U.S. patent application number 11/605184 was filed with the patent office on 2007-03-29 for systems and methods for automatic database or file system maintenance and repair.
This patent application is currently assigned to Microsoft Corporation. Invention is credited to Hanumantha Rao Kodavalla, Artem A. Oks, Martin J. Sleeman.
Application Number | 20070073764 11/605184 |
Document ID | / |
Family ID | 35394801 |
Filed Date | 2007-03-29 |
United States Patent
Application |
20070073764 |
Kind Code |
A1 |
Oks; Artem A. ; et
al. |
March 29, 2007 |
Systems and methods for automatic database or file system
maintenance and repair
Abstract
The present invention relates generally to database and file
system management and, more particularly, to automatic database and
file system maintenance and repair to ensure data reliability.
Various aspects of the present invention relate to responding and
correcting data corruptions at a data page level for all data page
types, as well as to recovery (including rebuild or restore
operations) for various scenarios including, without limitation,
index page corruptions (clustered and non-clustered), data page
corruptions, and page corruptions in the log file.
Inventors: |
Oks; Artem A.; (Bellevue,
WA) ; Kodavalla; Hanumantha Rao; (Sammamish, WA)
; Sleeman; Martin J.; (Redmond, WA) |
Correspondence
Address: |
WOODCOCK WASHBURN LLP (MICROSOFT CORPORATION)
CIRA CENTRE, 12TH FLOOR
2929 ARCH STREET
PHILADELPHIA
PA
19104-2891
US
|
Assignee: |
Microsoft Corporation
Redmond
WA
|
Family ID: |
35394801 |
Appl. No.: |
11/605184 |
Filed: |
November 28, 2006 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
10837932 |
May 3, 2004 |
7143120 |
|
|
11605184 |
Nov 28, 2006 |
|
|
|
Current U.S.
Class: |
1/1 ;
707/999.102; 707/E17.005; 707/E17.007 |
Current CPC
Class: |
G06F 11/1471 20130101;
G06F 2201/80 20130101; G06F 16/221 20190101; G06F 11/1469 20130101;
Y10S 707/99953 20130101; G06F 11/1474 20130101; G06F 2201/84
20130101; G06F 11/1402 20130101 |
Class at
Publication: |
707/102 |
International
Class: |
G06F 7/00 20060101
G06F007/00 |
Claims
1. A system for resolving an error encountered by a query engine
during a transaction to a corrupt data store attached to a database
file system (DBFS), said system comprising: a subsystem for
aborting said transaction and attempting a page level restoration;
and a subsystem for determining whether the page level restoration
fails or is unavailable, further comprising: a subsystem for
attempting an index recovery when the failure is for an index page;
a subsystem for attempting a data page recovery when the failure is
for a data page; a subsystem for attempting an emergency repair
when the failure is due to a log page error; and a subsystem for
attempting to restore the entire database when the failure is an
unrecoverable error.
2. A method for resolving an error encountered by a query engine
during a transaction to a corrupt data store attached to a database
file system (DBFS), said method comprising: aborting said
transaction and attempting a page level restoration; and if the
page level restoration fails or is unavailable, then: if the
failure is for an index page, attempting an index recovery; if the
failure is for a data page, attempting a data page recovery; if the
failure is due to a log page error, attempting an emergency repair;
and if the failure is an unrecoverable error, attempting to restore
the entire database.
3. A computer-readable medium comprising computer-readable
instructions for resolving an error encountered by a query engine
during a transaction to a corrupt data store attached to a database
file system (DBFS), said computer-readable instructions comprising
instructions for: aborting said transaction and attempting a page
level restoration; and if the page level restoration fails or is
unavailable, then: if the failure is for an index page, attempting
an index recovery; if the failure is for a data page, attempting a
data page recovery; if the failure is due to a log page error,
attempting an emergency repair; and if the failure is an
unrecoverable error, attempting to restore the entire database.
Description
CROSS-REFERENCE
[0001] This application is a continuation application of U.S.
patent application Ser. No. 10/837,932 (Atty. Docket No.
MSFT-3842), filed on May 3, 2004, and is related by subject matter
to the inventions disclosed in the following commonly assigned
applications, the contents of which are hereby incorporated into
this present application in their entirety: U.S. patent application
Ser. No. 10/647,058 (Atty. Docket No. MSFT-1748), filed on Aug. 21,
2003, entitled "SYSTEMS AND METHODS FOR REPRESENTING UNITS OF
INFORMATION MANAGEABLE BY A HARDWARE/SOFTWARE INTERFACE SYSTEM BUT
INDEPENDENT OF PHYSICAL REPRESENTATION"; U.S. patent application
Ser. No. 10/646,941 (Atty. Docket No. MSFT-1749), filed on Aug. 21,
2003, entitled "SYSTEMS AND METHODS FOR SEPARATING UNITS OF
INFORMATION MANAGEABLE BY A HARDWARE/SOFTWARE INTERFACE SYSTEM FROM
THEIR PHYSICAL ORGANIZATION"; U.S. patent application Ser. No.
10/646,940 (Atty. Docket No. MSFT-1750), filed on Aug. 21, 2003,
entitled "SYSTEMS AND METHODS FOR THE IMPLEMENTATION OF A BASE
SCHEMA FOR ORGANIZING UNITS OF INFORMATION MANAGEABLE BY A
HARDWARE/SOFTWARE INTERFACE SYSTEM"; U.S. patent application Ser.
No. 10/646,632 (Atty. Docket No. MSFT-1751), filed on Aug. 21,
2003, entitled "SYSTEMS AND METHODS FOR THE IMPLEMENTATION OF A
CORE SCHEMA FOR PROVIDING A TOP-LEVEL STRUCTURE FOR ORGANIZING
UNITS OF INFORMATION MANAGEABLE BY A HARDWARE/SOFTWARE INTERFACE
SYSTEM"; U.S. patent application Ser. No. 10/646,645 (Atty. Docket
No. MSFT-1752), filed on Aug. 21, 2003, entitled "SYSTEMS AND
METHOD FOR REPRESENTING RELATIONSHIPS BETWEEN UNITS OF INFORMATION
MANAGEABLE BY A HARDWARE/SOFTWARE INTERFACE SYSTEM"; U.S. patent
application Ser. No. 10/646,575 (Atty. Docket No. MSFT-2733), filed
on Aug. 21, 2003, entitled "SYSTEMS AND METHODS FOR INTERFACING
APPLICATION PROGRAMS WITH AN ITEM-BASED STORAGE PLATFORM"; U.S.
patent application Ser. No. 10/646,646 (Atty. Docket No.
MSFT-2734), filed on Aug. 21, 2003, entitled "STORAGE PLATFORM FOR
ORGANIZING, SEARCHING, AND SHARING DATA"; U.S. patent application
No. 10/646,580 (Atty. Docket No. MSFT-2735), filed on Aug. 21,
2003, entitled "SYSTEMS AND METHODS FOR DATA MODELING IN AN
ITEM-BASED STORAGE PLATFORM."
TECHNICAL FIELD
[0002] The present invention relates generally to database and file
system management and, more particularly, to automatic database and
file system maintenance and repair to ensure data reliability.
Various aspects of the present invention relate to responding and
correcting data corruptions at a data page level for all data page
types, as well as to recovery (including rebuild or restore
operations) for various scenarios including, without limitation,
index page corruptions (clustered and non-clustered), data page
corruptions, and page corruptions in the log file.
BACKGROUND
[0003] While client database platforms (i.e., home and business
desktop computers) use hardware of a quality that is much lower
than on server platforms, even server-class hardware (controllers,
drivers, disks, and so forth) can cause data corruption such that a
read operation does not return what the application wrote to the
data store. Of course, this is clearly a more prolific problem with
client database platforms (as opposed to server database platforms)
for various reasons including without limitation to the increased
probability of a client machine been arbitrary powered off in the
midst of a write operation due to an unexpected power outage, which
in turn leads to torn pages and potential database corruptions. (It
is more common for server database systems to utilize
uninterruptible power supplies to mitigate problems from power
outages.) Media decay is another source of database corruptions,
where the physical storage media quite literally wears out over
time. And yet another source of concern regarding reliability is
the detection and recovery from corruptions caused by the software
errors both inadvertent (e.g., bugs) as well as pernicious (e.g.,
viruses).
[0004] Traditionally maintenance and repair of a databases has
fallen to database managers and the like having a well-developed
skill set and deep knowledge of database systems, or at least to
individuals who are familiar with and regularly use database
systems-by and large persons relatively skilled with regard to
database technologies. On the other hand, typical consumer and
business end-users of operating systems and application programs
rarely work with databases and are largely ill-equipped to deal
with database maintenance and repair issues.
[0005] While the disparate level of skill between these two groups
has been largely irrelevant in the past, a database-implemented
file system for an operating systems--such as the operating system
disclosed in related the U.S. Patent Applications identified
earlier herein in the section entitled "Cross-References"--creates
a scenario where these lesser-skilled end-users will be faced with
database maintenance and repair issues they will largely be unable
to resolve. Thus a business/consumer database-implemented operating
system file system, or "database file system" (DBFS) for short,
must be able to detect corruptions and recover its databases to a
transactionally consistent state and, in the cases of unrecoverable
data loss, the DBFS must then guarantee data consistency at the
level atomic change units to said data are maintained (i.e., at the
"item" level for an item-based DBFS). Moreover, for DBFSs running
by default in a lazy commit mode, the durability of transactions
committed just before an abnormal shutdown is not guaranteed and
must be accounted for and corrected.
[0006] Moreover, while business/consumer end-user will greatly
benefit from automating DBFS maintenance and recovery, database
managers and those of greater database skills will also benefit
from a technical solution for general database maintenance and
repair. It is commonplace in the art for database administrators to
utilize database tools (for example, the database tuning advisor
provided with SQL Server 2000), but these tools do not directly
address reliability but instead provide a means by which backups of
the database are administered and managed-and not in a
mostly-automated fashion, but instead requiring substantial
database administrator involvement, particularly when database
backups are not available or other repair issues arise. Thus an
automated solution to address database reliability would also be
beneficial for database administrators and other skilled database
users. The present invention provides just such a solution.
SUMMARY
[0007] Various embodiments of the present invention are directed a
data reliability system (DRS) for a DBFS wherein the DRS comprises
a framework and a set of policies for performing database
administration (DBA) tasks automatically and with little or no
direct involvement by an end-user (and thus is essentially
transparent to said end-user). For several embodiments, the DRS
framework implements mechanisms for plugging error and event
notifications, policies, and error/event handling algorithms into
the DRS. More particularly, for these embodiments DRS is a
background thread that is in charge of maintaining and repairing
the DBFS in the background, and thus at the highest level the DRS
guards and maintains the overall health of the DBFS.
[0008] For various embodiments of the present invention, the DRS
comprises the following features: (1) responding and correcting
data corruptions at a page level for all page types; and (2)
attempting a second level of recovery (rebuild or restore) for: (a)
index page corruptions (clustered and non-clustered); (b) data page
corruptions; and (c) page corruptions in the log file.
[0009] Certain embodiments of the present invention further
comprise specific functionality for the DRS, including but not
limit to: (i) handling repair/restore data corruption cases; and
(ii) (iii) improving the reliability and availability of the
system; and (iv) keeping a DRS error/event history table for a
skilled third party to troubleshoot database or storage engine
problems if necessary.
BRIEF DESCRIPTION OF THE DRAWINGS
[0010] The foregoing summary, as well as the following detailed
description of preferred embodiments, is better understood when
read in conjunction with the appended drawings. For the purpose of
illustrating the invention, there is shown in the drawings
exemplary constructions of the invention; however, the invention is
not limited to the specific methods and instrumentalities
disclosed. In the drawings:
[0011] FIG. 1 is a block diagram representing a computer system in
which aspects of the present invention may be incorporated;
[0012] FIG. 2 is a block diagram illustrating the structure of the
data reliability system (DRS) in database file system (DBFS)
representative of several embodiments of the present invention;
[0013] FIG. 3A is a block diagram illustrating the attachment of
data stores by a database FPM to a DBFS;
[0014] FIG. 3B is a flowchart illustrating the process by which
corrupted pages are detected and corrected during a database attach
operation for several embodiments of the present invention;
[0015] FIG. 4A is a flowchart illustrating the utilization of a DRS
in a startup/crash-recovery context in accordance with various
embodiments of the present invention;
[0016] FIG. 4B is a table illustrating the errors handled by the
DRS during database attachment;
[0017] FIG. 5A is a flowchart illustrating the utilization of a DRS
in a online operations where the query engine encounters an error
for various embodiments of the present invention;
[0018] FIG. 5B is a table illustrating the errors handled by the
DRS during online operations;
[0019] FIG. 6 is a flowchart illustrating the DRS performing a
restore when a page does exist in a most recent snapshot and there
is a valid transaction log;
[0020] FIG. 7 is a flowchart illustrating the method for bringing a
database back online for certain DRS embodiments of the present
invention where the database cannot be recovered and there is no
usable backup; and
[0021] FIG. 8 is a flowchart illustrating the method for the DRS to
attempt to recover a data page according to one aspect of the
present invention.
DETAILED DESCRIPTION
[0022] The subject matter is described with specificity to meet
statutory requirements. However, the description itself is not
intended to limit the scope of this patent. Rather, the inventors
have contemplated that the claimed subject matter might also be
embodied in other ways, to include different steps or combinations
of steps similar to the ones described in this document, in
conjunction with other present or future technologies. Moreover,
although the term "step" may be used herein to connote different
elements of methods employed, the term should not be interpreted as
implying any particular order among or between various steps herein
disclosed unless and except when the order of individual steps is
explicitly described.
[0023] The above summary provides an overview of the features of
the invention. A detailed description of one embodiment of the
invention follows. For various embodiments described below, the
features of the present invention are described as implemented in
the MICROSOFT SQL SERVER database system (sometimes referred to
herein simply as "SQL") alone or incorporated into the MICROSOFT
WinFS file system for the next generation personal computer
operating system (commonly referred to as "Windows Longhorn" or
"Longhorn" for short), the latter being the primary subject matter
of many of the patent applications cross-referenced earlier herein.
As mentioned above, SQL SERVER incorporates the MICROSOFT .NET
Common Language Runtime (CLR) to enable managed code to be written
and executed to operate on the data store of a SQL SERVER database.
While the embodiment described below operates in this context, it
is understood that the present invention is by no means limited to
implementation in the SQL SERVER product. Rather, the present
invention can be implemented in any database system that supports
the execution of object-oriented programming code to operate on a
database store, such as object oriented database systems and
relational database systems with object relational extensions.
Accordingly, it is understood that the present invention is not
limited to the particular embodiment described below, but is
intended to cover all modifications that are within the spirit and
scope of the invention as defined by the appended claims.
Computer Environment
[0024] Numerous embodiments of the present invention may execute on
a computer. FIG. 1 and the following discussion is intended to
provide a brief general description of a suitable computing
environment in which the invention may be implemented. Although not
required, the invention will be described in the general context of
computer executable instructions, such as program modules, being
executed by a computer, such as a client workstation or a server.
Generally, program modules include routines, programs, objects,
components, data structures and the like that perform particular
tasks or implement particular abstract data types. Moreover, those
skilled in the art will appreciate that the invention may be
practiced with other computer system configurations, including hand
held devices, multi processor systems, microprocessor based or
programmable consumer electronics, network PCs, minicomputers,
mainframe computers and the like. The invention may also be
practiced in distributed computing environments where tasks are
performed by remote processing devices that are linked through a
communications network. In a distributed computing environment,
program modules may be located in both local and remote memory
storage devices.
[0025] As shown in FIG. 1, an exemplary general purpose computing
system includes a conventional personal computer 20 or the like,
including a processing unit 21, a system memory 22, and a system
bus 23 that couples various system components including the system
memory to the processing unit 21. The system bus 23 may be any of
several types of bus structures including a memory bus or memory
controller, a peripheral bus, and a local bus using any of a
variety of bus architectures. The system memory includes read only
memory (ROM) 24 and random access memory (RAM) 25. A basic
input/output system 26 (BIOS), containing the basic routines that
help to transfer information between elements within the personal
computer 20, such as during start up, is stored in ROM 24. The
personal computer 20 may further include a hard disk drive 27 for
reading from and writing to a hard disk, not shown, a magnetic disk
drive 28 for reading from or writing to a removable magnetic disk
29, and an optical disk drive 30 for reading from or writing to a
removable optical disk 31 such as a CD ROM or other optical media.
The hard disk drive 27, magnetic disk drive 28, and optical disk
drive 30 are connected to the system bus 23 by a hard disk drive
interface 32, a magnetic disk drive interface 33, and an optical
drive interface 34, respectively. The drives and their associated
computer readable media provide non volatile storage of computer
readable instructions, data structures, program modules and other
data for the personal computer 20. Although the exemplary
environment described herein employs a hard disk, a removable
magnetic disk 29 and a removable optical disk 31, it should be
appreciated by those skilled in the art that other types of
computer readable media which can store data that is accessible by
a computer, such as magnetic cassettes, flash memory cards, digital
video disks, Bernoulli cartridges, random access memories (RAMs),
read only memories (ROMs) and the like may also be used in the
exemplary operating environment.
[0026] A number of program modules may be stored on the hard disk,
magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an
operating system 35, one or more application programs 36, other
program modules 37 and program data 38. A user may enter commands
and information into the personal computer 20 through input devices
such as a keyboard 40 and pointing device 42. Other input devices
(not shown) may include a microphone, joystick, game pad, satellite
disk, scanner or the like. These and other input devices are often
connected to the processing unit 21 through a serial port interface
46 that is coupled to the system bus, but may be connected by other
interfaces, such as a parallel port, game port or universal serial
bus (USB). A monitor 47 or other type of display device is also
connected to the system bus 23 via an interface, such as a video
adapter 48. In addition to the monitor 47, personal computers
typically include other peripheral output devices (not shown), such
as speakers and printers. The exemplary system of FIG. 1 also
includes a host adapter 55, Small Computer System Interface (SCSI)
bus 56, and an external storage device 62 connected to the SCSI bus
56.
[0027] The personal computer 20 may operate in a networked
environment using logical connections to one or more remote
computers, such as a remote computer 49. The remote computer 49 may
be another personal computer, a server, a router, a network PC, a
peer device or other common network node, and typically includes
many or all of the elements described above relative to the
personal computer 20, although only a memory storage device 50 has
been illustrated in FIG. 1. The logical connections depicted in
FIG. 1 include a local area network (LAN) 51 and a wide area
network (WAN) 52. Such networking environments are commonplace in
offices, enterprise wide computer networks, intranets and the
Internet.
[0028] When used in a LAN networking environment, the personal
computer 20 is connected to the LAN 51 through a network interface
or adapter 53. When used in a WAN networking environment, the
personal computer 20 typically includes a modem 54 or other means
for establishing communications over the wide area network 52, such
as the Internet. The modem 54, which may be internal or external,
is connected to the system bus 23 via the serial port interface 46.
In a networked environment, program modules depicted relative to
the personal computer 20, or portions thereof, may be stored in the
remote memory storage device. It will be appreciated that the
network connections shown are exemplary and other means of
establishing a communications link between the computers may be
used.
[0029] While it is envisioned that numerous embodiments of the
present invention are particularly well-suited for computerized
systems, nothing in this document is intended to limit the
invention to such embodiments. On the contrary, as used herein the
term "computer system" is intended to encompass any and all devices
capable of storing and processing information and/or capable of
using the stored information to control the behavior or execution
of the device itself, regardless of whether such devices are
electronic, mechanical, logical, or virtual in nature.
Overview of the Data Reliability System (DRS)
[0030] For several embodiments of the present invention, the data
reliability system (DRS) is a thread that maintains and repairs the
database in the background, and thereby guards the general health
of the database file system (DBFS). FIG. 2 is a block diagram
illustrating the structure of the DRS in the DBFS. In the figure,
an operating system 202 providing operating system level services
to a plurality of applications 212, 214, and 216, comprises a DBFS
222 logically coupled to a persistent data store 232. The operating
system 202 further comprises a DRS 242 which is invoked 244 by the
DBFS 222 whenever a page error 240 from among a plurality of pages
234, 236, and 238 in the persistent data store 232 is discovered,
and the DRS 242 then performs repair operations in response to the
page error 240.
[0031] For various embodiments of the present invention, the DRS
may comprise the following features: (1) responding and correcting
data corruptions at a page level for all page types; and (2)
attempting a second level of recovery (rebuild or restore) for: (a)
index page corruptions (clustered and non-clustered); (b) data page
corruptions; and (c) page corruptions in the log file. Certain
embodiments of the present invention further comprise specific
functionality for the DRS, including but not limit to: (i) handling
repair/restore data corruption cases; (ii) improving the
reliability and availability of the system; and (iii) keeping a DRS
error/event history table for a skilled third party to troubleshoot
database or storage engine problems if necessary.
[0032] Certain embodiments of the present invention provide that
the DRS be extensible so that recovery policies and detection
mechanisms may be updated after a DBFS has been released. Several
embodiments are direct to a DRS that run repairs while the DBFS
database is kept online. Still other embodiments are directed to
run with full access to the DBFS store (that is, sysadmin
privileges). Still other embodiments will have the ability to
detect and react to failures in real time. For several embodiments,
DRS repairs will be transactional at the level change units to said
data are maintained (i.e., at the "item" level for an item-based
DBFS). Lastly, for various embodiments repairs will either
completely recover an item or it will back out its changes, and the
DRS will have the ability to continue the recovery/restoration work
even if a reboot occurs half way thru the process.
[0033] For several embodiments of the present invention, the DRS
will subscribe to SQL events so that if SQL fires a general event,
the DRS may intercept it and react (including without limitation
823/824 events). In addition, another aspect of the present
invention is for the database engine to be modified to send
DRS-specific events for error conditions that the DRS is to
specifically handle.
[0034] For various embodiments of the present invention,
corruptions will be detected whenever the DBFS reads or writes
pages from disk, in which case SQL will then generate one of a host
of errors depending on what type of corruption it is and will also
fire specific DRS events to notify it of the specific error
conditions. DRS will receive those errors and place them on in an
incoming queue for processing.
[0035] For several embodiments of the present invention,
ascertaining whether a page is corrupted is accomplished by various
means including, without limitation, (a) examining the checksum for
a page and, if the checksum is invalid, the page is considered
corrupt or (b) by examining the log serial number (LSN) to see if
it is beyond the end of the log file (where an LSN is an integer
that is incremented with each transaction so that if the last
transaction in the log was LSN 432 and a page with a greater LSN is
found then an out of order write error must have occurred. In this
regard, there are four major types of page corruptions that can
effect the operation of a DBFS (in addition to other sources such
as bugs, etc.), and these four types include torn pages, media
decay, hardware failure, and out-of-order writes. Torn pages occur
when a page of data is not correctly written atomically, and thus
any part of the page may be corrupted because during a write only
some of the sectors of a page make it to disk before the failure
event, for example, a power failure or a sector write failure.
Media decay occurs when a data pages bits have been corrupted by
physical media decay. A hardware failure could arise for a variety
of reasons related to the bus, the controller, or the hard disk
device. As for out-of-order write, these errors stem from the fact
that IDE drives cannot guarantee the order of writes to the disk,
especially the IDE drive has write-caching enabled (turned on), and
thus it is possible that writes to the data store may occur out of
order. If a partial series of out of order writes occur but are
interrupted by a power failure, for example, then several errors
may occur, such as the data page being written to disk before the
associated log entry being written for example. While out-of-order
errors can be detected by checking the log sequence numbers (LSN)
on data pages, there is no easy way to do this short of reading
every page.
Page Classes
[0036] For purposes of the present invention, all pages are
classified according to one of the following classes of pages:
[0037] Data pages: a data page is considered to be any page that
has user data on it, which includes clustered index leaf pages.
[0038] Index pages: these pages contain just index information, and
they include both non-clustered index pages as well as non-leaf
pages of a clustered index. [0039] System pages: these pages
include the GAM, SGAM, and Boot pages, and the DRS may attempt page
level restore on these pages even though DRS may have no specific
restoration support for these pages; in any event, if page level
restoration fails then the DRS attempts an emergency repair
(discussed later herein). [0040] Unrecoverable pages: the PFS (Page
Free Space) page or pages from the five system tables
(Sysrowsetcolumns, Sysrowsets, Sysallocunits, Syshobtcolumns,
Syshobts) comprise this class of pages, and DRS would restore the
entire database in this case. [0041] Log Pages: these are pages
that belong to the transaction log, and the DRS will attempt an
emergency repair when they are corrupted (discussed later herein).
Corruption Categories
[0042] For several embodiments of the present invention, the DRS is
designed to resolve three distinct categories of data page
corruptions defined by when the corruption is detected, the three
categories comprising: (1) during database attach; (2) during
normal online operations; and (3) during transaction rollback.
[0043] Database Attach Corruption Detection:
[0044] FIG. 3A is a block diagram illustrating the attachment of
data stores by a database FPM to a DBFS. FIG. 3B is a flow chart
illustrating the process by which corrupted pages are detected and
corrected during a database attach operation. In general, a
database file property manager (DBFPM) 302 manages the attaching
and detaching of DBFS stores 304, 306, and 308. At step 352, when a
DBFPM 302 attaches a store, e.g., DBFS store 304, SQL runs crash
recovery at step 354 to determine at step 356 if there are any
active transactions 324 at the time of the crash in the transaction
log 314 (e.g. any incomplete transactions) and, if so, then SQL, at
step 358, performs crash recovery of the database before
continuing. During crash recovery SQL will normally (a) analyze the
transaction log after the last checkpoint, (b) redo any operations
in the log that it does not find written to disk, and (c) undo any
transactions that have not completed. If there are no errors during
recovery discovered at step 360, then the database is successfully
attached at step 362. However, if an error is discovered at step
360 during crash recovery, SQL will fail the database attach at
step 364.
[0045] This "database attach" scenario is important because it is
invoked every time a store is attached. Stores are attached every
time an operating system (e.g., the Window operating system) starts
as well as every time external drives (e.g., Firewire, USB, etc.)
are attached or detached from the computer. Database attach
scenarios invoke crash recovery and thus the detection of torn
pages (incomplete writes), and thus it is desirable for the DRS to
handle this case because of the potential for a user to physically
remove hardware.
[0046] However, when utilizing a DSR in accordance with various
embodiments of the present invention, the behavior is slightly
different as illustrated by the flowchart of FIG. 4A. First, at
step 402, the DBFPM attaches the DBFS databases and, at step 404,
SQL runs crash recovery and, at step 408, attempts to bring the
database on line. If the database attaches without error from crash
recovery at step 410, SQL will return success and the database will
be attached (online) at step 452. However, if there are errors, the
DRS, at step 412, will evaluate the database to determine if the
database is transactionally consistent.
[0047] A database is inconsistent only if it has experienced a
failure during a transaction rollback, that is, a physical or
logical undo error--or if an unknown error occurred during crash
recovery. If the database is transactionally consistent at step
412, the DRS, at step 414, will delay repairs until the recovery
operation is complete--in other words, the DRS will declare the
state of the database as consistent for the database attach (a
"success") and then waits to begin repairs for the detected
corruptions after the recovery is complete and the database is
attached at step 452 in order to avoid any conflict with crash
recovery.
[0048] Once the recovery is complete and the attach is successful
at step 452, at step 478 if there were delayed repairs then, at
step 480 DRS will begin the repairs and, at step 482, first attempt
to invoke page level restoration for the corruption. If the page
level restore fails or is not possible at step 484, then, at step
486, the DRS will ascertain whether it is due to a failure of an
Index page and, if so, DRS will rebuild the index at step 488. On
the other hand, if the error is in a data page at step 490, then
DRS will attempt data page recovery at step 492. However, if the
DRS determines that the database is inconsistent or has an
unknown/unsupported error at step 490, the DRS will immediately
take the database off line (thereby ending the recovery operation)
and mark the database as "suspect" at step 494 and then, at step
496, attempt an emergency repair.
[0049] FIG. 4B is a table illustrating the errors handled by the
DRS during database attachment.
[0050] Online Operation Corruption Detection:
[0051] FIG. 5A is a flowchart illustrating the utilization of a DRS
in a online operations where the query engine encounters an error
for various embodiments of the present invention. This scenario is
during normal run time use of the DBFS, such as when an end-user is
using the operating system shell to execute a moderately complex
query against the DBFS and, during the execution of that query, the
query engine reports an error. In these online operation situations
when an error occurs the DRS, at step 502, aborts the transaction
to attempt to fix the error. The DRS, at step 504, will first
attempt page level restoration. However, if the page level
restoration is unavailable or fails at step 506, then DRS will
determine the type of page is failing at step 508. At step 510, if
it is a failure of an Index page, then DRS will attempt an index
recovery at step 512. If the failure is a data page at step 514,
then the DRS will attempt a data page recovery at step 516. If the
failure is due to a system or log page error at step 518, the DRS
will attempt an emergency repair at step 520. If the failure is an
unrecoverable error (5 system tables, or PFS page) back at step
518, then the DFS will either automatically restore the entire
database at step 522 or, alternately, prompt the end-user to
restore the entire database.
[0052] FIG. 5B is a table illustrating the errors handled by the
DRS during online operations.
[0053] Transaction Rollback Corruption Detection:
[0054] If an error occurs during transaction rollback, the DRS will
take the database off-line, mark it suspect, and restart the
database in order to invoke crash recovery. The process will then
re-invoke the method for crash recovery corruption detection
disclosed earlier herein.
Recovery Techniques
[0055] As well-known and readily appreciated by those of skill in
the art, transactional consistency pertains to displaying (or
making available) only committed data, as well as committing
(writing to the persistent store and logging the transaction) only
correct data. In this regard, a database is transactionally
consistent as long as all redo and undo requests during crash
recovery are honored. Thus many types of corruption can be present
in data and index pages but yet still be transactionally
consistent.
[0056] Various embodiments of the present invention recognize that
it is often undesireable to perform many of these transactions
on-line and, therefore, these embodiments attempt to perform all
repairs while the database is off-line.
[0057] When a SQL error occurs the DRS will only receive the page
id and the database id. From that information, the DRS will
interrogate the page to figure out exactly what type of page it is.
These embodiments have a recovery mechanisms for data page and
index corruption where the DRS attempts to recover the DBFS items
lost due to that corruption. However there are many other types of
pages that may be lost in the database including GAM, SGAM, PFS,
Boot page, and others. While typical DBFSs do not have a specific
backup and recovery mechanisms for these types of pages, the DRS
will attempt to invoke page level restoration.
[0058] For a page has been corrupted, the DRS will attempt a page
level restoration. Page level restoration will be silent because we
can guarantee to the user that we will lose any data that has not
been committed. The same technique will be applied to pages from
any table, and the method does not change regardless of the type of
page or table being restored. Page level restoration may only occur
if the page exists in the most recent snapshot. Also a valid
transaction log must be available. If the page is not in the most
recent snapshot then we must recover the page using item level
restore techniques known and appreciated by those of skill in the
art (such as a restore from backup operation).
[0059] If the page does exist in the most recent snapshot and there
is a valid transaction log then the DRS will perform the following
actions to restore the page, as illustrated by FIG. 6: (1) at step
602, determine the PageID of the page corrupted; (2) at step 604,
find and copy the corrupted page from the most recent snapshot of
DBFS store; (3) at step 606, apply the on-disk transaction log to
the page by rolling forward the transactions that apply to that
page; (4) at step 608, apply the restored page to the on-line
database; and (5) if there are deferred transactions for the page
being restored at step 610, then we will have to restart the
database at step 612 (so that crash recovery is run and clears the
deferred transactions), otherwise operations continue at step
614.
[0060] In regard to the aforementioned snapshot, VSS (Volume
Shadowcopy Service) provides a way for maintaining point in time
snapshots of certain volumes (e.g., NTFS volumes) as will be
appreciated by those of skill in the art. The VSS snapshots
maintain the shadow copy of a volume by using copy on write, that
is, whenever a disk page is modified, the pre-image of that page is
written to a snapshot storage area of the most recent snapshot.
When TimeWarp is enabled on a machine--which may be the default for
certain DBFSs and their corresponding operating systems--snapshots
are taken at a default rate of twice a day and a maximum of 63
snapshots are maintained. To make use of pre-images stored in the
snapshot, a log is maintained from the time the snapshot was taken
to the current time, and log truncation happens only at TimeWarp
snapshot time so that at all times there is a log from the last
snapshot available. In case there is a page corruption and the page
is available in the latest snapshot, the log can be re-played from
the snapshot to the current point on that page to restore it.
[0061] During TimeWarp snapshots, the DBFS store on the snapshot is
recovered. This makes page level restore impossible for pages that
have been touched by recovery of the snapshot database. To get
around this problem, a SQL Server viewpoint is taken on the
database on the snapshot volume and then the database is
recovered--that is, the DRS has an unrecovered viewpoint on the
database in the snapshot volume and pages in that viewpoint can
always be used for a page level restore.
[0062] For a system, log, or unknown page repair--that is, if a log
corruption occurs or if there are failures that the DRS cannot
correct (e.g. data or index), then DRS will present the user with
the following options: (a) to restore the entire database (store);
or (b) to recover the database in emergency mode.
[0063] To repair the database in emergency mode, it is first
important to recognize the new ability of DBCC to recover from a
corrupt-transaction log and unrecoverable database situations.
Then, if the database cannot be recovered and there is no usable
backup, the following set of actions, illustrated in FIG. 7, will
bring the database back online for certain DRS embodiments of the
present invention: (a) at step 702, set the database to emergency
mode; (b) at step 704, run `DBCC CHECKDB (database, REPAIR.sub.13
ALLOW_DATA_LOSS)` which has special meaning in emergency mode that
(i) forces database recovery to proceed past errors (getting as
much data as possible from the log but leaving a transactionally
inconsistent database), (ii) throws away the corrupt log files and
creates new ones, (iii) runs full database repair to bring the
database to a structurally consistent state (an `atomic`, one-way
operation that cannot be rolled-back or undone, and which is the
only possible way of recovering the database in such a situation
without manually editing files; and (c) now that the database is
physically consistent, the DSR runs the CC on the entire store at
step 706. The successful execution of these steps should guarantee
that the data (the items in an item-based DBFS) will be consistent,
but it may mean that certain applications will be transactionally
inconsistent.
[0064] There are two types of index pages: non-clustered pages and
clustered non-leaf pages. Index pages with data (clustered index
leaf pages) are considered data pages. With this in mind, for
recoverable indexes failures the DRS attempts to repair the index
using offline index rebuild (where the database will be online
during this repair, while just the index will be off line). If the
repair fails the DRS drops the index and attempts to re-create the
index. Then, if that also fails, the DRS will drop the index
altogether or, alternately, disable the index and attempt to
rebuild again at a later time (and perhaps doing so indefinitely
until successful).
[0065] For data page recovery, if the DRS receives one of the
handled errors and determines that the page is a data page then it
will attempt a recovery. This can occur during any state of SQL
server operation (DB attach, online operation, and rollback). As
illustrated in FIG. 8, if the DRS detects a data page error at step
802 then, after attempting a page level restoration at step 804
that fails at step 806, the DRS will: (a) at step 808 determine the
type of page corrupted by receiving a PageID of the corrupted page
and determining the type of page as previously discussed (and given
a data page corruption, the DRS does not have to address other
transactions attempting to access the page); (b) at step 810 get
the range of lost ItemIDs (start a Tx, run DBCC CHECKTable (table,
REPAIR_ALLOW_DATA_LOSS) which returns all index keys from
non-clustered index that don't match the clustered keys, and the
non clustered index keys, contain the ItemIDs so the DRS can
extract those and write those to an internal table; and (c) at step
812, pass the list of ItemIDs & table names to WCC (where the
WCC repairs those ItemIDs (and checks the rest of the store) to
ensure that DBFS is consistent, and commits Tx to allow the DRS to
abort and retry these recoveries. If there is a set of corrupted
pages, the DRS then figures out all the ItemIDs from all the
corrupted pages before handing them off for further processing
(such as by restoring said paged from a backup).
[0066] Since the DRS can guarantee that if page level restores
works no user data will be lost, the DRS need only nominally inform
the user since the user will most likely just notice a slower
response than expected while page level restoration is occurring.
In certain embodiments, the user will not receive any notification
(since this will take seconds at most); however, for other
alternative embodiments, the DRS will make an "event" log entry to
capture the fact that the DRS restored a page. In the worst case
scenario where there is an active transaction outstanding against
the page to be restored, the database will have to be detached and
restarted (so as to run crash recovery), and thus all the
connections to the database will be terminated. Applications should
already be designed with this possibility in mind; however this
could cause badly designed applications to "hang." Thus certain
embodiments of the present invention provide user notification of
the circumstances that may lead to just such an event in order to
allow the user to close all such applications in an effort to avoid
this undesirable outcome.
Sample End-User Experiences
[0067] To illustrate the operation of the DRS, here follows a
handful of situations that generally characterize the user
experience as well as what the DRS is doing user-unseen:
[0068] Index Corruption:
[0069] Abbey is performing a WinFS query to find all the documents
she's modified in the last week. During this query WinFS notices
that it takes a little longer than usual. In fact some of her
subsequent queries are also a little slow. She then notices a small
balloon on her task bar. This balloon reports that a reliability
issue has been found on her machine and please be patience while
Windows repairs the errors. After a short while, another balloon
appears and notifying Abbey that the index was successfully
rebuilt. Abbey is pleased when she notices that her computer seems
to perform better now.
[0070] Behind the scenes the DRS detected and repaired an index
corruption. It took the index off-line (hence the slower
performance), rebuilt it, and then put the index back on line.
[0071] Torn-Page Write:
[0072] During a lightning storm Toby is writing a essay on Adam
Smith for a homework assignment and saving regularly. About 90% of
the way through the essay Toby's entire home loses power. Toby
isn't running on a laptop and doesn't have a battery backup.
Luckily for Toby power comes on again in about 30 minutes. Toby
logs on to the computer and attempts to open his essay. He
scratches his head as it seems to take a little longer than
usual.
[0073] Behind the scenes what has happened is that Toby's essay
document item was corrupted because of a torn page write by his
hard disk drive when the power was lost. When the DBFS restarted,
the DRS detected this data page corruption and attempted a recovery
of the data. The DRS automatically attempted to restore the data
page from the automatic snapshot. Because Toby had been saving his
work regularly there was a copy of the essay in the most recent
snapshot. Therefore, the DBFS was able to restore the corrupted
pages automatically.
[0074] Bit Rot and Sector Corruption:
[0075] Susan loves her digital camera so far she has taken over
5800 photo's of her children in the last 2 years. Of these 5800
she's kept over 3000 pictures in WinFS on her computer.
Unfortunately for Susan her hard disk drive holding these precious
photos has corrupted a small number of sectors on the disk. These
corrupted sectors have now corrupted ten of Susan's pictures. When
Susan attempts to view these pictures she gets an error from the
operating system shell and is prompted to restore these pictures
from backup. Susan follows the prompts, finds her backup media (a
zip drive) and then restores the items from disk.
[0076] Behind the scenes the DBFS is attempting a page level
restore. However because these pictures have not been modified
(ever) they are not in the most recent snapshot, and thus prompting
Susan to put in her backups (for just those items) is necessary for
this particular embodiment.
Conclusion
[0077] The various system, methods, and techniques described herein
may be implemented with hardware or software or, where appropriate,
with a combination of both. Thus, the methods and apparatus of the
present invention, or certain aspects or portions thereof, may take
the form of program code (i.e., instructions) embodied in tangible
media, such as floppy diskettes, CD-ROMs, hard drives, or any other
machine-readable storage medium, wherein, when the program code is
loaded into and executed by a machine, such as a computer, the
machine becomes an apparatus for practicing the invention. In the
case of program code execution on programmable computers, the
computer will generally include a processor, a storage medium
readable by the processor (including volatile and non-volatile
memory and/or storage elements), at least one input device, and at
least one output device. One or more programs are preferably
implemented in a high level procedural or object oriented
programming language to communicate with a computer system.
However, the program(s) can be implemented in assembly or machine
language, if desired. In any case, the language may be a compiled
or interpreted language, and combined with hardware
implementations.
[0078] The methods and apparatus of the present invention may also
be embodied in the form of program code that is transmitted over
some transmission medium, such as over electrical wiring or
cabling, through fiber optics, or via any other form of
transmission, wherein, when the program code is received and loaded
into and executed by a machine, such as an EPROM, a gate array, a
programmable logic device (PLD), a client computer, a video
recorder or the like, the machine becomes an apparatus for
practicing the invention. When implemented on a general-purpose
processor, the program code combines with the processor to provide
a unique apparatus that operates to perform the indexing
functionality of the present invention.
[0079] While the present invention has been described in connection
with the preferred embodiments of the various figures, it is to be
understood that other similar embodiments may be used or
modifications and additions may be made to the described embodiment
for performing the same function of the present invention without
deviating there from. For example, while exemplary embodiments of
the invention are described in the context of digital devices
emulating the functionality of personal computers, one skilled in
the art will recognize that the present invention is not limited to
such digital devices, as described in the present application may
apply to any number of existing or emerging computing devices or
environments, such as a gaming console, handheld computer, portable
computer, etc. whether wired or wireless, and may be applied to any
number of such computing devices connected via a communications
network, and interacting across the network. Furthermore, it should
be emphasized that a variety of computer platforms, including
handheld device operating systems and other application specific
hardware/software interface systems, are herein contemplated,
especially as the number of wireless networked devices continues to
proliferate. Therefore, the present invention should not be limited
to any single embodiment, but rather construed in breadth and scope
in accordance with the appended claims.
* * * * *