Automatic recovery in a real-time, distributed, multiple microprocessor computer system by Anderson, Richard Lewis














Thesis Advisor: R, R. Schell
Approved for public release: distribution unlimited
T19703

SeCuniTV CUASSiriCATlON or this mnaz nvitan 0««a Enfru^)
REPORT DOCUMENTATION PAGE
I. RCPOMT NUMacn 2. OOVT ACCCUION NO.
4. TITLE end Subtlllui










1. WeCl^lCNT'S CATALOG MUMBER
* TY^e OF REPORT ft PERIOD COVERED
Master's Thesis:
December 1980
• . PERFORmMO ORG. REPORT NUMaSR
•. CONTRACT OR GRANT NLMSERC*)
10. PROGRAM ELEMENT. PROJECT TASKAREA * WORK UNIT NUMBERS '





<) NUMBC* OF PAGES
156




l«. DISTRISUTIOM STATEMENT To' "•<• Hoptt)
Approved for public release: distribution unlimited
17. DISTRIBUTION STATEMENT (ol itim mholrmct mttm^ In Block 20. II dlllmrmtt fron KoQCtt)
IS. SUPPLEMENTARY NOTES
IS. KEY WORDS (CoitUnum «• toworoo mido II nocooomy ltd Idmntilf *r UooM num^or)
Fault-tolerance, Automatic Recovery, Reinitialization,
Real-time, Kernel, Segmentation, Dynamic Relocation,
Dynamic Reconfiguration, Restart
20. ABSTRACT (Conllm— on r«r«ra« oldm II notoooatf mtd Id—Ullr kr M«eJr numkot)
This thesis presents an automatic recovery design that
supports the fault-tolerant performance of a real-time,
distributed, multiple microcomputer system. The recovery
mechanism is structured to maintain real-time processing
applications where a record of previous computations is not
required and data loss is tolerable during the period of
recovery. The automatic recovery technique employed is based
on system reinitialization in which the system is restored
DO /°Z, 1473 EDITION Of t MOV •• IS OBSOkire
S/N 010 3*014-6«01 I
SKCUniTV CLAMiriCATlON OF THIS PAOC (Whom Dmtm Kntorod)

to it*s original initialized state and then restarted. The
automatic recovery mechanism has been integrated with a
hierarchical, distributed operating system which supports a
multiprogramming environment, A distinct address space for
each system process, that is preserved by the hardware's
explicit memory segmentation, in conjunction with the
independent kernel and user domains of the operating system
are used to facilitate- dynamic relocation among identical
processor modules. The result is a flexible environment that
supports the dynamic reconfiguration of processors and








Approved for public release? distri'bution unlimited
Automatic Recovery in a Real-time, Distributed,
Multiple Microprocessor Computer System
by
Richard lewis Anderson
Lieutenant, United States Navy
B.S., United States Naval Academy, 1974
Submitted in partial fulfillment of the
requirements for the decree of







Tnis tnesis presents an automatic recovery design that
supports the fault-tolerant performance of a real-time,
distributed, multiple microcomputer system. The recovery
mechanism is stuctured to maintain real-time processing
applications where a record of previous computations is not
required and data loss is toleral)le during the period of
recovery. The automatic recovery technique employed is based
on system reinitialization in which the system is restored
to it's original initialized state and then restarted. T^^e
automatic recovery mechanism has been integrated with a
hierarchical, distributed operating system which supports a
mult ipro!?ramming" environment. A distinct address space for
each system process, that is preserved by the hardware's
explicit memory segmentation, in conjunction with the
independent kernel and user domains of the operating system
are used to facilitate dynamic relocation amon?: identical
processor modules. The result is a flexible environment that
supports the dynamic reconfiguration of processors and






A. FAULT TOLERANCE 11




4. Graceful Degradation 17
5. Safe Sflutdown 16
C. MOTIVATION 19
E. OBJECTIVES 2Z
E. THESIS STRUCTURE 24
II. SYSTEM STRUCTURE 25




2. The Supervisor 27
3. Real-time Processing 28
B. HARDWARE 29
1. Selection 29
2. The 8e86 Microprocessor 29
3. The iSBC 86/12A Single Board Microcomputer. . 31
4. Intel MDS Development System 31
a . Hardware 32

b. Software Utilities 32
c. The iSEC 957A-iSBC e6/12A Interface 35
III. SYSTEM INITIALIZATION 41
A. DESIGN 41
B. SYSTEM GENERATION TIMS 43
C. BOOTLOAD TIMS 45
1. System Activation 47
2. The |ROM-resident Bootload Proffram 50
3. Bootstrap Program Loading 55
4. Bootstrap Program Execution 58
D. RUN TIME 66
1. Tbe Kernel Interface 66
2. The Run-time Loader 69
IV. AUTOMATIC RECOVERY DESIGN 70
A. DESIGN OVERVIEW 7e
B. RECOVERY INTERFACE..'. 74
1. T^e Error Routine 75
a. The Configuration Table 77
b. The Load CPU 82
2. Recovery Activation 83
C. OPERATING SYSTEM REINITIALIZATION 84
1. Tne Bootstrap Program 65
a. Kernel Reinitialization 85
b. Configuration Table Reini tialization. . . .87
2. Kernel Interface 88




2. Dynamic Relocation 93
a. The Compact Compiler Optior. 93
b. Tne Prologue 94
c. The Process Definition Table 97
d. Tne Global Active Segment Table lei
e. The Local Active Segment Table 104
3. The Kernel Loader Process lee
a. The Load CPU 107
b. Swap-in 109
c. Create -process 112
E. RESTART 113
F. APPLICATION PROCESS STRUCTURE 113
1. The Entry Point 115
2. External Variables 116
V. CONCLUSIONS 117
A. SUMMARY OF RESULTS 117
B. FOLLOW ON VORK 118
APPENDIX A: SYSTEM INITIALIZATION IMPLEMENTATION 120
APPENDIX B: BOOTLOAD PROGRAM LISTING 126
APPENDIX C: BOOTSTRAP PROGRAM LISTING 136
APPDNDIX D: KERNEL LOADER LISTING 150
LIST OF REFERENCES 152
INITIAL DISTRIBUTION LIST 155

LIST OF FIGURES
II-l MDS Hardware Configuration 33
II-2 Proposed System Confi^uraton 40
III-l Initialization Sequence 42
III-2 Non-masJcable Interrupt Wiring 48
III-3 Tfie CPU Table 52
III-4 Kernel Initialization Sequence 67
IV-1 Initialization and Recovery Sequence 72
IV-2 Automatic Recovery Sequence 76
17-3 Tne Configuration Table 80
17-4 Start Assembly lansua^e Program 96
17-5 Tfte Process Definition Table 98
17-6 The Global Active Segment Table 102
17-7 Tte Local Active Segment Table 105
A-1 Simulated Kernel Listing , 123
B-1 MES Connected Bootload Program 126
B-2 Non-MDS Connected Bootload Program 131

ACKNOWLEDGEMENT
I would lils.e to acknowledge and tJian^fe my tresis advisor
It. Col. Roger R. Schell for his encouragement and guidance
in this thesis research. His advice and suggestions often
provided the needed incentive required to overcome difficult
o^bstacles.
I would like to thank Professor Tien ?. Tao and the
students and staff of the Naval Postgraduate School Solid
State Laboratory. Their assistance in hardware-related areas
was invaluable during my research effort.
A special note of appreciation goes to my wife Marianne





Automatic fault recovery is the alJility of a computing
system to continue its specified logical performance after
isolating failed physical components. This thesis presents a
simple recovery technique that incorporates system
reinitialization in a real-time, distri"buted multiple
microcomputer environment. The automatic recovery mechanism
is designed specifically to support image processing
applications where a record of previous computation is not
required. The recovery mechanism uses a dynamic relocation
algorithm as a means of reconfiguring the system as
reinitialization from a standard initialization state is
performed
.
The automatic recovery system mechanism, developed "by
this thesis, is designed for a class of real-time systems in
which the loss of a segment of data is tolerable. Because
the loss of previous computations are not a dominant factor
for recovery in this type of system, automatic fault
recovery is simply a task of reinitializing the system and
continuing execution.
This thesis uses a flexible initialization mechanism
designed "by Ross [20] as the basis for an automatic fault
recovery scheme based on system reinitialization. The
reinitialization algorithm establishes a defined system
10

state (in particular that of the original initialization),
with a different physical configuration. After
reconfiguration, to eliminate faulty components, the
reinitializaton mechanism allows the system to continue the
performance of its logical prescriljed tasks in a normal
manner.
A. FAUIT TOLERANCE
Automatic system recovery is part of a "broader area
entitled fault-tolerance. Although this thesis deals
primarily with the concept of system recovery it is
necessary to "briefly identify and define the other areas
tbat are Included under the notion of fault-tolerance. By
presenting a picture (or a model) of fault-tolerance, with
specific rules relating to individual system requirements, a
clear and concise reasoning can "be developed for automatic
system recovery.
Fault-tolerance is the architectural attritiute of a
computer system that allows the system to continue it's
specific logical tasks when the system's physical components
suffer various kinds of failures. A fault-tolerant loiric
machine is capable of returning from an error state to a
state of normal specific behavior thus assuring the survival
of the information processing activities. Fault-tolerance






Fault detection requires that the existence of a fault
"be realized. This is accomplished by a detection mechanism
that observes some symptoms of the machine that indicates an
error has occurred. Fault diasrnosis takes place once a fault
is detected. The error conditions are analyzed to isolate
the fault cause. Steps are then taken to limit the adverse
effects on the system and initiate the correct recovery
measures. Finally, fault recovery involves specific actions,
such as dynamic reconfiguration of the physical components,
to secure continued system operation in a normal state or
possibly a degraded mode depending on the recovery mechanism
implemented.
The presence of fault-tolerance features in a system is
a unique attribute. Durin? normal (fault-free) operation
fault-tolerance does not provide any performance advantages
and in a fault-free machine would be superfluous. With the
increase in technical knowledge, computing machines are
becoming larger and more complex. As fault-free devices are
not a reality the the necessity of fault-tolerance in a
computing system becomes more and more apparent. In the
fault prone-physical implementation, fault-tolerance is the






Recovery techniques are incorporated into systems in
order to cope with failures. A failure is an event at which
the system does not perform according to specifications.
Failures can have numerous causes, tut in a computing
system, most generally, are the result of either hardware,
software or user errors. In order to deal effectively with
failures additional components and algorithms must \5e added
to the system. These components and algorithms attempt to
ensure that faults , or occurrences of erroneous states,
result in limited damage to system computations. Ideally
they remove the faults and restore the system to a "correct"
state from which normal processing can continue. The
additional components and algorithms required in a system to
cope with failures are called recovery techniques or
mechanisms.
Numerous recovery techniques have "been developed, as
there are many iinds of failures. The particular recovery
mechanism employed in a computer system is dependent on the
type of hardware a system uses, the software and data
structures involved, system applications and many more
important individual system design characteristics.
Consideration as to the degree and priority of system
recovery is also necessary. Certain systems, such as missile
tracking computers, must perform real-time recovery
completely to a correct state , while a large data hase
13

machine migtit be required to recover to a previous correct
state thus only preserving the data in its files. In an
isolated environment, such as an unmanned spacecraft, system
recovery techniques mi<?ht involve graceful degradation. In
such a system, failed physical components and tne lack of
spares may require reconfiguration of the system in order
for computation to continue in a degraded mode. Recovery
mechanisms also encompass a decree of fault anticipation.
Such techniques involve continued recording of data
computations, or "checfcpointin^" , in order to have a recent
correct state to recover to. Often redundancy plays a large
role in recovery techniques where a system with a faulty
physical component will simply switch to an identical
component which is either performing in parallel or is a
haclcup spare. Many systems, such as nuclear reactor control
systems, use a recovery technique that involves Just a safe
shutdown once a serious fault has "been discovered.
No single recovery technique or series of recovery
techniques can cope with every possible fault. Many
different kinds of recovery procedures have "been developed,
each technique with its own particular advantages and
disadvantages, hut each enabling a system to deal
effectively with different kinds of failures in different
environments
.
The recovery techniques considered in the following
sections do not encompass all possible schemes of automatic
14

fault recovery and are by no means the only categorization
of recovery tnechanisms . Instead some of the more widely used
techniques are discussed and the kinds of recovery they
provide, as related to real-time systems, are briefly
described.
1. Backup
Automatic fault recovery incorporating a backup
technique is designed to return the system to a previors
(presumably correct) state once a fault is detected and
diagnosed. To accomplish this task the state of the system
is periodically recorded. This recording or "check pointing"
provides the most recent correct state of the system and
establishes a point from which the system can be restarted
and be expected to function normally if all faults have been
corrected.
In real-time systems where execution times are
critical backup recovery provides a minimum restoration
period when program functions are dependent on previous data
computations. Additionally checkpointing, in conjunction
with a backup recovery mechanism, is applicable in systems
where data loss can not be tolerated. Depending on the
extent of checkpointing, a copy of critical data can be
continually maintained on auxilary storage and restored if





Reinitialization recovery mecnanisms are salvation
programs [25j that restore the system to a valid state? that
of the initialized system immediately prior to its original
execution. Reinitialization recovery basically performs
bacfeup recovery to a permanently recorded system state (that
of the initial system) without any facility for
cfceckpointinff. Because no data recording is done
reinitialization techniques do not provide for the recovery
of data other than that provided during system
initialization.
Real-time systems that can tolerate intermittant
losses of data are best suited for the recovery technique of
reinitialization. Data loss in such a system becomes simply
a function of the time required for reinitialization. In
applications such as image processing the data loss is
tolerable due to large amounts of relatively similar input
information and the acceptable disruption in processing due
to occasional faults [19]
.
o. Redundancy
Redundant recovery techniques employ multiple
components or modules, to perform the identical task in
parallel. The recovery mechanism Is initiated if a
disagreement occurs between modules at the end of task
computation. There are several basic approaches to redundant
fault recovery, but all methods essentially involve the"
16

sutjstitlution of a faulty module with one that functions
properly. Hybrid redundancy [19] is a form of redundant
recovery that involves a majority vote of the outputs of
several modules. Disagreeing modules are replaced with
spares (under control of agreeing modules) automatically. A
similar approach termed duplex recovery [19] involves the
comparison of the outputs of only two modules. If
disagreement occurs diagnostic routines identify the faulty
unit and it is replaced or disabled.
The majority of real-time systems developed in the
past, and especially those which operate in an isolated
environment (no human maintainance available) have employed
redundancy to some degree. Redundant systms provide the time
response required for time-critical functions and because of
their parallel computations data loss is usually not a
result. The disadvantages to redundant recovery systems is
realized in the overhead required to run identical multiple
systems. With the increase in technical knowledge, real-time
systems are becoming larger and more complex. The additional
effort and expense required to incorporate automatic
redundant fault recovery techniques is often not desirable.
4. Graceful Degradation
Graceful degradation, or degraded recovery, returns
the system to a fault-free state, but with a reduced
computing capacity [l] . Graceful degradation often involves
backup recovery or reinitialization to restore the system,
17

but faulty components are not replaced.
P.eal-time systems, operating in an isolated
environment, often employ a form of degraded recovery if
spares are not available or have been depleted. This form of
recovery, involving reconfiguration of system components,
allows a system to continue performing it's normal logical
tasks, but usually at a reduced rate. Recovery using
graceful degradation can result in the loss of data if the
nonreplaceable component is some form of memory.
5. Safe Shutdown
Safe shutdown is the limiting case of graceful
degradation [ij . It is carried out when the system computing
capacity falls below a minimum acceptable threshold. This
form of "recovery" is a fail-safe method that is employed
usually as a last resort. Safe shutdown allows a system to
be halted before it causes severe damage to components or
data and in some cases Jeopardizes human life.
The use of a safe shutdown scheme in a real-time
system does not provide any significant advantages other
than the avoidance of catastrophic consequences in a
critical computing situation. Military weapons systems
controlled by a real-time system would be an instance where




Tne Solid State Laboratory at the Naval Postgraduate
School is presently conducting research in the area of image
processing. Under the direction of Professor T.P. Tao,
research and development of "smart sensors" for missile
guidance, radar, satellite surveillance and other image
processing applications [22] is progressing. The smart
sensor platform will require on-hoard data processing of
large quantities of collected image data. To provide the
required computing power to process this sisinif icantly large
amount of data in real-time, a multiple microprocessor
system performing asynchronous parallel processing is teing
developed [2], To control this computer system an operating
system, using the Multics [16] concepts of seementation in
conjunction with Tweed's [18] design of virtual processors,
has been developed and is presently in the implementation
stage. The basic microcomputer operating system design was
developed "by O'Connell and Richardson [15] and is based on
the structure of a hierarchical security kernel. O'Connell
and Hichardson provided a flexible operating system design
that is fundamentally configuration independent and
adaptable to a spectrum of systems. The real-time version of
this "family" of operating systems was refined and
implemented by Wasson [23] and Rapantzikos [17]
.
One of the primary goals of the Naval Postgraduate
School project, directed toward development of a smart
19

sensor platform, is fault-tolerance. Dynarric reconfiguration
within a multiple microprocessor computer system, due to
periodic maintenance checfes or failure of specific
components, is the basis for extended performance, if not
survival in such a system. The ability of the smart sensor
platform to detect faulty processors or memory segments,
diagnose the problems and then perform dynamic
reconfiguration (if required) and automatic recovery is a
necessity for the system in its projected, . isolated
operating environment.
The operating system design of Wasson is logically
organized into a hierarchy that separates the user
application processes from the kernel. This modular, layered
design lends itself to dynamic reconfiguration where
processes can be relocated amon? physical processors.
Additionally the system initialization technique proposed by
Ross [20] provides a basis for an automatic recovery
mechanism that vill reinitialize the system on a new
physical configuration after the detection of faulty system
components.
D. OBJECTIVES
This thesis is intended to focus primarily on the area
of dynamic reconfiguration and automatic recovery of a
real-time, distributed, multiprocessor system in a
fault-tolerant environment. Using the system initialization
20

mechanism design of Ross [20], as a basis for system
reinitialization, and the synchronization primitives
developed hy Wasson [23] and Rapantzikos [17] , for process
coordination, this thesis provides an automatic recovery
mechanism specifically designed for a real-time,
multiprocessor computing system.
Fault-tolerant computer systems in the past have used
fault detection and reconfiguration mechanisms which dealt
with components at the level of simple devices such as
flip-flops and adders. With todays LSI and VLSI technology,
it is no longer appropriate to he concerned with such small
suhunits. The unit of fault detection and reconfiguration
should te on the scale of processor/memory [24]
.
In order to accomplish fault-tolerance functions on the
processor/memory scale new methods of detection and recovery
have "been developed. Software controlled fault-tolerance is
a method that nas been successfully implemented in such
experiental systems as SIFT [24], FTMP [3] and Plurihus
[12] . Fault tolerance is accomplished as much as possible by
programs In these systems rather than the conventional
hardware methods traditionally used. This includes error
correction, detection, reconfiguration and prevention of a
faulty unit from having an adverse effect on the system as a
whole. This modularization (processor/memory) of system
components allows fault detection to be based on modular
performance. Detection becomes simply an algorithm performed
21

by a system monitor tiiat determines the correct functioning
of a module. The monitor evaluation can be performed using
various methods. In SIFT [24] a two out of three vote of
processor/memory computation determines a faulty module.
Recovery techniques in such a system consist of a monitor
algorithm that simply eliminates a failed module by marking
it as faulty and replaces it with a spare if available. It
is the primary objective of this thesis to design a recovery
technique that is software controlled. The use of Intel's
iSBC 86/12A Single Board Microcomputer with on board RAM
provides the processor/memory module configuration necessary
for such an algorithm-based recovery mechanism.
Dynamic reconfiguration is usually encompassed in an
automatic recovery scheme and essentially involves the
automatic reconfiguration of a system in order to eliminate
the faulty components. The objective of a modular automatic
recovery design, incorporating dynamic reconfiguration, can
be realized based on the concepts presented by Schell [21]
.
The ability to bind and unbind the physical resources to the
logical resources of a system creates an environment
supportive of dynamic reconfiguration. This in conjunction
with an automatic recovery technique, controlled primarily
by the system software and designed specifically for a
real-time, multiple microcomputer system, is the primary
objective of this thesis.
Several designs for system recovery have been developed
22

in recent years. Although specific techniques have "been
employed, enormous problems still remain to be solved for
parallel processors and distributed processing [25] . It is
the additional ^oal of this thesis to provide some solutions
to the dilemmas facing fault recovery in parallel processing
sys terns.
The real-time, ima^e processing project under
.development at the !^aval Postgraduate School provides an
enviroment that lends itself to a simple fault recovery
technique. Complete system reinitialization after dynamic
reconfiguration is a feasible fault recovery method provided
the time for system reinitialization does not significantly
degrade performance. With the LSI and VLSI technology used
in the image processing environment the recovery time will
not be a significant factor. Due to the enormous amount of
continued input information a few frames not processed
during reinitialization will result in only temporary loss
of the ima^e and will not significantly degrade performance
[2,19].
This thesis deals primarily with only one aspect of
fault-tolerance, that of fault recovery. Cne must assume
that fault detection and diagnosis have been performed prior
to fault recovery and that the system recovery mechanism has
been initiated as a result of a detected fault. It is on




The introduction Just presented is designed to provide
tne reader with a brief loot at fault-tolerance as it
applies to computer systems and in particular to the
development decisions on which an automatic recovery
technique is based. Chapter II will describe the hardware
architecture of the nultiprocrssor system designated for the
automatic recovery mechanism and the support utilities that
enhance the hardware performance. Chapter III will provide a
detailed account of system initialization and how the
initialization mechanism was implemented on the system
hardware. Chapter IT will outline the automatic recovery
desi/en as it relates to the operating system and the
hardware employed by the system. The final chapter presents
conclusions and observations that resulted from this thesis
effort and suggestions for further research. Four appendices
are also provided that sive detailed descriptions of the





To use tue multiple microprocessor environment
effectively for real-time image processing the application
pro^rrams must be partitioned and distriliuted amon^ the
microprocessors. The operating system required to manage
such a multiple microcomputer system must coordinate
inter-process communication and synchronization.
Additionally the operating system is taslred with the
management of system resources which include I/O and memory
management
.
The distributed operating system designed by Wasson [23]
and Rapantzikos [17] supports the multiple microcomputer
environment. It provides control for a large number of
asynchronous processes and is designed to manage the
resources of a multiple microcomputer system. The operating
system is structured as a hierarchy, supporting kernel and
supervisor domains. Segmentation of memory [16] facilitates
the sharing of inter-process data while at the same time
isolating the address space of those processes that require
no interference. The concept of virtual memory, where each
process is provided with its own address space, as supported




Tiie kernel manages all pnysical processor resources
providing the user with an environment that is relatively
hardware independent while the supervisor provides the
interface between the Icernel and application processes.
Inter-process communication and synchronization is
accomplished using eventcounts and sequencers [18] and to
ensure expeditious handling? of time-critical processing
requirements a preemptive, priority scheduling mechanism is
Incorporated.
The operating system is designed to control a sroup of
multiprocessors which share a single system bus or possibly
a set of up to four "clusters" of such microcomputers [22].
In order to limit the bus usage to a minimum, and thus
provide increased performance, copies of the kernel are
physically distributed to each microprocessor's local
memory. This allows for high-speed access to kernel
functions without over-burdening the shared system bus.
The distribution of the operating system kernel
necessitates its execution by every processor. Thus the
kernel design incorporates a scheduler that will allow each
CPU to provide its own scheduling. This leads to an
operating system that has no concept of master-slave control
but, is dependent only on system-wide synchronization
variables to maintain system coordination and regulation.
1. The Kernel
The kernel uses the concept of two-level traffic
26

control to manipulate system resources. Multiplexing of tne
physical processors amongst the more numerous virtual
processors is accomplished Ij the Inner Traffic Controller.
It is at this lowest level of the kernel that the hardware
of the physical machine is interfaced. At the higher level,
the Traffic Controller, virtual processors are multiplexd
among the larger number of partitioned application
processes. At this upper level of the kernel the
inter-process communication and synchronization primitives
are made available to the user application processes to
solve the complex (application independent) system-wide
synchronization of parallel processing.
2. The Supervisor
In the multiple microprocessor operating system
family, proposed by O'Connell and Richardson [15] , the
supervisor level of the system is designed not only to
provide the kernel interface, but to support such functions
as file management. The modified real-time subset of this
operating system family. Implemented by Wasson [23] and
Rapantzikos [17] for image processing, incorporates the
supervisor only as a "gate" to the kernel. The supervisors
gate is simply an interface to the kernel for the
application process. The gate provides a single entry point
to the kernel in which all user programs can access the
synchronization primitives. This allows the supervisor level
and application processes to be independent of the kernel
27

Implementation details and maintains tiie hieracnical design
of the system.
3. Real-time Processing
In tne isolated environment of tfte smart sensor
platform, real-time processing involves time-critical
computations. Real-time systems must be controlled by
operating systems tiiat ensure time-critical processing is
given immediate attention when required.
The image processing programs of the smart sensor
system are partitioned into separate processes and
distributed among individual microcomputers. The ability of
each processor's kernel to schedule the image processing
functions assigned to it is accomplished by a
priority-driven preemptive scheduling technique which
provides for expeditious handling of processes which perform
time-critical operations. Additionally the distribution of
the application processes among the physical processors
local memories allows the same advantages as the
distribution of the fcernel . Performance is increased in the
real-time environment by reducing system bus accesses for
program instructions and data. The placement of all
executable code and unshared data in local processor memory






The microprocessor cnosen to support tue real-time
image processing project was the Intel B036. Significant
advantages over comparal)le microcomputers were realized in
the final selection of the 8086 for the multiple
microprocessor design. Performance specifications, past
experience with other Intel products, and especially the
software and peripheral equipment support all added up to an
off-the-shelf, immediately available microprocessor that
could te easily interfaced to the image processing project.
2. The 8086 Microprocessor
The Intel 8086 is a 16 hit, HMOS technology
microprocessor. It has a 5 Megahertz (MEZ) clock rate and
can address a full megabyte of primary memory. To provide
high execution speed the 8086 architecture incorporates
instruction pre-fetch which allows for the overlapping of
instruction fetch and instruction execution cycles.
The 8086 uses memory segmentation to divide the one
megabyte of accessible memory into logical units. A segment
can range anywhere up to 64 kilo-hytes in length and can he
placed anywhere within the one megabyte address space of the
8086, provided the segment "base hegins at a 16 byte boundary
[4]. Although segmentation allows for the logical division
of memory into an independent set of contiguous locations it
must he emphasized that the segment houndry length is not
29

enforced "bj the hardware. Since the 8086 does not support
explicit segment boundries, segments at the nardware level
may te disjoint, partially overlapped or fully overlapped.
To support the operating system, the design constraints must
ensure segments of an individual process never overlap. The
mechanisms to achieve this are presented ty Ross [20]
.
To obtain the effective address of a particular
memory location the 8086 uses a base address and an offset.
The base address must be a multiple of 16. In order to
address the full megabyte of memory the 8086 performs a left
shift of four bits on the base address, zero-filling the
four lower-order bits. Once the base address has been
shifted the address offset from the instruction counter
register is added to the base value forming a 20-bit
effective address.
The 8086 processor has direct access to four
segments at any one time [4] . Their base addresses are
contained in four segment registers depending on the segment
use. The Code Segment (CS) register contains the base
address of the code segment from which instructions are
fetched. The Instruction Pointer (IP) register provides the
offset from the CS value to the next executable instruction.
The Staclc Segment (SS) register maintains a pointer to the
base of the staclr segment. The Tata Segment (DS ) register
contains the address of the current data segment and the
Ultra Segment (ES) register provides an additional segment
30

address tiiat is typically used for external or scared data.
3. The iSBC 86/12A Single Board MicroconrDUter
Tne iSBC 86/12A is a complete microcomputer platform
[4]. It contains a 5MHZ 8086 processor, 32 ltilo-"bytes of
random-access memory (RAM), 8 iilo-tytes of electrically
programmaljle read-only memory (EPROM), programmable serial
and parallel I/O interfaces, a programmable interrupt
controller, a real-time cloc^ and an interface to the Intel
Multibus for interconnnection to other devices [11] .
The iSBC 86/12A provides the basic hardware support
required for a multiple processor operating system. The
Multibus interface provides each processor with the ability
to independently access a Global shared memory segment. The
8086 processor provides a built-in semaphore instruction
which allows individual CPUs to set a lock on the system
bus, and thus control global memory access. The iSBC 86/12A
also can be configured to provide preempt interrupts
(between processors) by connecting the parallel I/O ports to
the Multibus interrupt lines. Finally the EPROM can be
programmmed to contain the bootstrap program that will
intialize the system.
4. Intel MPS Development System
Program development for the real-time multiple
microprocessor project was accomplished usin? the Model 230
Intellec Series II Microcomputer Development System (MDS)
[4] . The hardware and software support provided by the MIS
31

was a significant factor in the original choice of Intel's
8086 CPU and iSBC 86/121 single "board corrputer for use in
the system.
a. Hardware
Secondary storage for the multiple microcomputer
system was not available and therefore the MDS system with
its floppy disc file storage, as shown in Figure II-l, was
used to simulate secondary storage for the iSEC 86/12As.
This was particularly important during system initalizati on
and reinitialization. Since the Multibus was not connected
to secondary storage all disc accesses were accompli5hed
through the single iSBC 86/12A connected to the MDS via a
serial port link. System I/O was coordinated hy a "bootstrap
program in the case of initialization or by a run-time
loader process during system execution. Essentially the iSEC
86/12A connected to the MDS was required to execute a loader
process, when disc I/O was required, loading data into a
global memory buffer. The other single beard processors
could then accomplish their individual rremory loading by
accessing the global memory buffer. It should be noted that
this simulation of secondary storage by the MDS is only
required until a hard disc is installed and interfaced to
the Multibus.
b. Software Utilities
The MDS software support provided by the





















the selection of the Intel products used in tne multiple
microcomputer system. The utility programs provided were
used extensively in the system generation phase to create
the operating system and the initialization programs.
The PL/M-86 compiler [7] provided the necessary
support to allow system proffrairmin^ to he accomplished in
tne flexible, high-level language of PL/r^-se [5] . The
language is totally reenterant as reenterant code is
essential for the kernel code tnat is snared by the user
processes. The PL/M-86 compiler offered four modes of
operation that allowed the programmer to select the degree
of segmentation during translation. The compact mode of
compiler operation was used primarily during the system
generation as it afforded the most flexible use of the
segmented address space during process relocation.
The LINK86 [6] utility program was used to
combine the separately developed and compiled program
modules into a single, relocatable object module. The
linking ability provided by this utility routine allowed the
programmer to develop small manageable program modules that
could be debugged and maintained separately and then bound
into a single module prior to loading.
The L0CS6 [6] support program produces an
absolute object module from the input relocatable object
module. This utility routine provides the programmer with
the ability to locate object modules at any location in the
34

one megabyte of addressable memory space.
Finally 0H86 [6J was used to convert an object
module to a nexadecimal, ASCII formatted, object file. Tbis
utility program provided formation of an object module in
nexadecimal, tnat could be easily manipulated once loaded
into primary memory. The format of the hexadecimal file was
such that a simple program within the kernel could read and
relocate the object file. The same program of the kernel
also converted the hexadecimal module baclc to a "binary
object module. This was necessary in order to allow normal
execution of the file.
c. The iSBC 957A-iSBC 86/12A Interface
The iSBC 957A Intellec-iSBC 86/12A Interface and
Execution Pacitage [9] contains the hardware and software
required to interface an iSBC 86/12A Single Board Computer
with the Intellec Microcomputer Developement System (MDSK
Recall that the system bus (Multibus) that is used by the
iSBC e6/12As was not connected to any sort of secondary
storage. In order to simulate secondary storage for the
system one of the iSBC 86/12AS was connected to the MES and
the iSBC 957A interface package I/O routines were used to
access the MDS floppy disc drives.
The iSBC 957A interface package contains
software utility programs that were used extensively in the
research and developement environment of this thesis. The
iSBC 957A package system I/O routines interface with the

ISIS-II operating system running on tne MDS . The routines
can be activated by PL/M-86 high level language procedure
calls where the iSBC 957A procedures are declared external
in the PL/M-86 program. This allows programs executing in
the ISBC 86/12A to perform I/O with the MDS floppy discs.
Additionally the iSBC 957A interfaces with the iSBC S6/12A
monitor providing the use of the monitor commands for
program debugging on the iSEC 86/12A.
,
An iSBC 957A system I/O procedure is first
called in the bootload phase of system initialization. The
bootload program calls the routine LOAD [9] to load the
bootstrap program, stored on disc, into a buffer in main
global memory. This allows all the remaining processors
access to the bootstrap routine. The LOAD process requires
five parameters to be passed to it. The first argument
passed is a pointer to an ASCII string containing the name
of the file on disc to be loaded. The next parameter passed
to the LOAD routine is a word containing the value of zero?
this argument has no effect as it serves only as a
placeholder. This parameter is followed by a word that acts
as a switch. This argument is set by the programmer and.
indicates that control be either returned to the calling
program or that contol be transferred to the program just
loaded. The next argument is a pointer to a pointer in whicn
the starting address of the loaded program is placed. The
final argument passed to LOAD is a pointer to a word in
36

which the monitor can place a status code indicating a
nonfatal error has occurred during the LOAD routine.
The iSBC 957A systerr I/O procedures are also
used in the bootstrap process of systerr initialization.
During the bootstrap program the OPEN, READ and CLOSE [9]
routines are called to read a hexadecimal object file
containing tne base layer of the operating system into a
buffer in global primary memory. The OPEN procedure locates
the specified file to be read, on disc, and then initializes
ISIS-II tables and buffers in the Intellec system. Five
parameters are passed to tne OPEN routine. The first
argument is a pointer to a word in which the monitor stores
the active file transfer number (AFTN). This number is used
to identify the file to other iSBC 957A system I/O
procedures. The next parameter is a pointer to an ASCII
string containing the file name. Following the pointer to
the file name is a word containing tne access mode for which
the file is being opened. This argument identifies the file
attribute as read, write or read and write. The next
parameter is a word containing a file number that is used
only if line editing Is taking place (this argument was not
used). The final argument is a pointer to a word in which
the monitor could pass a status code if a nonfatal error
occurred during tne OPEN routine.
The READ procedure is called by a PI/M--86
program to transfer up to 4096 bytes of data from an open
37

file to a memory location specified ty the calling program.
The first argument passed to READ is a word containing, the
active file transfer number (this will be the same file
number assigned in the open procedure, if OPSN and READ are
used in conjunction). The next parameter is a pointer to a
buffer to which data of the open file is to be transferred.
A word containing the number of bytes to be transferred is
the next paramenter passed to READ. This argument is
followed by a pointer to a word in which the actual number
of bytes transferred is placed upon completion of the READ
procedure. The final argument passed to READ is a pointer to
a word in which the monitor will return a status code in
event of a nonfatal error during HEAD routine.
A call to the CLOSE procedure will cause the
ISIS-II operating system to delete the tables and buffers
that were allocated when the specified file was opened. The
arguments that are passed to CLOSE include the word
containing the active file number (the same as assigned in
OPEN) and a pointer to a word in which the monitor can
return a status code should a nonfatal error occur during
the CLOSE routine.
The only other iSBC 957A procedure used was the
EXIT [9] routine. This procedure allowed a FL/M-86 program
executing on the iSBC 86/12A to return to the monitor if it




Although the ISBC 957A system I/O routines were
also used in the run-time loader process to load the
application processes and by the loader process in tne
operating system for system reinitialization it must "be
emphasized that tne iSBC 957A package was used only to
simulate an environment. The lack of a hard disc for system
secondary storage necessitated the use of the iSBC 957A
software and hardware to simulate the required auiilary
storage. Future plans for system design (see Figure II-2)
include the connection of a hard disc to the Multibus for
secondary storage. When this occurs the simulated
environment will be eliminated as will be the requirement





























System initialization is the method used to get an
operatinfi" system loaded and running on a computer system. A
simple system initialization mechanism has "been designed ^y
Ross [20] that can he used with a variety of hardware and
operating system configurations. During system initalizati on
Ross outlined three phases that must he accomplished,
sequentially, in order to get an operating system loaded and
running on a computer system. First, a core image of t^-e
operating system is created. This is known as system
generation time. It normally is done on a separate
development computer system and consists primarily cf
developing the operating system and initialization code. The
next phase of initialization is hootload time. This is the
point where the lowest level of the operating system is
actually loaded into the primary memory and its system
parameters and tables are initialized. Finally when the
operating system programs are running normally the
initialization sequence is considered to have entered the
run time phase.
The initialization mechanism involves three separate
loading functions as shown in Figure III-l. The hootload














and is used to load into global memory a "bootstrap program.
THis program is fiOM-resident so that it may te activated by
a "bootload" switch. The bootstrap proffram, loaded hy the
bootload program, also runs on the bare system hardware and
will be used to load the base layer of the operating systen
into primary memory and start it running. The final loading
function is part of the distributed operating system and is
loaded into each processor during the bootload phase along
with the base layer of tne operating system. This loader Is
used during run time to load the remainder of the operating
system and tne application programs and to prepare them to
be scheduled and run.
Implementation of Ross' system initialization design was
the first effort of this thesis with the premise that the
initialization technique would be the basis for system
reinitialization. This section deals primarily with the
specific implementation of the initialization design as it
applies to the operating system of Wasson [23] and
RapantzilEOS [17] and the Intel iSBC 86/12A Single 5oard
Microcomputer.
B. STSTSM GENERATION TIME
The development of the operating system and
initialization tasks takes place at system generation time.
This is the first step of initialization and takes place
prior to the bootload and execution phases. Program
43

development during system generation was accomplished almost
entirely on the Intel Microcomputer Development System
(MDS). The use of the ISIS-II operating system in the MCS
system with, its supportive utility programs, provided a
flexitle environment in wnich to accomplish system
generation tasics. The complexity of the bootload and
run-time phases was significantly reduced by use of the MDS,
in conjunction with the ISIS-II operating system, to
compile, lini, locate and debuj? programs during the system
generation phase.
In the initialization design ty Ross [20], several
assumptions were made at system generation time that greatly
simplified hootload and run time development. Although some
of these assumptions will not hold in the following chapters
concerning automatic recovery techniques, for the purpose of
system initialization alone this discussion will malfe the
same initial assumptions that Ross does. These assumptions
permit extensive preliminary processing to be done in the
more flexible atmosphere of system generation thus relieving
later phases, wnich occur in much less supportive
environments, of the preparatory processing that they would
otherwise be required to perform.
The key assumption at system generation time is that the
initial hardware and software configurations are known. This
allows initial memory allocation decisions to be
accomplished (prior to loading and execution) in the
44

supportive atmospiiere of tne Intel MDS. The significance of
knowing the initial configuration is realized in the atility
of the system developer to allocate memory on a fflol)al or
local scale. As was pointed out in the section descritirg
the operating system, it is highly desirahle to place as
many programs in local memory as possible in order to
eliminate "bus contention. Only shared, writable segments
should he allocated to global memory.
System generation is viewed as a sequence of events,
beginning with program design and ending with the creation
of the load module or core image to be loaded. This thesis
will concentrate on the specific implementation
considerations of the initialization scheme rather than the
design methodology. A detailed examination of system
generation events and the choices made throughout the
development of the initialization design is discussed by
Ross [20],
C. BOOTLOAD TIME
The system initialization mechanism was designed to
commence operating once a "bootload switch" was activated.
This in turn causes a Jump to the first instruction of the
bootload program which is contained in read-only memory
(ROM). The bootload program is a small simple program that
runs on the bare hardware and is located in each
microcomputer's ROM. The bootload program serves two
45

purposes. It's primary function is to load a "bootstrap"
program from secondary storage (i.e., a hard disk) which
will then he executed to continue the majority of system
initialization. Proceeding in this fashion allows the
ROM-resident hootload program to remain small and relatively
simple. Secondly the hootload program serves to uniquely
identify each physical processor. Each microcomputer's copy
of the bootload program differs only in that it contains a
unique serial number that identifies the physical processor.
This unique processor number is placed in a global CPU
table, during execution of the bootload program, and will be
used by the bootstrap program to identify the physical
processors during the remaining phases of system
initialization.
A time-sequence of activities taices place during
bootload time, beginning when the bootload switch is
pressed, and ending when the operating system kernel is
loaded and running. In this particular system the operating
system, as was described previously, is distributed to each
single board computer and therefore must te loaded into each
computer's local memory. Therefore, each microcomputer's
bootload program must be activated as it is the
responsibility of each individual CPU to load its own system
programs. Activation of all the processor bootload programs
can be accomplished simultaneously using a simple bootload




In the implementation described by this thesis,
using one to eight iSBC 86/12A single board microcomputers,
it is necessary to indicate to every iSIC 86/12A when to
begin executing the ROM bootload program. This was
accomplished during development in the form of a simulated
bootload switch. In the experimental environment the INTR
button on the iCS 80 Chassis [lej served to simulate the
bootload switch. Depressing this button places a hardware
interrupt on the system Multibus which can be received by
all iSBC 86/12AS plugged into the iCS 82 Chassis. Interrupt
number two is the Multibus interrupt line activated by
pressing the INTR button. All iSBC 86/12AS can be jumpered
to acknowledge this interrupt by wiring the incoming
Multibus interrupt line (post E71) to the 8e86 non-masiable
interrupt line in the interrupt matrix (post E89) [11]. Note
that to maS:e the non-masiable interrupt active, the ground
wire (between post S87 and S89) must be disconnected. Figure
III-2 shows the correct wiring. The non-maslcable interrupt
on the 8086 has been used to start the system initialization
mechanism due to the disabling of the maskable interrupts
when the iSBC 86/12A is in the monitor. The initialization
routine commences with all boards, except the MDS-connected
ISBC 86/12A (as noted below), in their respective monitors.
Only the non-maslcable interrupt is capable of interrupting
47











the 8086 CPU in this state.
When all ISBC 86/12A boards have their interrupt
matrix modified as outlined ahove it is possible to commence
the bootload phase, causing all iSBC 86/12A's to execute the
bootload program, load the operating system kernel, and
commence kernel execution, by simply pushing the INTR button
on the iCS 80 Chassis. The bootload program is the interrupt
handler. The four byte non-maskable interrupt vector, that
will be loaded with the address of the entry point to the
bootload program, is the third interrupt vector in the
interrupt table [4j (interrupt 2; address efc)00:000a to
0000:000B). Activation of the non-maskable interrupt on the
8086 causes an unconditional, indirect jump to the bootload
program via the non-maskable interrupt vector.
System design calls for the bootload program to be
ROI^-resident, but to facilitate debugging in the
experimental environment, it was located in RAM. During this
development period the iSBC 86/12A monitor command, LOAD
[9], was utilized to download the bootload program from the
^!DS floppy disc prior to activation of the initialization
mechanism. Recall that only one iSBC 86/12A was connected to
the MDS in this simulated environment, thus allowing only
that particular single board computer to be loaded using the
monitor LOAD command. This in turn, required that the
bootload program, once loaded, be placed in all the
remaining iSBC 86/12AS by tne monitor MOVE [9] command as it
4:9

was impossible to load the individual iSBC e6/l2A's memories
directly. Additionally, all interrupt vectors were required
to be preset to the bootload program entry address before
the initialization routine could be activated.
Pinally the MDS-connected iSBC e6/12A was required
to have exited it's monitor before the non-maskable
interrupt would function properly. This requirement was the
result of MDS interference during the interrupt sequence. To
free the iSBC 86/12A, connected to the MDS, of it's monitor
it was necessary to start the 8086 CPU executing
instructions from RAM. The program executed for this purpose
was in the form of a loop at the beginning of the bootload
module. When interrupted the CPU then functions identically
to the remaining processors. Note that all the other ISBC
86/12AS were interrupted while in their respective monitors
and functioned normally, thus they required no looping
mechanism.
It is necessary to emphasize that the above sequence
of events is required only in the experimental environment
when placing the bootload program in RAM. When the debugged,
final version of the bootload program Is located in EPROM
the steps involved above will not be applicable.
2. The ROM-resident Bootload Program
The bootload routine is a small, simple program that
will be EPROM resident (see Appendix B) . The first function
of the bootload process is to determine the "Bootload CPU".
50

The Bootload CPU will serve as the master or controlling CPU
throughout the bootload and run time loading pnases. lonile
the bootload programs in all CPUs are identical, the
Bootload CPU will execute some sequences of instructions
that the other processors will not. The PL/M-e6 language
provides a built in procedure known as lockset [5] that
permits to programmer to implement a software lock (viz., a
busy wait). This procedure uses a variable located in glottal
memory to control the bus access. In order to designate the
Bootload CPU, a deliberate race condition is entered as all
processors begin execution of the bootload program. Eac& CPU
attempts to set a software lock, using a global variable
(CPU$TBL$LOCK) , and then enter a table in global memory
known as the CPU Table (CPU$TABLE), snown in Figure III-3.
The built in procedure Lockset with it's global parameter
(CPU$TBL$LOCK) is used to resolve the conflict of multiple
simultaneous access attempts to the CPU Table. Thus only one
CPU at a time can access tne CPU Table and the first CPU to
do so becomes the Bootload CPU.
After entering the CPU Table (CPU$TABIE) eacn
processor will fill in entries in the tatle and then unlock
the l)us to allow the other CPUs access. The CPU Table is
Indexed according to logical CPU numbers where the Bootload













after the Bootload CPU, and enter the CPU Tahle, hecomes
logical CPU 1 and so on.
Once a processor has sained control of the bus using"
tne glohal bus loclt variable (CPU$TBL$LCCK) , and accessed
the CPU Table (CPU$TA2LE) the first action performed is for
the CPU to enter its serial number (CPU$ID). Recall that
this serial number is different for each ROM-resident
bootload program and tnat this number uniquely identifies
every physical processor in the system. Next a counter,
(CPU$TOTAL), is incremented in order for the Bootload CPU to
ieep track of the number of physical processors present in
the system. Each CPU is identified additionally by a logical
CPU number, (LOG$CPU^ID) , that identifies it, as mentioned
before, according to its sequence of entry into the CPU
Table. The next set of instructions executed in the bootload
program increments a logical CPU number {LOG$CPU$NUM) . This
fflobal variable will be used by the next processor, to f^ain
access to the CPU Table, and will serve as an index into the
CPU Table. Finally the software lock on the system bus is
released and the identical sequence of entries into the CPU
Table is performed by the next processor to gain access to
the bus. This continues until all physical processors have
accessed the CPU Table and made the appropriate entries.
Upon completion the CPU Table (CPU$TABIE) will contain each
individual processors unique serial number (CPU$ID) entered
according to the sequence of CPU Table access. This allows

the processor to te identified by a logical, as well as a
pnysical, CPU number. Additionally tne Bootload CPU will
have recorded the total physical CPUs it counted in the
system in it's own CPU total (CPU$TQTAL) field in the CPU
Table. Note that the CPU Table contains a mailbox (CPU$MAIL)
entry and an acknowledgement (CPU$ACE) entry for each
processor. These entries in the CPU Table will be used later
in the bootstrap program for system synchronization.
After completion of the above sequence the Eootload
CPU will execute another PL/M-86 built-in -procedure called
TIME [5]. This untyped procedure causes a time delay in
multiples of 10a microseconds based on a 5 MEZ clock and the
8086 CPU cycle time, without interruptions. In the bootload
program the Bootload CPU will execute a time delay of 10
milliseconds. This delay will allow all the other processors
the time necessary to access the CPU Table before the
bootload CPU commences its actual loading action.
The hardware configuration for system development,
as described in the hardware section, allows for only one
iSBC 86/12A to be connected to the MDS (using the iSBC
957A-iSBC 86/12A interface and execution package). This
means that only the single board CPU with this connection
can access the disc files. This simplifies the bootload
programs by eliminating the need for a complex
synchronization method to allow tne processors to snare the
disc, but neccessi tates a controlling or Bootload CPU to
54

serve as the main access to disc files for all CPU's.
because the Intel hardware dictates this particular
configuration, it is necessary to designate the 86/12A
single hoard microcomputer connected to the MDS and thus
the disc files, as the "Bootload CPU". In order to default
the particular processor with the MDS connection as the
Bootload CPU a time delay has heen added to the instructions
of the hootload procedure, BOOTIOAB^INTR (in the hootload
program), of all CPU's except the MDS connected iSBC 86/121.
This added time delay in all the processsors, except tne
Bootload CPU, is executed as the first instruction upon
entering the hootload program, thus allowing the iSBC 86/12A
connected to the MDS to access the CPU Table (CPU^TAEIE)
first and become the Bootload CPU. It should he emphasized
that this and the unique physical CPU number are the only
difference in the bootload programs loaded to the various
physical processors and is dependent on the hardware
configuration. Note that with a hard disc, serving as
secondary storage, connected directly to the Multibus (i.e.,
all processors are capable of disc access) the need for the
default delay will be eliminated as any CPU can serve as tne
Bootload CPU.
3. Bootstrap Program Loading
The next function of the bootload program is to load
* bootstrap program. The bootstrap program (see Appendix C)
contains the actual instructions that will load the base
55

layer of the operating system. Ey perf ormiiii? the
initialization in this sequence, the hootload routine
remains small and the primary goal, of a simple EPRCM
resident hootload program is achieved.
The hardware conf iarura tion, as described in the
previous section, allows for only one iS3C 86/12A to he
connected to the MDS and necessitiates this CPU to be the
Bootload CPU. Because the Bootload CPU is the only processor
that can access the disc files, it must load the files
containing the Bootstrap program and the operating system
into global memory buffers and then allow the other
individual CPU's to execute or load the files as required.
The bootstrap program is loaded by tae Bootload
CPU using a 957A I/O procedure called LOAD [9]. As was
previously described in the nardware section, this utility
procedure requires that five parameters be passed to it. The
first argument is a pointer to an ASCII string of the file
name of the file to be loaded. In this case the bootstrap
program (BTSTRP). The next parameter, Irnown as the bias, is
not used for this implementation. Following this is a
parameter called the switch. This is set to allow the LOAD
procedure to return to the bootload program. The next
argument is a pointer to the starting address of the loaded
program (BTSTRP) which is assigned to the variable
ST$BTSTRP$ADR. The last pramenter passed is a status
variable for error codes. The Bootstrap program's location
56

in eloTsal memory is predetermined ai system veneration thus
tne tootstrap program loaded usin^ tne iSBC 957A LOAD
procedure is a file created ty L0C86 which is in executalJle
format (viz., not a hexadecimal file.)
Having successfully loaded the Bootstrap program
into global memory the Bootload CPU will transfer control,
with an unconditional jump, to the starting address of the
Bootstrap program. This (transfer of control takes place
using a PL/M-e6 Indirect Procedure Activation [5] (i.e.,
simply a call with a pointer). The iSBC 957A LOAD procedure
automatically placed the start of the bootstrap program in
the start address parameter ( ST$BTSTHP$ADR) when it loaded
the Bootstrap program. The call, using this hootstrap start
address (ST$BTSTRP$ADR ) , simply sets the CS and IP registers
of the Bootload CPU to the starting address of the bootstrap
program, puts the parameters to te passed, LOG$CPU$ID, the
address of CPU$TABLE and the address of CPU$TBL$LOCK, on the
staclc and then executes an unconditional Jump. This
transfers control from the EPROM "bootload program in the
Bootlaod CPU to the bootstrap program Just read in from
disc.
While the Bootload CPU is executing the instructions
to load the bootstrap program, the remaining processors must
enter a wait state. Since the bootload programs are
executing on bare hardware the operating system
synchronization mechanisms are not available. The solution
57

to CPU synchronization has been to implement a software
spinlock in the SPROM resident bootload program called
CPU$WAIT. This procedure allows all CPU's except the
Bootload CPU to wait in the Bootload program until they are
instructed by the Bootload CPU to transfer control to the
bootstrap program. The indication for a particular CPU to
jump to the bootstrap program, as the Bootload CPU did with
a pointer call, will be the placement of the bootstrap start
address in the CPU's mail box. Once the processor sees it's
mailbox no longer contains the initialized null value it
will transfer control from its own EPROM bootload program to
the bootstrap program. Note that the bus lock must be set
each time a particular CPU accesses The CPU Table
(CPU$TABIE), in the spinlock procedure CPU$WAIT, and then
released when the CPU exits. This allows the spinloclc to
function normally in all CPU's with every processor getting
a chance to check its mailbox periodically. If this weren't
the case one CPU could lock the bus and enter a permanent
wait state (in CPU$WAIT). With the bus locked the Bootload
CPU would be unable to gain access to the CPU Table
(CPU$TABLE) to signal the processor in the CPU$VAIT
procedure to transfer control to the bootstrap program. The
result would be a deadlock condition.
4. Bootstrap Program Execution
The bootstrap program, created at system generation
time, will load the base layer (kernel) of the operating
58

system from disc into primary memory (see Appendix P). As
outlined in tne previous discussion concerning the operating
system, the kernel will be distributed to all physical
processors and thus each processor will need to execute the
bootstrap program to load it's individual kernel. The
Bootload CPU, now executing in the bootstrap program will
coordinate the fcernel loading among processors and will also
do the actual disc access for all CPUs,
The actual entry point to the bootstrap module is
the procedure BOOT$STRAP. Since the bootstrap program is not
linked to the bootload program the address of the procedure
BOOT$STPAP must be the start of the bootstrap module. The
entry point must be a procedure as the transfer of control
from the bootload program to the boostrap program is a
procedure call (ie., call by pointer) which passes
parameters. The parameters passed are required by the
Bootload CPU to maintain control of the initialization in
the bootstrap program. The parameter LCG^CPU$ID identifies
each processor as it enters the bootstrap program. The
parameters containlns the address 4vof CPU$TAELE and
CPU$TBL$LOCK (pointers) are used to address based variables
[5], CPU^TABLE and CPU$TBL$LOCK, which function identically
as they did in the bootload program.
The first action of the Bootload CPU, in executing
the bootstrap program, will be to read into a global memory
buffer (KERNEL$BUrFER) the hexadecimal file containing the
59

"base layer of the Icernel. This is accomplished usin^, as was
previosly descrihed in the hardware section, the iSBC 957A
Interface Pacica^e System I/O procedures [9] in conjunction
with the ISIS-II operating system. The first procedure
called is OPEN [9] . This procedure essentially locates the
kernel file on disc and assigns to it an active file
transfer number (KERNEL$AFTN ) . The next ISBC 957A procedure
called is READ [9] . This routine identifies the open file hy
its active file transfer number (KERNEL^AFTN ) and then reads
a maximum of 4096 hytes from disc to the global memory
buffer (KERNEL$BUFFER) . After doin^ so READ returns the
number of bytes transferred in the word TRANS and updates a
file marker according to the number of bytes actually
transferred. The Bootload CPU will continue to execute the
iSBC 957A READ procedure in the bootstrap program until the
bytes transferred are less than the maximum bytes allowed
for transfer (4096) indicating the end of file has been read
and loaded into the kernel buffer (KERNEL$BUEEER ) . Finally
the procedure CLOSE [9] is called allowing the ISIS-II
operating system to perform the actions necessary to close
the file with the previously assigned active file transfer
number (KERNELUETN )
.
The kernel file just read into the kernel buffer
(lERNEL^BUEFER) , by tne Bootload CPU, is a hexadecimal file
created during system generation time by CH86 [6] . When the
kernel file is transferred to the kernel buffer it remains
60

in its hexadecimal format. The procedure !IEAD$HEX$FIL£ will
convert the hexadecimal object file (the kernel^ into its
binary (executable) representation and load it at the
address specified in the hexadecimal file. READ$EEX$FILE is
executed by the target CPU to load the kernel into it's
local memory after being signalled to do so by the Bootload
CP^T. This method of loading the kernel file as a hexadecimal
file was used due to the documentation available, by Intel,
with respect to hexadecimal data records. Ross [20j also
provides a detailed eiplaination of hexadecimal record
format. Documentation concerning binary object files was
less clear than the hexadecimal documentation and did not
provide for easy relocation during the bootstrap loading
sequence.
Since the Bootload CPU was the. first processor to
transfer control to the bootstrap program and is the only
processor executing in the bootstrap program at this point,
it calls the procedure HEAr$HEX$FILE as soon as it has
completed loading the kernel file and passes to it the
address of lERNEL^BUFJER. READ$HEX$riLE now loads the kernel
file located in global memory into the local memory of the
Bootload CPU. Note that the location of the kernel file in
local memory is determined at system generation time.
All other processors are still executing the EPROr
bootload program, waiting to be signalled by the Bootload
CPU via their respective "mailboxes". The Bootload CPU will
61

determine the number of remaining processors waiting to load
tne kernel file by setting the Bootload CPU (logically 0)
processor count equal to the total CPUs {TOTAL$CFUS) minus
one (the Bootload CPU doesn't count itself). The Bootload
CPU now signals each CPU in turn to load its kernel
(converting hexadecimal to object) and then waits in a
spinlock until that particular processor has completed that
portion of the bootstrap program that loads the kernel into
local CPU memory. The signal placed in the target CPUs
mailbox is Just a pointer to the procedure BOOT$STRAP (in
global RAM) which allows the target processor to identify
the start of the bootstrap program and transfer control to
that address with a pointer call.
The system initialization mechanism is designed to
handle kernel files that differ according to individual
CPU's assigned functions. For this reason the Bootload CPU
allows only one CPU to load the kernel at a time. This
allows the Bootload CPU to check which CPU a particular
kernel is targeted for and then send the appropriate signal
for loading. If the kernel loaded for all processors was
identical then the Bootload CPU could signal all the
remaining CPUs, simultaneously, and the loading of the
kernel could proceed* in parallel. Note that in the
particular implementation used for development by this
thesis the kernel loaded was identical for all CPUs, but the
loading was accomplished sequentially to remain consistant
62

witn tne overall design.
As in tne bootload progran the l300tstrap routine is
executing on tare hardware and thus no synchronization
mechanisms are available for process coordination. To
provide process synchronization a spinlock identical to that
used in the bootload program was implemented. The procedure
WAIT$CPU allows the Bootload CPU to enter a wait state after
signalling a particular processor to transfer to the
bootstrap program and load its icernel. When the target CPU
has completed loading its kernel it signals the Bootload CPU
via the acknowledge flag (CPU$ACK) in the CPU Table
(CPU$TABLE). The Bootload CPU then continues to the next
logical CPU and repeats the signalling action until all
processors, as indicated by the total CPU count
(TOTAL$CPUS) , have loaded their respective kernels.
As each processor completes its bootloading task it
will enter a wait state by calling the procedure CPU$WAIT.
Each CPU will remain in this wait state, executing a
spinlock, until all processors have completed their
respective bootloading tasks. When the loading of the kernel
file has been completed by all processors the Bootload CPU
will signal all CPUs to perform an unconditional Jump to the
start location in their respective kernels. This is
accomplished by the Bootload CPU setting the acknowledge




Since the Icernel is not liniced to the bootstrap
program tne transfer of control from the bootstrap program
to the icernel is accomplished by an indirect procedure
activation (viz., a call by pointer). Luring tne previous
execution by all CPUs of the procedure RBAD$E2XFILE, where a
kernel was loaded into each CPU's individual local memory,
the Code Segment (CS) and Instruction offset (IP) were
obtained for each individual kernel. The CS and IP
constitute the entry point (start address) of each
particular CPU's kernel.
A bootstrap pointer variable (MEM$5CS IP^PTR) is
employed using the PI/M-86 language AT attribute [5j to
perform the necessary transfer of control to the kernel. The
AT attribute locates a two word structure (KCSI?) at the
address of the pointer variable (MEM$KCS IP$PTR) . Effectively
this allows the four byte location in memory reserved for
the pointer variable (MEM$KCSIP$PTR) to be accessed two
bytes (a word) at a time. Immediately prior to the call by
pointer (usin^ MEM$KCSIP$PTR) the first word, of the two
word structure, (KCSIP.SEG) is set equal to the kernel code
segment (CS) that was determined by the procedure
READ$HEX$FILE. The second word (KCSIP.OFP) is set to reflect
the kernel instruction pointer (IP). Since the two word
structure (KCSIP) uses the identical location in memory as
the bootstrap pointer variable (MEM$KCSIP$PTR) the result is
to establish the kernel entry point in the bootstrap pointer
64

variable. This allows a pointer call (usine MEM$KCS IP$PTR)
to transfer control from tne bootstrap program to tne start
of the kernel module.
The pointer call will also pass parameters to the
kernel, In particular the logical CPU identification
(LOG$CPU$ID) and the physical CPU identification
(PHTS$CPU$ID)
. These ar/?uments are required by the kernel
processes in order to identify individual processors. The
transfer of control to the kernel is executed by all
processors, including- the Bootload CPU, after the Bootload
CPU has signalled that the loading of the kernel is
complete.
It is necessary to keep all processors in a wait
state in the bootstrap program and transfer control to the
kernel in mass. Should CPUs be allowed to Jump directly to
their particular kernels immediately after completion of
kernel loading, hut prior to completion of kernel loading "by
all CPUs, the global shared variables used by the kernel
could be, and most probably would be, altered. These shared
variables are "loaded" as part of each kernel, and
therefore, would revert to their initialized values. The
fflohal shared kernel variables provide for process
synchronization and inter-communication and require the
presence of all CPUs and respective processes, assigned at
system generation time, to function correctly. Allowing
processors to transfer intermittently to their kernels would
65

lead to improper initialization of the operating system and
erroneous execution.
D. RUN TIME
Tne transfer of control from the bootstrap program to
the ternel, \sj each physical processor in the system, marlrs
the termination of the hootload phase and the start of the
run-time phase of system initialization. Curing run-time all
the user's application processes will be loaded from
auxiliary storage by a kernel process called the run-time
loader. Unlilce the bootload and bootstrap programs, that
were required to execute on the bare hardware of the system,
the run-time loader will be supported by the kernel
functions to facilitate synchronization during the loading
of the application programs.
1. The Kernel Interface
The entry into the Icernel requires that the
parameters passed from the bootstrap program (LOG$CPU$IL and
PHTS$CPU$ID) be removed from the stack and that the
environment of the kernel be established to ensure proper
performance of the operating system. This is accomplished by
a special kernel interface set of instructions called the
Intialization sequence (see Figure III-4) that is located in
the Inner Traffic Controller (ITC) Scheduler module [23] of
the kernel.




;establish STACK STRUCTURE FOR PASSED









?RESER7E MEMORY IN THE KERNEL FOR TEE





; begin the itc scheduler segment in the kernel
scheduler segment
;begin the kernel initialization sequence
;establish the ease of tee stack-structure
MOV BP,SP
;SET UP STACK USING BP AS A BASE POINTER AND




MOV CL, [BP] .PARM2
MOV ES:PHTSCPUID,CL
JJUMP TO THE KERNEL INITIALIZATION PROGRAM
JMP KERNEL-INIT





into tne kernel is the start address of tne ITC Scheduler
module. All processors will execute the initialization
' sequence, at the start of the ITC Scheduler, once transfer
from the bootstrap program is complete. The start of the
'I
Initialization sequence is in effect a special entry point
into the kernel which is used for initialization only and
thus executed only once. All other entries to the ITC
Scheduler consist of calls to specific procedures within the
module, and therefore, never encounter the initialization
sequence.
The first set of instructions in the initialization
sequence will allow the parameters passed from the bootstrap
program (LOG$CPU$ID and PHYS$CPU$ID) to te popped off the
present stack and stored under identical names reserved in
the kernel's Processor Data Segment (PRLS) [I7j . The PPDS is
a per processor data segment that will he utilized by the
kernel for specific processor identification. Having
completed the transfer of parameters from the bootstrap
program, the initialization sequence will then jump to a
special initialization program [17J to establish the correct
execution environment for the kernel. The initialization
program is tasked with initializing the kernel data
structures. Specifically the initialization program will
cause the idle process to be initialized to running and the
kernel loader process will be reflected as ready in the
Virtual Processor Map (??M) [23,17] . Once the proper kernel
68

environment nas teen establisned, norrral kernel execution
can commence. This just requires a transfer of control from
the special initialization program to the kernel ITC
Scheduler that then schedules the loader process, since it
is on the highest priority, ready virtual processor.
2. The Run-time Loader
The Run-time Loader is a kernel process that will be
employed to load the application programs from secondary
storage. Because the Loader process has a higher priority
than the Idle process (the lowest priority- always) and
since no other processes are yet defined in the system, the
jump to the ITC Scheduler at the end of the "bootload phase
appears to the kernel as a preempt interrupt of the idle
virtual processor. This preempt causes the higher priority
Loader process to be scheduled and run on each physical
processor.
The kernel Loader process will have the benefit of
the operating system primitives provided ty the kernel. In
particular the ITC Advance and Await [23J procedures will
provide for process synchronization and communication during
the loading sequence of the application processes.
The details of the Run-time Loader process will be
postponed until the next chapter since a significant portion
of the mechanism is incorporated in the automatic recovery
routine. Once the concepts of system reinitialization nave
been presented in Chapter IV, the kernel loader process will
be described in detail.
69

IV. AUTOMATIC RECOVERY DESIGN
This chapter presents an automatic recovery design that
is based on system reinitialization. The irechanism for
system initialization, described in the previous chapter,
has heen modified to form an automatic system recovery
routine that integrates with a hierarchical, distributed
operating system to support fault-tolerent operation. First
a brief overview of the design is presented and then a
detailed description of the automatic system recovery
mechanism is described.
A. DESIGN OVERVIEW
Automatic recovery begins once a system has detected and
diagnosed a component failure. It is the responsibility of
an error routine (for the purpose of this discussion
encompassing both error detection and diagnosis functions)
to indicate the particular component that has generated the
system failure. Once the failure has been isolated, by the
Identification of it's source, it is then the recovery
mechanism's responsibility to perform the operations
necessary to return the system to a normal, fault-free
state.
The automatic recovery technique employed in this design
results in a complete reinitialization of the system
70

establishing a predefined initialized state. Upon completion
of the automatic recovery routine, the system will have
returned to a state identical to that of the original
"bootstrapped system and will "be prepared to hegin normal
execution. Many of the techniques used for automatic system
recovery were previously employed in the initialization
routine described in Chapter III. For this reason it is
possible to incorporate the automatic recovery mechanism
with the initialization routine to provide an overall design
that includes hoth system initialization and automatic
system recovery.
System initialization and automatic recovery perform the
same hasic functions; that of complete system restoration.
For initialization the restoration of the system hegins from
a "cold start" with the activation of a hootload switch,
while the automatic recovery process is initiated hy an
error routine to restore or reinitialize the system. As
Figure 17-1 shows, after initialization or automatic
recovery has commenced the hasic tasks performed are
identical. First a "bootstrap program is invoked, executing
on the hare system hardware, to load the kernel. This is
followed "by a transfer of control from the bootstrap program
to the kernel where an operating system loader routine will
be engaged to load the application processes. The
distinction between the initialization sequence of events
















on the fact that initialization is exemted only once,
establishing the system configuration for the first tirre,
while automatic recovery involves continued reconfiguration
and reinitialization for the lifetime of tne system.
The contrast hetween ini tializinp' the system for the
first time and subsequent reinitialization during automatic
recovery is distinguished hy the potential loss of system
components, due to incorrect performance, during automatic
system recovery. Additional taslcs must "be employed during
reinitialization, that are not applicable during
initialization, to compensate for tne loss of system
components. These tasks must specifically deal with system
reconfiguration and process relocation in order to return
the system to an initialized state that will allow continued
normal, fault-free performance.
Complete reinitialization Involves reloading, from
auxiliary storage, all system processes from the lowest
level of the operating system to the user's application
programs. The requirement for complete reloading of the
system results from the fact that all modules are physically
connected "by a primary, shared bus (the Multibus [4]) ard
any faulty component can potentially affect all system
modules and data. The automatic recovery mechanism is
designed to deal with faulty components on the module level
of processor and local memory. Speclfially the design calls
for the use of the iSBC 86/12A Single Board Microcomputer to
73

l5e employed as the system component that will >5e
reconfie'lired during system reintialization.
Elimination of a particular module during automatic
system recovery, due to incorrect or faulty performance,
will require that the individual processes which were
assigned to that module he relocated. The loss of a module
as a result of automatic system recovery will require
reloading of the system processes on a new hardware
configuration, thus taslcing the reinitialization routine
with memory management during process reloading and
relocation.
The real-time recovery tasks developed in this design
can he expanded to afford fault-tolerance to a wide spectrum
of multiple computer systems. The flexible system
environment created through the use of dynamic
reconfiguration supports a variety of multi-processor
functions. The concepts involved in the automatic recovery
mechanism provide the hasis for f ault-tolerent computing hy
allowing continued normal system operation after the
elimination of faulty components.
B. RECOYERT INTERFACE
Once automatic system recovery commences the
fault-tolerence routines involving error detection and
diagnosis are assumed to have heen completed. As was aleuded
to previously, this thesis does not attempt to identify any
74

specific error routines. It is of no consequence to the
recovery mechanism how errors were determined, only that
they have teen diagnosed. Although specific error detection
mechanisms are immmaterlal to the automatic recovery
routine, it is necessary for the interface between the
routines to encompass communication and syncnronization in
order to estatlish a smooth transistion into the recovery
routine. The interface to the recovery mechanism is the
responsibility of the error routine and serves the purpose
of establishing a predetermined, consistant system state
that will always allow automatic system recovery to proceed
correctly eacn time the routine is invoked.
1. The Error Routine
This section briefly outlines the error routine
requirements necessary to support automatic system recovery.
As was previously mentioned, it is beyond the scope of this
thesis to develop the specific error routine mechanism. This
section siiould serve only as a possible example for future
development of the error procedure.
The system error routine is required to establish a
previously known system state for the interface into the
recovery process. This state will simply be defined as the
state of the system prior to loading (bootstrapping) the
system processes. Additionally the error routine will be
required to have performed it's defined task; tnat of
eliminating the faulty module. In this design, that will
75

entail ftalting tne faulty processing module (iSEC e6/12A'* so
that is can no loneer participate in systerr execution.
Tne error routine is assumed to te executing on all
modules once a fault is detected. An error routine diagnosis
program will tiien determine ttie faulty module. Tftis could te
as the result of a two out of three vote or a test program
that indicates the faulty module. In any case the specific
faulty module is identified.
Since the improperly functioning module has heen
previously determined, the error routine is simply required
to halt the faulty processing unit and then initiate the
recovery process. The operating system's preempt interrupt
provides a relatively straight-forward way for the error
routine to eliminate a faulty module. First the error
routine will estahllsh the idle process [23] as the highest
priority process capable of execution on the faulty
processor unit. This is just a matter of altering the
priority in the faulty CPU's Virtual Processor Map [23]
causing the virtual processor dedicated to the idle process
to he the highest priority. Then the particular processor on
which the error routine is executing must send a preempt
signal to the faulty processor module that will force the
faulty module to run the idle process. This will effectively
make the improperly performinar module unavailable to any
other processes. The idle process, running on the faulty
module, will then he required to check a system wide error
76

table, indexed tj logical CPU numter. to determine if a halt
should "be executed. The error routine will have previously-
set tne nalt fla^ for the faulty processing unit and the
result will he the elimination of the failed module from
participation in system execution.
Additionally in the event the faulty module nas
failed completely (i.e., the CPU is unahle to execute the
idle process), the error routine is tasted with physically
disabling the module from the system. This can he
accomplished hy incorporating in the error routine a
hardware "disable" mechanism that will eliminate the faulty
module from system interaction.
Once the error routine has eliminated tne faulty
module from the system it will perform a sequence of taslrs
that will establish the interface environment for the
automatic recovery mechanism. Specifically the error routine
will be required to reinitialize the Configuration Table
(see Figure 17-2) and then transfer control to the bootstrap
program. The Configuration Table is a modified version of
the CPU Table designed to support both initialization and
reinitialization and will be employed by the bootstrap
program in the same manner as described in Chapter III.
a. The Configuration Table
The Configuration Table is a global record
structure that will be used primarily to record memory usage
























snown in Figure 17-3, turee basic structures comprise the
Configuration Table. The first, called the CPU Total, will
be reinitialized by the error routine to reflect the number
of fault-free processors available to the system at the time
of automatic recovery. Because the error routine has
knowledge of the total processors in the system prior to
automatic system recovery, either from the initialization
routine or from a previous execution of the automatic
recovery process, it can determine the number of properly
functioning modules to enter in the CPU Total structure
after performing elimination of the faulty module.
The next structure in the Configuration Table is
a multiple entry record that is indexed by logical CPU
number. The first fields in this structure are identical to
the same CPU Table fields described in Chapter III. The
error routine will be responsible for reinitializing the
unique physical proressor serial numbers for each fault-free
processor in the system. This essentially involves allowing
each processor to access the Configuration Table, one at a
time, to enter it's CPU identification number much in the
same fashion as the processors were numbered in the bootload
program during system initialization. As in the bootload
program the logical numbering of the CPUs in the
















1 2 • • • 13 14 15
\
GLOBAL MEMORY MAP





Tiie Configuration Table will also contain a CPU
mailbox and a CPU acknowledge entry for each logical
processor in the system. Tftese entries will be used during
the bootstrap program for CPU synchronization as was the
case in the bootstrap program described previosly. Note that
the CPU Table used for system initialization in Chapter III
is incorporated in the Configuration Table. This allows the
system initialization routine to use the Configuration Table
structure in the same manner as the CPU Table and provides
compatibility between the initialization programs and the
automatic recovery routine.
Additionally, the Configuration Table will
include a local, per processor memory map and a global
memory map that will be used to support the memory
allocation mechanism used for reinitialization. To
facilitate the recording of memory usage during automatic
recovery, memory has been logically subdivided into pa^-es of
256 bytes in length. The global and local memory maps in the
Configuration Table are bit maps that will reflect the
memory utilization of the system as reloading of the system
processes proceeds. Specifically each processor will
represent it's 32 kilobytes of local memory using a 16 byte
"bit map. As shown in Figure 17-3, a 16 byte array is
associated with each logical processor number in the
Configuration Table structure. Additionally the global
memory map, shown in Figure IV-3, will consist of a 384 byte
81

array wiiicn will allow tiie memory allocation meciianism ttie
capability of accounting for the one mega"byte of addressa'ble
memory minus the possible el^ht module local memories. Note
that although the module memory of each iSBC 86/12A can be
divided between local and global memory the real-time system
design dedicates all iS2C 86/12A memory (32 kilobytes) to
local memory to be used by the 8086 CPU. As a result no
global memory will reside on any of the iSBC 86/12AS. This
means that all global memory will be provided by separate
dedicated memory boards.
The Configuration Table is a static structure
that is created at system generation time based on the
maximum number of modules to be employed in the system and
the maximum amount of memory to be utilized. Once the error
routine has zeroed all entries in the Configuration Table,
then entered the total CPUs available to the system in the
CPU Total field and reintialized all the processor's unique
ID numbers, it will be required to reload the bootstrap
program.
t. The Load CPU
The Load CPU serves as the coordinator of the
automatic recovery routine, performing similar duties as
that of the Bootload CPU described in Chapter III. The title
of Load CPU is assigned to the first CPU to access the
Configuration Table during tne reinitialization of the
unique physical processors serial numbers. The Load CPU is
82

logical CPU numter zero in tne Configuration Tatle. Since
the reinitialization of the physical processor numbers is
accomplished in a random fashion, any one of the fault-free
CPUs remaining in the system is capable of bein^ the load
CPU.
The error routine will taslr the Load CPU with
the job of reloading the bootstrap program into Global
memory. Recall that as in Chapter III, the primary tasli of
the bootstrap program executed during automatic system
recovery, is to load the feernel.
2. Recovery Activation
The error routine will activate automatic system
recovery by allowing the Load CPU to transfer control from
the error program to tne bootstrap program it Just reloaded
into global memory. All remaining processor modules will
enter a wait state in their respective error programs. Note
that this sequence of events is identical to the action that
took place in the bootload program for system
initialization. All CPUs, eicept the Load CPU, will enter an
active spinlock in their respective error routines waiting
for a signal from the Load CPU in the form of the bootstrap
address, before transferring control to the bootstrap
program. The error routine wait state is the consistant
state all processors (except the Load CPU) will enter during
the recovery routine interface and is the state from wnich
system reinitialization will always commence.
83

The Load CPU will transfer control to the Just
loaded bootstrap program using an indirect procedure
activation (viz., a call by pointer) in the same fashion as
the Bootload CPU did in system initialization. The
parameters passed to the "bootstrap program will include a
pointer to the Configuration Table, a pointer to a global
bus lock variable that is used to control access to the
Configuration Table and the logical processor identification
number. Once the Load CPU has transferred control to the
bootstrap program and passed the parameters Just described,
automatic system recovery will commence.
C. OPERATING SYSTEM REINITIALIZATION
Automatic system recovery commences from a predetermined
state established during the interface to the automatic
recovery routine. The purpose of this defined state is to
create a consistant environment from which the
reinitialization process can always be^in correctly. The
previous discussion described the interface state that was
determined by the error routine. It is in this state that
the first part of reintialization, that of the kernel,
"begins.
The reinitialization of the kernel is accomplished using
a bootstrap program that performs the identical tasks as the
bootstrap program described in Chapter III. All processor
modules, under the control of the Load CPU, will have the
84

opportunity to execute me global bootstrap program in order
to load their respective Icernels. Once the Load CPU has
transferred control from the error routine to the bootstrap
program the actual process of reinitialization will begin.
1. The Eootstrap Program
The primary task of the bootstrap program is to
reload the kernel. The first processor to enter the Global
bootstrap program will be the Load CPU. Recall that all
remaininfr processors are waiting in their respective error
routines until the Load CPU signals it is their turn to
transfer to the bootstrap program and load their individual
Tcernels.
a. Kernel "Reinitialization
The distributed kernel is reinitialized by the
bootstrap program which loads each processor module's (iSBC
86/121) local memory with the required kernel processes. The
bootstrap program will perform identically to the bootstrap
program described in Chapter III, loading in logical
sequence each module's kernel. The details of this portion
of kernel reinitialization are related in Chapter III and
thus only a brief overview, highlighting the bootstrap
program's tasks, will be presented in this section.
The Load CPU, executing in the global bootstrap
program, will be tasked to reload each individual module's
distributed kernel into a global memory buffer. Once this is
accomplished the Load CPU will determine the particular
as

module designated for tne kernel just loaded. Usin^ the
kernel's desismated module identification (affinity) the
load CPU will signal the target processor desired, "by
filling in the target CPU's mailbox in the Configuration
Table with the address of the bootstrap program. After the
target processor detects that it's mailbox has been filled,
it will exit it's wait state in the error routine program
and transfer control to the bootstrap program. The target
CPTT will then proceed to reload it's kernel file from the
global buffer into it's own local memory with the result
being a reinitialized kernel. The target processor then
signals the Load CPU, via it's acknowledge entry in the
Configuration Table, that it has completed reinitializing
it's own kernel. The Load CPU will then reload the next
kernel from secondary storage in the same fashion. This
sequence of events is continued, under control of the Load
CPU, until all system modules have had their respective
kernels reinitialized.
Upon completion of the kernel reinitialization
routine the Load CPU will signal all processor modules by
setting it's own acknowledge flag in the Configuration
Table. This will force all processors to execute an indirect
procedure activation (a call by pointer) to transfer control
from the bootstrap program to each modules respective
kernel. This Jump to the kernel will be accomplished in the
same fashion as outlined in Chapter III, only the parameters
86

passed to trie kernel in tnis instance will le of a differert
variety. In additon to the logical CPU identification of
eacft particular processor performing the control transfer,
the arguments will include the location of the Configuration
Table (a pointer) and it's global bus lock variable. Note
the unique physical processor serial number is not required
to be passed as a parameter as it is contained in the
Configuration Table.
b. Configuration Table Reinitialization
During the reloading of the distributed kernel
each individual CPU has the responsibility of reinitializing
the Configuration Table to reflect the memory pages
allocated to it's own kernel. Additionally, the Load CPU is
tasked with reinitializing the global memory map to identify
the memory reserved for the Configuration Table and the
global bus lock variable used to control access to the
Configuration Table.
Since the bootstrap program executes on the bare
system hardware (viz., with no operating system support^ as
did the bootstrap program of Chapter III, the memory
allocation mechanism of the kernel is not available to
distribute and record memory usage. This does not present a
difficult memory mapping problem, during reinitialization of
the kernel, as the programs and data structures loaded by
the bootstrap program can all have constant locations in
memory. The ability to locate these programs and data
87

structures at absolute addresses is realized by the fact
that these processes will be the first reinitialized
programs. This means that all the old system code can be
over-written.
Each module is responsible for recording, in the
Configuration Table, the local memory pages allocated for
the kernel it reloads. Since the location and size of the
kernel are known, after an individual module has reloaded
it's kernel, it is a simple matter to reinitialize the
Configuration Table to reflect the memory pae-es in which the
kernel resides.
The Load CPU is responsible for reinitializing
the global memory map to reflect the memory allocated to the
Configuration Table and it's global bus lock variable. This
action is accomplished as the first set of instructions the
Load CPU executes in the bootstrap program. The Load CPU
first indexes through the global memory map setting the page
entries for the Configuration Table and it's bus lock
variable to unavailable and all the other page entries to
free. Note that the convention used to indicate a free page
in the bit map is a one, while zero indicates a page has
been allocated. This allows an all zero setting to indicate
a full memory map while non-zero entries indicate remaining
free pages are available for allocation.
2. Kernel Interface
The transfer of control from the bootstrap program
88

to the kernel, of all system processors available to the
system (I.e., not eliminated by the error routine), will
proceed in the same fashion as described in Chapter III. The
sequence of events executed to interface from the bootstrap
program to the kernel will be presented in this section, but
the detailed mechanism involved will be left for the reader
to review in chapter III.
Recall that tne transfer of control to the kernel
is executed by all processors after reloading of the kernel
(by all modules) is complete. This procedure was required to
allow the kernel to commence execution properly with all
kernel processes and synchronization structures established
in a consistant state.
Once the Load CPU has signalled all CPUs to
transfer to their respective kernels the reinitialization of
the distributed kernel can be considered complete. The next
sequence of events will entail the reinitialization of the
application processes. In order to support the relocation
routine that will be employed to reload the application
proceses the address of the Configuration Table and it's
controlling global bus lock variable must be passed to the
kernel. Additionally, the logical CPU identification of each
processor must be passed to the kernel during individual CPU
control transfers. This will ensure the logical
identification of each module in the system and facilitate




Tne parameters mentioned above are passed to tue
kernel on the stack of the bootstrap program. The kernel
interface sequence of instructions will be required to
remove the parameters passed to the kernel on the stack and
designate locations in the Processor Data Segment (PRDS)
[17] for these structures. Additionally the kernel interface
sequence will he required to establish the correct kernel
environment for execution by transferring control to a
special reinitialization program that will reinitialize the
data structures used by the kernel. Hecall tliat the kernel
interface sequence of instructions occur in the ITC
Scheduler of the operating system [23J . The readers
attention is directed to the detailed description of the
kernel interface initialization sequence in Chapter III.
This procedure performs the identical function as the kernel
interface initialization sequence used during automatic
system recovery.
.
D. APPLICATION PROCESS REINITIALIZATION
The reinitialization of the users application processes
employs a kernel loader process. It is the responsibility of
the kernel loader process to reload the application
processes once the distributed kernel has been reinitialized
and has restarted execution. Essentially the kernel loader
process performs a reinitialization of the application
90

processes, esta^blishins a tcnown correct state (that of the
original initialized system) from which the system can
restart execution of it's logical tasks.
Reinitialization of the user's application processes
begins with each physical processor commencinff execution in
it's own Irernel loader process. The sequence of instructions
executed, once the kernel initialization has "been completed,
to allow the kernel loader process to run are summarized by
Wasson [23] . Essentially they entail reinitializing the
Virtual Processor Map [23] of every kernel to reflect the
loader process as the highest priority process ready to run
on any processor. This has teen accomplished hy the
reinitialization of the kernel data structures during
reloading. This ensures that all processors will load and
run their loader processes first once kernel execution
commences ,
The reinitialization of application processes involves
reloading the application programs usine a new system
configuration in which faulty modules have teen eliminated.
Since faulty components are eliminated on the module level
of processor and memory (i.e., an iSBC 86/12A) those
application processes assigned to a faulty module are
reassigned, during reinitialization, to a module that is
functioning properly.
The ahility to reassign the application processes during
reinitialization to different modules (once a module is
91

eliminated) is based on the use of identical modules. Since
all processor and local memory units are tne same (i.e., all
are iSBC 86/12As) the application processes are capahle of
executing on any module. Note that specific applications
programs may impose restrictions that will not allov
reassignment to Just any available module. These
restrictions misht be due to the length of a program (i.e.,
it is too lar^e to be reassigned to a module that already
has processes assigned). In this case a spare module might
be assigned if available. The specific restrictions imposed
by an application process concerning its reassignment will
be discussed later in the chapter.
1. Segmenta ti on
The ability of the reini tilization routine to
reassign the application processes to different modules
during automatic system recovery is dependent on the use of
segmented memory. Segmentation allows each application
process to have a defined address space that can be
specified by a distinct group of segments in memory. Shared
segments can exist in the address space of multiple
processes for the purpose of inter-process communication,
while individual processes can be isolated from other
processes by using unique segments that are not shared.
Segmentation of memory is supported by the Intel
hardware associated with iSEC e6/12A module. Recall that the
one megabyte of addressable memory available to the 8086 CPU
92

provides segments up to 64 kilobytes long [5] . Although
explicit segment boundaries are not enforced, the use of a
segment manager to allocate memory, based on a predetermined
pa^e size and segment length, will allow the manlp\:latlon of
a processes address space. This, in turn, will support
dynamic relocation.
2. Dynamic Relocation
Reassigning the application processes, during
reinitialization, is made highly flexible if the ability
exists to relocate the segmented address space of the
processes. The capability to relocate the application
processes facilitates reloading these processes at different
locations in a newly assigned module's local memory or in
global memory, thus utilizing available memory effectively.
The automatic relocation of the application processes,
during reinitialization procedure, is known as dynamic
relocation.
a. The Compact Compiler Option
Dynamic relocation is made possible if no
absolute memory addresses are contained in a processes
address space. The ability to dynamically relocate the
application processes, during reinitialization, is
facilitated by using the compact option of the PL /M-86
compiler ['?] . Ill code compiled usin^ the compact compiler
option is placed in either a code, data, stack or optional
user defined memory segment depending on its use. Because
93

only tiiese four segments are allowed {I.e., all code is
compacted into one of the four segments) the segments remain
unchanged during the lifetime of program execution. This
means that the Code Segment (CS), Data Sefrment CDS), and
StaclE Segment (SS) registers of the 8086 CPU are fixed and
thus not changed during program execution. Consequently all
code references are reflected as offsets from the CS , DS, or
SS registers and no absolute addresses are entered in a
processes address space. The placement of offsets in the
object code, by the utility locator routine (I0C86) at
system generation time, facilitates relocation of a process
during reinitialization in that the absolute address of all
segments of process can be changed by altering the 6086 CS,
DS, or SS registers.
b. The Prolosrue
All Intel object files, created using the
PL/M-86 utility routines [6], invoice a program prologue at
the start of execution. This prologue is designed to
establish the address space of the program to be executed by
setting the appropriate registers in the 8086 CPU. The
prologue will differ depending on how the program was
compiled. Por the automatic system recovery design, the
compact compiler option was employed as it provided the mcsX
flexible environment for dynamic relocation.
Since all code compiled with the compact option




and SS registers are required to be set only once as they
remain unchanged during program execution. The program
prologue of a compact compiled program will set the CS, DS,
and SS registers prior to program execution. In order to
relocate the application processes, compiled using the
compact option, the program prolcsue for a process must be
avoided so that the 8086 CPU registers can "be set to reflect
a possible new process location after reinitialization. This
can be accomplished by creating, essentially, a new program
prologue (in the form of an assembly language program, as
shown in Figure 17-4) that will not set any of the 8086 CPU
registers. The function of this "Start" program for each
application process will be simply to perform a short jump
to the start of the actual entry point address of the
application process. This allows the 8086 CPU registers that
define the address space of a process, during execution, to
be set to reflect a possible new location of the application
process.
The simple start assembly language program will
allow the normal program prologue of the application
programs to be by-passed (i.e., no CPU registers are set).
As Figure IV-4 shows this is accomplished using Just the
offset of the start address of the application program. This
short jump to the application program entry point, using
only the address offset, facilitates pro^rram relocation by




; INITIALIZE THE APPLICATION START ADDRESS









t MOVE TEE APPLICATION START ADDRESS
; INTO TEE AX REGISTER AND DO A SHORT JUMP








c. The Process Definition Tatle
The manipulation and relocation of a process'
segmented address space, during reinitialization of the
application programs, is primarily supported hy a global
data structure called the Process Definition Tahle (PCT), as
defined by Ross [20]. This structure is created by the
system programmer at system generation time and identifies
the address space of every application process that will be
loaded (or reloaded) to run on the system. Since the address
space of every application process is known, prior to
commencing system execution (viz., all segment sizes have
been established for the run-time, static environment), the
PDT entries can be predetermined at system generation time.
The primary function of the PET is to associate
a group of segments with each application process, thus
establishing a unique address space for each application
process. The PDT is reloaded into global memory at the same
time that the reloading of the kernel is accomplished. The
kernel loader process then uses the PDT to recreate the
application processes as reinitialization is performed.
The PDT, as shown in Figure IV-5, is a static
structure, the size of which is predetermined at system
generation time as a function of the number of application
process to be used in the system. The PDT is Indexed by
logical process number which will identify the processes to


























































the PDT, called Processor Configuration r^appin^ (PCM), is an
array that determines the configuration of the system. This
array serves to associate, or map, specific logical
processors to individual application processes and is
indexed, in decreasing order, hy the number of modules (iSEC
86/12As) available to the system during the reinitialization
routine. The Processor Configuration Mapping entries
establish a processor affinity, for a particular application
process, as a function of the total processor modules
remaining in the system during automatic system recovery.
The ability to dynamically reconfigure the
system using the logical CPU affinities designated in the
Processor Configuration Mapping is based on the use of
identical modules (viz., the unique physical identification
of a module is not necessary). For example consider a system
which originally consists of ei^ht modules (i.e., ei^ht iSBC
86/12As). The modules are simply assigned to application
processes by a logical number between zero and seven in the
PCM entry that reflects eight modules are available for
system use. Once a module fails, the remaining seven modules
are reassigned application processes based on the logical
entries in the PCM and the predetermined configuration for
seven available processors in the system.
The processor affinities for a particular
application process are established at system generation
time by the system programmer and must be carefully
99

coordinated to ensure continued system operation as the
processors are diminished. Note that a Erinimum number of
processors is usually required to sustain correct system
operation and this number is reflected by the last entry of
the Processor Configuration Mapping (VCf^) array.
Additionally the PDT will contain an entry for
the process priority (PPIORITT). This will be used by the
Icernel to establish a preempt priority during system
execution. Following tnis will be a process register entry
{PROC$REG) that can be used to establish any 8086 CPU
register settings (other than the segment registers) during
the reinitialization of the application processes. In most
cases only the Instruction Pointer (IP) will be set and all
the other register values will be reinitialized to a null cr
zero setting.
The last entries in the PDT establish an
individual application process' unique address space {?kS).
These entries will consist of an array in which the first
three entries will be dedicated to the Code Segment (CS),
Data Segment (DS) and Stack Segment (SS), respectively, of
an application process. The remaining entries will be used,
as required, to provide the identification of any external
shared segments that exist in a particular application
process' address space. The maximum number of external
segments are fixed at system generation time and are a
function of the application processes and their
100

requirements. The entries in the address space array of the
PDT will be unique logical numbers that will identify
individual segments in another global data structure, used
during reinitialization, called the Global Active Segment
Table (GAST). This structure will be described in the next
section .
The last field of tne Process Definition Table
(PDT) is a bit map identifying an individual segment's
attributes. In particular this bit map uses a zero (0^ to
signify if a segment is only readable (R) and a one (1) to
mark a segment as readable and writable (R/W). A segment
attribute will be required by the segment manager in the
Irernel to determine whether a segment is to be relocated in
global or local memory during reinitialization.
d. The Global Active Segment Table
The Global Active Segment Table (GAST) is a
global data base structure employed by the kernel loader
process to reinitialize the application processes. It
performs essentially the same function as the GAST described
by Moore and Gary [14] in their memory manager design; it
provides a listing of each individual active segment used in
the system (for the run-time, static system design all
segments are considered to be active). The GAST identifies
the auxiliary storage address of every segment used by the
system application processes and associates a logical
number, corresponding to the GAST index, with every segment
101

estal3lished in memory ty the systems programmer.
The GAST, as shown in Figure IV-6, is created,
as was the PDT» at system generation time and reload with
the iernel. The size of the GAST is determined by the
maximum number of application processes in the system and
the maximum number of authorized segments per process
address space.
The GAST is indexed by segment number. The
logical index of eapn segment in the GAST will be entered in
the PDT at system veneration time to allow each segment in
an application process' address space to be identified. This
convention will provide the segment manager process, in the
Icernel loader, with the ability to access each individual
segment in the system for reloadinar durine* process
initialization.
The secondary disc address of a segment will be
contained in the first field of the GAST (riSC$ADrR). This
absolute disc address will be used by the kernel loader
process to reload the segment during application process
reinitialization. A null entry for the dislc address
indicates that the segment (e.g., a data buffer) must be
allocated main storage, but has undefined initial contents.
The Global Address field (GLOBAL$ACDR) of the GAST will be
used to indicate if a segment resides in global memory. If

















in global memory. If the field is null then tiie segment must
be located in local memory.
The CPU Local Active Segment Table Entry
(CPU-LASTS) is used as a connected processor list. The field
is an array structure wnicn is as large as the maximum
number of processors originally allocated for the system.
The entries in this field provide an index into each
processor's Local Active Segment Table (LAST) and will be
used by the segment manager in the Irernel loader process to
manipulate segments during process reinitialization. The
length of segment is contained in the Size Field (SIZE) of
the GAST. This entry is used by the segment manager process
of the kernel loader to allocate the appropriate amount cf
memory for the segment during the reloading of application
process reinitialization.
e. The Local Active Segment Table
The Local Active Segment Table (LAST) is
employed during reinitialization for the purpose of memory
allocation in the same fashion that Moore and Gary [14] used
it in their Memory Management Unit. The LAST (see Figure
IV-7) is a processor-local data base in the form of an array
that records the local memory location of all segments
reloaded on a particular processor module. The index into
the LAST is reflected in the GAST's connected processor list
(CPU LASTE) for each individual segment in the system. The













manager routine to locate segments previously reloaded that
must "be moved to global memory due to their heing shared and
writable.
3. The Kernel Loader Process
Reinitialization of the application processes begins
once all processor modules have entered the kernel Loader
process (see Appendix D) . Recall tnat the kernel nas been
reinitialized so that once it starts execution, the Loader
process, being tne highest priority process ready to run,
will be the first Jcernel process executed. Since the logical
processor number of every CPU was passed, when control was
transferred from the bootstrap program to the kernel, all
modules maintain their logical Identity. This means that one
particular CPU still has the title of Load CPU. It is this
processor unit that will coordinate application process
reinitialization during automatic system recovery.
The Kernel Loader process is required to reload the
application processes sequentially according to their entry
in the Process Definition Table. Reloading of the individual
applications processes one at a time (viz., not
simultaneously) is necessary primarily due to hardware
limitations. In particular, as described in Chapter III, not
all processors will have access to secondary storage thus
requiring the Load CPU to perform system I/O using a primary
memory global buffer that the remaining CPUs can access.
106

a. Tne load CPU
The Load CPU will execute some instructions in
the Icernel Loader process that the other processors will
not. In particular the Load CPU will have the responsihili ty
of sequentially indexing through the Process Definition
Table (PDT) identifying each application process and the
physical module into which it will "be reloaded. The
association of a processor and an application process to "be
reloaded .is accomplished usin^ the Processor Configuration
flapping field (PCfl) of the PDT. Recall that this mapping is
hased on the number of physical CPU's available to the
system at the time of reintialization. The mapping
configuration of the processors includes all combinations of
processors from the maximum available down to the minimum
required to continue correct system execution. The Load CPU
will not do the actual reloading of the application process,
but will signal (via the ITC Advance procedure [22] ) the
processor module associated with the process* in the PDT, to
perform the task. Note that although the automatic recovery
mechanism is based on tne use of identical processor
modules, future expansion of the design might include
special processors (i.e., a Multiply CPU). It would then te
necessary to use the Configuration Table to identify a
specific physical processor and it's associated logical
number.
The particular processor signalled by the load
107

CPU is a function of tne mapping configuration associated
with an applications process in the PCT and the numher of
CPUs available to the system during reintiali zation . Note
that if the processor required to reload the application
process is the Load CPU, the reinitialization of that
particular process is performed hy the Load CPU. After
accomplishing the reloading, the Load CPU will just index to
the next process in the PDT.
Once the Load CPU has determined the CPU
affinity (the processor associated with a process through
the configuration mapping) for a particular process, and
signalled (via ITC Advance) the target modules loader
process, the Load CPU will enter a wait state ^The
reintialization of the application processes uses the ITC
eventcount synchronization procedures of Advance and Await
[23]). The Load CPU will remain in a wait state until the
target processor signals (hy an advance on the Load CPU's
eventcount) it has reloaded, and thus reinitialized, the
assigned application process. This sequence of events is
repeated until all applications processes listed in the PLT
are loaded into the modules they have heen assigned to.
While the Load CPU is indexing tnrough the PDT,
signalling the appropriate CPUs when it is their turn to
reinitialize a particular application process, the remaining
processors will have entered a wait state in their
respective kernel loader processes. This synchronization is
les

similar to that performed in Chapter III, only the more
flexible kernel eventcount primitives are now available to
support processor communication. Once a processor, other
than the Load CPU, has completed the reinitialization
process, it will return to a wait state, remaining in that
state until signalled to reinitialize another application
process or until system restart is executed,
bl Swap-in
The Swap-in procedure is called by the kernel
loader process to reload, from secondary stora,?e, an
application process. Swap-in is designed to reload a
specific segment in the address space of a process and
return the start address of that relocated segment. Moore
and Gary [14] originally developed the Swap-in routine for
their memory management unit and it is a modified version of
their design that is used in the Kernel Loader Process.
The ability to incorporate a portion of the
Memory Management Unit designed by Moore and Gary is the
result of the fact that the Memory Management Unit design
and the Automatic System Recovery mechanism are based on the
same family of distributed operating systems originally
developed by O'Connell and Richardson [15]. The hlerarchal
design of the operating system provides a significant
advantage in that it is relatively hardware independent and
thus compatibility between systems is feasible.
When signalled (by an eventcount advance) to
109

reload an application process, tne target CPU will te
N required to sequentially index tnrough tne address space of
that process in the PDT. Swap-in will be repeatedly called,
by the target processor's Kernel Loader, to reload each
individual segment in the process' address space. Each tirre
Swap-in is called it is passed the logical segment number in
the PAS array of the PET. Recall that the logical segment
number is used to index into the GAST . Swap-in will be
required to use the logical segment number index, in the
GAST, to determine the segments absolute disc address on an
auxiliary storage device (i.e., a hard disc).
Once Swap-in has established a secondary storage
address, it will move the targeted segment into primary
memory. The procedure for determing if local or global
memory should be allocated is defined by Moore and Gary
[14], In particular three conditions can be encountered
during the invocation of Swap-in. The segment can already be
located in global memory, the segment can te located in one
or more local memories or the segment may not have been
previously reloaded during this activation of the automatic
recovery routine.
If the segment has not been previously reloaded
(i.e., the GAST Global Address and the CPU LASTE fields are
null) then the segment is reloaded in local memory as
defined by the process affinity and the appropriate entries
in the GAST's connected processor list (CPU LASTE) and the
110

LAST are made. If the segment nas been previously reloaded
into global memory (as evidence of the GAST reflecting a
global address) then it is not necessary to reload the
segment. Only the GAST and the LAST need to be updated.
Finally if the segment already resides in one or more local
memories, it must be determined if the segment is writable.
This is accomplished using the PDT Read/Write bit map. If
the segment is writable and located in another modules local
memory (as reflected by the GAST's connected processor list?
CPU LASTE) it must be moved to global memory wftere it can be
shared and the global address in the GAST filled in. If the
segment is only readable then is may be allocated local
memory and the LAST updated.
Once the memory space has been allocated for the
segment, as determined by the size field in the GAST,
Swap-in will reload the segment and update the Configuration
Table memory maps; returning the segment location to the
kernel loader process. The loader process will then enter
the segment's location in the Process Parameter Blocic (P?B).
The PPB is a local data structure that is used to record all
the locations of the segments in the process' address space
reloaded by Swap-in.
The sequence of events executed, once Swap-in is
called, will be repeated until the Loader Process has
indexed completely throuf?h the PAS array or until a null
entry is discovered in the PAS indicating ail the process
111

segments have been reloaded. The Loader Process will then
call Create-process, passing the locations of the segments
just loaded, to complete the reintialization process,
c. Create-process
The Kernel Loader process will call tne
procedure Create-process to culminate the reinitialization
of the application processes. The Create-process routine is
an operating system (ternel) routine designed hy Wasson [23]
and implemented "by Rapanziios Cl7j . Essentially it
reinitializes entries in the process' stack segment that
define the process' address space. The process' stack is
then used hy the kernel to establish a particular
application process' run-time environment.
Create-process will be passed the address of the
Process Parameter Block (PPB) each time it is activated by a
particular CPU Loader process. Recall that the PPB is a
local data base used to record tne locations of all segments
in the application process' address space. The Stack Segment
(SS) for each application process will be created using the
PPB and the PDT processor register array (PROC$REG). Once
Create-process has reestablisned a process' address space
and reinitialized the register values on tne application
process' stack it will place the process in a wait state.
All processes are recreated in a wait state by
Create-process waiting for a system start event (i.e., an
Advance on the system start eventcount [17]). Control will
112

then return to the kernel Loader process.
E. RESTART
Once the Load CPU has indexed completely through the PET
the taslr of application process reintialization is complete.
The Load CPU is then required to restart the system so that
normal, fault-free execution can resume. This is
accomplished ty the Load CPU performing an Advance [17] on
the system start eventcount. Recall that all application
processes are recreated ty Create-process suspended in a
wait state waiting for the system start eventcount to "be
advanced. After this event takes place all processors will
resume normal operation by executing the highest priority
application process assigned.
F. APPLICATION PROCESS STRUCTURE
In order to facilitate dynamic relocation during the
automatic system recovery process, some restrictions must te
imposed on the structure of the applications programs. It is
the purpose of this section to outline these restrictions
and additionally provide some insight into their requirement
in order that the applications prograrrmer might better
perform his programming tasks.
Each application process is determined by a segmented
address space that can be defined by unique code, data, and
stack segments (usin^ the compact compiler option [7]).
Since these segments are unique (viz., not shared) a scheme
113

for segment sharing, to facilitate inter-process
communication and synchronization is required.
Shared segments are created, at system generation time,
hy adding additional segments to a process' address space.
These external segments are then reflected in the PUT,
associated with each particular application process,
depending on process communication and synchronization
requirements. The external segments of each process will he
reloaded during process reinitialization and as a result of
the procedure Create-process, their locations will he placed
in the unique stack segment of each individual application
process. The stack of each process is, in effect, a unique
description segment that contains pointers to all segments
in a particular application process' address space. Hardware
segmentation then allows the stack segment of an application
process to he employed as a parameter list of pointers as
descrihed helow.
When system automatic recovery occurs, all application
processes are recreated by the reintiali zation routine ard
thus the external shared segments, as well as the unique
code, local data and stack segments, are updated to reflect
any changes in segment location. This results in a newly
created stack segment that will reflect the reinitialized
address space of an application process.
114

1. The Entry Point
The restriction placed on the structure of an
application process is directed at the entry point or start
address of the intial procedure. When the kernel activiates
a particular application process it will use the staclc
segment of the process to set the code and data se^nent
registers of the 8086 CPU. Since there are not enoUf?h
physical registers to allov all external segments in a
process to be set, a scheme must be devised so that the
process can reference all it's external segments.
The convention to do this exploits the entry point
to the application process. This will take the form of a
procedure in which the external segment locations will be
passed as pointers. Requiring the application process start
address to be a procedure entrance will permit the process
to use the preset external system pointers on the process'
stack to define the formal procedure parameters of the
application program. Note that the stack pointer (SP) is set
(as defined at system generation time) to indicate the first
external segment pointer on the stack.
The applications programmer need only be concerned
with parameter ordering in the applications process. The
burden of parameter organization, in terms of stack
structure, rests with the system programmer at system
generation time. Specifically tne systems programmer is
required to make the appropriate entries in the Process
115

.j Definition Table (PDT) to provide tne logical ordering of
the external pointers in the formal parameter list of the
application procedure.
2. External Variables
The external segment pointers, contained in the
formal parameter list of tne application procedures are
declared as FL/M-e6 pointer variables. The applications
programmer is then required to use these pointer variables
to reference PL/M-86 based variables [5] . This action will
result in the process' external segment base aadresses being
used as pointers for addressing the external shared data
structures employed in the application process for




A. SUMMART OF RESULTS
Tiiis tiiesls Has focused on a tecnnique for automatic
system recovery designed to provide the fault-tolerant
operation of a real-time, distributed multiple microcomputer
system. The initialization mechanism developed by Ross [2e]
was implemented and tested as the first phase of the thesis
effort and proved to be a solid base from which
reinitialization could be accomplished. To support the
reinitialization routine, which employed complete reloading
of the system processes, a method of dynamic relocation
exploiting the Intel hardware was developed. This lead to
the ability of the system to dynamically reconfigure after
tne elimination of a faulty system module.
The fundamental concepts developed as the result of the
research efforts of this thesis provide the basis for
fault-tolerance in a system where temporary data loss is a
tolerable condition. The ability to completely reinitialize
the system while eliminating faulty components is a
desirable attribute in many real-time systems. The automatic
system recovery design presented in this thesis is the basis





This thesis addressed only one aspect of
fault-tolerance; that of fault recovery. As the introduction
revealed, the elements of fault-detection and
fault-diagnosis are usually included in a fault-tolerant
corrputer design. Research concerning fault detection and
fault diasrnosis will provide a challenging area for
follow-on work. Specifically the error routine discussed in
Chapter IV must be developed to support the automatic system
recovery me-chanism. Only with fault detection and diagnosis
routines incorporated will the automatic recovery routine
provide complete fault tolerance for the multiple
microcomputer system.
Dynamic reconfiguration in the automatic system recovery
design revolves around the processor/memory module (the iSEC
86/12A). Further research might specifically investigate tne
separate reinitialization of only faulty memory. The logical
extension of the recovery mechanism lends itself to the
possibility of saving the fault-free portions of memory in
the form of the PDT and GAST. These data bases would then
allow the error routine to eliminate specific sections of
faulty memory and record the memory removed. This, in turn,
would allow a reduced reloading requirement and thus a more
expeditious execution of the automatic system recovery
routine.
The automatic recovery design presented by this thesis
118

provides a basis for fault recovery. Furtner development of
the design could proceed in numerous directions with the
concepts of dynamic relocation and reconfiguration
facilitating a variety of specialized designs. For eiarrple,
an expansion of the automatic recovery mechanism might
include checfc-pointing, where data processed prior to a
system failure could le saved; thus reducing the
reintialization requirements. The automatic recovery
mechanism might also te used in conjunction with otner
recovery techniques. In particular reinitialization might le
used in a system that employs redundancy. A specific group
(i.e., cluster) of faulty microcomputers could la
reinitialized to eliminate tne faulty module while a
parallel cluster is substituted to perform the identical
compulations.
The automatic system recovery mechanism was developed to
integrate with a distributed hierarchical operating system.
The original distributed operating system kernel
implementation developed by Wasson [23] was not specifically
designed to incorporate fault-tolerance. Although this
thesis attempted to provide the interface to the operating
system the continued development of the kernel will
necessitate additional follow-on work to ensure a compatihle




APPENDIX A. SYSTEM INITIALIZATION IMPLEMENTATION
A. OBJECTIVES
This appendix is provided to furtner acquaint tne reader
with the system initialization mechanism presented in this
thesis. To demonstrate the initialization capability-
provided by the program listings in Appendix S and C, a test
program was developed to simultate an operating system
kernel. (The test program was required as the previous
kernel implementation was not specifically designed to
interface with the recovery mechanism). The simulated kernel
was then loaded by multiple iSEC e6/12A single board
computers in the same fashion as described in Chapter III,
using the same hardware support outlined in Chapter II.
B. THE SIMULATED KERNEL
The simulated kernel program in Figure A-1 was loaded by
all iSBC 86/12AS and was used to demonstrate the ability of
the initialization mechanism to transfer control to the
kernel and then commence system execution. The demonstration
called for each ISBC 86/12A to have a CRT connected to it's
serial I/O port. Once all simulated kernels were loaded and
execution transferred to each particular iSBC S6/12A kernel,
the simulated kernel caused the logical CPU number and the
unique physical CPU ID of each processor module (iSBC
120

86/12A) to be displayed on their respective CRTs.
C. DEMONSTRATION ENVIRONMENT
The demonstration environment for loading the simulated
kernel included all the hardware support descri"bed in
Chapter II, tut due to limited resources only a maximum of
three iSBC 86/12A5 were used instead of the eisht planned
for. This required two hootload programs similar to the
listing in Figure B-2 (only the unique physical IDs will
differ) and a hootload program (used for the MDS-connected
iSBC 86/12A and thus the bootload CPU) identical to the
listing in Figure B-1
.
D. SYSTEM ACTIVATION
For demonstration the bootload programs were placed in
RAM, as described in Chapter III. To initially load all
three iSBC 86/12A boards with their respective bootload
programs the iSBC 957A-iSBC Se/12A interface and execution
package was employed. In particular the monitor command LOAD
was executed to load an individual bootstrap program into
the MDS-connected iSBC 86/12A'5 local memory. Once this was
accomplished the monitor MOVE command was used to move the
bootstrap program to the appropriate iSBC 86/12A. (Note that
since the local memory of one iSBC S6/12A cannot be
addressed by another iSBC 86/12A the equivalent global
address of a particular iSBC 86/12A local memory was used to
move the code. Also the MOVE command aoes not alter any code
121

to reflect a new location; It only provides an explicit
transfer of code). Additionally tne monitor MOVE command was
employed to move the four bytes of the "bootload interrupt
vector to the designated iSBC e6/12A, a^ain using the glohal
address.
The process of loading an individual tootload program
and it's interrupt vector into local memory of the
MDS-connected iSBC 86/12A and then moving that code to the
identical spot in the targeted iS£C 86/12A (using its global
memory for that location) was repeated for botn iSBC
86/12A's not connected to tne MDS. Finally the bootload
program for the MDS-connected iSBC 86/12A was loaded and the
initialization mechanism was activated, using the simulated
bootload switch: the INTR button on tne iCS-S0 chassis. Note
that it was necesary to start tne MDS-connected iSBC 86/12A
executing a loop, as the MDS interfered with the
non-masfcable interrupt, but that all other iSBC 86/12A5























































It — EH |i^
II -^ E-t « M
Si ft »-• cj o
CO i-i M pq pq
t> OP-.Z33 •« EH 0^»-»O pu, cj « E-t ft 00—-
t-3 tx:: o h4 e-i CO n
cvi <oft ..^ co'^si
CJ !-• CeJ CO SJ P5 to
1-t CO cc rt (jq cv ft ••»Ci5>-WW II PQ r-<2 —
owe-«E-t z; sj< —
•-• » Kaft«>^ ««; s> X <
W •-• H^ -< CJ « w <x;->-'Z
CD l-»t-lt-<CO— <«s to w
ft ZZt-iE-tpc E-i WviPqO f-ti—iz!=3<«J'—»••« O E-t^-'—oz: t-i(x,3:K« PL, >Mi-4^
OS f^ ^ e-(Cj •*.<;««; e-(.«ppi-ii-i
to M E-t E-t (jq Cs^-'Wftau SS'^ oo
• t-^ >-•>-'£-• OM6-((5gcj OPQ — y^CO
MP»4 PQW3PCiE-ill &q M (*) —'^—-^Z •« — —. pc;ft3 WrtE-it-ipcJqc;
K XO •" 5(-*— :=W«Ph—- o:=!>-<)-t<t;<M WO Prl ^^"w-M- ftO<2td ftftPQOMW
Isel ac E- OCJ—' p£)OKi-»C0»* WW COCJO
>* cocociJ OCCCJ —' f^i Cri cjCJaq^Ww.-.
ft»» pp zsico oeu Mcsi<: oo E-^E-tx
Wft 1-1CV2Z rt WkJ-^^Ii: ec;cr:caMS3:35qZO t-i t>eJi«iUi p^.. Wi-iE-^U PhOhP^WOOK
p=;z: pd-^Jwcs-i'v << w
-:}. WW W www CO<ft3:P-ie-' co«»t-:ift^-4ft£-i
» «X! « pcjp::;« i-iKO E-«C3 i-^x;oOft»-lO
jt pq < <<< ffiCJWoOO u:www«*j<o
Jt ZX ft ftftft E-iWftQO EHpCftftOOS-t-4V)-CjOOO &H ft W (I^
5i. oftWWWW»-D Z«-E-t 2
.;{. w&a«ft(::»ft\0 W\C3 w
a- pq 2 o
fHCvJCvjcvicv iHcviCvjo^icvjcvi








































































































£3 CO OO E-t z
6-« Eh <«;


























































-< < <M ^ !-:«000WWW
PS p^ pc;
< ^ «4
33 SG ••' 33O CJ -"iH OWW r-t W
E-« E-« E-»O » O CDO O £-• O
1-4 1-4 ca h-)





















tH C\J CVi CV2




















o oO ^ »-^ z
1-4 C5 w H V^W CO CD »
C3 S f^ »
Pk cvi o \U ••> *- tad i/v A
W''~^'^~» ^^ V3 OO Oe; HH « >- >•> 31O CJ »-^ •• ^ n M w
1-4^-"^ c>- a PU O M
>-^« rt »-» o >_^ < M
< •< ^ w X (^ S
« K m O 6^ » z w
o mo o e-t r> DC .* I—
(
h4
o www O we^ w ^
z: £-•£-• e-< Si £-••-• z ZK CDS O 1-4 CD XJ « «
» O O O H 1-^ o w w wK < M Sd
^^ i^t-4 1-4 t-i o ••.!-» t-4H •-4h4 h4 Q h:1»-» oZ •<'«1 «*JO Z •<<*« z »














3: •*t<incoc^cooi'S>«H CV2 CO\ to to tn to en tfi -^ rt* '"J* ^
•-^
(x,
tf^ CO T-f CO
to tH a) r-»
CM
(23 K ac PC
« Sl CO CMM «-• CO .H
CS) S S) !5)
(S Qki S <S)
z
II li II 11
H Eiq (U -^ £-•
C<J M tvJ CO •<
t—» 1—1 »—t *—
'
H^
to to 00 « 1—
I
•• M O PU.
z tSl «J < U3 « « z:
o t-4 M w cj < pc:
»—
«
CO « « < W M
6h •< < 6h«
< -1 en 5: CO
z: w e-" w CO *s 00
« « z 1^ 2: w « 1
o < <<mEDz c3 z:
P«* 6-1 < z: t-t \
z M CO »-• HH »-5 pii ^-4
t-4 Z « < Ph
•< *J «H
(I4

















































A4 z: t-^ >«
2: \C3ZM 0>-tU (^
z:«
to -I w
CO •-• £-• M
1 1 i-»
z: CO PO PL)\ t-H H, z:
•^ CO m
p^ KH
» » « «• a- a- a-
» » }(• a- a-
» > it a- a-
» a- it it a-
» 5{- it it a-
» » it vt a-
» ^ it a- a-
» ^ it » »
a x- it >c Jt
































e^ » it a- a-





















H^ «• it a- a- » • » ««<& Ji- it a- t—
•
a- »-^ H-4 pq EHe a- » a- 6-t a- < •< e-tO
w » * {"-• S« a- «3 a- z z >* 6HM z: » « 1-4 t-5 a- P5 a- P5 « PP -ov
t—
I
» * » i-a i-J a- •< ik M U^ M ;=)
Pm ED » * P=i < -*; a- 1-4 it EH 6-t « W Ph
Ph » it W PU p:S a- it X X 3 cj C->
» it &-• W W a- t*4 a- pq W EH «q
» CO «• z £-• e-« a- a- v>- ••






a- a- P^ pq r> CD «
•«1 s- * » « i-A H^ a «! a- &H 6-t p:; p^pq
* t—
«
* W P^ K a- e-t a- s« >-t E- E-t
K t-^ it- fe-t * 6H a- ««j a- pp P^ CO Z
CO 6-» .;j. « » >-' CEl :* a- n a ••1—
•
•
!C- •< it pq C3 * a- \^ •— pq
e- K- i>^ «• < P^ « P* a- k4 a- z: 00 E-t PL,
« iS- CJ * -vA-pli t-t C_) a^ <! a- CD >—{>-
*•>
a- w a- »—
t
P4 Eh V>W » PQ a- H-J z pq PP t-q
m M » «=) » W-p:^ CAj C3 a- a- WiO- t-q t-i





» •«< * P4 to pq u * C5 a- pq Pu, «x3 t-t z:
1-5 » E-t * e-t t/vw K^ a- a- 6-1 6-1 tA-W
< •• » ««5 «• wp:» £-• CO e-* a t-4 •a- ww tA-ca CD
t—i « **• « -ov < P-. a- «< a- =3 C5 CD CL, (JL^
6-«0 a- * Eh E-< W a- Z a- P< p^
t—
•
z: » »-^ ^ t-^ CO CO PLt « a- p:! » CJ M 0>-'
>^ Z w a "C «• a- W it
» t— CD * a- pq a- 6-t » M P4
JS- Pk « « a- ><; a- Pi «
» z » i-a a- < a- w a- •«J •<
* t-4 »-4 it a- k5 a- a- M t-q
i^ m » a- CJ » a-
a- w V>- »• a- M a- it P^ P^
















* »• « a a- a- a a- a it a- a a a-
)( * a- a- a a-
* » • «» » tt a a-
» a- H^ a a- a- a-
» » << a- a- a m a-
Ji- * z a a- a- w 1 z »
K- » rt a- « a> O E-i < a-
«• » M a- a- a- o o o *
Hr » e^ •a a' a- M o a-
» » X a' a- a- pq C3 a-
» it w » Jt a- z (^ a-
* » a- * a> »-t w o a
» » •"^ a » a Pi s a-
» a- VJ a- a- a CO £h « a-
» » o a- «• a < a-
» a- 6-t » a- » «) Ph H^ • it
» » «< a a- -a o := T. a-
tt » E-t a- a- a z o «ja-
» en * Ui a a- a- •—• CO »-H «a-
» » » •> ••« a> a- a- CO E-i o a
» « » >-. pcj a- a- a -i^ « o a
« C3 » « W a> «• a E-. « < w a-
3i- O * e-H £-• » a- a l-H O (X, 01 «.
* W a- z z » a- a- «*; « a- • ««
* O a- W t-i a a- a- 3s -xj CO Pia- » »\
» o a •o » a- a HH < a % X 5a
M- 0=: a- a 04 * a- •a- c w w 0=: jt tH IS) CSi
«- P^ a- CJ a a- a- E-* K &H Eh a SJ Sl^
» » £-«'- a- a- a- Sr* CO a \ \
* z: a- »-• CO » » a- CO e- £h a- •«« >*
* M a * t3 » a- a ». CO ««: o a <—
V
>'>- >^
» 6-t a- CO £-• » a- a- o « K o a- » H^ t-^ !-:»
«• en a- -«q .« a- a- •a- Pi Z E- pq a »—
1
f-1 1-^ <
a- t« a- CO e-"
«
a a- a- o w a w «C < P5
« CO a- -«{ CO « a- a- a CO o M a- C3 » •• « p:: W
» a- f-t •o » a- a « z 3= a- P. w ;*) « W £h
* o * pq >-• 3! a a- a' «t: OHH EH a CJ E-< e-.g_e-.i-i
«• \ » -p=; • *> a- » a O Pi Eh a w >i >H i-H t-t i-:j
» •-• a M e-.--- t^ a a- a H^ cj} «xj w a- Eh pq « H^ i-i
» a- 5: z w < •a a- a EH O E-t* 1—
t
» <«j a- «U W cj 2 •a a- a- o o -• » a- < n C3
» tN a- z -e^ « a a- a- o -< « o a- 3: »—
t
<
* iD * W M »-H M a- to a- a pq o z w a ^w <n- K^ >H
«• a> a- 1-^ 2: > Eh a- H a- a- 1 »-^t-i X a- &q C3 (*i o
» a- »-t «5 CO X a- m a- a Z Eh w a P^ P4 w «;
» O a- Pm Z - w •a C3 a- a- o o 5: a j^ CJJ p. w
a- « a- ^-'W CO a o a- a- z o <J cia a P» w pci >- «
» V5 a- W »^ -«J M a- M a- a- iX) ce; z a W ^ £-. O vv t-4
* -• a- « H-t H-t « a c:) a a w o < a o t—
I
CO «J Eh H^
* a- :=> f^ pq t=5 a o a- a ac cqo >t o < Eh W O n
» h4 a- O^—' O y. « » a Eh £h rc « w a p:; :» pq CC Z Z
» << a- M W w Pi a- a 1—
«
ehp^ o a Pi
» 2 a- O &q psj o A* a- a- < to z » w
« « a- O « P=! • •Ik o • •k a- 1-4 a a- :» M hhP^ »-H a • « pi
3f> H a- « < «J Q cc; £-• :'<• < a- -a -yv CO i-H ^ e-t » Eh «!
Jt 6-" it P^ t-^ H^ < (Xi •—
(
a o a- a O 1 =3 £h (K z a 1— M
» X * O CJ) O X a o a- a- Pk 1 «x} z Eh o a- < O
» M a- •• w &a 1-^ • • P4 a- i-^ a- a- o CJ C3 t/J o a^ :» w
>t a- P»o« e-. •a a- it a w o
&^ 55- » -«; Pi t—t o a a it •a CDO » a- o Z X z. a- a- it a Pi
w s- a ») w w w a- a- it a O
•-> »• » a a- a a-








rH CM CV C\i .-i CV
m CD JN 00 as*






^ ">vw ^'^ ^ \ "^ "V
6H ^ «• » »• !C- :{ »•«•;{• it *
n * iX it
h^ < » w z it
t-4 » it w it9 P4 » Pi PC 1 »
z » Pi (ii^ EH p; it
£-• «• 5: z »-• W it
z: « » t-H '^ac »
to Jt >~> • 5i Eh it
03 \ * « O it
P>4 » Z Z » CO M Pi II itM Eiq » UM CO it
6-* CD PC W «• CO to >H Eh itM P^ Eh E-> » W CO -:; Hi it
CO C3 » < HH JJ it
^-t t»<! * CJ K <0 it
z c t-^ ><• -< £h EH itworn » to »-H it
&q z * t-H Z P3 CO it
m t-^ »^ \ » CO w Pi it
6H /\ .-1 3- ^ CO PC pti t-^ 2: it
CO V ««J » < 6h >^C3 it
• m. < 2: M * w "-^ it
•"-^ PC « 1-^ p: it CJ> to l-H E3 it
t-» t-H Z tD » •-H P^ «• • •k
» X >* <; HH * C\2 M Z * CM •»W m 5: H * tH W < < * ^ «—
»
PP W Crt )( \ »-J 0^ « r^
CO C3 t-H * CO m t-H Q s; » B^ •>
—
.»-^ M c/a P4 "V, PC * 00 ^ CO -«J -< it Pi M
^v >M W >-H M C/2 « Pi a- £h >- « • it &
» « l-J «; pi 'to «• Z W ffi M C5 W K- PS
< pq 51 0-^ W Ui EH -»• C3 Pi e- Eh * Pm ^AZ WE-" G p:; • «k \ t—
•
«• Pi p: -*; «• w w
H-* « W D < t-H >H » < * Z P^ Pi Eh * Eh M
Ph —> r> P^ WM 1-^ 3B * Z pq to it Z pq
CO ?-i /\ Ph z; C3 < < W W » Eh &q -«;* Oi it l-H Eh
« v << Oi z w H^J => * Eh 35 < Eh it -uv
0-«1 <Sj Pm p; p« t-H « t—
»
Pi «• CD Eh h4 M PS t-H it M
Eh pa O*-' hH w ««; Ph >•« PC a- pq < !x: Eh < \0^ OS Pi
p=: -< E-« p:; CO II <S» 3« * • en CO :» M- CD C3
t*j vv >-^ W w p::o e-1 * N W i-H Eh it « e^
CJ £-t fx4 en W P4 -^ cr> Eh ci II z if PS ce CD to < it M 'N^00 w« to ^^ Eh l—t < (=) M * Eh C3 W «• EHM Z Ph Pi w X H-l ^>e] » z K^ 5: P:^ to it •^ W
«o -«3 1-^ M |J^ CJ «• » «• PS *-t w PS it Pi w toH 11 Eh M E-i p:: pq m w '^ \ ••> «• Eh s **J CJ W pt) it Pi tH «Q esi c/^ Eh < Q Pi hJ Eh «• Z W PC Eh it >iO t-to 6-" W t>d CO 6H pti Z PC t/^- H-t «• l-H 0S W pq Eh Z » • • pq
z: ^q < pq ^^ Eh VV t-H < Eh h-3 < iC t/V Z Pi M it PS ^& -«:i-4 t-H WOO CO pq :» «• t-H l-H tD to it Eh t-H
PU »-lfi4 W W a: Pi » EH Eh w «• -tj E-. io :» Ph a P>i it Z W
o e-<w M 3t — pq u \ pq -co- • •> • •k :=> » <5 i-H «; l-H it t-H w H^
»<:) •-• fnf l-t ts z Pi * h4 >. PC PS it w PS l-H
n Z « PC 2 » f*i Pi z p:; it Eh t-H Eh Ph to »-< |j^ it < PC
e-« -H 6-t :» « w ^«v HH M C3 « Eh i-H CO it -^ t-^ S —
-• to EH * PC Eh t-H it P)





















c\i cvj to Til to CO to to w w r-l CM CM CO
CO <*< m CO c- 00 CT> <SJ tH w to ^ in CO
"V. i-t »H fH .H 1-» .H tH C>J 00 CV2 CM CM CM CM
1-4























































» -4 i_ O
«< \ :» w £-.
6-tE-» pi }{.
z o o —
^
P3 E-t Pm rH n
CJO PS + CJ
CD O .•« 2; O
Ps • ^ z: z: 3 -«5 z
ej'-^H-c:»z o >-'W
1^'— » ZZi/V !-» z *c
«
-tizrooiow s 6-tfxi Mt-4
cjo«tjoi-«D:r3p^ ox w '—t-tZOW (i, fw CJ O £-• 00 <Si
cowi-^CJ^cjejw f=P z»~s
>-C3E-t«jfx,-ir)- zs "- :si w<St-<
33 Pl^ O O CJ CiJ W O <SJ W Z! rH ^-'
pLiOOt-^ 03GM pa II -•M M
«/vpq6H^4^-^E-t II Eh B-i t^ O TLMci50< II o me-"(-i
ooeHOcjiiEH wcot-i M**: e-*
o-t-^zPP»-« zz:cj»-t-</v £-t6H,H
H-t^-' Piq>-^ ci (=> W S O ED < w I-;ZWZIMOhhZZhJ&P^ Ml:3ll(-»
C3i-:i5t5t-»»-4-vn-pe3-(/v-uvPHCj ospu •<
PPCdPCJ -DOSCDh^CJW OCJt-tCJ.-h^^-^
E-t^O^EHPnCJfXifH 0«« f5 l-l
WEHzeHwcjzoe-'ta^oox- o z»«;
cowh-twiowt—(wwi—tH^Q^»v O pq^N.cj««»
» C3 ca c5 CD o
a.a4a.pH*05t0PHjj-pM z




















































































-< O PS W O
Eh O ft Ph K W
CO t-4 < Eh II CO
—'CC X ft
Eh Eh EhO O rt W
HH »-H CO PP Eh ft
< ««J Eh KH < »
:» 1^ O »-t ft W '^
•*A O < Z ft
PS CD PP 2: CD PS
&q p^ H-j £_
Eh CJ 6h D COZ W P^ O EhW ft CO CJ £h ^ .^
• -> ft W ftO « «a; H- EH Z













CVi CV CV2 CVi CVJ C\J C\i to '^ ^t^ to to
^- CD a ca t-i cv to

















t^ "v. z\« »
» 6-"w w PM
-*» «
MOi o
l-aSo MM - CJ z\
nw o»
h^ « H-»
t^m PU &-• •
-<•< :d uj
me^ E-. 00
-uv PU w z:
•-40 =3 X
fii m w w
u PS s
2: c^ » 34 Eh






ps n Pn »
(^ 2 z w
i«) H-l frH
« w \
fXi C5 » CO M »\ w z
A4I-4 &-• z
'<'-' ««1 OQ (=1
« « M cj 2: C^ SJ Oi (M
£-•« m w i:^ X'j
CO ^ CJ E3 '«*<
e<v>. • «b PU Ph
d, « 1 ej CJ
« &-• M
o o^ Eh z ZO pq
o CO HH >< -< w mm 3: 33
2: oe-i VV- « E-" c^-s 35 '^l^9 £-«pq dJt^ ••k •—
1
a> s sj CO
p^ VK < e-" r-» z *H ta is 3
u PuiE^ rtO iS l-H IS S SI
1-9 :cco H^ (140 z
m E5 6-« pq w » II II II It
El •-> »-^ z h4 \ H-l
i-i m) t-i M l-H M » u *— Eh
z » << m •*J ac DQ CO Cs3 N CO «<
»-» \o 2: ei » •" H-t 1—t »-• ^—
'
i-^
6h CO to CO PC HHU z » oz • • w « PU
P4 H \ OH • •^ z CO <«]•«) ^ «) pii 2:
»-» i-i « W CJ w (X
« H z »-• CO Pc; oci «< « p^ CJM -uv H 6-1 •< -*! 6H
t^ << «1 CO CO z: CO
t-« 2: m E-< H M < CD
»« « A Z H-4 2: Z (xi 1
x: -< ^ « rsHH z:
Pm E-i < 2: H^ \
z W CO »-H H-l « K^
CVi CNi .HCVJ rH »-4 fi Z pes X C^ P^ P^
<o 00 -*? *t CO
00 H > 2: «H !S) P«4
1 k)y to -«*« lO CO c^\ •«<< •* ^^ '^ »
f^ z
P4 z: H






















o »-l Z Pe<
2: E-4 1-H ••
ft ^^ ••
C3 -? tH CO
p^ H-t Pm 00


























































































































































































































































K ::>d P-,3 CJ O
































































































































b^ 1 z a-






CO Eh « a-
<«j a-
<x3 pm )-) • a-3 2: a-
z cj < a-
•-H CO H-4 PCS a-
CO Eh ca ft.
»« pd a-
En K -< Pd it
i-i p^ a, ».
» w it z z it it it ««? ft a- • •^
it it » 1-4 » it a- SB < to Pi a- » «\
» it •0 a> » it •-• <c a- S X S
» « it PC Ph a- it it w ac « a- .H <S S)
(
* PL> it » it it £H 34 E- Eh j(. SJ Cii ^
«• it £-•-— it 5 it £h CO «. N
X
it 2: it »-• CO it it it CO £-. Eh «• • «h >-
3- w it SK ^3 a- » it '^ c«:j -03 X- *—
»
>-« ?« l-»
» E-t it CO £-• a- a- a- D ft OS * ft ft M ft
K* CO it • ««J .• » it a- Pi Z E- » a- t—
t
ft ft <
X- >- it CO 6^ ft it it a- u w * »r>- •< -q PS
» CO it < CO « a- it a- CO w a- E3 » • p:; « M
it it -• •o » it a- ft z 33 a- Pi W Pq W W £h
it » ocj {>-> :» a- it a- < rs HH Eh «• C_) Eh Eh £h Eh i-H
» \ * »« • «k a- it a- Pi Eh a- w >H >H t-H t-H hA
» 1—
•
» Kj e-.*^ h-) it it it ha < w a- 6-t pq pn hA hA
* ;j. 2: zac < it it it « e-- a- 1—
•
» < it < w z it it it ft •-• :d it -< ft c5
» C>- it z -e-t pci a- it it ««i ft cj a- :* f-H <
-:} iD 'A- w w - 2^ a- CO it a- pq z w a- «
—
^A-M >H
s Oi it t^ 2: :» £-• a> M it a- 1 t-^ HH X «. w D Ph ft
it it t-» < CO X a- w it a- z E- w a- pc; Pi <yv <
» a- Ph z • W a- C3 it a- 002: a- D p^ M
it pq •~' ^--M CO it ft A- a- Z "*S ft Jt wp; pH p:;
it to it M M -si M it w » a- pq Pd z a- M Eh Eh -OV t-A
a it -• it « t-i »-t « a- )»• * w < a- t-H CO < EH hA
o it
S"
515 Cm pq n » 3- a- m >^ a- < Eh M 3
z: it M it ft>—
^
ft a- K a- a- El 1 E-. K « w a- PC SB PP ^z. Z.
r-t it < it M M a Pi :<• «• 1—
•
1 £-• ^ E2 a- f:^
s> it z it &q M a- a- a- < 1 CO z a- M
d* » « it PC! « • •^ »m. a- M it a- :z 1 w ka Pi hH a- • • Pd
CJ » M » pq ^ < pl pcj 6-* a- •< a- a- w 1 CO l-l «? £h iJ. Eh -*;
e-< » £-• it Ph H^ 1^ >< Oh 1—
t
it A- a- t=> 1 C3 Eh « z a- •— h5
t-H » X it 000 X it a- a- Pa < z &-« a- •««;
z » w it .. M eq hA • • » it t-* a- a- C3 CO Oit > PIQ
•—1 {f it ft ft ft 6- it a- a- 1 a- ^r- ft
6-^ » a- •< ft t—
t
ft it it a- 1 »
* it z X Z a- it a- * (^
&q it » t-4 w w w a- it a- 1 a-
•-» « * a- it » 1 it
« W « » a- fr a^ it «• a- { b it it it it it
•-•







t-( CVJ CM CVi .H CV «H CM
m CD £>- CD en <si iH 00\ tH i-H r-i
>-4
C14


















































































< C3 PPO Z
1-4 ^




























































CV CV CO -^
to "i* lO CO
to to to CO CVJ cu
Uj O^ S l-H OJ
























































































































































































































































































•-• II 6-t £-•2 O
« o s e-«
l-H H-l O WW C_> C3
OC3 P4













< 2: « P4 (=» w ^
oo««soi-»:r):=3P^






























W O O •*< II Q
C30E-tooiie-4 t>dcot-i
Ot-^zpcjl-t 2S:cJi-hW
^wW v_^0« M O O CD2W5:!jqoi-t z:zh.;cdp<
i^i ea (Tk C3«t=>t-^cjw
eH««50-«JE-«P^0P^PQ o»«»WeH2&-.WOZ06-«PMOO
















































































































P*l O * <
CO
P:J 3
00 O Ci P4
CO «? O oM O K W-
p:S t-3 Pi OQ £-• O
(=) O Ph »-)
&q .* «q o <>-'
><-^ ?q PU MW « 2: 6-t H-i
t—t <«; W CO PP
?-< w- p:! Hi £h -«j
pq !=5 CJ e-t O E-t
P-. O O W
w o pij ^ pq CD \
£h W-PL< O P< *
-co ffii w o
Eh O P< f*< X W
CO »-^ < e-t II CO
6-t 6-t El O O cc; W
H-» t-t CO pq 6-1 Q
««5 < 6-t 1-^ «*} «•
:» 3t o I—t P^ <A- ^^
•t/v O < 2: Ph
« C3 « 2: D P:^W Ph t-s 6-1
6-1 o e-t s COZ W pL. O Eh
CO O 6-t Pq '^W O
»• E-i 2\ CO W
CV2 to N CVi CVi CVi CV2 CVi M tn rn -^ to to w «
C- CD Oi <s «-• rvi CO '^ in
C\2 W l^J CO to CO CO CO CO
CO C^ CD






























































































o o « o
»H ca OT c\j
CO iT)
z » o z
a w as m
Ph «SJ Oi TiH
^ IS S CO
tH SI "SJ CS»O Qd S) <S)
il li II II
P4 ps) P4N Csl CvJ
z
cvi csi r-tW «-l








I—• I—I t—t >—
'
to CO CO PCH O O
Csl ^ < t*} < Pi
i-< M « CJ W «
t/3 « pc; <« M
-«S < 6h
< CO to Z
pq E-«w p<q «:
« Z I-:? Z z fti<
-< m D »-« o
61 *j z: j-^oW to »-1 t-l «O Z « JKJ r1 P4O O << <'^

























































































































































vv CjJ ••» «5 sfi
O iw (=1 0=! ^
e-i (a « w
< C»i O E-t >-•
E-t tH 3b t-i M
CO '-^ 1-4 1-^
• (XJ'-v <
Z M X pq «
E-t Ph W Z W
Ph PM O O El
< t3 Z ft t-tw pq t-i w »-^
1-4W "PiW h4 Ph cr!
z w t-t e-t X
m z »co E-tW PS CO "(Tt-x


































































































p:: Ph <^& < "<
pq
CJ pq WO PS rt •«
p; < •< z
Ph h4 H^ PiqO O Ph




















































































































































































































































































































































































































































































































































































r^CViC^JI^i THCViWCVJ r-l c\j



























































































































































































h4 PP DW Pi
It OWO « EHO CJ WW < CO
H-1 W









HH MW «x$ ? ZW 3: O l-H
tO"-" Z PiW « COO ^4 CJ
6-, pq -< E-,
< •-•









































C>J CM CVJ to r^ to CO CO CO CM
-*
w
m CO C^ 00
CM CM CM CM CM
S> n-» CM CO
CO CO CO CO
138

» it ii it it it X- it it if it it it ^
it it it it
it it it CO it
» it it 1 C3 it
» it it 6h it
» it it «*{ it
» M it it \ Eh it




» « it it )-^ piQ it
» 1:14 it it «; •it
» CO it it -• -*5 it
» it it pq CO it k
» w it K- W CO it ««> ••> <—«.
» KO it !t CO W it ^—«. >—» ,—*
» 6- « it it 2: it N ^ 03
» H it it f^ it Ph CC Pm
» it it P3pci it W Ph <S)
» e-' it ^ it e-o it « Csi ^
» £-• it it it w it CJ •"O
,
it
» CO z it * « it pq O^-^z .L
» OS H-l it « it Eh &a it < z^---*:-—
M
» w « it • «« « it it 05 «x5 EC -—PS
» E-« PL, it it CO EH it 00 Pm'-- 33 C?
» it z « it PS z •it j>- — S) ^ f»i
» < it M H it W-i it CO ^ -Ci M
» « ^ it CJ) it « « X- 10 ••«^
» ««! » • •« !t i: p^ it 'vt< --^Z M P4
» W « it IS « it CD it CO W ««;CD Z PS
» w it Pl< X- zo it C\2 ^:» < P^
» CO it II it Eh it ^^ ^Jj^-.«i5
» CO t3 it p; it C/^ » Si «x;pq > ,—
» e-« a- -—
^
<< it £h« it V >3—'iiQ PS
» • it K w it CD W it -"^ 'wi-^ 33
» P^ ^i St rH it Px CO it :» < 1-3 :»
» Eh fH it ca •l/V it Eh it -*; P> -< <i! vn-
» o\ it Eh it CD it Eh 1-3^-' 33 > Eh
» U3 it S3 it • it • m* -< ^-'CC>-'^-'^3
» 00 it • » z 3- CV2 it "^ pt; CD PS »
» 33 it ««»— «< !t 33 »H it M 33 t-H tu
» • it pci n » CJ '^ it CD W CO 3: ^3 MO
» •-» Pt» B-> it -u <— •" 2 it »-H U3 it t^ Eh ^ ^-^ »—» >..^ ;2
» X CO « it w W «M it 1 P3 OU it -«3 .-.>-t •—• »-H t—1 1—» M
» 3B -• CJ it • m^ •*4< it :» it t» QPQ l-H t-H l-H >—•
» it o-' » « PC it It it •—
-
P4 CJO CD it
» piQ H I^ it H E-t (S Cj\ it i H m it w 0—
>
CO CO CO CO ^
» Z X tu it p:i >- «—< it Z CO it OS :» re < < < <
» h-4 6-. e- it & m Eh II it l-H HH it CD ^-' «_^>w^—"^-^
» e-i it & » 1 Eh « w •-• pa (n, (xi PC,
o > Pm Z it w « PL, »>—
.
it 1 C3 W it W CD HH •«;<•«! -a5
o » 000 » -< z s it ffi it )-H 33 33 33 tC
2: » « vt X »-H CD .* it »:{ 6h it •< CO CDC3 •-
PL4 it (Ki 1 6-« CO » « >_^ « it » >* K>'< -«/VW -»A-W ft
< it < S-. « W it 0^ M :i- "< it cc! ?H ^ • it Ph 6hEh Eh £h pc:
« » tG eho it M -» w 33 it 1 £hO CO it iq W CD CD CD CD
El » »-H (X, -J it •• « t-H &-• CJ •it :» 1 i-i - W it • • fH PS 0000*
(A it w •-^ CO it « •< 33 D -uv it w 1 -» 6-.^ it (^ <««; w
&< a- 61 1 '-'O CO it < H^ » P-i Eh > Eh 1 HH « kJ it pe; t-:^ ka H^ h^h3 »-? Eh
it t=> e^^iq it cc EH CD it 1=3 1 Eh -a^ it 000 h3_» H^ h3 C3
it » -. z: it CJ W 000 it CD P^ > it 3> 1:4 » .< ^ < <
m it it -wv« Pi it it v>« 00 CD
£-• it •it en it it ^ n
it it CD Z it * CD Z
» it it M it it »
^it it it it
p:i H it it ) • it it it it it » n • it it it rt
PL4





«-l CV2 CVJ C\2 C\i tH CV2 CVJ ^i OJ C\i C\7 CV2










» •-* a- »
» m a- » »^->.
Ji- jt <—^^—>v
» PC a- \ V
» Ph tf. II
it a II II \
» •< a- PEJ »
» a- •«k PC! P=i
»• w a- e* « w
» •-• a- z PS PS PS PS
* a- •< « pci W ra
» w a- P3 W W 1=)
» « a- 61 W w
» M a- Z W W 1-^
» m . a w (-5 »-:» -•
* Eh CO a- w •-• 1—t w PS
» H a- P4 W P»4 PM
» ph oi a- M
!} •-• a- •—
>
1-4 H^ W \ PS
» a- w w z a
» £-•««• Z Z P= PS
» « a- PS PS « W w PS
* a- Pi • W W bd C5 w
* pc; a- w W Ud « ««; 'v. w
» W P^ «• 6- w CO -a- \ Pk
» cc a )—
t
>-. Z CO CO a PS
» e- a- •> pq w «qo w Eh &-
» \a- 1-4 (ii W 1^ - • •k z: PS Eh CO
i^ -• a- ««4 '-^ PS 0^ \ PS Eh
it E-« a- t» *H V N V tx; K PS pp
» 2: * w ^p'w.^^.^Q <
» WW -a E-» PCJ ««; < •< s (^ PS EH ••> n
» &-t a- •< • 6-, g_ e-. 6-.V \ PS .^-s EH •- z
» -< CO a- 6-1 pa PL, < ««3 < w W <~- -~-w
JJ CO »-. a- CO " ••• W WQ « « tiM >-• CSJ W h4
» CO to «• ^wO w » £-« 1-4 hA w < '^-^ < a-
» w a W P5 e-" M z CO W pq W »^ f^ e- CO C5 1^ >• \
» z:«< * pa <D >^ ^ t—
•
2: e-> Sr*^ < •< -«j CO CO ^ -co
» c- «• C5 :» m >-i >-l >M -. « « 1—
•
»H CV CO w 2: > Eh
» « iD a- pqpL.OmpqpqWPi*' (X c3 z: -w <
» ooi a W 1-^ w e-t 6-1 PL,— CO CO CO PS CO Eh
a- « a U ««3 P4 CO —^ .^—»*-«. HH H-
<
00 2: 2: 2: pc; • •k << {3 CO
» p:JO a- t» 6-« -c a a a ^ >-« PS C G; O) m Eh ^—' ••>
» « wpq a p:; v>-« cu pq •_^<>-"_^ P- PS PS C\i •< PSQ » o CO a P^ 6-« PL, w .H (>J CO P<Pli II II II PS w Eh PSO a- pci z »-• a- *{ w CJJ C3 ci •<W w £h CO qS
s: * P< < a .. 6h CO CO CO CO CO PS W PS PS PS Eh& > PS
Pk » w w a- pc; CO t-t c«a 2: 2: z: 2:2:0 t-4 E-. t-i &^ e-te^ Eh EhWW
<j a w m x a^ CJ P^ PL4 Ph :3 sj E> Eh wM «• Pk &^e- jt ed w w &a (jq t/vww Pi )^ Pi & Ph
61 a- W D a- Pd PS (Xi (-4 CO t5 C3 6h II >-4 Eh PS
CO a- &H o^K a- M < "^ W < 00 c/'j CO CS -< S Eh
fr« a CO e-»6-« 5t- Wh^ h4 coo 2: 2: 2: • •n CS3 .• h-? COO a- E-« Cst-i * (U (=) « 1-4 EhO a pq :» a- PC? W W * z a- Z a -*5 P4
pq a a- 6-«f-4 'VO w \o W ^N^O
E-<» a- CO
oa- a- £-• Z
»» a- (^ w
•-aa a











.H CVJ CM CVi to « to W cvi to CO CM CM
z: 00- CD <S rH cvi CO '?*< in to C^ CO o> ca












«• j{- ;:• «•«•;:- Jt X- t—t
* * i-»
«• * w
» • X- E3
» i >- * (X, *
» z I (a a *-^
» &3 O 6-. O 5$ .-^ W
» -^ o o i: «• « EH
» •-4 O M «• Eh >H
* Ph to W 51 Jt P^ pq
)i- -«; «• W •>
» -1 w ^ K^ * Ui k4 i"^
» w -«; -a; a- -< \
» i2 »M^ O H- m3 M £h
» « zo o a- ^-4 pci £hO n
)f W« H^J t^ «• V>- 3 >- Eh 6h
»- W t3 C5 * •-4 Eh pqw • •« w
» fe" u^ it « s W »—»» h4
» W co^ * Eh & :»c! P, Eh P^
» tx; 2 »-i D >f » « >-- p:1 2:
» e-* KH au P-, jf. PC! Eh << pq
» 6-t o * Eh CO w •• > »
» V3 » * eu C3 pi PS w
» O CD c/2 « «• w --^ PUM Eh Eh Pm
» •< Pl,^ -< it l-l a) OEh P4 W ^ •*!
» o o ei ^ «• PQ ^.^ Z W CO pq PS
» »-5 3 C= Jt- Eh PC • I—
I
tkd Eh
» woo* w £h W » ^~» CO
» ^*-0 W H-t JJ- E3 PL, E-i P^ C:>, 2;£h
» SJ «SX 6^M. (X| w >- H-l PS
«• PIQ P4 M it- t-4 pq^^ w z
» II < a- » PQ -• I-) •i» w-pq
3t- "— Oh * » £h p:^ << • pq « C3 \ \
» t>* « := » t-H wi-H 2: M Eh WPm ••k P^ «—
^
a-
H- H^&q Ph £-• * tyv PS ^ •</> WM 6HPL4 -
—
<
» H^C*, O < JJ- 9 W Ph CD 3 EH pa ZO cc WEh »
» ^ Ph PC is- Pui Eh P^ P^ Z pliq HH «*_^ Eh ««J PL,
» o o o e-< it «» •z. t-H CO PL, P4
» Hs pq ^ ij. V)- PiQ HH « •«_* -c P< w w i-q
» C5 O O » Eh W Ph pq « p^ •> la P^ z
» O >- 1-4 •< * >H (1^ CO PS =3 l-H to Eh <^
» h4 pci e-i o » ^ Pq -< PC U:: E-tfiH CO D >H a:
» '-"O o t-4 a- >—
»
PS pq Eh PhO PL, pq >-4eH
» 2:0 * M « Eh P< WC3 Ui Eh
» OM pq * PC l-H Ph W W-» Pi PS w W '—
V
CSJ
» C^ 2: Eh* WWl-4 M w t-H EH 2: i-q A-
» M » S t-J pq I-) CO CO W «*; •>—* pq II
» h4 33 2: * P4 p-,m < pq 2: Eh
«• < £-, < a- e-t Eh t-i Eh « Ph <s» CO CO P5
n » •aj PQ « » WWw w w- Wt-H ^.^ Eh 2: 1—I »—
•
o » Ph >-• * PC CUS s ^ =3 2: CO »« w-
z *
s
1-^ h4 « a- a, f^ fit pq p^ wo Eh e<i z CO D
p^ » £-•0 « a- »-4 Eh 2: W < ^^ w ^ p.
< » e^ Ql, a- •• wo
p< » w -«} M a- PL4 w H H EH w
6-t * w pq h4 Ph a- <«» p::; PS PS C) —
CO «- £-• h4 •*; a- ea "< -1 -i PhO
e-» * o w 6h « a- EH t-4 •-:) 1-4 t-« 1^
a » o m z o=! E-ia- CO




6h » p:^ \l-H







»H CVi CV2 CVi CVJ CVi
CO
°P1










































































































































































































































































CO t-4 EhO O <


















































































































































CO CO to to CO CO CO
C«- 00 Oi Gi T-4 CVi CO
CO CO «0 C^ £>- £>- C-
n ^ -^ '^ ^ '^ cococo














z « HH •» 2: \ •—
t
hH e « .^^ Eh H «•
< *J t<4 » M z: <













>-• tn 6- W- X 2:
(x; w to M :3 El •«» paw HH Pk w •-, Z »m to « PC
2: m e-« U *-• ^-^ t-t z << • m.H & C; h40 Pi *—
^
2: M P. *> M EH >H HH CiJ « CO «
u m W z « Z W \
t-:) Eh a 1-4 OJ to • HH P. CD
<< • «k « m w^ z: CO p; Pi h4
^"^ « II » •««t « :=5 PB) < Eh c_> w
.-» « X Eh Pi • «k 2: a CO 1-4
»-4 •• Eh 1-4 Eh W- w H *> ••Ik h4 Eh PS P4
.•hd Z l-H C> 94 z 1-4 p:;--^ pq pa Eh
CO w < P^ Eh 1-4 «J W r-t Eh PC W-
Eh C3 2: f^ CJ 1-4 (=4 pq f»^ • 03, II £hZ Pt,H4 w X e, •< w- Ph m 33 P^
I—
«
W eh ;=> fcH m w \ Pi •-4 » 6h ud
W>-4 Pk \2: (=»:»»• pa o»\« •-4
» »-:»« » ^4 3- C3 -40 6H » w,^ < h4 *>
1-4 •< £H Oi • 1-^ z 1-4 tiq CO z 1-4 w Pi w •< pa
»—
1
6h-(/v O'-^ Eh M W- t-4 t-4 Eh £H 1—
•
:3 pa t-4 CJ 3 1-4
pc, 00 2: Z»-l C3 < =3 « PM z m Pi t-4 pq
e- (i^ 3i :3KH Ph Piq CJ W p; Eh P4 )—
«
•<
X Z P»4 u > W II \ M pa w ««1 • £h EhW Cj 1-4 W w W- •«3 EH X tt HH PC jsd C3 '-- z ^^ w-
fl^ E-.>^ h4 & •« X S i^ t:^ P«4 •< C^ pL, h4 « := 5t-
£-•
-< P^ Sj W S3 h4>— 6-4 HH P*
^ T-< W h4 3: h4 to *tS « •< Ph X C3 pa e» «/> « pa
» CO own 1 •~-' '^ ^ h4 z VI CJ &q h4>— :=> •• t-4
z ii M 6H Zh4 O * » P«« <C3 w t-H HH £-1 P4 Pi SJ t-< -\
« bc3 -•M PL) Pi Pi Q Eh Ph » t-4 P^ <S )(H rro 1-4 PL, Z w W \ < t-4 « w to w II 1 >—
'
M Oh^ ^^^0 to « wpj 1-4 •* W •< X i^ Eh z X J=) pa
z t-4 W h4 w Eh t-4 « l-H '"^ h4 Z Pi &i4 Ui i-H pa Pki CO
W>v WW Ph i-^W- PC Ud •-H * -4 M (*< Si t»< Eh « cc Pb) h4 Pi EC C^ 1-4
aot- C3h4 PQ ^4 W -< ^^ •< 1-4 —'t—i pq CO w-k4 EhwO CO V" pa
o Eh P-. •-. Eh < pq Eh w :* 3« t-4 W U4 •-HO -< pa -4 1-4 Eh
o c/^ pa W Eh6h Z PC OS M h4 It- pq PC < w 1-4 w-pc; w »-H *
n O^ w ^ .« to WW M Eh t-4 pq z 2 PP\ Q Eh pq 1-4 t-i pq h4 pa z < \
PU ^D C30 1-4 Eh biit ee << Eh >< p=; t-H •*; P4 Eh pi :»
"i cx, Z * Pi Ph » < P«4 CJ W E- fe pa Z El EH Z W
« i^O(-^OM"v.oO'v. • «i *; < M v>- Z h4 h4 :» ••» •-• -WW pa Ud h4
6-» S> • •^ h4 « C33 h4
CO > z it Pi Pm » *; z * Pi Pi
»
<













10 T*! ID <*< >st« -* >* coco cv CO CO -si^ CO CO CO CO














pc; Eh C3 \\ w \ PL. JC-
It
pa
E- n; H-» . PS
(ti »-•« !=)
t-t p.^ 6-1 t^
:* ><w oa
El M PM
pqW 2; •</>- CO < t^
CJ -«S (=t &H
-«> « ««5 fcri w ti.
CO Ci W -(A- Zi •<
CO « z: fu PCW fc: H Eh
2: Pui z z: CO
1/VH • «k i-J Pd \ HH £h
£-• <—
»
W W P^ «• w \
pa -^ 2 H^ 6H » »-
H^ ^a PCS t-H z 2: P- ffl
PU >.^ W P«« H-t -< t=^
z: W « «A- ^
:0 X Pk cS z 2:
2:
ac w P4 1-1
pa
PL,
(^ ^ Ph 03 PU •<_' s^ < p:i pa p:^
< » H^ Eh pc; \ « C^ !SJ '-O <D
« v»» •M »-a Eh Eh 01 ^ ^
6h pe: f^ Z 1=) W PU CO 0) Cd
VJ t«»> < »-H « H-l •«^ • «% z UV w ca
El 00 K pa l-H CO P4 (2:; P4 £h iH
»-< be: CD l-H pa HH
A w z pq >ci CO *«.O mo E-i -c) W 11 II (^ m pa m 33 EC
z: £-*=> w Sd «a If) s s pa
(X. 6-t CO Eh e-« Pm Eh •wv « pa s ro cv
< D S CJ M P^ z: Eh z CO S) c^ ;a
« Ji. Ml 2:« CO pt, pa CO » (SJ S C\i <Sl
6H Eh 11 Hi) eho pa • • z: 2: w z
va E> ««s M PS to P4PH C3 Eh «• II II II II




>-3 H^ \ 1—
t
o (=) CO CO )-) pq pa pa .»—
»
6h
o » Z * » «: m Csl N CsJ CO <





&H (=» c/i CO CO p= t—
•
u z • (*] « A4
p£; pa • •« Z C^ «< < tid '<p=J z:
*-3 p> ^ pa pa pa «
pci » z )—
1
CO pu « < pd pa
w w » Eh ««5 < £h
)-^ «< -«5 CO CO z: CD
»-4 z: pa Eh pa cia < ou
(U f« « zM z: z p=j 1
2: < <«j m CD t—
»
C5 2:
Pm Eh << z; i-:i \
z pa CO »-H t-H ce ^
CV2 CO CO WW CVJ M tH »—
•
P» Z « X Ti< PL, PL.
(O < ««< CD
GO pa >. z: cvi s Pm
1 t-aS m CD c^ CD O) (S tH W s





















o Eh « ••
2: •< ••X ^ 1HCOM HH PhCD



















































2:\ ••« 35 I*-" X
«• '-^ «{ pq H






CO t-^ M ••k^^* it «
• C3 « w e-i II ««>>.^ ••> <<
< e-to • •> w ca oi mH >-Ph .—
*
H E-t en ^-1
33 2: M « Z 33 P3 >» 2: •wv
• «« •—
»
CD 3 PP X 6-1
p:i X •-j^
—
• •k « W EhCSM (x: M s « W X 33
DS Oi H 1-4 V^' < s>
« l-H EH 33 » M t-^
(=1 •• •• «*;33 » pe « « II M ffi
•«J « « H^ :* gu w (X4 < •< •«J
» H c << CJ £-* &H (-» »^ IK cj «•« ft;
* « 2: K M C3 » • • CJ o«
a- w CJ « « w w z w
» Z *! w «=JO« w
ii- —
•
H 6-1 P) OEi n
» tr: C3 Z w
» W W pq M pt)
» m (=:^
i» «;
* «^ H\ \ft;
fHCViCViCViCO .HM^iCVltOtOCM
tH c^i to -^ :d c^ a^cnci^ojio^
1^1-5





» << w »
» s »
» «/i WW ji.
» « M M » ••h
» < W «<H-i ». CJ>
» M (3 6- W Ph H- t—
t
» KZ « • » •^ V
» ««: EH « K- m
» E-« e-t ts- w » !=>
» HHCtJ 1-4 W Pm ii- A4
» H CO »-3 P^ »
» •P^ 2OPQ » *—
V
» z:p-4 HH m » «
» •<» « p^ » Eh
» pcipq « 2 >« >- » PL|
» ca •< « « » W
tf> <D» u &^ «» * Ph • •k •k
$K nfid M 2 z;
-a- HH K Q
» pu ^ 01-. (*? «• » Eh p:^
» z: z: « z:
»
PES >H <-^
» et^M >->-» X- EH PC) :%
» *«;i: « 00 -C t^ M. a^ P4 »
» n -«5 » w ^—^ pa p::
» E-l H^ P^ • « S- co S > Eh Eh
» CO < z: M Eh X- S >H pL,
» &^« pa H^ h^ ?{. * s pq W
» 00 2: »-t w * p:: s> Piq y-i
» 0^ (^ t-^ {{• Eh r-4 CO ca
» « •^ i-H pq « O^ »—
'
Eh P5
» -«j X >«4 35 a- w « » • •fc •> » P. ^
» pq< W 6- » P«4 £h n PSM H/VW »>
» S ac t-^ » PM Pu. pci cc pq P4 - »-t z: pa •
» e-«z M -«? 2 3- C3 W 6H 0-^ w Eh PM
» H-t pq z: HI » PQ • <*< :* :» z :^(xi pcj z: PH Eh
» («4 Z S3 H-. ^ •v_^ p::ph HH Eh •< PP >H
» 00 i-i Eh M :J Piq pilO ^ « * PS P»i P< «/vo PP
» » W h5 »• « EHpq « Eh p- Eh p< Pmw z: pa
{f^ E^et w z« -» «. O Z P4 p< pi» p^ Or-t pa to Z'^
» «<< t^ HH < Ps, ». « -• Eh W£h W PS'-'O z: -< pa M
» «<o •-• X K- W W z CO z Pui Eh pc: p^ h4
» P^O Pm H X )( CJ P< CO 1—
•
»-4 l-H fUH-*: •
-pa
» hJ pa BG 1*1 » <o WP:;-uV W tH pa £h Eh
» » t/J X ^-» 32 « Pi « pq pu, » (I4 n »H :r>3: CO P< >- *
jj' •-4 •-• w P4 Pi^pq » fu 6h P4 Cx) Eh pa < p:i >H -pq Q —
» I—
t
H^) EC •-•« W » Ph OS p::; CO p:: CO pcj oz: PP -< EH Z: PS Q
» Pn (^H1 c:> Eh w » • • WW Eh <<£-•< < DC2j w WC5 piS
s » v> «Ph Pi^ &q 6- ». f^ Pm P>4 Pi PE) P4 PQ wps^- *-•
«
coca :»o » X ZD ffi Pl« CO }fr ^ faP«i w w z: EH « pq w.< 3»
2: » » (=i^ Eh CO P^ CO »• HH 3 E> CO CO P4 P4 pa CO£h « ps: fed ,-q EhX » K W -3 « » P«4 PQ pq HH »—
•
z: < ««5 » >_Of«, aq HH
» » w CJ 2: CO CO z < » 1/V r-4 ww WW CO
P3 » » Oi-t M p.q < W * X P4 P4 pa z; z: M Kh; Pm
» -< «o 6h fyj W PC * piQ PS fr: Pd Prf pa w cd opa P^
< » M P^PiQ < CO » tx: < •< < «< z: z: *j>-'ji:H » « W 6h » w 1^ f-) fj «-)
« » 00 < « M t-i Ji- « CJ c^ (j>
Eh» •-*>«; »-:) » 1-4 )« «S w K « w
CJ» OQ W fiil « l-l CO * pq » (=t AH» EhK « *1 (i4 < «. «
•-9» }(





















































































































































E-i pq ^-' •-
>-• PS t-»
« P5 M
>< P«< +H 3: P>4



























































































CO to to to CM
-^ in jN 00 05
CM CM CM CM CM
CO 10 to to CO CM
sj «H CM CO '*< m
to CO CO to to CO
CO to to CO to CO
CD £>- 00 05 <S> ^







CO •- * >^Z -^ » *
e^ >« •*! o^
PS -wv ci> \ EH
o o «•
Z M A4 Cd «
«} « -< O '-^
pa H^ < w « w
e^ « 2: X i>44 :=> » o pm
m o w m z ^v o
o h^ •« «tl «•M t-t o M .* IIM + Mhzz\M-«6-« «
BQ »/v-«so«-Z''M « fl4
-—»XQO»»CO O ,.*i-i
•••PS CD MkwphO^P«« CJ "VO00 • as W Eh O ^n- P«4 W «• « Z
«o '-^ w«owx/\0 ••'osz zozw
OPh 6-< O ZZ M \/ • MM OM» Mas
CO M M XH-t PS 6h pi.^HiCOe-i ••..» ogtOfrE-'MQ »J « PS M £-• /\ .«» C> « E-i p:^ W O O O < tSi
PS^ "^ pq MacZVSC z— OMWpStO WPS MCVMOtH
C)M M*-D Z M :3 CJ MM:»COOeS) 00 PS!S)«aEi<S)/\0«\6-'H0 •-• Mil OW M 6-i-iA-M < O * :* O VM »•>-£-•(::) O C3 M<0 !>-.OMM<ll ww co II II o II
CJM pp>-i'w- M phc5h^»-3< Ci:«<0« 0« u-i M E-iOZ» pqn^J.* m ^i-»MM COWM gHM <-«i5 MMOPSMM
p:ii_iME->-uva:n M»-^Mw« i-ttl^pslilla^PH MM PSPiM PicoQ 0ie-iE3 QcoPrt »• ISJM >-< h^^ *3>« «PS 0>>-iWM>-iMO CJ»-4M*«J O * i-HWXMM ppMIIMMi-iE-' OE-t'OE-tM
2: "O^KMz:* » H^XWCC^ <0S MPhVjW lll|.~<Wr-iMwOX «p:S>^PS«w )f <MCC •-• £-• Ehos-" 0"« o oe» o
la) PS t-4 :=>(=) » i-ia: MS cqiim*ehPmmoco(x,zmmp:;mmm
S23 Oco«c;>tiE-i< » e-" Ok-^:».-.m corHWt-ipsftoi-iMH-«ps<3K-tPSi-i
« »»-<OSM MM »• t-t.«««}t-i O ZMC50
< WD3 OOE-«pS« » Z<aM350Z»MMft;MH-M «-M »MH «E-«3 «• -• PS :» O M \i^ O < PS \ •-• \»-i v^i-t
PS •«] O )(• II
E-tM3f' Z)(-»3fOOpS\ M * v^»-»\«M »-
•-> »









cvi cocococo CM cvijor** cocoeoco cocO"«^Ti<T*4 toco toco
CVi CO^i^un;0 C^ cncStH CMCOri^if) CDD-aOOilS) ^ c^ to ^























































































































-;t* ^ ^ eo to totoro cvi «h
(D D-aoa5'-«cvjtO"«*i cot-oD Oi <a
PC s »s
C\J Si 1-1 '^
CO <SJ ,H r-l
c\i 3 ja s
S) (S S) IS)
3B
II II II II
»-4
pq P£) pq ^-v 6-"
esi tsj csi CO -<
»-l •-• HH >^ ^
CO CO CO (K H-i
•• P^ « PL.
z cvJ ^ ««• W *! « Z
i-t pq pq c_) p«j «
l-l CO pri p:: ^ pci pq
£-• •< <<6H
-< •< CO CO z: CO
2: pq E-4 pq Pq < CO
pc; pc; z h4 z: z pi; 1
<< -«5 P4 C3 •- z:
Pm 6-« •*! z: t^ \
z pq CO H^ t-H p; »-4
»—
t
(=i^ KX Oi (^
-1 -< CO
p^








APPENDIX D. KERNEL LOADER LISTING
/"* Kernel Loader Routine "^
/
'I /* This pseudo-code is included to faFiliarize the "*/
/* reader with the kernel loader routine function and is not "'Z








Z'p REINITIALIZE THE ADDRESS SPACE INDEX (AS I) *Z
' ASi = k;
Z* INDEX THROUGH THE PROCESS ADDRESS SPACE (PAS) TO
RELOAD EACH SEG^^ENT "'Z
,
DO WEILE(PDT(PROC$NUM).PAS(ASI)<>NULL)OR(ASI <> MAX$SEG));
I Z'' RELOAD THE SEGMENT *Z
SEG$LOC = SVAP$IN(PDT(PROC$NUM).PAS(ASI));
Z* RECORD SEGMENT LOCATION IN THE PROCESS PARAMETER
BLOCK ^/
PPB(ASI) = SEG$LOC;
Z* INCREMENT- THE ADDRESS SPACE INDEX '^Z
ASI = ASI > i;
end; Z* do WHILE '^Z
Z* CREATE PROCESS DESCRIPTOR SEGMENT *Z
CALL create$processOppb);
end; /"* REINITIALIZE PROCEDURE '^Z
Z* REINITIALIZE CPU EVENTCOUNT AWAITED 7ALUE *Z
AWAIT$VALUE = i;
/* ENTER DO FOREVER LOOP *Z
DO WHILE 01;
Z* CHECK TO SEE IF THIS IS THE LOAD CPU *Z
IF LOG$CPU$ID = THEN DO;
/^ REINITIALIZE THE LOAD CPU EVENTCOUNT VALUE AWAITED ^/
CPU$AWAIT$VALUE = i;
Z* DETERMINE THE NUMBER OF CPUS AVAILABLE FOR RECOVERY




/^ INDEX THROUGH THE PDT TO REINITIALIZE ALL PROCESSES */
DO PROC^NUM = TO MAX$PEOC;
A DETERMINE PROCESS CPU AFFINITY "^
/
PROC$AFFINITY = PDT(PR0C$NUM ) .PCr-(TOTAL$CPUS ) ;
/* IF THE AFFINTI7 IS FOR THE LOAD CPU THEN DO */
IF PROC^AFFINITT = THEN
Z'" REINITIALIZE THE APPLICATION PROCESS */
CALL RINITIALIZE(PR0C$NUM);
/* IF NOT THE LOAD CPU AFFINITY THEN */
ELSE do;
/* SIGNAL THE TARGET CPU LOADER PROCESS */
CALL AD7ANCE(SYS$EVC$TEL(PR0C$AFFINITY) );
/* ENTER A WAIT STATE UNTIL THE TARGET CPU HAS
COMPLETED THE PROCESS REINITIALIZATION '^/
CALL AWAIT ( SYS $E7C$TEL(0),CPU0$AWAIT$VAIUE);
/* INCREMENT EVENTCOUNT VALUE AWAITED "^
/
CPU0$AWAIT$7ALUE = CPU0HWAIT$VALaE + i;
end; /* ELSE V
end; /* DO */
/* RESTART THE SYSTEM ^/
CALL ADVANCS(SYS$EVC$TBL(START$EVENT) )
;
/* ENTER A WAIT STATE UNTIL RESTARTED '^/
CALL AWAIT(SYS$EyC$TBL(0),CPU0$AWAIT$7AIUE);
end; /'» IF LOG$CPU$ID = */
/'» IF NOT THE LOAD CPU THEN FOLLOW THESE INSTRUCTIONS =*/
ELSE do;
/» ENTER A WAIT STATE UNTIL SIGNALLED BT THE LOAD CPU
TO RELOAD A PROCESS */
CALL AWAIT(SYS$EVC$TBL(LOG$CPU$ID),AWAlT$VALUE);
/* INCREMENT THE EVENTCOUNT VALUE AWAITED */
AWAIT$VALUE = AWAIT$VALUE > i;
/* REINITIALIZE THE APPLICATION PROCESS */
CALL REINITIALIZE(PROC$NUM);
end; /* ELSE */
end; /* DO FOREVER '"/




1. Avizienis, A., "Fault-Tolerance: The Survival Attribute
of Digital Systems", Proceedings of tfte IEEE , Vol. 66,
No. 10, pp. 1109-1125, October 1978.
2. Brenner, R., Multiple Microprocessor Arcnitecture for
Smart Sensor Focal Plane Ima^e Processing
,
M.S. Thesis
Naval Postgraduate school, June 1980.
3. Hopkins, A.L. Jr. etal, "FTMP- A Highly Reliable Fault-
Tolerant Multiprocessor for Aircraft", Proceedings of
the IEEE , Vol. 66, No. 10, pp. 1221-1239, October 1978
4. Intel Corporation, The 8fe^66 Fanily User^s Manual
,
1979.
5. Intel Corporation, PL/M-86 Programming Manual
,
1979.
6. Intel Corporation, MCS-e6 Software Development Utilities
Operating Instructions for ISIS-II Users
,
1979.
7. Intel Corporation, ISIS-II PL/M-e6 Comniler 0-perator^s
Manual, 1979.
8, Intel Corporation, MCS-g6 Macro Assembler Operating
Instructions for ISIS-II Users, 1979.
9. Intel Corporation, iS£C 975A-iS£C 86/12A Interface and
Execution Paclrage Manual, 1979.
10. Intel Corporation, iCS 80 Industrial Chassis Hardware
Reference Manual , 1979.
11. Intel Corporation, iSBC 86/12A Single £oard Computer
Hardware Reference Manual, 1979.
12. Katsuici, D. etal, Pluribus-An Operational Fault-Tolerant
152

Multiprocessor", Proceedings of tne IEEE . Vol. 66, No.
10, pp. 1146-115Sr, October 1978.
13. Luniewski, A., A Sim-pie and Flexible System Initialization
Mechanism
,
M.S. Thesis, M.I.T.» May 1977.
14. Moore, E.E. and Gary, A.V., The Design and Implementation
of the Memory Manager for a Secure Archival Storage
^ystem
,
M.S. Thesis, Naval Postgraduate School, June 198e
15. O'Connell, J., and Richardson, D., Secure Design for a
Multi-Processor Operating System , M.S. Thesis, Naval
Postgraduate School, June 1980.
16. Organii, S., Multics; An Examination of It^s Structure ,
M.I.T. Press, 1972.
17. Rapantzilcos , D., Implementation of a Distributed Multiple
Microcomputer Operating System
,
M.S. thesis in prepara-
tion Naval Postgraduate School, (expected completion,
April 1981).
18. Reed, D.P., P rocessor Multiplexing in a Layered Operating
System
,
M.S'. Thesis. M.I.T. , 1976.
19. Rennels, D.A., "Distributed Fault-Tolerant Computer
Systems", Computer, pp. 55-65, March 1980.
20. Ross, J.I., Design of a System Initialization Mechanism
for a Multiple Microcomputer , M.S. Thesis, Naval
Postgraduate School, June 1980.
21. Schell, R.H., Dynamic Reconfiguration in a Modular
Computer System , Ph.D. Tnesis, M.I.T., May 1971.
22. Schell, R.R., Kodres, U.R., Amir, H., Wasson, J. and Tao,
T.F., Processing of Infrared Images by Multiple Micro-
computer System, Proceedings of the SPIE, Vol. 241, 1980
153





Postgraduate School, June 1980.
24. Wensley, J.H., etal, "Sift: Design and Analysis of a Fault
Tolerant ComDUter for Aircraft Control", Proceedings of
tne IEEE , Vol. 66, No. 10, pp. 1240-1255, October 1978.
25. Verhofstad, J.S.M., "Recovery Techniques for Database






1. Defense Tecanlcal Information Center 2
Cameron Station
Alexandria, Virgrinia 22314
2. Library, Code 0142 2
Naval Postgraduate ScJiool
Monterey, California 93940
3. Department Chairman, Code 52 1
Department of Computer Science
Naval Postgraduate Scnool
Monterey, California 93940
4. Col. R. R. Schell, Code 52SJ 4
Department of Computer Science
Naval Postgraduate School
Monterey, California 93940
5. Asst. Professor U. R. Kodres, Code 52Kr 1
Department of Computer Science
Naval Postgraduate Scnool
Monterey, California 93940
6. Professor T. F. Tao , Code 62Tv 3
Department of Electrical Engineering
Naval Postgraduate School
Monterey, California 93940





8. Intel Corporation 1
Attn: Mr. Robert Childs
Mail Code: SC4-490
3065 Bowers Avenue
Santa Clara, California 95051
9. Lt Richard L. Anderson, USN 3
Commander Naval Military Personnel Command
(NMPC-ien)






Anderson 1 9 7 O i
Automatic recovery




' ^'-'^^-^ 27 7 19













Automatic recovery in a real-time, distr
3 2768 001 91504 4
DUDLEY KNOX LIBRARY
