In order to gather, store temporarily and efficiently deliver (if needed) safestore information in a fault tolerant central processing unit having data manipulation circuitry including a plurality of software visible registers, a shadow set of the software visible registers are used in conjunction with shadowing and packing circuitry for copying the contents of the software visible registers, after a data manipulation operation, into the shadow set after the validity of such contents have been verified. In the event of a detected fault in a data manipulation operation, the contents of the shadow set, which will be the last valid set immediately before the error was detected, are transferred back to the software visible registers to institute recovery at the point in the data manipulation immediately prior to that at which the error was detected. Preferably, packing circuitry is included to pack half-word (or shorter) register information into full words in the shadow set to minimize the number of shadow registers and support circuitry required. In the preferred embodiment, during the recovery process, the safestore information in the shadow set is routed through a cache memory which is normally in direct contact with the working register set such that minimum special circuitry is necessary to restore the contents of the working registers.

A multiprocessor computer system includes first processors, second processors, a system management means for performing system management functions, including detecting pending power shut-downs and sending power shut-down messages addressed to each of the first processors warning of pending power shut-downs, and a system bus for communication between the first and second processors and the system management means, including the communication of pending power shut-down messages. The first processors include interrupt handling means responsive to pending power shut-down messages for executing power shut-down routines for placing the first processors into a known state before power termination, but the second processors inherently do not include a power shut-down capability. In each of the second processors, a power shut-down means is provided to place the second processors in a known state before a power termination, including a bus monitor connected from the system bus and responsive to any power shut-down message addressed to a first processor for generating an output indicating the occurrence of a power shut-down message to a first processor. The second processor also includes non-maskable interrupt logic connected from the power shut-down message output of the bus monitor and responsive to the power shut-down message output of the bus monitor for generating a non-maskable interrupt output to the second processor. The second processor is in turn responsive to a non-maskable interrupt output of the non-maskable logic for querying the non-maskable logic to determine the nature of the interrupt, and responsive to the indicated occurrence of a power shut-down message to any first processor for executing a power shut-down routine for placing the second processor in a known state before the termination of power.

In order to gather, store temporarily and efficiently deliver (if needed) safestore information in a fault tolerant central processing unit having data manipulation circuitry including a plurality of software visible registers, a shadow set of the software visible registers are used in conjunction with shadowing and packing circuitry for copying the contents of the software visible registers, after a data manipulation operation, into the shadow set after the validity of such contents have been verified. In the event of a detected fault in a data manipulation operation, the contents of the shadow set, which will be the last valid set immediately before the error was detected, are transferred back to the software visible registers to institute recovery at the point in the data manipulation immediately prior to that at which the error was detected. Preferably, packing circuitry is included to pack half-word (or shorter) register information into full words in the shadow set to minimize the number of shadow registers and support circuitry required. In the preferred embodiment, during the recovery process, the safestore information in the shadow set is routed through a cache memory which is normally in direct contact with the working register set such that minimum special circuitry is necessary to restore the contents of the working registers. The speed of recovery is enhanced by the use of double word transfers between the shadow set and the software visible working registers via the cache memory.

A down line-loading start control system for controlling the start of down line-loading by scanning down line-loading devices. The device ID numbers assigned to peripheral control units expected to serve as down line-loading devices are registered in a ROM (Random Access Memory) beforehand, while a down line-loading device scan table is generated by referencing a resource table. Alternatively, the device ID numbers of the peripheral control units or expected down line-loading devices may be rewritably registered in an auxiliary storage. Password checking means inhibits registered device ID number rewriting means from operating until one enters a correct password.

In order to gather, store temporarily and efficiently deliver safestore information in a CPU having data manipulation circuitry including a register bank, first and second serially oriented safestore buffers are employed. At suitable times during the processing of information, a copy of the instantaneous contents of the register bank is transferred into the first safestore buffer. After a brief delay, a copy of the first safestore buffer is transferred into the second safestore buffer. If a call for a domain change (which might include a process change or a fault) is sensed, a safestore frame is sent to cache, and the first safestore buffer is loaded from he second safestore buffer rather than from the register bank. Later, during a climb operation, if a restart of the interrupted process is undertaken and the restoration of the register bank is directed to be taken from the first safestore buffer, this source, rather than the safestore frame stored in cache, is employed to obtain a corresponding increase in the rate of restart. In one embodiment, the transfer of information between the register bank and the safestore buffers is carried out on a bit-by-bit basis to achieve additional flexibility of operation and also to conserve integrated circuit space.