Heisenbugs: A Probabilistic Approach to Availability Heisenbugs: A Probabilistic Approach to...
-
Upload
alyssa-kelley -
Category
Documents
-
view
214 -
download
1
Transcript of Heisenbugs: A Probabilistic Approach to Availability Heisenbugs: A Probabilistic Approach to...
Heisenbugs:Heisenbugs: A Probabilistic Approach to AvailabilityA Probabilistic Approach to Availability
Jim Gray Microsoft Researchhttp://research.microsoft.com/~gray/Talks/
½ the slides are not shown (are hidden, so view with PPT to see them all
Outline• Terminology and empirical measures
• General methods to mask faults.• Software-fault tolerance
• Summary
Heisenbugs:Heisenbugs: A Probabilistic Approach to AvailabilityA Probabilistic Approach to AvailabilityThere is considerable evidence that (1) production systems have about one bug per thousand lines of code (2) these bugs manifest themselves in stochastically: failures are due to confluence of rare events, (3) system mean-time-to-failure has a lower bound of a decade or so. To make highly available systems, architects must tolerate these failures by providing instant repair (un-availability is approximated by repair_time/time_to_fail so cutting the repair time in half makes things twice as good. Ultimately, one builds a set of standby servers which have both design diversity and geographic diversity. This minimizes common-mode failures.
Dependability: The 3 ITIES
• Reliability / Integrity: does the right thing. (Also large MTTF)
• Availability: does it now. (Also small MTTR
MTTF+MTTRSystem Availability:if 90% of terminals up & 99% of DB up?
(=>89% of transactions are serviced on time).
• Holistic vs. Reductionist view
SecurityIntegrityReliability
Availability
High Availability System ClassesGoal: Build Class 6 Systems
System Type
Unmanaged
Managed
Well Managed
Fault Tolerant
High-Availability
Very-High-Availability
Ultra-Availability
Unavailable(min/year)
50,000
5,000
500
50
5
.5
.05
Availability
90.%
99.%
99.9%
99.99%
99.999%
99.9999%
99.99999%
AvailabilityClass
1234567
UnAvailability = MTTR/MTBFcan cut it in ½ by cutting MTTR or MTBF
Demo: looking at some nodes• Look at http://httpmonitor/• Internet Node availability:
92% mean, 97% median
Darrell Long (UCSC) ftp://ftp.cse.ucsc.edu/pub/tr/– ucsc-crl-90-46.ps.Z "A Study of the Reliability of Internet Sites" – ucsc-crl-91-06.ps.Z "Estimating the Reliability of Hosts Using
the Internet" – ucsc-crl-93-40.ps.Z "A Study of the Reliability of Hosts on the
Internet" – ucsc-crl-95-16.ps.Z "A Longitudinal Survey of Internet Host
Reliability"
Sources of FailuresMTTF MTTR
Power Failure: 2000 hr 1 hr
Phone LinesSoft >.1 hr .1 hrHard 4000 hr 10 hr
Hardware Modules: 100,000hr 10hr (many are transient)
Software:1 Bug/1000 Lines Of Code (after vendor-user testing)
=> Thousands of bugs in System! Most software failures are transient: dump & restart system.
Useful fact: 8,760 hrs/year ~ 10k hr/year
Case Studies - Tandem Trends Reported MTTF by Component
0
50
100
150
200
250
300
350
400
450
1985 1987 1989
software
hardware
maintenance
operations
environment
total
Mean Time to System Failure (years) by Cause
1985 1987 1990SOFTWARE 2 53 33 YearsHARDWARE 29 91 310 YearsMAINTENANCE 45 162 409 YearsOPERATIONS 99 171 136 YearsENVIRONMENT 142 214 346 Years
SYSTEM 8 20 21 YearsProblem: Systematic Under-reporting
Many Software Faults are SoftAfter Design Review
Code InspectionAlpha TestBeta Test10k Hrs Of Gamma Test (Production)
Most Software Faults Are TransientMVS Functional Recovery Routines 5:1Tandem Spooler 100:1Adams >100:1
Terminology:Heisenbug:Heisenbug: Works On RetryBohrbug:Bohrbug: Faults Again On Retry
Adams: "Optimizing Preventative Service of Software Products", IBM J R&D,28.1,1984Gray: "Why Do Computers Stop", Tandem TR85.7, 1985Mourad: "The Reliability of the IBM/XA Operating System", 15 ISFTCS, 1985.
Summary of FT Studies• Current Situation: ~4-year MTTF =>
Fault Tolerance Works.• Hardware is GREAT (maintenance and MTTF).• Software masks most hardware faults.• Many hidden software outages in operations:
– New Software.– Utilities.
• Must make all software ONLINE.• Software seems to define a 30-year MTTF ceiling.
• Reasonable Goal: 100-year MTTF. class 4 today => class 6 tomorrow.
Fault Tolerance vs Disaster Tolerance
• Fault-Tolerance: mask local faults– RAID disks– Uninterruptible Power Supplies– Cluster Failover
• Disaster Tolerance: masks site failures– Protects against fire, flood, sabotage,..– Redundant system and service at remote site.– Use design diversity
Outline
• Terminology and empirical measures
• General methods to mask faults.• Software-fault tolerance
• Summary
Fault Tolerance Techniques• FAIL FAST MODULES: work or stop• SPARE MODULES : instant repair time.• INDEPENDENT MODULE FAILS by design
MTTFPair ~ MTTF2/ MTTR (so want tiny MTTR) • MESSAGE BASED OS: Fault Isolation
software has no shared memory.
• SESSION-ORIENTED COMM: Reliable messagesdetect lost/duplicate messagescoordinate messages with commit
• PROCESS PAIRS :Mask Hardware & Software Faults• TRANSACTIONS: give A.C.I.D. (simple fault model)
Example: the FT Bank
Modularity & Repair are KEY: vonNeumann needed 20,000x redundancy in wires and switches
We use 2x redundancy.Redundant hardware can support peak loads (so not redundant)
Fault Tolerant Computer Backup System
System MTTF >10 YEAR (except for power & terminals)
Fail-Fast is Good, Repair is Needed
Improving either MTTR or MTTF gives benefitSimple redundancy does not help much.
Fault Detect
Repair
Return
Lifecycle of a moduleLifecycle of a modulefail-fast gives fail-fast gives short fault latencyshort fault latency
High Availability High Availability
is low UN-Availabilityis low UN-Availability
Unavailability Unavailability MTTRMTTR MTTFMTTF
Outline
• Terminology and empirical measures
• General methods to mask faults.
• Software-fault tolerance• Summary
Key Idea Architecture Hardware Faults Software Masks Environmental Faults Distribution Maintenance • Software automates / eliminates operators So, • In the limit there are only software & design faults.
Software-fault tolerance is the key to dependability.
INVENT IT!
} { }{
Software Techniques: Learning from Hardware
Recall that most outages are not hardware. Most outages in Fault Tolerant Systems are SOFTWAREFault Avoidance Techniques: Good & Correct design.After that: Software Fault Tolerance Techniques:
Modularity (isolation, fault containment) Design diversity N-Version Programming: N-different implementations Defensive Programming: Check parameters and data Auditors: Check data structures in backgroundTransactions: to clean up state after a failure
Paradox: Need Fail-Fast Software
Fail-Fast and High-Availability ExecutionSoftware N-Plexing: Design Diversity
N-Version ProgrammingWrite the same program N-Times (N > 3)Compare outputs of all programs and take majority vote
Process Pairs: Instant restart (repair)Use Defensive programming to make a process fail-fastHave restarted process ready in separate environment Second process “takes over” if primary faultsTransaction mechanism can clean up distributed state
if takeover in middle of computation.SESSION
PRIMARYPROCESS
BACKUPPROCESS
STATEINFORMATION
LOGICAL PROCESS = PROCESS PAIR
What Is MTTF of N-Version Program?First fails after MTTF/NSecond fails after MTTF/(N-1),...
so MTTF(1/N + 1/(N-1) + ... + 1/2)harmonic series goes to infinity, but VERY slowly
for example 100-version programming gives ~4 MTTF of 1-version programming
Reduces variance
N-Version Programming Needs REPAIRIf a program fails, must reset its state from other programs.=> programs have common data/state representation.How does this work for Database Systems?
Operating Systems?Network Systems?
Answer: I don’t know.
Why Process Pairs Mask Faults:Many Software Faults are Soft
After Design Review
Code InspectionAlpha TestBeta Test10k Hrs Of Gamma Test (Production)
Most Software Faults Are TransientMVS Functional Recovery Routines 5:1Tandem Spooler 100:1Adams >100:1
Terminology:Heisenbug: Works On RetryBohrbug: Faults Again On Retry
Adams: "Optimizing Preventative Service of Software Products", IBM J R&D,28.1,1984Gray: "Why Do Computers Stop", Tandem TR85.7, 1985Mourad: "The Reliability of the IBM/XA Operating System", 15 ISFTCS, 1985.
Process Pair Repair StrategyIf software fault (bug) is a Bohrbug, then there is no repair
“wait for the next release” or “get an emergency bug fix” or“get a new vendor”
If software fault is a Heisenbug, then repair is
reboot and retry orswitch to backup process (instant restart)
PROCESS PAIRS Tolerate Hardware Faults
HeisenbugsRepair time is seconds, could be mili-seconds if time is criticalFlavors Of Process Pair: Lockstep
AutomaticState CheckpointingDelta CheckpointingPersistent
SESSIONPRIMARYPROCESS
BACKUPPROCESS
STATEINFORMATION
LOGICAL PROCESS = PROCESS PAIR
How Takeover Masks Failures
Server Resets At Takeover But What About Application State?
Database State?
Network State?
Answer: Use Transactions To Reset State!
Abort Transaction If Process Fails.
Keeps Network "Up"
Keeps System "Up"
Reprocesses Some Transactions On Failure
SESSIONPRIMARYPROCESS
BACKUPPROCESS
STATEINFORMATION
LOGICAL PROCESS = PROCESS PAIR
PROCESS PAIRS - SUMMARYTransactions Give Reliability
Process Pairs Give Availability
Process Pairs Are Expensive & Hard To Program
Transactions + Persistent Process Pairs
=> Fault Tolerant Sessions &Execution
When Tandem Converted To This Style
Saved 3x Messages
Saved 5x Message Bytes
Made Programming Easier
SYSTEM PAIRSFOR HIGH AVAILABILITY
Programs, Data, Processes Replicated at two sites.Pair looks like a single system.System becomes logical conceptLike Process Pairs: System Pairs.Backup receives transaction log (spooled if backup down).If primary fails or operator Switches, backup offers service.
Primary Backup
SYSTEM PAIR BENEFITSProtects against ENVIRONMENT: weather
utilitiessabotage
Protects against OPERATOR FAILURE: two sites, two sets of operators
Protects against MAINTENANCE OUTAGESwork on backupsoftware/hardware install/upgrade/move...
Protects against HARDWARE FAILURESbackup takes over
Protects against TRANSIENT SOFTWARE ERRORR
Allows design diversity
different sites have different software/hardware)
Key Idea Architecture Hardware Faults Software Masks Environmental Faults Distribution Maintenance • Software automates / eliminates operators So, • In the limit there are only software & design faults.
Many are Heisenbugs
Software-fault tolerance is the key to dependability.
INVENT IT!
} { }{
ReferencesAdams, E. (1984). “Optimizing Preventative Service of Software Products.” IBM Journal of
Research and Development. 28(1): 2-14.0Anderson, T. and B. Randell. (1979). Computing Systems Reliability. Garcia-Molina, H. and C. A. Polyzois. (1990). Issues in Disaster Recovery. 35th IEEE
Compcon 90. 573-577.Gray, J. (1986). Why Do Computers Stop and What Can We Do About It. 5th Symposium on
Reliability in Distributed Software and Database Systems. 3-12.Gray, J. (1990). “A Census of Tandem System Availability between 1985 and 1990.” IEEE
Transactions on Reliability. 39(4): 409-418.Gray, J. N., Reuter, A. (1993). Transaction Processing Concepts and Techniques. San Mateo,
Morgan Kaufmann.Lampson, B. W. (1981). Atomic Transactions. Distributed Systems -- Architecture and
Implementation: An Advanced Course. ACM, Springer-Verlag.Laprie, J. C. (1985). Dependable Computing and Fault Tolerance: Concepts and Terminology.
15’th FTCS. 2-11.Long, D.D., J. L. Carroll, and C.J. Park (1991). A study of the reliability of Internet sites. Proc
10’th Symposium on Reliable Distributed Systems, pp. 177-186, Pisa, September 1991.Darrell Long, Andrew Muir and Richard Golding, ``A Longitudinal Study of Internet Host
Reliability,'' Proceedings of the Symposium on Reliable Distributed Systems, Bad Neuenahr, Germany: IEEE, September 1995, pp. 2-9