pseudo character device, such as "/dev/etchkptdev". This device can be created for example by using the tool "mkdevnod", which is provided with the kernel module.

[00108] According to this embodiment of the present invention, character device interfaces including (1 ) open, (2) release (i.e., close), (3) read, (4) write, and (5) ioctl (input/output control) are implemented in the checkpoint kernel module.

[00109] It will be appreciated that the device needs to be opened before it can be used. During the open call a file descriptor is assigned to the caller by the kernel. According to this embodiment every process using the checkpointing library will have to open this device individually. So, if there are 10 processes being checkpointed, the checkpoint device will be opened 10 times. The same holds when checkpointing an application with multiple processes. As with any other file descriptor, the file descriptor referring to the checkpoint device should be closed after use.

[00110] When a read call is issued on the file descriptor referring to the checkpoint device, the invention's kernel module interprets this as a call to read/save process state. When a write call is issued on the file descriptor referring to the checkpoint device, the kernel module interprets this as a call to write/restore process state. Additional details on read and write calls are provided below. [00111] The input/output control (ioctl) call can be issued on the file descriptor referring to the invention's checkpoint device to perform a number of auxiliary operations. The following is a list of these operations, which are described in detail in their appropriate sections:

[00112] (a) ET_CPDEV_IOCTL_REG_PROC - to register a process; [00113] (b) ET_CPDEV_IOCTL_UREG_PROC - to unregister a process;

[00114] (c) ET_CPDEV_IOCTL_FSHARE - to share a file entry;

[00115] (d) ET_CPDEV_IOCTL_FCLOWN - to claim ownership of a file entry;

[00116] (e) ET_CPDEV_IOCTL_FREOWN - to reset ownership of a file entry;

[00117] (f) ET_CPDEV_IOCTL_FGEOWN - to get ownership of a file entry; and

[00118] (g) ET_CPDEV_IOCTL_PLUMB - to fix pipes.

[00119] 6.3 Saving and Restoring Kernel State. [00120] There are components of the state of a process that can only be saved from the kernel space; e.g., the contents of the data buffers of pipes and FIFOs. In addition, some things can be saved more efficiently in the kernel, such as the memory-map state and the file-descriptor state.

[00121] As described above, a read call from the invention's kernel module API is used to save the process state. The save buffer is allocated in user space and is passed as an argument to the read call. If the buffer is not big enough to store the process state, the call returns an error (errno = EAGAIN). In such a case a larger buffer is allocated in the user space and the operation is retried. All this buffer management is wrapped into the kernel module API functions. The invention's checkpointing library asks for state information using an API, which internally allocates the buffer and reads the state from the kernel. [00122] The first few bytes in the buffer passed to the kernel contain the identifier of the type of state that should be saved by the kernel. Currently the following two types are defined as (1 ) File state, (2) Memory-map state. The kernel reads the type information and only returns the specified type of state. [00123] A write call from the invention's kernel module API is used to restore the process state. The restore buffer is created in user space and is passed as an argument to the write call. The buffer management is wrapped into the kernel module API functions. The invention's checkpointing library sets the state using an API, which writes the state to the kernel. [00124] The checkpointing library can save/restore specific state types by using functions provided by the kernel module API, for example it can choose to get the memory-map state independent of the file state. [00125] 6.4 Reconnecting File Pointers. [00126] After a forkQ system call, certain resources are shared between the parent and the child process (e.g., open file descriptors, shared memory segments, semaphores). In the original run of the checkpointed program these resources are still shared because the semantics of forkQ are maintained. However, after restore these resources are separated because the parent and the child restore their state independently. [00127] Thus, the invention's kernel module is configured to reconstruct the situation that existed at the time of the checkpoint. The parent and child process need to share the same files after restore and their file descriptor entries need to point to the same file table entries. The file table entry is where the properties of the file descriptor are stored, for example information such as file position, owner, and so forth. Accordingly, changes made in the parent should be reflected in the child and vice versa.

[00128] The invention's kernel module provides mechanisms for handling these situations. At checkpoint time the processes try to claim ownership of all shared file descriptors one at a time, for example using the kernel module API "chkptdev_door_claim_ownership_of, which internally uses the ioctl

ET_CPDEV_IOCTL_FCLOWN. If no other process has yet claimed ownership for a given file descriptor, the kernel makes the calling process the owner of that file descriptor by recording its information, such as process identifier, file descriptor number, and so forth, in the fjowner struct of the file descriptor, which is shared amongst all other references to the same file. The old value in the fjowner structure is returned so that it can be restored later. If another process has already claimed ownership of the file descriptor, the kernel returns the ownership information. This mechanism designates one process in a group of processes sharing the file descriptor as the owner of the file descriptor. [00129] On restore, the owner of the file descriptor opens the file and restores it, while the non-owners share their file pointer with the owner, for example using the kernel module API "chkptdev_door_share_file", which internally uses the ioctl ET_CPDEV_IOCTL_FSHARE. At this time, synchronization is required between processes such that the owner should have finished its operation before the non-owner tries to share. This is achieved in the described embodiment using the above barrier synchronization in the checkpointing library. The kernel module does not care about synchronizing these operations.

[00130] After the checkpoint is taken the ownership information is reset using the inventions kernel module API "chkptdev_door_reset_ownership_oF, which internally uses the ioctl ET_CPDEV_IOCTL_FREOWN. Ownership information can be obtained using the kernel module API "chkptdev_door_get_ownership_oF, which internally uses the ioctl ET_CPDEV_IOCTL_FGEOWN. [00131] 6.5 Fixing Pipes. [00132] Typical inter-process communication (IPC) using pipes is implemented in such a way that one of the processes closes the reading end of the pipe, while another closes the writing end of the pipe.

[00133] If one process closes one end and the other process closes the other end, then from the perspective of the kernel these are two different files, even though they share the same file system inode. Since the file sharing mechanism (described in the previous section) is implemented at the level of files and not inodes, the processes assume independent ownership of these files, which is not correct because they should point to the same inode. [00134] The file-level sharing in the invention's kernel module would not work in this case because the two ends have their own separate file pointers in the kernel, which are not related except for the inode which both of them share.

Therefore, the invention's kernel module fixes pipes to allow sharing at the inode level. The difference between this and the file-sharing approach above is that one cannot use the kernel as the switchboard to claim ownership, because no empty field exists in the inode structure that can be used to mark ownership.

[00135] To solve this problem, the shared memory hash table data structure in the checkpointing library was modified to allow use as the switchboard. After claiming ownership at the kernel level, a process tries to enter the inode number in the shared memory hash table. The first process to do so becomes the registered owner of the pipe. The other process, although owner of one of the ends of the pipe, is not a registered owner. At restore time the checkpointing library queries the global hash table for registration information for such pipes. In the present case the registered owner does nothing. The other owner uses the kernel module API "chkptdev_door_plumb", which internally uses the ioctl

ET_CPDEV_IOCTL_PLUMB to "plumb" its pipe. During this operation the kernel detaches the current inode from the pipe and attaches the inode for the pipe of the registered owner [00136] 6.6 The Kernel Module API. [00137] The invention's kernel module API is implemented in a shared library that hides the usage of the kernel module from the checkpointing library. The checkpointing library calls generic functions for operations and the kernel module API hides the implementation semantics in those wrapper functions. [00138] The kernel module API library opens the checkpoint device in its _init function, which is automatically called when the process starts up. It closes the checkpoint device in its _fini function, which is automatically called when the process is being shut down. [00139] In addition, the library according to the present embodiment of the invention preferably provides the following APIs:

[00140] MANUAL INITIALIZATION: int chkptdev_door_init(void); [00141] MANUAL SHUTDOWN: int chkptdev_door_exit(void);

[00142] GETTING PROCESS STATE: int chkptdev_door_get_process_state(void **pp, size_t ^*psize, et_excluded_t *pe); [00143] SETTING PROCESS STATE: int chkptdev_door_set_process_state(const void *p, const size_t size); [00144] FREEING PROCESS STATE: int chkptdev_door_free_process_state(void *p, const size_t size);

[00145] PRINTING PROCESS STATE: int chkptdev_door_print_process_state(const void *p, const size_t size);

[00146] GETTING PROCESS FILE STATE: int chkptdev_door_get_process_files_state(void **pp, size_t *psize, et_excludedf_t *pe);

[00147] SETTING PROCESS FILE STATE: int chkptdev_door_set_process_files_state(const void *p, const size_t size); [00148] FREEING PROCESS FILE STATE: int chkptdev_door_free_process_files_state(void *p, const size_t size);

[00149] PRINTING PROCESS FILE STATE: int chkptdev_door_print_process_files_state(const void *p, const size_t size);

[00150] GETTING PROCESS MEMORY-MAP STATE: int chkptdev_door_get_process_memap_state(void ^**pp, size_t *psize, et_excludedm_t *pe);

[00151] SETTING PROCESS MEMORY-MAP STATE: int chkptdev_door_set_process_memap_state(const void ^*p, const size_t size);

[00152] FREEING PROCESS MEMORY-MAP STATE: int chkptdev_door_free_process_memap_state(void ^*p, const size_t size);

[00153] PRINTING PROCESS MEMORY-MAP STATE: int chkptdev_door_print_process_memap_state(const void *p, const size_t size);

[00154] SHARING A FILE: int chkptdev_door_share_file(const unsigned int src_fd, const pid_t src_pid, const unsigned int dst fd, const pid_t dst_pid);

[00155] CLAIMING OWNERSHIP OF A FILE: int chkptdev_door_claim_ownership_of(const unsigned int fd, const pid_t id, char *pstatus, fown_struct_t *powner);

[00156] RESETTING OWNERSHIP OF A FILE: int chkptdev_door_reset_ownership_of(const unsigned int fd, const pid_t id, const fown_struct_t *powner); [00157] GETTING OWNERSHIP OF A FILE: int chkptdev_door_get_ownership_of(const unsigned int fd, fown_struct_t *powner);

[00158] FIXING PIPES: int chkptdev_door_plumb(const unsigned int src_fd, const pid_t src_pid, const unsigned int dst_fd, const pid_t dst_pid);

[00159] 6.7 Device Node Creation Tool. [00160] Once the invention's kernel module of the checkpointing library is loaded, the kernel assigns it a major device number. The device node for the pseudo-device is preferably created using that major number, so that the kernel invokes the checkpoint kernel module if someone opens the checkpoint device. The kernel puts the major number assigned to the checkpoint device driver in the file "/proc/devices". The device node creation tool, called "mkdevnod", reads the major number from there and then uses the system call "mknodQ" to create a pseudo character device with that major number. This approach eliminates the need of having to reserve a major number for the checkpoint device. [00161] 7. Storage Checkpointing.

[00162] In order to capture a consistent state of an application, it is not generally sufficient to merely obtain memory checkpoints. Consider an example in which an application runs for a period of time and takes several memory checkpoints. As part of application processing it writes data to a file located on a storage device. If at some point the application process crashes, the memory image of the application can be restored to the time of the last checkpoint. However, the output file will reflect the situation right before the crash, which would be inconsistent. In some cases, the inconsistency can be remedied by simply resetting the file pointer to its location at checkpoint time; however, if the file was deleted or copied by the application after the last checkpoint, it cannot be recovered by memory checkpointing alone. A solution to this problem involves storage checkpointing, in which for example the contents of files that an application is using are saved along with the associated memory state. [00163] The invention's storage checkpointing solution presented herein is fully integrated with the memory checkpointing described above. The invention saves and restores the files used by a particular application, in contrast to other solutions that checkpoint whole file systems. [00164] 7.1 Taking A Storage Checkpoint. [00165] A couple of conditions are incumbent upon the user in utilizing the invention's storage checkpointing. (1 ) The user specifies one or more directories that should be protected by storage checkpointing and for each directory, and the user indicates if it is on shared storage. (2) The user specifies a directory for the storage checkpoint which is on a shared file system visible to a backup machine.

[00166] The programming according to the present invention is configured to perform a number of aspects in relation to the storage checkpointing. (1a) The programming maintains two checkpoints in memory, including a newer and older checkpoint. (1 b) If the specified checkpoint directory is "/home/alpha", one checkpoint is kept in "/home/alpha/previouschkpt"ar\d one copy in "/home/alpha/newchkpt". (1 c) The files in the older checkpoint are maintained as copies, whereas the newer checkpoint is made up of file copies and links (described below). (2) A complete copy of the designated directories are saved into the specified storage checkpoint directory, such as "/home/alpha/newchkpt", before starting the application. (3) Storage checkpoints are taken at the time of each memory checkpoint. (4) Before taking a new storage checkpoint the last two storage checkpoints are merged into one, for instance the newer checkpoint is merged into the older checkpoint. (5) An "intention log" is created before the merge process commences to indicate future steps, such as what files are to be merged, whereby problems are avoided if merging is interrupted, because merging can be finished in response to the instructions contained in the intention log prior to a restore. (6) Upon merge completion it is known that at least one valid storage checkpoint is available, and a new checkpoint can be taken. Files in the protected directories are compared with those that were checkpointed last time, such as files in "/home/alpha/previouschkpt". All updated files are copied into the newer storage checkpoint directory, such as

"/home/alpha/newchkpt". For all the non-updated files, a link is created by the programming from the newer storage checkpoint to the older storage checkpoint. (7) Files are considered to have been updated when their respective timestamps have been updated (up or down) since the last checkpoint, or if their files size value has changed since the last checkpoint.

[00167] 7.2 Restoring A Storage Checkpoint.

[00168] The method, and programming, according to the present invention is configured for restoring a storage checkpoint. On restoration of a checkpoint, the files in the user-specified directories and those in the newer storage checkpoint directory are compared. It should be appreciated that if the newer storage checkpoint directory is invalid, or empty, then information from the older storage checkpoint directory is utilized. The files that were checkpointed will replace files that have been updated since that checkpoint. [00169] 8. Conclusion.

[00170] In the embodiments described herein, an example programming environment was described for which an embodiment of programming according to the invention was taught. It should be appreciated that the present invention can be implemented by one of ordinary skill in the art using different program organizations and structures, different data structures, and of course any desired naming conventions without departing from the teachings herein. In addition, the invention can be ported, or otherwise configured for, use across a wide range of operating system environments. [00171] Although the description above contains many details, these should not be construed as limiting the scope of the invention but as merely providing illustrations of some of the presently preferred embodiments of this invention. Therefore, it will be appreciated that the scope of the present invention fully encompasses other embodiments which may become obvious to those skilled in the art, and that the scope of the present invention is accordingly to be limited by nothing other than the appended claims, in which reference to an element in the singular is not intended to mean "one and only one" unless explicitly so stated, but rather "one or more." All structural and functional equivalents to the elements of the above-described preferred embodiment that are known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the present claims. Moreover, it is not necessary for a device or method to address each and every problem sought to be solved by the present invention, for it to be encompassed by the present claims. Furthermore, no element, component, or method step in the present disclosure is intended to be dedicated to the public regardless of whether the element, component, or method step is explicitly recited in the claims. No claim element herein is to be construed under the provisions of 35 U. S. C. 1 12, sixth paragraph, unless the element is expressly recited using the phrase "means for." APPENDIX A

User-level Checkpointing for LinuxThreads Programs*

William R. Dieter and James E. Lumpp, Jr. Department of Electrical and Computer Engineering

University of Kentucky

Lexington, KY 40506, USA

{dieterjel}@dcs.uky.edu, http://www.dcs.uky.edu/~chkpt

Abstract the process's run time. A process can save its state in a checkpoint to help tolerate system downtime. A multi¬ threaded process has both private state and shared state.

Multiple threads running in a single, shared address A thread's private state includes its program counter, space is a simple model for writing parallel programs stack pointer, and registers. Its shared state includes ev¬ for symmetric multiprocessor (SMP) machines and for erything common to all threads in the process, such as overlapping I/O and computation in programs run on ei¬ the address space and open file state. A multithreaded ther SMP or single processor machines. Often a long checkpointing library must save and recover the pro¬ running program's user would like the program to save cess's shared state and each thread's private state. its state periodically in a checkpoint from which it can recover in case of a failure. This paper introduces the User-level thread libraries are implemented outside the first system to provide checkpointing support for mul¬ kernel using timers to preempt threads when their time tithreaded programs that use LinuxThreads, the POSIX slice is over. Implementing a checkpointing library for based threads library for Linux. a user-level threads package is a straightforward exten¬ sion of a single-threaded checkpointing library because

The checkpointing library is simple to use, flexible, and a user-level multithreaded process is no different from efficient. Virtually all of the overhead of the checkpoint¬ a single-threaded process from the operating system's ing system comes from saving the checkpoint to disk. point of view. User-level threads cannot take advantage The checkpointing library added no measurable over¬ of a symmetric multiprocessor (SMP), however, because head to tested application programs when they took no the kernel is not aware of the threads. Thus it cannot checkpoints. Checkpoint file size is approximately the schedule them to run concurrently on separate proces¬ same size as the checkpointed process's address space. sors. On the current implementation WATER-SPATIAL from the SPLASH2 benchmark suite saved a 2.8 MB check¬ With kernel-level threads, like LinuxThreads in Linux point in about 0.18 seconds for local disk or about 21.55 or lightweight processes in Solaris, the kernel schedules seconds for an NFS mounted disk. The overhead of sav¬ threads and keeps track of their state. Not only must the ing state to disk can be minimized through various tech¬ checkpointing library save and restore the address space niques including varying the checkpoint interval and ex¬ of the process to recover the thread state, but it must also cluding regions of the address space from checkpoints. call the kernel to restart threads during recovery.

Hybrid thread libraries like the one found in Solaris, use both kernel-level and user-level threads. User-level

1 Introduction threads are scheduled to run inside several kernel-level threads, called light-weight processes (LWP) in Solaris. The library usually starts with one LWP per processor.

Computer systems are prone to hardware and software If a user-level thread makes a blocking call and there are failures and the probability that a machine will crash be¬ more runnable threads, the thread library starts a new fore a process finishes running grows in proportion to LWP so the whole process does not need to block. A

*This research was supported by the National Science Foundation hybrid thread library cannot be checkpointed like a user- under Grant CDA-9502645, NFS/EPSCoR under Grant EPS-9874764, threads library because it uses kernel-level threads. the Advanced Research Projects Agency under Grant DAAH04-96-1- 0327, and the Kentucky Opportunity Fellowship. We have tested our checkpointing library on several pro¬ libckp saves files along with the checkpoint to guar¬ grams in the SPLASH-2 benchmark suite in addition to antee they will be the same when the program recovers some simple test programs. The WATER-SPATIAL ap¬ from a checkpoint. Saving copies of all open files guar¬ plication ran with no noticeable overhead other than the antees all the files will exist during recovery and allows time to save a checkpoint. It saved a 2.8 MB check¬ 1 ibckp to handle arbitrary file I/O access patterns, but point to local disk in about 0.18 seconds and to an NFS it can make the checkpoint much bigger. Many scientific mounted disk in about 21.55 seconds. The time to save a programs do not need the extra guarantees if the user is checkpoint to disk is about the same as the time required willing to retain the input and output files and the appli¬ to copy a file of the same size as the checkpoint with the cation only writes to files in sequential order. 1 ibckp cp command. also does not support multithreaded programs.

The rest of the paper is organized as follows. Section 2 Process hijacking uses dynamic executable rewriting to discusses related work and section 3 describes how pro¬ add checkpointing to programs that were not compiled grammers and users use the checkpointing library. Sec¬ with checkpointing support [19]. Process hijacking does tion 4 presents the design and implementation of such a not support multithreaded processes. library. Section 5 describes restrictions on programs us¬ ing the checkpointing library. Finally, section 6 shows MOSLX and epckpt provide kernel-level checkpoint¬ experimental results and performance. ing solutions. MOSIX is a set of kernel extensions which have been ported to BSD and Linux [4, 3]. MOSIX uses a kernel module to provide transparent load balancing and process migration, epckpt is a Linux kernel patch

2 Related work that adds support for processes and process groups [I]. It is in an early stage of development and requires patch¬ ing, recompiling, and installing a new kernel. Neither

Checkpointing is a popular way of providing fault- MOSIX nor epckpt work for multithreaded programs. tolerance for computer systems. Both user-level and kernel-level checkpointing systems have been developed Process migration in general [11, 18] is related to check¬ for single threaded processes, however, ours is the first pointing. Several process migration facilities, like Con¬ to provide support for multithreaded programs. In addi¬ dor and MOSIX, use checkpointing to provide process tion, our system provides this functionality in the form migration. In the case of process migration a process is of a user-level library which makes it easier to use and transported through space to another machine. In check¬ the design is still efficient. pointing the process is transported to a later time on the same or a different machine. The difference is that a

Several other user-level checkpointing libraries for sin¬ process may recover from a checkpoint at a later time gle processes run on multiple versions of Unix [12, when the environment has changed. Resources the orig¬ 14, 16]. libckpt has many features including asyn¬ inal process was using may be unavailable when it re¬ chronous (forked) checkpointing, incremental check¬ covers. pointing, memory exclusion and user-directed check¬ pointing [12]. It has been ported to many different ver¬ Checkpointing for distributed message passing systems sions of Unix. However, l ibckpt does not handle has been heavily studied [8]. Most message passing al¬ multithreaded processes or dynamically linked executa- gorithms work to reduce synchronization overhead and bles. handle in-transit messages. Synchronization overhead and in-transit messages are not issues for multithreaded

Condor is a process migration system designed to use processes. idle cycles in the network [14]. When the system de¬ cides to migrate a process it checkpoints the process on The LinuxHA project [2] is bringing support for high one machine then restarts it on another. Condor runs availability to Linux. LinuxHA's failure detection mech¬ on a number of operating systems including Solaris and anisms could be used with our library to automatically Linux. It neither supports multithreaded programs nor restart programs. Most of the LinuxHA work is fo¬ does it have freely available source code. cused on replicating processes on different machines for fault-tolerance. Replication can offer better guaranteed libckp was developed at AT&T Bell Laboratories bounds on recovery time, but usually requires a dupli¬ to checkpoint Unix processes [16]. In contrast with cate machines to take over for each replicated process l ibckpt, Condor and our own checkpointing library, when a machine fails. Checkpointing only needs extra machines when a machine fails, and then only enough to Checkpoints are automatically stored in prog . chkpt . n replace the failed machines. The program can wait until where prog is the name of the program and n is the the the failed machines are repaired if no machines are checkpoint number. The user can change the default available and the application can tolerate the delay. checkpoint base name with the -b option.

The IEEE Portable Application Services Committee To recover from a checkpoint, the user runs the program (PASC) 1003.1m Checkpointing Restart working group with the recovery option and specifies a checkpoint file. has been developing a standard API for checkpoint¬ For example, ing [5].

% prog - - - r prog . chkpt . n

3 Features runs the prog program, loading the state from the check¬ pointing file prog . chkpt . n.

The checkpointing library we introduce here allows, for An application program can install callback functions to the first time, LinuxThreads programs to automatically save any state not saved by the checkpointing library. be checkpointed. In addition to checkpointing multi¬ For example, we have used callback functions to help threaded programs our checkpointing library provides add checkpointing to the Unify distributed shared mem¬ features that help meet our goals of being simple to use, ory system [9]. Unify processes communicate through flexible, and efficient. UDP sockets, but the checkpointing library does not save their state. To make checkpointing work, Unify makes

Adding checkpointing support to a C program is sure checkpoints are consistent and uses a recovery call¬ straightforward with our checkpointing library. The ap¬ back function to reopen the UDP sockets when it recov¬ plication programmer only needs to add one line to in¬ ers from a failure. clude the checkpoint header file:

A process can install callback functions that will

#include "checkpoint . h" be called before a checkpoint, after a check¬ point, and after recovering from a checkpoint. chkpt-callback_push installs three functions: and one line to call checkpoint initialization in main. a pre-checkpoint callback called before each check¬ point, but after all application threads have been checkpoint_init ( fcargc , argv, NULL) ; stopped, a post-checkpoint callback called after the checkpoint, but before any application thread has been restarted, and a post-recovery callback called after checkpoint.ini t initializes data structures the recovering from a checkpoint. checkpointing library uses to track thread and file state. Passing argc and argv to checkpoint-init al¬ Pushing a new set of callback functions does not remove lows the checkpointing library to read options from the any of the old ones. Instead they are pushed onto a command line. The user can control the checkpoint pe¬ stack. The most recently pushed pre-checkpoint call¬ riod by passing optional command line arguments to the back function is called last. The most recently pushed checkpointing library. The checkpointing library reads post-checkpoint and post-recovery callback functions all the arguments after the "- -" argument. For example, are called first. The program can remove callback functions in any order using the ID returned by

% prog - - - t period chkpt-callback_push. The pushing and popping mechanism simplifies installing and removing callbacks to handle different kinds of state as a program enters dif¬ runs the prog program with a checkpoint period of ferent phases. period seconds. A checkpoint period of 0 disables checkpointing. The user can also pass options to the Our checkpointing library provides memory exclusion checkpointing library by putting the options in the similar to that provided by libckpt [12]. Memory CHKPTOPTS environment variable. The programmer exclusion allows the application to specify regions of can set checkpointing options directly using third argu¬ memory that need not be saved in the checkpoint. Ex¬ ment to checkpoint.ini t. cluding large areas of memory that the application does not need reduces the size of the checkpoint. ments. These segments include the code segment, data segment, heap, stack segment, code and data segments for each of the shared libraries linked with the program, and thread stacks. The checkpointing library uses the

4 Implementation /proc(4) file system interface to find the segments that are mapped into memory.

The difficulty of checkpointing multithreaded programs comes from making sure that the thread library is in a 4.1 Saving a Checkpoint useful state after recovering from a checkpoint. Threads must be carefully restarted in the correct order to match

Figure 1 shows how the checkpointing library takes a the way they were originally created. checkpoint.

The basic idea behind our checkpointing library is sim¬ Manager Main Application Application Checkpoint ple. During initialization the main thread, the only thread that exists when the program starts, starts the checkpoint thread. After initializing itself, the check¬ point thread blocks with a timed wait on a condition variable. When the timer expires or when another thread

calls checkpoint_now the checkpoint thread starts a checkpoint. The checkpoint thread is also responsible for running application callback functions.

To take a checkpoint, the checkpointing library blocks all threads, except the main thread, to prevent any threads from changing the process's state while it is be¬ ing saved. The main thread then saves the process's state (D and unblocks all the remaining threads.

To recover from a checkpoint, the checkpointing library restarts the threads that were running at the time of the © checkpoint. The restarted threads block while the main © thread loads the process's state from a checkpoint. Then (15) [\5) ^15) the main thread unblocks the other threads and they con¬ tinue running from the checkpoint. Section 4.1 and Sec¬ (ΪT) (π) tion 4.2 describe the algorithm in more detail.

The difficulty comes from doing everything in the cor¬ rect order, making sure threads do not try to change the -ZZ3 Running outside signal handler address space while it is being saved, and making sure !Z2 Running in signal handler the process's idea of its state matches the operating sys¬ β-3 Blocked tem's idea of the state. For example the thread library keeps track of the process IDs of all the threads. The checkpointing library must be able to update the thread Figure 1 : Each thread coordinates with the others to save library's copies of the thread process IDs. the process's state. This figure shows how the threads interact.

The process state saved in a checkpoint includes the ad¬ dress space, thread registers, thread library state, signal 1. Checkpoint thread unblocks. The check¬ handlers, and open file descriptors. The checkpointing point starts when either the checkpoint thread's library cannot save every part of the program's state. timed wait expires or an application thread calls The unsaved parts lead to the restrictions described in checkpoint-now. Section 5.

2. Send a signal to application threads. To start

A process's address space is made up of several seg- a checkpoint, the checkpoint thread sends a sig- nal to each of the application threads. Unlike So¬ 15. Wait at barrier. After leaving the barrier all laris, when a thread in Linux receives a signal it threads except the checkpoint thread and manager enters the signal handler for the signal regardless of thread wait at another barrier. the state of the mutex associated with the condition variable [7]. 16. Run post-checkpoint callbacks. The checkpoint thread runs all registered post-checkpoint callback

3. Call pre-checkpoint callbacks. The checkpoint functions while the rest of the threads wait at the thread calls the pre-checkpoint callbacks. barrier.

4. Send a signal to the checkpoint thread. For sym¬ 17. Resume execution. Finally, the checkpoint thread metry the checkpoint thread sends a signal to itself joins the barrier and all the threads leave the barrier, to force itself into its signal handler like all the other restore their signal mask, and return from the signal threads. handler.

5. Block signals and wait. Once in the signal handler every thread blocks all signals and waits at a barrier for the rest of the threads to enter the signal handler. 4.2 Restoring From a Saved Checkpoint

6. Save private thread state. When all threads have entered the signal handler, each thread, except When a program recovers from a checkpoint it starts out the main thread (and the manager thread), saves as a single threaded program. During initialization, the its context to memory by calling sigset jmp(3). checkpoint library restores the program's state as shown Each thread, except the main thread, then blocks at in Figure 2. another barrier.

7. Save signal handlers. The main thread saves the 1. Restart threads. The main thread opens the check¬ process's signal handlers using sigaction(2). point file, reads the saved thread table, and restarts a

8. Wait for other threads. The main thread waits un¬ new thread for each thread in the original program. til all the other threads have called sigset jmp(3) The thread library automatically creates the man¬ and reached the barrier. ager thread when the checkpointing library creates the first thread.

9. Stop the manger thread. The checkpoint thread cannot send a signal to the manager thread when 2. Restore thread stacks. The main thread waits it is signalling all the other threads in step 2 be¬ while the child threads restore their stack point¬ cause the manager thread has no thread ID. In¬ ers. Each thread restores its stack by calling stead the main thread sends a message to the pipe siglongjtnp(3) which causes the thread to re¬ the manager thread normally uses to communicate turn from the sigset jmp(3) call it made when it with other threads. When the manager thread re¬ saved its state in the checkpoint. The threads move ceives the message it blocks until the main thread their stack pointers before the main thread loads unblocks it. the address space because the act of moving them needs to use local variables, which would corrupt

10. Save main thread stack emironmentThe main the stacks if they were loaded first. thread calls sigsetjmp(3) to save its stack en¬ vironment. 3. Wait for the main thread. The child threads wait at a barrier for the main thread to finish restoring

11. Save file state Once the other threads have reached the program's state. the barrier the main thread saves the current file pointer for all open regular files. 4. Get thread ID to process ID mapping. Af¬ ter starting all the threads, the main thread

12. Save address space. The main thread saves the en¬ calls pthreacLchkpt-restart to get the new tire address space to the checkpoint file. thread ID to process ID mapping. The main thread

13. Unblock Manager Thread. The main thread un¬ copies the mapping into an area of memory that will blocks the manager thread. not be overwritten when the main thread restores the address space. pthreacLchkpt.restart

14. Wait at barrier. The main thread waits at the same also sends a message to the manager thread telling barrier as the other threads causing all threads to it to call siglongjmp(3) and block so it will be continue. prepared for its stack to be restored. 5. Load main thread stack. Once all of the child threads and the manager thread have blocked, the main thread restores its own stack pointer. The main thread stack is not necessarily as large as it was when the the program saved the checkpoint. Therefore the main thread recursively calls a func¬ tion until the its stack is as large as it was when it saved the checkpoint. The main thread can tell when its stack is large enough by comparing the address of a local variable to the address of a local variable when it saved its state.

Manager Main Application Application Checkpoint Thread Thread Thread Thread Thread 6. Remap the process's address space The main thread then maps every segment except the main time thread stack into the program's address space from the checkpoint file using mmap(2) similar to the method Condor uses [10]. The checkpointing li¬ brary uses mmap(2) to remap segments because mmap(2) does not cause the data to be loaded im¬

(V) mediately. The operating system demand loads the

Θ contents of the segments when the program ac¬ cesses them.

Θ 7. Restore signal handlers. The main thread restores the signal handlers with sigaction(2).

[9) ® 8. Restore main thread stack pointer The main thread calls siglongjmp(3) to continue execu¬ tion where the program was when it saved the

(Ϊ2) [\2) checkpoint. fl4) 9. Restore file state The main thread opens all the files that were open during the checkpoint and moves the file pointer to its position at the time of the checkpoint.

10. Restore thread ID to process ID mapping. Next the main thread restores the thread ID to process

CZ3 Running outside signal handler ID mapping and unblocks the manager thread by EZ] Running in signal handler calling pthreacLchkpt.post res tart. ES3 Blocked

11. Wait at barrier. The main thread waits at the same barrier as the other threads causing all threads to

Figure 2: Each thread coordinates with the others to save continue. the process's state. This figure shows how the threads interact. 12. Wait at barrier. After leaving the barrier all threads except the checkpoint thread wait at another barrier.

13. Run post-checkpoint callbacks. The checkpoint thread runs all registered post-checkpoint callback functions while the rest of the threads wait at the barrier.

14. Resume execution. Finally, the checkpoint thread joins the barrier and all the threads leave the barrier, restore their signal mask, and return from the signal handler. 4.3 Intercepting Library Functions The checkpointing library intercepts the popen(2) call to keep track of pipes that are open. During recovery the checkpointing library reopens pipes to replace those that existed at the time of the checkpoint. However, the

The checkpointing library takes advantage of dynamic checkpointing library does not keep track of data read linking to intercept some library function calls and sys¬ from or written to the pipe, so data buffered in the kernel tem calls so it can track the program's state. The check¬ may be lost. It also does not handle processes outside pointing library intercepts library functions by provid¬ the main process. The pipe support is only useful if two ing an intercepting function with the same name as threads in the same process share a pipe. the library function. The checkpointing library calls dlsym(3) with the RTLD-NEXT option during initial¬ ization to get the addresses of all the intercepted library functions so the intercepting function can call the sys¬ 4.5 Linux Specific Issues tem version of the function. This method works for sys¬ tem calls as well as library functions because the code to setup and make system calls is part of the C library.

Implementing checkpointing for LinuxThreads pro¬

For example, when the application calls grams is simpler than for Solaris because LinuxThreads pthread_create(3), it gets the checkpointing is simpler than the Solaris pthread library. The Solaris library's version. The checkpointing library records kernel treats threads, lightweight processes (LWPs), and the parameters passed to pthreacLcreate(3) so processes as different entities. Handling the interactions it can use them during recovery. Then it calls the between threads and LWPs in Solaris is complex. In system pthreacLcreate(3) using the address addition Solaris adds some rules about when a process it got from dlsym(3) during initialization. If the can handle a signal that complicate the checkpointing li¬ pthread-create(3) call is successful, the check¬ brary [6]. pointing library updates the number of running threads and returns. Otherwise, it cleans up its thread table and The Linux kernel is less complex than Solaris be¬ passes the error on to the application program. cause the Linux kernel does not distinguish between threads and processes. LinuxThreads creates threads with clone(2) a generalized version of fork(2). Like f ork(2), clone(2) creates a new process, but

4.4 Handling Open File Descriptors clone(2) allows the caller to specify which resources the new process shares with its parent and which re¬ sources the new process copies from its parent. Thus

The checkpointing library uses an array that mirrors the threads in a LinuxThreads program are separate pro¬ kernel's file descriptor table to save the state of open files cesses that happen to share an address space and file de¬ in each checkpoint. To re-open the files during recov¬ scriptors with all other threads. ery the checkpointing library needs the filename, mode, and current offset into each open file. When the pro¬ We had to modify the LinuxThreads library to handle cess opens a file with open(2) the checkpointing li¬ two different problems. First, the thread library stores brary adds an entry in its table for that file descriptor a mapping from thread IDs to process IDs in its data with the filename and mode. If the process calls dup(2) segment. When the checkpointing library reloads the or dup2(2) the checkpointing library links the new file process's address space from a checkpoint, the thread descriptor information to the old file descriptor informa¬ ID to process ID mapping is restored to the mapping tion. When the process closes the file descriptor its entry at the time of the checkpoint, which is out of date for is removed from the checkpointing library's file descrip¬ the restored process. To handle this problem the check¬ tor table. The read(2) and write(2) system calls are pointing library must make sure reloading address space not intercepted. from the checkpoint does not wipe out the thread ID to process ID mapping. After it restarts threads but before

When the process takes a checkpoint the checkpointing it restores the address space, the checkpointing library library saves the current file pointer of every regular file. saves the thread ID to process ID mapping in a region of When the process recovers from a checkpoint it uses the memory that will not be reloaded from the checkpoint. information in the checkpointing library's file descrip¬ The checkpointing library corrects the thread ID to pro¬ tor table to re-open files and seek the file pointer to the cess ID mapping after it restores the process's address position at the time of the checkpoint. space. Second, the thread library uses a manager thread to covery to the state it was in during the checkpoint. One create processes. When a thread creates a new thread simple way to do this is to save the entire file with the it sends a message to the manager thread through a checkpoint [16]. Saving could increase the checkpoint pipe and the manager thread creates the new thread. size a lot if the program uses a lot of large files. The The checkpointing library coordinates with the manager checkpointing library could avoid some of the overhead thread during checkpoints to save the manager thread's by not saving files opened with mode CLRDONLY. As¬ private state. suming the files do not change between when they are opened and when the program finishes using them.

The checkpointing library adds four functions to the thread library to handle its interactions with The other alternative for handling random access files the thread library. The checkpointing library calls would be to log each change made to the file. During re¬ pthread.chkpt-precreate before it saves the pro¬ covery the checkpointing library could undo all changes cess's address space, pthread.chkpt-precreate made since the last checkpoint. The disadvantage of log¬ sends the manager thread a message telling it a check¬ ging changes is that it adds overhead to log every write point is beginning. The manager thread saves its en¬ operation and the log grows with each write between vironment by calling sigset jmp(3) and blocks. The checkpoints. We did not want to add this overhead when checkpointing library unblocks the manager thread by our applications want to use sequential access files. We calling pthread_chkpt_postcreate after saving could reduce overhead by only logging files that are open the checkpoint. with mode 0-RDWR. In our current implementation, an application writer who wants to save random access files

When restoring a process from a checkpoint, the check¬ with a checkpoint could write a callback routine to man¬ pointing library calls pthread-chkpt.prerestart ually save the desired files during a checkpoint. to get a copy of the thread ID to process ID mapping and to send a message to the manager thread telling it to call POSIX threads (and LinuxThreads) do not provide a siglongjmp(3) and block. The thread library saves way to create a thread with a particular thread ID. The the thread ID to process ID mapping in memory that will checkpointing library assumes that the thread library al¬ not be overwritten when the address space is restored. ways assigns thread IDs in the same order. As long as After restoring the address space, the checkpointing that assumption is true, the checkpointing library can library calls pthread_chkpt_postrestart to re¬ guarantee each thread has the same thread ID after re¬ store the thread ID to process ID mapping and unblocks covering by creating threads in the order in which they the manager thread. The pthread_chkpt. calls are were originally created. Currently our checkpointing li¬ the only added entry points to the thread library. brary does not handle programs with threads that exit before the end of the program. If a thread exits early, the thread created immediately after the thread that ex¬ ited early will get the exited thread's ID during recovery.

5 Restrictions This problem could be fixed during recovery by creat¬ ing a thread that exits immediately in place of the exited thread to use up the exited thread's ID. Alternatively we

Our checkpointing library supports programs that access could modify the thread library to allow programs to re¬ regular files sequentially or use signal handlers for sig¬ quest particular thread IDs, but we wanted to minimize nals. At least one signal must be available for the check¬ the changes to the thread library to make it easier to work pointing library. The checkpointing library cannot re¬ with different versions of the thread library. The appli¬ store process IDs and it does not support programs that cations we work with create all the threads they need at randomly access files or communicate with other pro¬ the start and the threads keep running until the program cesses. In most cases, however, the application program¬ exits so it was not a problem for our applications. mer can add recovery code in callback functions to re¬ cover the file or communication state. For example, we During recovery, described in section 4.2, the check¬ are using the checkpointing library to add checkpointing pointing library restarts all the threads and restores the to the Unify distributed shared memory system [9]. process's entire address space from a checkpoint, includ¬ ing the thread library data segment. The checkpointing

Random access reads do not present a problem as long as library assumes that the thread library will function cor¬ the program never writes to the file. General random ac¬ rectly with the newly created threads and the thread data cess files are difficult to handle because the checkpoint¬ structures from before the checkpoint. This assumption ing library must be able to roll the file back during re¬ is not entirely true in Linux and thus the thread library rnust be modified as described in section 4.5. recovering from a checkpoint. For example, assume a thread blocks using pthread_cond.timedwait(3)

The checkpointing library interrupts each thread with a to wait for several seconds and the process checkpoints signal to start a checkpoint. When the checkpointing li¬ while the thread is blocked. The process is killed and brary installs its signal handler, it passes SA_RESTART restarts from the checkpoint several minutes later. After flag to sigaction(2) to tell the Linux kernel to restart recovery, the thread will immediately unblock because interrupted system calls if possible. The application the timer has expired. code must restart system calls that the Linux kernel can¬ not restart. Strictly speaking this behavior is correct because the cur¬ rent time is later than the time for which the thread was

We added nothing extra to support thread cancellation waiting. Applications that have time based events, how¬ functions. The problem with thread cancellation is recre¬ ever, might get a flood of expired timers when recovering ating the threads with the correct thread IDs as described from a checkpoint. We could intercept all calls that have above. Otherwise the checkpointing library would just anything to do with absolute time and adjust the time need minor adjustments to cleanup the canceled thread they see after recovering from a checkpoint, but some after its last cancellation handler is called. programs need to know what the absolute time really is. Instead we leave it up to the application programmer to

We also did nothing special to support thread scheduling write a callback function to adjust any time values that priorities. Handling thread scheduling priorities would need to be adjusted after recovering from a checkpoint. be a matter of logging the calls to the thread scheduling priority calls and reissuing them to restore scheduling priorities during recovery. Support may be added if there is demand. 6 Results

The checkpointing library does not handle interprocess communication, but it does reopen pipes open at the time The checkpointing library adds overhead due to inter¬ of a checkpoint. It cannot make another process use ei¬ cepting calls, overhead due to the checkpointing thread, ther end of the pipe it opens, and it does not save any data and overhead due to saving checkpoints. The check¬ buffered in the kernel. Thus pipes will only be restored pointing library only intercepts thread creation, file if they are used between threads in the same process and open, and file close calls. Unless the program opens no data is buffered in the pipe at the time of the check¬ and closes files often or creates and destroys threads of¬ point. ten that overhead will be low. The checkpointing thread does not add much overhead because it is blocked except

Handling IPC, either between processes on the same ma¬ during checkpointing. chine or on different machines, is difficult in general. Both processes must agree on when they take check¬ points or make assumptions about how deterministic 6.1 Applications they are to avoid inconsistent checkpoints. Otherwise one process could fail and recover from a checkpoint that rolls it back to a state in which it has not sent a message To verify that checkpointing adds little overhead when it on which another process depends. At that point the pro¬ is not writing a checkpoint, we ran several applications gram is in a state which it could not have reached without from the SPLASH2 [17] benchmark suite. SPLASH2 a failure. The second process is in a state that causally is a set of benchmarks designed to test the performance depends on a state that never happened, as far as the first parallel shared memory machines. The benchmarks are process is concerned. In that case the two processes are based on applications and kernels commonly used in sci¬ said to be inconsistent. Issues of consistency have been entific computing. We present the results of running well studied and are beyond the scope of this paper [8]. the BARNES and WATER-SPATIAL benchmarks be¬ Extending our checkpointing library to work for a gen¬ low. The other SPLASH2 benchmarks we ran gave sim¬ eral case with multiple processes communicating with ilar results. pipes or TCP sockets would be non-trivial.

BARNES simulates the gravitational effects of a num¬

The checkpointing library does not intercept or modify ber of bodies in space using the Barnes-Hut algorithm. time related system calls in any way. A program that It uses a tree to represent the locations of the bodies uses absolute time values may behave strangely after in space. WATER-SPATIAL simulates the the interac- tion of water particles using a 3 dimensional grid. We 6.2 Checkpoint Size increased the problem sizes of both applications from the size used in the original SPLASH2 paper [17] to in¬ crease the running time of the benchmarks. For WATER- The size of the checkpoint file is directly proportional SPATIAL we increased the number of particles to 8000 to the size of the process's address space. Most of the instead of 512. For BARNES we used 65536 particles overhead of taking a checkpoint comes from writing the instead of 16384. address space to disk. Figure 3 gives an idea how long a program will take to save a checkpoint depending the

The test machine was a two processor 500 MHz Pen¬ size of the checkpoint and whether it is saving to a local tium III SMP machine with 512 KB L2 cache and disk or an NFS mounted disk. 128 MB of main memory running Linux kernel ver¬ sion 2.2.10 with NFS v2 and glibc2. The file sys¬ The amount of time required to save the checkpoint de¬ tems mounted for the NFS tests were served by an pends on the file system to which it is saved. The figure UltraSPARC-10 running Solaris 5.7. The network over shows times for local disk and NFS. Writing a check¬ which the NFS disk was mounted was a moderately used point to an NFS mounted disk¹ takes much longer than 100 Mb/s switched Ethernet connected by a Cisco Cata¬ writing to a local disk. The figure also shows that the lyst 2924 XL auto-sensing 10/100 Mb/s switch. None of amount of time required to save a checkpoint is directly the machines used in the test shared a port on the switch proportional to the size of the checkpoint. with any other machine.

In this case, the time required to save a checkpoint to the

Table 1 compares running each of the benchmarks with NFS mounted disk can be approximated by the equa¬ and without checkpointing linked for one and two pro¬ tion t_cp — 2.37sec/MB x s — O.βOsec for checkpoints cessors. With checkpointing linked, the program called larger than about 1.3 MB, where s is the size of check¬ the checkpoint initialization code, but did not take any point in MB. The user can use t_cp to decide which check¬ checkpoints. This test shows how much overhead check¬ point interval to use. A simple method is to calculate the pointing adds not including the time to save the check¬ maximum percentage of execution time taken by check¬ point to disk. Table 1 shows that the checkpointing li¬ pointing given t_cp and the maximum address space size brary does not add much overhead when the program is (checkpoint size) of the program. More sophisticated not checkpointing. This overhead is important because methods can determine the checkpoint interval that will the program will spend most of its time running, not minimize the program's expected run time given t_cp and checkpointing. a particular failure rate [13, 15].

In some cases, code with checkpointing linked but not used runs faster than without checkpointing. Changes in the program's memory layout cause this speedup. Link¬ 7 Conclusion ing the benchmark with unused code gave the same ef¬ fect as linking with the checkpointing library.

Our checkpointing library provides checkpointing for

Table 2 shows the amount of time BARNES and multithreaded Linux programs. It adds little overhead WATER-SPATIAL spend taking a checkpoint using a lo¬ except when taking a checkpoint. The overhead that it cal disk or an NFS mounted disk. Most of the time is does add is directly proportional to the size of the ad¬ spent saving the checkpoint to a file. These numbers are dress space. Saving the checkpoint to local disk is much intended to give a feel for how long it takes for applica¬ faster than saving it to an NFS mounted disk. tion programs to checkpoint and how the checkpointing time is spent. In both the local disk and the NFS disk Our checkpointing library combines simplicity for many cases the amount of time spent synchronizing threads programs that meet its restrictions, but enough flexibil¬ before and after the checkpoint is several orders of mag¬ ity that other programs can use it without too much ex¬ nitude smaller than the amount of time spent saving the tra work. Callback function provide flexibility for appli¬ checkpoint to disk. Saving the checkpoint to disk is the cations that have special needs. Features like memory largest overhead of checkpointing. exclusion and user directed checkpointing can reduce overhead when taking a checkpoint. We are considering adding incremental and asynchronous checkpointing to further reduce the overhead of saving a checkpoint.

'The disk with mounted with rsize=8192,wsize=₈192.

Table 1 : This table gives execution times of several SPLASH2 applications. For the "Not Linked" case, the application was run without the checkpointing library linked to it. In the "Linked" case, the checkpointing library was linked to the application, but it did not take any checkpoints. This case measures checkpointing overhead outside not directly related to taking checkpoints. All times are in seconds.

Table 2: This table lists the time required to save checkpoints for several SPLASH2 applications. "Total Time" is the total amount of time to take a checkpoint. "Save Time" is the amount of time required to save the checkpoint to a file. "Sync Time" is the amount of time required for processes to synchronize before and after the checkpoint. All times are in seconds on a run with 2 Processors.

Checkpoint Size (MB)

Figure 3: This graph shows a plot of the time to save a checkpoint as a function of checkpoint size. The line through the NFS data points was fitted using the method of least squares. The latest version of the checkpointing library is avail¬ [9] James Griffioen, Rajendra Yavatkar, and Raphael able through our web site at: Finkel. Unify: A scalable approach to multicom¬ puter design. IEEE Computer Society Bulletin of the Technical Committee on Operating Systems http://www.dcs.uky.edu/~chkpt and Application Environments, 7(2), 1995.

[10] Michael Litzkow, Todd Tannenbaum, Jim Basney, and Miron Livny. Checkpoint and migration of

References unix processes in the condor distributed process¬ ing system. Technical Report 1346, University of Wisconsin-Madison Computer Science, April

[1] EPCKPT: Eduardo Pinheiro Check¬ 1997. point Project Website. Technical report, http://www.cs.rochester.edU/u/edpin/epckpt/. [1 1] Dejan S. Milojicic, Fred Douglis, Yves Paindav- eine, Richard Wheeler, and Songnian Zhou. Pro¬

[2] High-Availability Linux Project Website. Techni¬ cess migration survey. ACM Computing Surveys, cal report, http://www.linux-ha.org/. pages 241-299, September 2000.

[3] Amnon Barak, Oren La-adan, and Amnon Shiloh. [12] James S. Plank, Micah Beck, Gerry Kingsley, and Scalable cluster computing with MOSIX for Kai Li. Libckpt: Transparent checkpointing under LINUX. In Proceedings of Linux Expo '99, pages Unix. In USENIX Winter 1995 Technical Confer¬ 95-100, May 1999. ence, January 1995.

[4] Amnon Barak and Aren La'adan. The MOSIX [13] James S. Plank and Wael R. Elwasif. Experimental multicomputer operating system for high perfor¬ assessment of workstation failures and their impact mance cluster computing. Journal of Future on checkpointing systems. In Proceedings of the Generation Computer Systems, 13(4 — 5):361— 372, International Symposium on Fault-Tolerant Com¬ March 1998. puting, pages 48-57, June 1998.

[14] Todd Tannenbaum and Michael Litzkow. Check¬

[5] Portable Application Standards Committee. Draft pointing and migration of unix processes in the Standard for Information Technology — Portable condor distributed processing system. Dr. Dobbs Operating System Interface (POSIX) Part I: Sys¬ tem Application Program Interface (API) -Amend¬ Journal, pages 40-48,102, February 1995. ment m: Checkpoint/Restart Interface. IEEE Com¬ [15] Nitin H. Vaidya. Impact of checkpoint latency on puter Society, pl003.1m/d2 edition. overhead ratio of a checkpointing scheme. IEEE Transactions on Computers, pages 942-947, Au¬

[6] William R. Dieter and James E. Lumpp, Jr. A user- gust 1997. level checkpointing library for POSIX threads pro¬ grams. In Proceedings of the International Sym¬ [16] Yi-Min Wang, Yennun Huang, Kiem-Phong Vo, posium on Fault-Tolerant Computing, pages 224- Pi-Yu Chung, and Chandra Kintala. Checkpointing 227, June 1999. and its applications. In Proceedings of the Inter¬ national Symposium on Fault-Tolerant Computing,

[7] William R. Dieter and James E. Lumpp, Jr. User- pages 22-31 , June 1995. level checkpointing of posix threads. Techni¬ cal Report CEG-99-004, University of Kentucky, [17] Steven Cameron Woo, Moriyoshi Ohara, Evan Tor- Department of Electrical Engineering, Lexington, rie, Jaswinder Pal Singh, and Anoop Gupta. The KY 40506-0046, http://www.dcs.uky.edu/"chkpt, splash-2 programs: Characterization and method¬ 1999. ological considerations. In Proceedings of the In¬ ternational Symposium on Computer Architecture,

[8] Mootaz Elnozahy, Lorenzo Alvisi, Yi-Min Wang, pages 24-36, June 1995. and Davaid B. Johnson. A survey of rollback- recovery protocols in message-passing systems. [18] Roman Zajcew, Paul Roy, David Black, Chris Technical Report CMU-CS-99-148, Carnegie Mel¬ Peak, Paulo Guedes, Bradford Kemp, John lon University, http://www.cs.utexas.edu/users/ LoVerso, Michael Leibensperger, Michael Bar- lorenzo/papers/Papό.ps, June 1999. nett, Faramarz Rabii, and Durriya Netterwala. An OSF/1 Unix for massively parallel multicomput- ers. In USENIX Winter 1993 Technical Conference, pages 449-468, January 1993.

[19] Victor C. Zandy, Barton P. Miller, and Miron Livny. Process hijacking. In Proceedings of the IEEE International Symposium on High Per¬ formance Distributed Computing, pages 177-184, August 1999.

Claims

CLAIMS What is claimed is:

1. A method of checkpointing an object, process or other component of an application program, comprising: creating at least one incremental checkpoint; creating at least one full checkpoint; automatically and asynchronously merging at least one said incremental checkpoint and at least one said full checkpoint at a checkpoint storage location; wherein said incremental checkpointing is implemented in user space; and wherein said incremental checkpointing comprises page-boundary memory checkpointing.

2. A method as recited in claim 1 , further comprising: providing file storage checkpointing; wherein one or more files for an application program can be restored without requiring restoration of files for other application programs.

3. A method as recited in claim 1 , further comprising performing barrier synchronization of incremental and full checkpoints using system semaphores.

4. A method as recited in claim 1 , wherein checkpointing is carried out using a device driver in lieu of operating system kernel modification.

5. A method as recited in claim 1 , further comprising capturing the state of waiting queues using kernel-level interception of system calls.

6. A method as recited in claim 5, wherein said interception is implemented in a kernel module in a multiprocessing environment or in a single processing environment.

7. A method as recited in claim 1 , further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

8. A method as recited in claim 1 , further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

9. A method as recited in claim 1 , further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

10. A method as recited claim 7, 8 or 9, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

1 1. A system for checkpointing an object, process or other component of an application program, comprising: means for full memory checkpointing; means for incremental memory checkpointing; and means for automatic asynchronous merging of incremental checkpoints with full checkpoints at a checkpoint storage location; wherein at least said incremental checkpointing is implemented in user space; and wherein at least said incremental checkpointing comprises page-boundary memory checkpointing.

12. A system as recited in claim 1 1 , further comprising: means for file storage checkpointing; wherein one or more files for an application program can be restored without requiring restoration of files for other application programs.

13. A system as recited in claim 1 1 , further comprising means for performing barrier synchronization of checkpoints using system semaphores.

14. A system as recited in claim 11 , further comprising means for capturing the state of waiting queues using kernel-level interception of system calls.

15. A system as recited in claim 14, wherein said interception is implemented in a kernel module in a multiprocessing environment.

16. A system as recited in claim 11 , further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

17. A system as recited in claim 11 , further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

18. A system as recited in claim 11 , further comprising reconnecting the kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

19. A system as recited in claim 16, 17 or 18, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

20. In a computer system having a mechanism for checkpointing, the improvement comprising: providing page boundary incremental checkpointing with automatic asynchronous merging at a checkpoint storage location; wherein said checkpointing runs entirely in user space; and wherein kernel modification is not required for implementation of said checkpointing.

21. An improvement as recited in claim 20, further comprising: providing file storage checkpointing; wherein one or more files for an application program can be restored without requiring restoration of files for other application programs.

22. An improvement as recited in claim 20, further comprising providing barrier synchronization of checkpoints using system semaphores.

23. An improvement as recited in claim 20, further comprising capturing the state of waiting queues using kernel-level interception of system calls.

24. An improvement as recited in claim 23, wherein said interception is implemented in a kernel module in a multiprocessing environment.

25. An improvement as recited in claim 20, further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

26. An improvement as recited in claim 20, further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

27. An improvement as recited in claim 20, further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

28. An improvement as recited claim 25, 26 or 27, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

29. A checkpointing computer program, comprising a set of instructions stored on a media accessible by a computer and executable on said computer, wherein said computer program performs the steps comprising: providing page boundary incremental checkpointing with automatic asynchronous merging of checkpoints at the checkpoint storage location; wherein said checkpointing runs entirely in user space; and wherein kernel modification is not required for implementation of said checkpointing.

30. A computer program as recited in claim 29, wherein said computer program performs the steps further comprising: providing file storage checkpointing; wherein one or more files for an application program can be restored without requiring restoration of files for other application programs.

31. A computer program as recited in claim 29, wherein said computer program performs the steps further comprising performing barrier synchronization using system semaphores.

32. A computer program as recited in claim 29, wherein said computer program performs the steps further comprising capturing the state of waiting queues using kernel-level interception of system calls.

33. A computer program as recited in claim 32, wherein said interception is implemented in a kernel module in a multiprocessing environment.

34. A computer program as recited in claim 29, wherein said computer program performs the steps further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

35. A computer program as recited in claim 29, wherein said computer program performs the steps further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

36. A computer program as recited in claim 29, further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

37. A computer program as recited in claim 34, 35 or 36, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

38. A checkpointing method in a computer system, comprising: checkpointing memory images of processes and data for restoration of an entire process tree/hierarchy or for restoration of only the first or second level of the process tree/hierarchy.

39. A method as recited in claim 38, wherein said processes are multi¬ threaded.

40. A method as recited in claim 38, wherein said processes are non- multithreaded.

41. A method as recited in claim 38, wherein one or more portions of said tree/hierarchy are restorable based on priority of application programs or processes.

42. A method as recited in claim 38, further comprising capturing the state of waiting queues using kernel-level interception of system calls.

43. A method as recited in claim 42, wherein said interception is implemented in a kernel module in a multiprocessing environment.

44. A method as recited in claim 38, further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

45. A method as recited in claim 38, further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

46. A method as recited in claim 38, further comprising reconnecting the kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

47. A method as recited in any of claims 44, 45 or 46, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

48. A system for checkpointing an object, process or other component of an application program, comprising: programming executable on a computer; said programming including means for checkpointing memory images of processes and data for restoration of the entire process tree/hierarchy.

49. A system as recited in claim 48, wherein said processes are multi¬ threaded.

50. A system as recited in claim 48, wherein said processes are non- multithreaded.

51. A system as recited in claim 48, wherein one or more portions of said tree/hierarchy are restorable based on priority of application programs or processes.

52. A system as recited in claim 48, further comprising means for capturing the state of waiting queues using kernel-level interception of system calls.

53. A system as recited in claim 52, wherein said interception is implemented in a kernel module in a multiprocessing environment.

54. A system as recited in claim 48, further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

55. A system as recited in claim 48, further comprising capturing the process memory map state using a device driver in lieu of operating system kernel modification.

56. A system as recited in claim 48, further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

57. A system as recited in claim 54, 55 or 56, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

58. In a computer system having a mechanism for checkpointing, the improvement comprising: checkpointing memory images of processes and data for restoration of an entire process tree/hierarchy.

59. An improvement as recited in claim 58, wherein said processes are multi-threaded.

60. An improvement as recited in claim 58, wherein said processes are non-multithreaded.

61. An improvement as recited in claim 58, wherein one or more portions of said tree/hierarchy are restorable based on priority of application programs or processes.

62. An improvement as recited in claim 58, further comprising capturing the state of waiting queues using kernel-level interception of system calls.

63. An improvement as recited in claim 62, wherein said interception is implemented in a kernel module in a multiprocessing environment.

64. An improvement as recited in claim 58, further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

65. An improvement as recited in claim 58, further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

66. An improvement as recited in claim 58, further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

67. An improvement as recited in claim 64, 65 or 66, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

68. A checkpointing computer program, comprising a set of instructions stored on a media accessible by a computer and executable on said computer, wherein said computer program performs the steps comprising: checkpointing memory images of processes and data for restoration of an entire process tree/hierarchy.

69. A computer program as recited in claim 68, wherein said processes are multi-threaded.

70. A computer program as recited in claim 68, wherein said processes are non-multithreaded.

71. A computer program as recited in claim 68, wherein one or more portions of said tree/hierarchy are restorable based on priority of application programs or processes.

72. A computer program as recited in claim 68, wherein said computer program performs the steps further comprising capturing the state of waiting queues using kernel-level interception of system calls.

73. A computer program as recited in claim 72, wherein said interception is implemented in a kernel module in a multiprocessing environment.

74. A computer program as recited in claim 68, further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

75. A computer program as recited in claim 68, further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

76. A computer program as recited in claim 68, further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

77. A computer program as recited in claim 74, 75 or 76, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

78. A checkpointing method in a computer system, comprising: checkpointing user-space application memory images and the state that the operating system maintains on behalf of the application.

79. A method as recited in claim 78, further comprising capturing the state of waiting queues using kernel-level interception of system calls.

80. A method as recited in claim 79, wherein said interception is implemented in a kernel module in a multiprocessing environment.

81. A method as recited in claim 78, further comprising capturing the state of inter-process communication via pipes, FIFOs, and sockets using a device driver in lieu of operating system kernel modification.

82. A method as recited in claim 78, further comprising capturing process memory map state using a device driver in lieu of operating system kernel modification.

83. A method as recited in claim 78, further comprising reconnecting kernel pointers for shared files between parent and child processes after restoring from a checkpoint using a device driver in lieu of operating system kernel modification.

84. A method as recited in claim 81 , 82 or 83, wherein said device driver is implemented as a loadable kernel module in a multiprocessing environment or in a single processing environment.

85. A system for checkpointing an application program on a computer having an operating system, comprising: programming executable on a computer; said programming including means for checkpointing user-space application memory images and the state that the operating system maintains on behalf of the application program.

86. In a computer system having a mechanism for checkpointing, the improvement comprising: providing means for checkpointing user-space application memory images and the state that the operating system maintains on behalf of the application.

87. A checkpointing computer program, comprising a set of instructions stored on a media accessible by a computer and executable on said computer, wherein said computer program performs the steps comprising: checkpointing user-space application memory images and the state that the operating system maintains on behalf of the application.

88. A method as recited in claim 1 , 38 or 78, further comprising: providing storage checkpointing; providing means for saving N full copies of storage checkpoints; providing a hard link to a first saved storage checkpoint; and removing the first checkpoint when a subsequent storage checkpoint is saved and maintaining the hard link to the first saved storage checkpoint; wherein a physical copy of said first storage checkpoint is not made when said subsequent storage checkpoint is saved.

89. A method as recited in claim 88, further comprising: synchronizing a storage image with a memory image at the time a checkpoint is saved; wherein each memory checkpoint has a corresponding storage checkpoint.

90. A system as recited in claim 1 1 , 48 or 85, further comprising: means for providing storage checkpointing; means for saving N full copies of storage checkpoints; means for providing a hard link to a first saved storage checkpoint; and means for removing the first storage checkpoint when a subsequent storage checkpoint is saved and maintaining the hard link to the first saved storage checkpoint; wherein a physical copy of said first storage checkpoint is not made when said subsequent storage checkpoint is saved.

91. A system as recited in claim 90, further comprising: means for synchronizing a storage image with a memory image at the time a checkpoint is saved; wherein each memory checkpoint has a corresponding storage checkpoint.

92. An improvement as recited in claim 20, 58 or 86, further comprising: means for storage checkpointing; means for saving N full copies of storage checkpoints; means for providing a hard link to a first saved storage checkpoint; and means for removing the first storage checkpoint when a subsequent storage checkpoint is saved and maintaining the hard link to the first saved storage checkpoint; wherein a physical copy of said first storage checkpoint is not made when said subsequent storage checkpoint is saved.

93. An improvement as recited in claim 92, further comprising: means for synchronizing a storage image with a memory image at the time a checkpoint is saved; wherein each memory checkpoint has a corresponding storage checkpoint.

94. A computer program as recited in claim 29, 68 or 87, wherein said computer program performs the steps further comprising: providing storage checkpointing; saving N full copies of storage checkpoints; providing a hard link to a first saved storage checkpoint; and removing the first storage checkpoint when a subsequent storage checkpoint is saved and maintaining the hard link to the first saved storage checkpoint; wherein a physical copy of said first storage checkpoint is not made when said subsequent storage checkpoint is saved.

95. A computer program as recited in claim 88, wherein said computer program performs the steps further comprising: synchronizing a storage image with a memory image at the time a checkpoint is saved; wherein each memory checkpoint has a corresponding storage checkpoint.

96. A method as recited in claim 1 , 20 or 78, further comprising: providing a template which defines one or more processes to be protected by checkpointing and which provides for selective restoration.

97. A system as recited in claim 1 1 , 48 or 91 , further comprising means for defining one or more processes to be protected by checkpointing and provides for selective restoration.

98. An improvement as recited in claim 20, 58 or 86, further comprising providing a template which defines one or more processes to be protected by said checkpointing and which provides for selective restoration.

99. A computer program as recited in claim 29, 68 or 87, wherein said computer program performs the steps further comprising: maintaining a template which defines one or more processes to be protected by said checkpointing and which provides for selective restoration; and accessing said template.