WO2008127947A2

WO2008127947A2 - Systems and methods of incremental computing and quota accounting

Info

Publication number: WO2008127947A2
Application number: PCT/US2008/059798
Authority: WO
Inventors: Tyler Arthur Akidau; Nate E. Dire; Neal T. Fachan; Peter J. Godman; Justin M. Husted; Zachary M. Loafman; Aaron J. Passey
Original assignee: Isilon Systems, Inc.
Priority date: 2007-04-13
Filing date: 2008-04-09
Publication date: 2008-10-23
Also published as: WO2008127947A3

Abstract

Embodiments of the invention relate generally to incremental computing. Specifically, embodiments of the invention include systems and methods for the concurrent processing of multiple, incremental changes to a data value while at the same time monitoring and/or enforcing threshold values for that data value. Embodiments of the invention also include systems and methods of managing utilization of a resource of a computer system having a number of threads.

Description

SYSTEMS AND METHODS OF INCREMENTAL COMPUTING AND QUOTA

ACCOUNTING

LIMITED COPYRIGHT AUTHORIZATION

[0001] A portion of the disclosure of this patent document includes material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyrights whatsoever.

CROSS-REFERENCE TO RELATED APPLICATIONS

[0002] This application claims priority to the following applications: U.S. Patent Application No. 11/787,225, filed April 13, 2007, entitled "SYSTEMS AND METHODS OF PROVIDING POSSIBLE VALUE RANGES," U.S. Patent Application No. 11/787,117, filed April 13, 2007, entitled "SYSTEMS AND METHODS OF QUOTA ACCOUNTING," and U.S. Patent Application No. 11/787,224, filed April 13, 2007, entitled "SYSTEMS AND METHODS OF MANAGING RESOURCE UTILIZATION ON A THREADED COMPUTER SYSTEM," all of which are hereby incorporated by reference in their entirety herein.

FIELD

[0003] In general, embodiments of the invention relate to incremental computing.

BACKGROUND

[0004] The increase in processing power of computer systems has ushered in a new era in which information is accessed on a constant basis. Multiple transactions in a computing environment often access the same data with incremental changes. In some systems, it may be advantageous to process incremental change requests, or delta transactions, concurrently. In some systems, it may also be advantageous to establish thresholds for the value of the data being changed incrementally. Additionally, it may be advantageous to manage utilization of resources in the computing environment while managing requests for changing data. SUMMARY

[0005] In general, embodiments of the invention relate to incremental computing. More specifically, systems and methods embodying the invention provide support for concurrent processing of delta transactions while monitoring and/or enforcing thresholds for the data values being changed incrementally.

[0006] In one embodiment, a method of determining whether multiple incremental changes to a data field could pass a threshold is provided. The method may include receiving at least one threshold related to a data field; receiving a request to incrementally modify a data value of the data field; and determining whether the request, in combination with a subset of other pending requests to incrementally modify the data value, could pass the at least one threshold.

[0007] In an embodiment of this method, the at least one threshold is a threshold for a maximum or minimum data value of the data field. In another embodiment of the method, the determining comprises computing a possible data value for the data field based on the request and a bound of possible values of the data field and comparing the possible data value with the at least one threshold. The bound may be derived from the other pending requests.

[0008] In another embodiment of the method, the request is a request either to increment or to decrement the data value, and the other pending requests are requests, respectively, either to increment or to decrement the data value. In another embodiment of the method, the data field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system. In another embodiment of the method, the request and the other pending requests are associated with uncommitted, concurrent transactions to write to a storage location associated with the data field. In another embodiment of the method, the at least one threshold is specific to at least one of the following: an operation type associated with the request, the data field, and a subset of a combination of the request and the other pending requests.

[0009] In another embodiment of the method, if it is determined that the request could pass the at least one threshold, the method further comprises permitting or denying the request. In an embodiment of this method, if permitting the request causes the at least one threshold to be passed, the method further comprises performing at least one of the following: sending an advisory notice that the at least one threshold has been passed and permitting data values of the data field to be past the at least one threshold until a condition is met. In an embodiment, the condition is associated with an amount of time.

[0010] In another embodiment, a computer-readable medium having instructions stored thereon for determining, when the instructions are executed, whether multiple incremental changes to a data field could pass a threshold is provided. The instructions may include receiving at least one threshold related to a data field; receiving a request to incrementally modify a data value stored in the data field; and determining whether the request could cause an incremented data value to pass the at least one threshold in combination with any subset of other pending incremental requests.

[0011] In an embodiment of the computer-readable medium, the data field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system. In another embodiment of the computer- readable medium, the determining comprises computing the incremented data value of the data field based on the request and a bound of possible values of the data field and comparing the incremented data value with the at least one threshold. The bound may be derived from the other pending incremental requests.

[0012] In another embodiment, a system that determines whether a subset of pending transactions could pass a threshold is provided. The system may include a module configured to receive at least one threshold related to a data field; to receive an incremental transaction on the data field; and to determine whether the incremental transaction could cause the data field to pass the at least one threshold in combination with any subset of other pending incremental transactions.

[0013] In an embodiment of the system, if the incremental transaction could cause the data field to pass the at least one threshold, the module may be further configured to disallow the incremental transaction until the other pending incremental transactions have resolved, and then to permit the incremental transaction as a serial operation while postponing additional incremental transactions. In an embodiment of this system, when the incremental transaction is permitted as a serial operation, the module may be further configured to perform at least one of the following: send an advisory notice that the at least one threshold has been passed and permit the data field to be past the at least one threshold until a condition is met. In an embodiment of this system, the condition is associated with an amount of time.

[0014] In another embodiment, the system comprises at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system. In an embodiment, the system further comprises a persistent memory and a journal module. The journal module may be configured to store in the persistent memory the incremental transaction after determining that the incremental transaction could not cause the data field to pass the at least one threshold in combination with any subset of other pending incremental transactions. In another embodiment of the system, configured to determine comprises being configured to compute an incremented data value of the data field based on the incremental transaction and a bound of possible values of the data field and to compare the incremented data value with the at least one threshold. The bound may be derived from the other pending incremental transactions.

[0015] In another embodiment, a method of tracking a boundary for a field stored in a computer system is provided. The method may include receiving a delta request associated with a field stored in a computer system; and computing an updated boundary value of possible values for the field, wherein the possible values are based on the delta request and a previous boundary value, the previous boundary value derived from a subset of other pending delta requests for the field.

[0016] In an embodiment of the method, the delta request comprises an incremental value and an operation type that indicates either increment or decrement, and the operation type indicates whether the delta request increments or decrements the possible values for the field. In another embodiment of the method, the updated boundary value is an updated upper boundary value and the previous boundary value is a previous upper boundary value. In another embodiment of the method, if the data request is a request to increment the field by an incremental value, computing the updated boundary value comprises incrementing the previous upper boundary value by the incremental value. In another embodiment of the method, if the delta request commits and if the delta request is a request to decrement the field by an incremental value, the method further comprises computing a readjusted upper boundary value by decrementing the updated upper boundary value by the incremental value. In another embodiment of this method, if the delta request aborts and if the delta request is a request to increment the field by an incremental value, the method further comprises computing a readjusted upper boundary value by decrementing the updated upper boundary value by the incremental value.

[0017] In an embodiment of the method, the updated boundary value may be an updated lower boundary value and the previous boundary value may be a previous lower boundary value. In an embodiment of the method, if the data request is a request to decrement the field by an incremental value, computing the updated boundary value comprises decrementing the previous lower boundary value by the incremental value. In an embodiment of this method, if the delta request commits and if the delta request is a request to increment the field by an incremental value, the method further comprises computing a readjusted lower boundary value by incrementing the updated lower boundary value by the incremental value. In an embodiment of the method, if the delta request aborts and if the delta request is a request to decrement the field by an incremental value, the method further comprises computing a readjusted lower boundary value by incrementing the updated lower boundary value by the incremental value. In an embodiment of the method, the field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

[0018] In another embodiment, a system for tracking a boundary of a field stored in a computer system is provided. The system may include a boundary module configured to receive a delta transaction associated with a field stored in a computer system; and to compute an updated boundary value based on possible values for the field, wherein the possible values are based on the delta transaction and a previous boundary value, the previous boundary value derived from a subset of other pending delta transactions for the field.

[0019] In an embodiment, the system may comprise at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system. In another embodiment of the system, the delta transaction comprises an incremental value and an operation type that indicates either increment or decrement, and the operation type may indicate whether the delta request increments or decrements the possible values for the field. In another embodiment, the system further comprises a persistent memory and a journal module. The journal module may be configured to store in the persistent memory the delta transaction until the delta transaction either commits or aborts. The boundary module may be further configured to compute a readjusted boundary value based on the updated boundary value, the incremental value, and whether the delta transaction either committed or aborted.

[0020] In another embodiment, a computer-readable medium having data structures stored thereon for tracking a boundary of a data field is provided. The data structures may include a data value field, wherein the data value field comprises a stored data value capable of being modified incrementally; a plurality of delta value fields, wherein the delta value fields comprise, respectively, ones of a plurality of pending incremental values to be combined with the stored data value; and at least one boundary field, wherein the at least one boundary field comprises a boundary value of possible data values resulting from a combination of the stored data value with a subset of the plurality of pending incremental values.

[0021] In an embodiment of the computer-readable medium, the data structures may further comprise at least one threshold field related to the data value field, and the at least one threshold field may comprises a threshold value associated with a set of instructions to be executed if the boundary value passes the threshold value. In another embodiment of the computer-readable medium, the data value field may be associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

[0022] In another embodiment, a method of implementing domain quotas within a data storage system is provided. The method may include receiving at least one quota related to a size of a data domain, wherein the data domain associates a subset of data storage within a data storage system, wherein the size measures the subset, and wherein the at least one quota defines a threshold size for the data domain; receiving a data transaction that could change the size of the data domain; and determining whether the data transaction could cause the size of the data domain to pass the at least one quota in combination with a subset of other pending data transactions that could also change the size of the data domain. [0023] In an embodiment of the method, if it is determined that the data storage transaction could cause the size of the data domain to pass the at least one quota, the method further comprises permitting the data transaction and sending a notification that the at least one quota has been passed. In an embodiment of the method, if it is determined that the data storage transaction could cause the size of the data domain to pass the at least one quota, the method further comprises permitting the data transaction and monitoring a condition associated with the size of the data domain being past the at least one quota. In an embodiment of this method, the condition may be an amount of time that the size of the data domain is past the at least one quota.

[0024] In another embodiment of the method, if it is determined that the data storage transaction could cause the size of the data domain to pass the at least one quota, the method further comprises denying the data transaction. In another embodiment of the method, the determining comprises computing a maximum possible size or a minimum possible size of the data domain. The maximum possible size and the minimum possible size may be based on cumulative changes to the data domain that could be caused, respectively, by the data transaction and the other pending data transactions. The method may further comprise comparing the maximum possible size or the minimum possible size to the at least one quota.

[0025] In another embodiment of the method, the data storage system may be associated with at least one of the following: a distributed storage system, a file system, and a distributed file system. In another embodiment of the method, the data transaction and the other pending data transactions may be uncommitted, concurrent transactions. In another embodiment of the method, the at least one quota may be specific to at least one of the following: whether the data transaction either increments or decrements the size of the data domain, the data domain, a subset of a combination of the data transaction and the other pending data transactions. In another embodiment, if permitting the data storage transaction causes the data quota to pass the threshold, the method further comprises performing at least one of the following: sending an advisory notice that the threshold has been passed and keeping a reference associated with a time at which the threshold is passed. [0026] In another embodiment, a computer-readable medium having instructions stored thereon for implementing, when the instructions are executed, domain quotas within a data storage system is provided. The instructions may include receiving at least one quota related to a size of a data domain, wherein the data domain associates a subset of data storage within a data storage system, wherein the size measures the subset, and wherein the at least one quota defines a threshold size for the data domain; receiving a data transaction that could change the size of the data domain; and determining whether the data transaction could cause the size of the data domain to pass the at least one quota in combination with a subset of other pending data transactions that could also change the size of the data domain.

[0027] In another embodiment, a system for implementing domain quotas within a data storage system is provided. The system may include a quota module configured to receive at least one quota related to a size of a data domain, wherein the data domain associates a subset of data storage within a data storage system, wherein the size measures the subset, and wherein the at least one quota defines a threshold size for the data domain; to receive a data transaction that could change the size of the data domain; and to determine whether the data transaction could cause the size of the data domain to pass the at least one quota in combination with a subset of other pending data transactions that could also change the size of the data domain.

[0028] In another embodiment of the system, if the data transaction could cause the size of the data domain to pass the at least one quota, the module is further configured to disallow the data transaction until the other pending data transactions have resolved, and then to permit the data transaction and to send an advisory notice that the size of the data domain has passed the at least one quota. In another embodiment of the system, if the data transaction could cause the size of the data domain to pass the at least one quota, the module is further configured to disallow the data transaction until the other pending data transactions have resolved, and then to permit the data transaction and to monitor a condition associated with the size of the data domain being past the at least one quota. In an embodiment of this system, the condition is an amount of time.

[0029] In another embodiment of the system, if the data transaction could cause the size of the data domain to pass the at least one quota, the module is further configured to disallow the data transaction until the other pending data transactions have resolved, and then, while postponing subsequent data transactions, to permit the data transaction and to compute, respectively, a maximum possible size or a minimum possible size of the data domain based on the permitted data transaction. The maximum possible size or the minimum possible size may be used to determine whether subsequent data transactions could cause the size of the data domain to pass the at least one quota or a different quota. In another embodiment of the system, if the data transaction could cause the size of the data domain to pass the at least one quota, the module is further configured to permit the data transaction and to determine whether subsequent data transactions could cause the size of the data domain to pass a different quota from the at least one quota.

[0030] In another embodiment, the system may comprise at least one of the following: a distributed storage system, a file system, and a distributed file system. In another embodiment, the system further comprises a persistent storage and a journal module. The journal module may be configured to store in the persistent memory the data transaction after determining whether the data transaction could cause the size of the data domain to pass the at least one quota. In another embodiment, the system further comprises a persistent storage and a journal module. If the data transaction could change the size of the data domain by an incremental value, the journal module may be configured to store in the persistent memory the data transaction until the data transaction either commits or aborts. The quota module may be further configured to compute a maximum possible size or a minimum possible size of the data domain based on the incremental value of the data transaction that committed or aborted.

[0031] In another embodiment, a computer- readable medium having data structures stored thereon for implementing domain quotas within a data storage system is provided. The data structures may include a domain size field, the domain size field comprising a value that reflects a size of a data domain comprising committed transactions; a bounded size field, the bounded size field comprising a value that reflects a maximum possible size or a minimum possible size of the data domain based on a plurality of pending data transactions that have not committed or aborted; an incremental value field, the incremental value field comprising a value that reflects a change in the size of the data domain caused by a data transaction; an operation type field, the operation type field comprising a value that indicates whether the change in the size of the data domain caused by the data transaction is either an increment or a decrement; and a quota field, the quota field comprising a value that indicates a size threshold for either a minimum or maximum size for the size of the data domain to be within a quota defined for the data domain.

[0032] In another embodiment, a method of managing utilization of a resource of a computer system having a number of threads is provided. The method may include receiving a usage threshold for a resource on the computer system and determining a usage for the resource on the system. The method may further include organizing the system into a number of subsystems, wherein the number of subsystems is two or more, and wherein the number is determined at least in part on factors including the number of threads, the usage threshold, and the usage. The method may further include allocating the subsystems among the threads, tracking resource usage for each subsystem, and distributing a request to modify resource usage to at least one subsystem.

[0033] In an embodiment of the method, the computer system may comprise a distributed system comprising one or more nodes. In an embodiment, at least one node of the distributed system is allocated one or more subsystems. In another embodiment of the method, the distributed system comprises at least one of a distributed storage system and a distributed file system. In another embodiment of the method, the resource comprises physical space on a storage device. In another embodiment of the method, the resource comprises quantity of files stored on a storage device. In an embodiment of this method, the quantity of files comprises a count associated with the number of files. In another embodiment of this method, the quantity of files comprises physical space associated with the files. In an embodiment of the method, the resource comprises logical space on a storage device. In an embodiment of this method, the logical space comprises physical space less space relating to metadata associated with a protection level for the resource.

[0034] In another embodiment of the method, organizing the system into a number of subsystems comprises determining a subsystem usage threshold for each subsystem and tracking resource usage for each subsystem comprises determining a subsystem usage for the resource. In an embodiment, the sum of the subsystem usage thresholds equals the usage threshold. In another embodiment, the sum of the subsystem usages equals the usage. In another embodiment of the method, the request to modify resource usage comprises a delta request for the resource. In an embodiment, tracking resource usage comprises determining whether the delta request could cause the subsystem usage to pass the subsystem usage threshold in combination with any subset of delta requests pending on the subsystem.

[0035] In another embodiment of the method, allocating the subsystems among the threads comprises allocating at most one subsystem to any thread. In another embodiment of the method, the factors for determining the number of subsystems further include a protection level for the resource. In an embodiment, allocating the subsystems among the threads comprises mirroring the subsystems based at least in part on the protection level.

[0036] In another embodiment, the method further comprises reorganizing the system into one or more subsystems based on occurrence of an event. In an embodiment, the event comprises a subsystem usage level passing a subsystem usage threshold. In another embodiment, the event comprises adding a new thread to the system. In another embodiment, the event comprises updating a usage threshold for the system or a subsystem. In another embodiment, the event comprises a possible value range boundary associated with subsystem usage passing a subsystem usage threshold.

[0037] In another embodiment of the method, the reorganizing comprises determining a number of the subsystems for reorganization, and the number is one or more. In one embodiment, the number of subsystems is one. In another embodiment, the number is based at least in part on factors including the number of threads, the usage threshold, and the usage. In an embodiment, the factors further include a protection level for the resource.

[0038] In another embodiment, a computer-readable medium having instructions stored thereon for managing, when the instructions are executed, utilization of a resource of a computer system having a number of threads is provided. The instructions may include receiving a usage threshold for a resource on the computer system and determining a usage for the resource on the system. The instructions may further include organizing the system into a number of subsystems, wherein the number of subsystems is two or more, and wherein the number is determined at least in part on factors including the number of threads, the usage threshold, and the usage. The instructions may further include allocating the subsystems among the threads, tracking resource usage for each subsystem, and distributing a request to modify resource usage to at least one subsystem.

[0039] In another embodiment, a system for managing utilization of a resource of a computer system having a number of threads is provided. The system may include a module configured to receive a usage threshold and to determine usage for a resource on the computer system. The module may be further configured to organize the computer system into a number of subsystems, wherein the number is two or more and depends at least in part on factors including the number of threads, the usage threshold, and the usage. The module may be further configured to allocate the subsystems among the threads for tracking resource usage for each subsystem, and to distribute a request to modify resource usage to at least one subsystem.

[0040] In an embodiment of the system, the computer system comprises a distributed system comprising one or more nodes. In an embodiment, at least one node of the distributed system is allocated one or more subsystems. In an embodiment, the distributed system comprises at least one of a distributed storage system and a distributed file system. In an embodiment, the resource comprises physical space on a storage device. In an embodiment, the resource comprises quantity of files stored on a storage device. In an embodiment, the quantity of files comprises a count associated with the number of files. In an embodiment, the quantity of files comprises physical space associated with the files. In another embodiment, the resource comprises logical space on a storage device. In an embodiment, the logical space comprises physical space less space relating to metadata associated with a protection level for the resource.

[0041] In another embodiment of the system, the module is further configured to determine a subsystem usage threshold for each subsystem and to determine a subsystem usage level for the resource usage tracked by each subsystem. In an embodiment of this system, the sum of all the subsystem usage thresholds equals the usage threshold. In another embodiment, the sum of all the subsystem usage levels equals the usage. In another embodiment of the system, the request to modify resource usage comprises a delta request for the resource. In another embodiment of the system, the module is further configured to determine whether the delta request could cause the subsystem usage to pass the subsystem usage threshold in combination with any subset of delta requests pending on the subsystem.

[0042] In another embodiment of the system, the module is configured to allocate at most one subsystem to any thread. In another embodiment, the factors for determining the number of subsystems further include a protection level for the resource. In another embodiment, the module is further configured to mirror the subsystems based at least in part on the protection level. In another embodiment of the system, the module is further configured to reorganize the system into one or more subsystems based on occurrence of an event. In an embodiment, the event comprises a subsystem usage level passing a subsystem usage threshold. In an embodiment, the event comprises adding a new thread to the computer system. In an embodiment, the event comprises updating a usage threshold for the computer system or a subsystem. In an embodiment, the event comprises a possible value range boundary associated with the subsystem usage level passing a subsystem usage threshold.

[0043] In another embodiment of the system, the reorganizing comprises determining a number of the subsystems for reorganization, wherein the number is one or more. In an embodiment, the number of subsystems is one. In another embodiment, the number is based at least in part on factors including the number of threads, the usage threshold, and the usage. In an embodiment, the factors further include a protection level for the resource.

[0044] For purposes of this summary, certain aspects, advantages, and novel features of the invention are described herein. It is to be understood that not necessarily all such advantages may be achieved in accordance with any particular embodiment of the invention. Thus, for example, those skilled in the art will recognize that the invention may be embodied or carried out in a manner that achieves one advantage or group of advantages as taught herein without necessarily achieving other advantages as may be taught or suggested herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0045] Figures IA and IB illustrate a problem that may arise with concurrent incremental changes and one embodiment of a possible solution using possible value ranges. [0046] Figures 2A and 2B illustrate embodiments of a computer system configured to implement possible value ranges for incremental computing.

[0047] Figure 3 illustrates embodiments of writing delta transactions to a journal and determining the possible value range of the delta transactions.

[0048] Figure 4A and 4B illustrate flow charts of embodiments of writing a delta transaction to a journal after determining whether the delta can be applied without passing a threshold.

[0049] Figure 5 illustrates one embodiment of processing delta transactions with a shared and an exclusive lock, respectively.

[0050] Figure 6 illustrates one embodiment of a state diagram of thresholds for a data value being changed incrementally.

[0051] Figure 7 illustrates one embodiment of three domains within a file system.

[0052] Figure 8 illustrates various threshold values defined for three different domains.

[0053] Figure 9 illustrates one embodiment of a timing diagram of a distributed computing system that implements incremental computing.

[0054] Figures 1OA, 1OB, 1OC, 10D, 1OE, 1OF, and 1 OG illustrate embodiments of determining whether a delta transaction can be applied without passing a threshold.

[0055] Figure 11 illustrates embodiments of resource usage management systems on a distributed computing system.

[0056] Figure 12 illustrates an embodiment of an example accounting system C₀ for the domain do that has been organized into three example accounting subsystems Coo, Coi, and Co₂ each of which tracks usage in a portion of the domain.

[0057] Figure 13 illustrates an embodiment of an abstract data structure that can be used to implement a quota domain account for tracking resource usage for a quota domain.

[0058] Figure 14 illustrates an embodiment of an example allocation of quota account constituents and mirrored quota accounting blocks in a quota domain system.

[0059] Figure 15 is a flow chart that illustrates an embodiment of a constituent reorganization method for a quota accounting domain. [0060] Figure 16 is a flow chart that illustrates an embodiment of a method by which a quota constituent module can organize a quota domain into constituents.

[0061] Figure 17 is a flow chart that illustrates an embodiment of a method by which the quota constituent module can allocate the constituents to nodes of a file system.

[0062] Figure 18 is a graph schematically illustrating one example embodiment of how the number of constituents may depend on proximity of resource usage to a limit, such as, for example, an advisory, a soft, or a hard limit.

[0063] Figure 19A is one embodiment of a graph that illustrates the number of constituents in a singleton mode of reorganization as a function of span at the time of the reorganization.

[0064] Figure 19B is one embodiment of a graph that illustrates the number of constituents that may be selected during a linear mode of reorganization as a function of span at the time of reorganization.

[0065] Figure 19C is one embodiment of a graph that illustrates the number of constituents that may be selected during a 1 -or-N mode of reorganization as a function of span at the time of reorganization.

[0066] Figure 2OA is one example of a chart that illustrates properties related to the constituents of the quota accounting system at six snapshots in a time period during which several linear mode reorganizations occur.

[0067] Figure 2OB is one example of a graph that shows the number of constituents as a function of usage for the example system illustrated in Figure 2OA.

[0068] These and other features will now be described with reference to the drawings summarized above. The drawings and the associated descriptions are provided to illustrate embodiments of the invention and not to limit the scope of the invention. Throughout the drawings, reference numbers may be reused to indicate correspondence between referenced elements. In addition, the first digit of each reference number generally indicates the figure in which the element first appears. DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS [0069] Systems and methods which represent one embodiment of an example application of the invention will now be described with reference to the drawings. Variations to the systems and methods which represent other embodiments will also be described.

[0070] For purposes of illustration, some embodiments will be described in the context of a distributed file system. The present invention is not limited by the type of environment in which the systems and methods are used, however, and systems and methods may be used in other environments, such as, for example, other file systems, other distributed systems, the Internet, the World Wide Web, a private network for a hospital, a broadcast network for a government agency, and an internal network for a corporate enterprise, an Intranet, a local area network, a wide area network, a wired network, a wireless network, and so forth. Some of the figures and descriptions, however, relate to an embodiment of the invention wherein the environment is that of a distributed file system. It is also recognized that in other embodiments, the systems and methods may be implemented as a single module and/or implemented in conjunction with a variety of other modules and the like. Moreover, the specific implementations described herein are set forth in order to illustrate, and not to limit, the invention. The scope of the invention is defined by the appended claims.

[0071] One example of a distributed file system, in which embodiments of systems and methods described herein may be implemented, is described in U.S. Patent Application No. 10/007,003 entitled "SYSTEMS AND METHODS FOR PROVIDING A DISTRIBUTED FILE SYSTEM UTILIZING METADATA TO TRACK INFORMATION ABOUT DATA STORED THROUGHOUT THE SYSTEM," filed November 9, 2001, which claims priority to Application No. 60/309,803 filed August 3, 2001, U.S. Patent No. 7,146,524 entitled "SYSTEMS AND METHODS FOR PROVIDING A DISTRIBUTED FILE SYSTEM INCORPORATING A VIRTUAL HOT SPARE," filed October 25, 2002, and U.S. Patent Application No. 10/714,326 entitled "SYSTEMS AND METHODS FOR RESTRIPING FILES IN A DISTRIBUTED FILE SYSTEM," filed November 14, 2003, which claims priority to Application No. 60/426,464, filed November 14, 2002, all of which are hereby incorporated by reference herein in their entirety. I. Overview

[0072] In general, embodiments of the invention relate to incremental computing. More specifically, embodiments of the invention allow for the concurrent processing of multiple, incremental changes to a data value while at the same time monitoring and/or enforcing threshold values for that data value. Figure IA illustrates a problem addressed by embodiments of the invention. Figure IA illustrates a group of potential delta transactions 100. These potential delta transactions 100 are associated with data 102, a low threshold 104 and a high threshold 106. Specifically, the initial value of data 102 is seventy- five; the value of the low threshold 104 is zero; and the value of the high threshold 106 is one- hundred. In other words, two threshold values have been defined for data 102, which collectively define a range of possible values for data 102 that do not pass either threshold. In the illustrated example, there are eight incremental values in the group of potential delta transactions 100. Delta transactions may be incremental changes to, for example, a data field. The illustrated delta transactions include an incremental value and an associated operation type that is either positive or negative, corresponding to increment or decrement, respectively. Taken together, the incremental value and the operation type define an incremental operation to be performed on the value of data 102. Depending on the sequence in which these potential incremental changes are processed, the data value may or may not pass one of the two thresholds, low threshold 104 or high threshold 106. There are three illustrated transaction sequences 108. In Sequence # 1, the third incremental change causes the value of data 102 to pass the value of high threshold 106. In Sequence # 2, the third incremental change causes the value of data 102 to pass the value of low threshold 104. In Sequence # 3, the incremental changes are processed in such an order that the value of data 102 never passes either the value of low threshold 104 or the value of high threshold 106.

[0073] In many computing environments, there may be no fixed sequence order for processing pending transactions. Furthermore, in some computing environments, some pending transactions may be aborted, adding increased variability to the possible value of a certain data. In such environments, it may be advantageous to know whether any combination of pending delta transactions could cause, for example, an affected data field to pass a defined threshold. Figure IB illustrates one embodiment of an example of using possible value ranges 110 to determine whether a combination of pending transactions 112 would cause a value of data 102 to pass the value of either low threshold 104 or the value of high threshold 106. There are eight potential delta transactions 100 illustrated in Figure IB. As these incoming, potential transactions are considered as possible candidates to become pending transactions — that is, transactions that may be processed, for example, without regard to their order of arrival — a computing system may evaluate whether the newly considered transaction could cause, in combination with any other subset of pending transactions, the value of data 102 to pass, for example, the value of low threshold 104 or the value of high threshold 106. Determining a possible value range is one method for determining whether any subset of pending transactions may exceed a threshold. In the example illustrated in Figure IB, the delta transaction "+20" is considered first. If transaction "+20" becomes pending, the lowest possible value of data 102 would not be affected because transaction "+20" could only cause the value of data 102 to increase. In contrast, if transaction "+20" becomes pending, the highest possible value of data 102 would be ninety-five because, if transaction "+20" completes and there are no other pending transactions, the value of data 102 would be the initial value, seventy-five, plus twenty. In some embodiments of an incremental computing system, transaction "+20" would be allowed to become pending because it could not cause the value of data 102 to pass either the value of low threshold 104 or the value of high threshold 106.

[0074] In the example illustrated in Figure IB, transaction "-75" is considered second. If transaction "-75" becomes pending, the lowest possible value of data 102 would be zero. The value of data 102 would be zero if the transaction "+20" aborts and the transaction "-75" completes. The highest possible value of data 102 would not be affected, if transaction "-75" became pending, because transaction "-75" could only cause the value of data 102 to decrease. In some embodiments of an incremental computing system, transaction "-75" would be allowed to become pending because it could not cause the value of data 102 to pass either the value of low threshold 104 or the value of high threshold 106.

[0075] In the example illustrated in Figure IB, transaction "+10" is considered third. If transaction "+10" becomes pending, the lowest possible value of data 102 would still be zero because transaction "+10" could only cause the value of data 102 to increase. If transaction "+10" becomes pending, however, the highest possible value of data 102 would be one- hundred and five. The value of data 102 could be one- hundred and five if the "+20" and "+10" transactions complete and the "-75" transaction aborts. In some embodiments of an incremental computing system, transaction "+10" would not be allowed to become pending, as an incremental transaction, because it could cause the value of data 102 to pass the value of high threshold 106, which is one-hundred. In other embodiments, transactions that could cause a data value to pass a threshold may still be allowed to become pending, once other transactions have resolved, but may, for example, trigger a notification or trigger a condition to be monitored.

[0076] Although, in the incremental computing system described above, possible value ranges are used to monitor thresholds in a transaction environment where some transactions fail, in other incremental computing systems possible value ranges may be used to monitor thresholds even where all transactions complete. For example, it may be advantageous to know prior to transaction completion whether a certain pending value could cause, in combination with the other pending values, a data value to pass a threshold. If a potential transaction could later cause, in combination with the pending transactions, a threshold to be passed, an incremental computing system may, for example, prevent such a potential transaction from becoming pending, may notify a resource that the newest pending transaction will cause a threshold to be passed, and/or may monitor a condition associated with the forecasted passing of the threshold value.

[0077] A storage system is one example of a computing system that may use possible value ranges to determine whether a transaction could cause, in combination with a subset of previously pending transactions, to pass a threshold. For example, in a storage system, it may be advantageous to process multiple incremental requests to change a value at a storage location. In some systems, writing a new incremental value may include requesting permission from a resource, such as a disk drive, in order to write the transaction to a specified storage location. Processing a single write request may involve many different processes including, for example, writing a copy of the value to a journal that temporarily stores the value before verification that the value has been written to long-term storage, such as a hard-disk drive; verifying that a data value has been successfully written to a storage device, such as a hard-disk drive; and communicating with other computing devices that may be involved with a related transaction that could cause the incremental transaction to either commit or abort. While these operations are being performed, other incremental change requests, or delta transactions, may arrive at the same time. It may be advantageous to process concurrently as many relevant operations for each delta transaction as possible. In some systems, it may be possible to write multiple pending delta transactions to a journal. These pending delta transactions may be recorded in the journal during overlapping periods of time until, for example, a long-term storage device is available to write the value at a particular storage location, including the cumulative value of the pending incremental changes to the value that accumulated while attempting to gain access to the long-term storage device.

[0078] Embodiments of a journal system, in which embodiments of systems and methods described herein may be implemented, are described in U.S. Patent Application No. 11/506,597, entitled "SYSTEMS AND METHODS FOR PROVIDING NONLINEAR JOURNALING," filed August 18, 2006; U.S. Patent Application No. 11/507,073 entitled "SYSTEMS AND METHODS FOR PROVIDING NONLINEAR JOURNALING," filed August 18, 2006; U.S. Patent Application No. 11/507,070, entitled "SYSTEMS AND METHODS FOR PROVIDING NONLINEAR JOURNALING," filed August 18, 2006; and U.S. Patent Application No. 11/507,076, entitled "SYSTEMS AND METHODS FOR ALLOWING INCREMENTAL JOURNALING," filed August 18, 2006. All four of the foregoing applications are hereby incorporated by reference herein in their entirety. II. Computing System

[0079] Figures 2A and 2B illustrate embodiments of a computing system that implements possible value ranges for incremental computing. Figure 2A illustrates a computing system 200 with a processor 202, a system memory 204, a persistent memory 206, a storage 208, and system modules 210. These components and modules are connected via an internal communication system. Typically, computing system 200 processes system modules 210 with processor 202, and writes data associated with system modules 210 to system memory 204, persistent memory 206, and/or storage 208. In the illustrated embodiment, persistent memory 206 is designated as a journal for computing system 200. In other embodiments, computing system 200 may have additional components and/or modules. Alternatively, computing system 200 may have fewer components and/or modules than illustrated in Figure 2A. For example, in some embodiments, computing system 200 may not have persistent memory 206. In addition, one or more of the components or modules may be combined or divided as subcomponents or submodules.

A. Example Components/Modules

[0080] Although storage 208 is illustrated as a single storage device, in other embodiments storage 208 may include an array of one or more types of storage devices. Multiple processors, system memory components, and persistent memory components may also be included. Furthermore, although embodiments of the invention are generally described with respect to storage devices based on hard-disk drives, other embodiments may be implemented on systems including alternative forms of storage, such as solid state disks (or drives), random access memory (RAM) disks, Flash disks, combinations of the same, and suitable equivalents. Similarly, embodiments of the invention may include storage devices with various implementations of system memory 204, including memory based on static RAM (SRAM), non-volatile RAM (NVRAM), dynamic RAM (DRAM), combinations of the same, and suitable equivalents. It will be appreciated by one skilled in the art how to implement embodiments of the invention on storage systems using suitable alternative storage-related devices.

[0081] In the illustrated embodiment, a journal of disk writes to storage 208 is stored in persistent memory 206. Persistent memory, as described herein, may refer to memory devices whose content remain stable despite power failure to the device. For example, a hard-disk drive is an example of persistent storage. Hard-disk drives retain their content, even in the absence of a power supply. Hard-disk drives do not, however, have efficient random access. Relatively long seek times limit the advantageous use of hard-disk drives for journal storage. Although a hard-disk drive may be used to store a journal, in some embodiments nonvolatile random access memory (NVRAM) is preferred. Flash memory, for example, has faster access times in comparison with hard-disk drives. One disadvantage of Flash memory, however, is its relatively limited lifecycle. In one embodiment, persistent memory 206 is battery-backed RAM, such that if it loses power, the backup battery maintains its persistent state. Battery-backed RAM has the advantage of efficient access time, long lifecycle, and persistent state, making it a suitable source of persistent memory 206 for storing a journal. Because battery-backed RAM can lose its memory contents in the event that the battery fails, persistent memory 206 includes not only those storage mediums that maintain their contents without any power; such as a hard-disk drive, but may also include storage mediums with suitable power-supply backups. Persistent memory 206 may also include magnetic random access memory (MRAM), which has access time and lifecycle advantages of battery-backed RAM without having a backup power supply. It will be appreciated by one skilled in the art that persistent memory 206 may include many suitable forms of nonvolatile memory, including, for example, magnetic random access memory (MRAM), Flash RAM, battery- backed RAM, combinations of the same, and suitable equivalents.

[0082] Although in the illustrated embodiment system modules 210 are illustrated as a separate component, the system modules 210 are program instructions that may be stored in a variety of suitable locations, including, for example, local partitions on storage 208 or dedicated storage devices. In general, the word module, as used herein, refers to logic embodied in hardware or firmware, or to a collection of software instructions, possibly having entry and exit points, written in a programming language, such as, for example, C or C++. A software module may be compiled and linked into an executable program, installed in a dynamic link library, or may be written in an interpreted programming language such as, for example, BASIC, Perl, or Python. It will be appreciated that software modules may be callable from other modules or from themselves, and/or may be invoked in response to detected events or interrupts. Software instructions may be embedded in firmware, such as an EPROM. It will be further appreciated that hardware modules may be comprised of connected logic units, such as gates and flip-flops, and/or may be comprised of programmable units, such as programmable gate arrays or processors. The modules described herein are preferably implemented as software modules, but may be represented in hardware or firmware. Moreover, although in some embodiments a module may be separately compiled, in other embodiments a module may represent a subset of instructions of a separately compiled program, and may not have an interface available to other logical program units.

[0083] In some embodiments, computing system 200 may comprise a variety of computer systems such as, for example, a computer, a server, a smart storage unit, and so forth. In one embodiment, the computer may be a general purpose computer using one or more microprocessors, such as, for example, a Pentium processor, a Pentium II processor, a Pentium Pro processor, a Pentium IV processor, an x86 processor, an 8051 processor, a MIPS processor, a Power PC processor, a SPARC processor, an Alpha processor, and so forth. The computer may run a variety of operating systems that perform standard operating system functions such as opening, reading, writing, and closing a file. It is recognized that other operating systems may be used, such as, for example, Microsoft® Windows® 3.X, Microsoft® Windows® 98, Microsoft® Windows® 2000, Microsoft® Windows® NT, Microsoft® Windows® Vista®, Microsoft® Windows® CE, Microsoft® Windows® ME, Palm Pilot OS, Apple® MacOS®, Disk Operating System (DOS), UNIX, IRIX, Solaris, SunOS, FreeBSD, Linux®, IBM® OS/2® operating systems, and so forth.

[0084] In some embodiments, computing system 200 may be connected to a cluster of networked computing devices, forming a distributed network system. A distributed network system may be arranged in many topologies, including, but not limited to, the following topologies: fully-connected, ring, mesh, star, line, tree, bus topologies, and so forth. It will be appreciated by one skilled in the art that various network topologies and/or combinations thereof may be used to implement different embodiments of the invention. In addition, it is recognized that nodes in a distributed network system may be connected directly, indirectly, or a combination of the two, and that all of the nodes may be connected using the same type of connection or one or more different types of connections. It is also recognized that in other embodiments, a different number of nodes may be included in the cluster, such as, for example, 2, 16, 83, 6, 883, 10,000, and so forth.

[0085] In one embodiment, the nodes of a distributed network system are interconnected through a bi-directional communication link where messages are received in the order they are sent. In one embodiment, the link comprises a "keep-alive" mechanism that quickly detects when nodes or other network components fail, and the nodes are notified when a link goes up or down. In one embodiment, the link includes a Transmission Control Protocol (TCP) connection. In other embodiments, the link includes a Session Description Protocol (SDP) connection over Infiniband, a wireless network, a wired network, a serial connection, Internet Protocol (IP) over FibreChannel, proprietary communication links, connection based datagrams or streams, and/or connection based protocols. B. Example Data Structures

[0086] Figure 2B illustrates one embodiment of three of the components of computing system 200 in more detail. Specifically, Figure 2B illustrates some of the data and data structures stored in system memory 204, persistent memory 206, and storage 208. Storage 208 is a hard-disk drive with multiple disk platters. The disk platters are divided into smaller data blocks, or disk blocks. Within a disk block, there may be multiple offset values that define different storage locations on the block. In the illustrated embodiment, the storage location 211 is defined as being on disk block "z" at offset "428." Conceptually, a data block may be any size of data, such as a single bit, a byte, a gigabyte, or even larger. In some embodiments, a data block is the smallest logical unit of data storage in a file system. Additionally and/or alternatively, a file system may use data block sizes that are different from the native block size of a disk. For example, a disk may have a native size of 512 bytes, but a file system may address 4096 bytes or 8192 bytes. One skilled in the art will appreciate that file systems may be implemented with many suitable data block sizes, including, but not limited to, 512 bytes, 4096 bytes, and 8192 bytes. In some embodiments, the block size may be configurable. It will be further appreciated that, although the illustrated embodiment illustrates a single data block size, file systems may be implemented with variably sized data blocks.

[0087] There are various data values stored in system memory 204 that correspond to storage location 211. Storage reference 212 is a pointer value that refers to the storage location 211 on storage 208. Usage 214 stores the value of the data stored at storage location 211. In the illustrated embodiment, usage 214 corresponds to a "usage" value of, for example, a defined domain of directories and files within a file system. PVR reference 216 is a pointer to possible value range (PVR) variables including, low value 218, and high value 220. Threshold reference 222 is a pointer to threshold variables for usage 214, including low threshold 224 and high threshold 226. Delta reference 228 is a pointer reference to the values of delta transactions for usage 214, including delta values 230. Although in the illustrated embodiment the delta values 230 are illustrated as positive and negative values, in other embodiments the delta values 230 may be unsigned values. Additionally and/or alternatively, there may be additional variables defining the respective signs of data values 230. [0088] Persistent memory 206 includes a journal data structure 232. Journal data structure 232 includes a journal block 234 that is a pointer reference to a linked list of transaction blocks 236. The transaction blocks 236, respectively, link together all of the associated data block writes for respective transactions. For example, the transaction T₀ includes a block descriptor 240 and a block value 242. Block descriptor 240 includes a pointer reference to storage location 211. Block value 242 stores the value that is to be written to storage location 211. Transactions Ti and T₂ include delta transactions that modify the value stored at storage location 211. These delta transactions 244 include a reference to the storage location 211 to which they correspond, as well as an incremental value and associated sign. When it comes time to write the value of usage 214 to storage location 211, the incremental values of the delta transactions 244 will be combined with the data value 242 and written to storage location 211. III. Possible Value Range (PVR) Module

[0089] In some embodiments, a possible value range is a closed range [v/, v_h] describing bounds (or boundaries) for the possible values of a variable. A possible value range module tracks one or more boundaries for a data field stored in a computer system. The boundaries are the lowest and/or highest possible values that may be stored in the data field. Thus, the possible value range is a set of boundary limits for the value of a given data field. Table 1 describes one embodiment of a possible value range (PVR).

Table 1

[0090] The illustrated PVR keeps track of both a lower and upper (or low and high) boundary value for a variable with an initial value of "100." Three subsequent transactions that incrementally modify this same data field are processed. Because these transactions are "uncommitted," the system cannot determine with certainty the exact value of the data field. In other words, in one embodiment, until the system has determined whether certain pending (uncommitted) transactions, affecting a particular variable, will execute (commit) or not execute (abort), the PVR module can track the lower and upper bounds of the possible values for the particular variable. Therefore, the PVR module uses the PVTv to track the possible lower and upper boundary values of the data field.

[0091] Specifically, when the first uncommitted transaction is accounted for, the PVR for the variable would be "[100: 101]," indicating that the lowest possible value of the variable would be "100" and the highest possible value would be "101." When the second uncommitted transaction is accounted for, the PVTv for the variable would then be "[98: 101]." If the first transaction aborted and the second transaction committed, the variable with initial state of "100" would be decremented "-2" without being incremented "+1", yielding a result of "98." Finally, when the third uncommitted transaction is accounted for, the PVTv for the variable would be "[88: 101]," as illustrated. If both the second and third transactions committed, but the first transaction aborted, the variable would have a value of "88." On the other hand, if the first transaction committed and the second and third transactions aborted, then the variable would have a value of "101." There are, of course, other possible values, including "99" (TXN 1 and TXN 2 commit; TXN 3 aborts), "89" (TXN 1, TXN 2, and TXN 3 commit), "100" (TXN 1, TXN 2, TXN 3 abort), "91" (TXN 1 and TXN 3 commit; TXN 2 aborts), "98" (TXN 2 commits; TXN 1 and TXN 3 abort), and "90" (TXN 3 commits; TXN 1 and TXN 2 abort). The embodiments described herein, generally, describe a PVTv module that tracks upper and lower boundary values. Other embodiments could track the possible middle boundaries/values. In some embodiments, the boundary values of a PVTv may be inclusive, and, in other embodiments, the boundary values may be exclusive. In other words, in some embodiments, the possible value range of a variable may include the boundary value, and, in other embodiments, the possible value range of a variable excludes the boundary value.

[0092] Table 2 illustrates one embodiment of operations to track a low value v/ and high value v_h (in other words, a lower bound and an upper bound) of a variable. These possible values are modified as uncommitted incremental, or delta (Δ), transactions are accounted for, causing a "change" in the PVTv (incrementing the high value for increments and decrementing the low value for decrements) and then either committed (incrementing the low value for increments and decrementing the high value is decrements) or aborted (decrementing the high value for increments and incrementing the low value for decrements).

Table 2

[0093] If, for example, the PVR is [88:101], and TXN 2 commits, then the high value is decremented by the respective delta ("2"), yielding a PVR of [88:99]. As described here, the "delta" refers to the unsigned incremental value. If TXN 3 then aborts, the low value is incremented by the respective delta ("10"), yielding a PVR of [98:99]. If TXN 1 then commits, the low value is incremented by the respective delta ("1"), yielding a PVR of [99:99].

A. Exemplary PVTv Enabled Journal

[0094] Figure 3 illustrates one embodiment of tracking PVRs in a journal subsystem. As described above with reference to Figure 2B, computing system 200 includes persistent memory 206, which keeps a journal of data writes to storage 208. In one embodiment of a journal subsystem, transactions are stored in a journal in, for example, one of three states: prepared (p), committed (c), or aborted (a). Prepared transactions are uncommitted transactions that have been written to the journal in preparation to being written to the storage (if committed). If these prepared transactions include incremental changes (or delta transactions) to a storage location already written to the journal (in another transaction, for example), a PVR module adjusts the PVR of the storage location to account for the incremental change (or delta transaction) included in the newly prepared transaction. One skilled in the art will appreciate that a PVR module may adjust the PVR of a storage location before or after an incremental change (or delta transaction) is written to a journal. Committed transactions are transactions that have been committed by the system to be written to storage. In the illustrated embodiment, if a committed transaction includes delta transactions for any storage locations, the PVRs of these storage locations are adjusted to reflect that the respective incremental changes (or delta transactions) are committed, and, therefore, no longer contribute to the uncertainty of the "possible" value ranges corresponding to the respective storage locations. Aborted transactions are transactions that have been aborted by the system and are not written to storage. In the illustrated embodiment, if an aborted transaction includes delta transactions for any storage locations, the PVTIs of these storage locations are adjusted to reflect that the respective incremental changes (or delta transactions) are aborted, and, therefore, no longer contribute to the uncertainty of the "possible" value ranges corresponding to the respective storage locations.

[0095] In 300, there is one transaction, T₀, linked into the journal. Transaction T₀ is "committed," meaning that computing system 200 has committed to write the storage locations associated with transaction T₀ to their respective storage locations. One of the storage locations associated with transaction T₀ is storage location [z, 428]. This storage location corresponds to disk block "z" at offset "428" on storage 208. The PVTv of the data to be stored at storage location [z, 428] is [75:75]. In other words, the lowest possible value of storage location [z, 428] is "75," and the highest possible value of storage location [z, 428] is also "75." This indicates that there are no deltas corresponding to storage location [z, 428].

[0096] In 302, a new transaction is linked into the journal. Transaction Ti is in the "prepared" state, meaning that it has been recorded in the journal, but the computing system 100 has not committed to executing transaction T₁. One of the storage locations affected by transaction Ti is storage location [z, 428]. Transaction Ti adds the incremental value of "25" to the value stored at location [z, 428]. Because the incremental change is an increment, the high value of the PVR corresponding to [z, 428] is increased to "100," the value of the storage location in transaction T₀ and the incremental value in transaction T₁. Because the delta transaction corresponding to transaction Ti would not cause a decrement to the value of the data corresponding to storage location [z, 428], the lowest possible value remains the same. Thus, the total possible value range in 302 is [75:100].

[0097] In 304, a new transaction, T₂, is linked into the journal. It is also in the "prepared" state, meaning that the computing system 100 has not committed to modifying the relevant storage locations. One of the storage locations affected by transaction T₂ is storage location [z, 428]. Transaction T₂ decrements the value stored at [z, 428] by 10. Thus, the low value of the PVR for the value of the data stored at [z, 428] is now 65. The high value remains the same. Thus, the possible value range for the data stored at [z, 428] is [65:100].

[0098] In 306, transaction T₂ commits, meaning that the system is committed to writing the storage locations corresponding to transaction T₂. Because T₂ has been committed, the PVR for the data stored at [z, 428] is adjusted. The high value is decremented by 10, resulting in the value of "90." The low value of the data stored at [z, 428] is still 65. Thus, the possible value range is [65:90].

[0099] In 308, transaction Ti aborts, meaning that the corresponding storage locations will not be modified by Ti. Because Ti will no longer be executed, the PVR of the data stored at [z, 428] is adjusted. The high value of the PVR is now 65, which is also the low value because there are no uncommitted delta transactions pending. Thus, the PVR is the cumulative sum of the data value "75" and the committed delta transactions, which in this example is the delta transaction "-10."

B. Threshold Evaluation Procedures

[0100] Figure 4 illustrates a flow chart of one embodiment of determining whether to write a delta to a journal, such as journal 232. In the illustrated embodiment, a delta transaction is written to the journal if the delta transaction could not, in combination with any other set of pending uncommitted transactions, cause the PVR for the associated storage location to pass a threshold. To determine whether a threshold could be passed, the PVR module determines a temporary PVR — the PVR that could result with the addition of the delta transaction — and compares the adjusted low/high value to the corresponding threshold.

[0101] In state 402, the PVR module receives a delta, an operation, and a threshold for a storage location — for example, a particular data block and offset stored on storage 208. In state 404, the PVR module determines the current PVR for the block and the offset. In state 406, the PVR module determines whether the delta can be applied without passing the threshold. This determination is discussed in greater detail below with reference to Figure 4B. If the delta cannot be applied without passing the threshold, then the PVR module returns an error. In some embodiments, the system may respond to the error by, for example, retrying after an elapse of time or some other suitable condition or allowing the delta transaction in a serial, exclusive, or locked mode. In state 408, if the PVR module determines that the delta can be applied without passing the threshold, the PVR module writes the delta to the journal, in state 410.

[0102] The following is exemplary pseudocode of one embodiment of determining whether to write a delta to a journal. It will be appreciated by one skilled in the art that there are many suitable ways to determine whether to write a delta to a journal.

write delta (transaction, address, offset, op, delta, threshold) {

/*

* Look up the disk block for the given address so we can

* try to apply a delta to it. */ block = get_block_for_delta (transaction, address);

/*

* Look up the pvr for this disk block and offset,

* creating one if necessary. */ pvr = get_or_create_pvr (block, offset);

/* Try to apply the delta */ error = apply delta (op, delta, pvr, threshold) ; if (error) goto out;

/*

* If the delta didn't cross the threshold, write it to the

* ] ournal as part of this transaction */ wπte_delta_to_] ournal (transaction, block, offset, op, delta) ; out : return error; }

[0103] Figure 4B illustrates, in greater detail, one embodiment of state 406 of Figure 4A, which determines whether a delta can be applied without passing a threshold. In state 452, the PVR module determines whether the operation is an increment or decrement. If the operation is a decrement, the PVR module determines whether decrementing the lower bound of the PVR would avoid passing the lower threshold, in state 454. If the operation is an increment, the PVTv module determines whether incrementing the upper bound of the PVR would avoid passing the upper threshold, in state 456. If decrementing the lower bound or incrementing the upper bound would cause the possible value to pass the lower or upper thresholds, respectively, the PVR module returns the answer "no," in state 458. If decrementing the lower bound of the PVR would not pass the lower threshold, the PVR module adjusts the lower bound to reflect the delta, in state 460. If incrementing the upper bound of the PVR module would avoid passing the upper threshold, the PVR module adjusts the upper bound to reflect the delta, in state 462. After adjusting either the lower bound or the upper bound, the PVR module returns the answer "yes," in state 464.

[0104] The following is exemplary pseudocode of one embodiment of determining whether a delta can be applied without passing a threshold. It will be appreciated by one skilled in the art that there are many suitable ways to determine whether a delta can be applied without passing a threshold.

apply_delta (op, delta, pvr, threshold) { pvr_oπg = pvr; pvr tmp = pvr; error = 0; switch (op) { case ADD: pvr tmp. high += delta; if (pvr_tmp.high < pvr_oπg. high /* overflow */ | | pvr tmp. high > threshold /* crossed threshold */) { error = ESPANSRANGE; goto out; } case SUB: pvr_tmp->low -= delta; if (pvr tmp. low > pvr oπg.low /* overflow */ | | pvr_tmp.low < threshold /* crossed threshold */) { error = ESPANSRANGE; goto out; } }

/* Copy out the modified pvr */ pvr = pvr_tmp; out : return error; }

C. Example Transactions

[0105] Figure 5 illustrates one embodiment of how a group of transactions use possible value ranges (PVRs) to acquire an exclusive lock to pass a threshold. State 500 illustrates a set of initial conditions. A computing system, such as computing system 200, has a data field with an initial value V₁ set to "1000," a low threshold set to "0," and a high threshold set to "1400." Because there are no deltas defined in the initial state, the PVTv of the data value, initially, is [1000: 1000].

[0106] In state 502, transaction T₀ prepares. In the illustrated embodiment, when a transaction prepares, the associated delta is written to the journal. Because the transaction has not yet committed, the value of the associated data block is not certain. If transaction T₀ aborts, the value remains "1000." If the transaction T₀ commits, then the value would be 1300, as the incremental value of transaction T₀ for the data value is "300" and the operation type is increment. Thus, in state 502, the PVR is [1000: 1300].

[0107] In state 504, transaction Ti prepares. Transaction T₁, if committed, would decrement the value by "100." If transaction T₀ aborted and transaction Ti committed, then the data value would be "900." Thus, the lowest possible value is "900." If transaction T₀ commits and transaction Ti aborts, then the data value would be "1300," which is the highest possible value. Thus, the PVR is [900: 1300]. If both T₀ and Ti commit, then the data value would be "1200." If transaction T₀ and transaction Ti both abort, then the data value would be "1000."

[0108] In state 506, transaction T₂ attempts to prepare. Because transaction T₂ would cause the PVR to pass the high threshold of "1400," transaction T₂ is not written to the journal. Subsequently, transaction T₂ requests an exclusive lock in order to serially handle the application of the delta, which could pass a threshold. In state 508, transaction T₀ aborts, and the PVR module adjusts the possible value range to [900: 1000]. In state 510, transaction T₂ attempts to prepare again. Because transaction T₂ would still cause the possible value range to pass the high threshold, transaction T₂ is not allowed to prepare. Transaction T₂ continues to request the exclusive lock. In the illustrated embodiment, a disallowed transaction could repeatedly check to see if it still should request an exclusive lock before it receives one. Alternatively, a disallowed transaction would request an exclusive lock just once, and then wait for it. One skilled in the art will appreciate the various possible implementations of requesting/granting shared and exclusive locks. In state 512, transaction Ti commits, causing the possible value range to be [900:900]. Although not illustrated, in some embodiments, transaction T₂ could check whether it still should request an exclusive lock.

[0109] In state 514, transaction T₂ acquires an exclusive lock. Transaction T₂ then prepares, causing the possible value range to adjust to [900: 1500]. In state 516, transaction T₂ commits, causing the possible value range to change to [1500: 1500]. In state 518, the PVR module resets the thresholds and the initial value because a threshold has been passed. The data value is updated to the current value of 1500. In the illustrated embodiment, an upper threshold is now set at 2000, and the previous upper threshold becomes a lower threshold. The PVR of the data value is now [1500: 1500]. In the embodiment just described, a transaction is allowed to pass a threshold after acquiring an exclusive lock. Thresholds may be defined with different characteristics that cause different handling after acquiring an exclusive lock. Some thresholds, for example, may merely issue an advisory notice that a threshold has been passed, some may prevent a threshold from being passed, and some may prevent a threshold to be passed while certain conditions are met. One skilled in the art will appreciate that there are many suitable ways to define characteristics of thresholds. Some exemplary threshold types are discussed in greater detail below with reference to Figure 6.

[0110] In state 520, transaction T₃ acquires a shared lock, and attempts to prepare. Because transaction T₃ could cause the possible value range to pass the lower threshold, it is not allowed to prepare. Transaction T₃ then requests an exclusive lock. In state 522, transaction T₄ prepares because it would not cause the possible value range to pass either the low or high threshold. The possible value range is now 1500: 1600. The resolution of transactions T₃ and T₄ are not illustrated. Although the illustrated embodiments have resolved transactions that could pass thresholds by implementing shared and exclusive locks, in other embodiments there are other suitable ways to resolve these transactions, such as, for example, rejecting such transactions. IV. Threshold Types

[0111] Figure 6 illustrates embodiment of a state diagram that defines, for example, advisory, soft, and hard thresholds. For an advisory threshold, the PVR module allows the threshold to be passed, and sends an advisory notice that the threshold has been passed. A soft threshold also allows the threshold to be passed, but the passing of the threshold triggers a monitor of one or more conditions that, if satisfied, signal the PVR module to disallow the threshold to be passed subsequently. A hard threshold signals the PVR module to prevent the threshold from being passed. Transactions that attempt to pass a hard threshold are aborted.

[0112] Described below are enforcement states and state transitions corresponding to the state diagram illustrated in Figure 6. As used below, "usage" refers to a data variable with defined thresholds. Furthermore, as used below, "grace period" refers to the amount of time a threshold may be exceeded before becoming another type of threshold, such as, for example, becoming a hard threshold after the grace period for a soft threshold has expired. A grace period is one embodiment of a condition which may be monitored to implement advisory, soft, and hard threshold semantics. In the described embodiment, all thresholds have an associated grace period. Advisory thresholds have an infinite grace period; hard thresholds have a grace period of zero; and anything else is a soft threshold. It is recognized that, in other embodiments, one or more, or even all, thresholds may not have an associated grace period. As described in greater detail below with reference to the embodiments disclosed in Figures 7, 8, 9, 1OA, 1OB, 1OC, 10D, 1OE, 1OF, and 1OG, "usage" refers to domain usage. [0113] The following enforcement states correspond to the state diagram.

U (Under) If the usage is less than the enforcement threshold, the enforcement is in state U.

O (Over) If the usage is greater than the enforcement threshold, the enforcement is in state O. At the time the system transitioned to state O, the grace period for the given threshold was not yet expired. It is possible for the grace period to be expired while the enforcement remains in state O, if the corresponding domain has not been accessed since the grace period has expired.

E (Expired) If the usage is greater than the threshold, and the usage has remained over the enforcement threshold past the grace period expiration, and an attempt to access the domain has been made since the expiration, then the threshold is in state E. If the threshold is modified but not the grace period, and the usage still exceeds the threshold, the enforcement remains in state E.

[0114] The following state transitions correspond to the state diagram. State transitions marked with an asterisk define state transitions where errors may be returned and where the action may be denied.

UO An enforcement moves from state U to O when the usage is increased or the threshold is changed such that the usage exceeds the threshold, and the grace period on the threshold is non-zero (that is, not a hard threshold) . The UO transition sets the expiration time.

UE An enforcement moves from state U to E when the usage is increased or the threshold is changed by an administrator such that the usage exceeds the threshold, and the enforcement has a grace period of zero (that is, a hard threshold) . The UE transition also sets the expiration time, but, in this case, the time is already exceeded .

OU An enforcement moves from state O to U when usage is reduced or the threshold is changed such that the usage no longer exceeds the threshold. The OU transition resets the expiration time.

OE An enforcement moves from state O to state E once the grace period expiration is noticed. Expiration is only noticed during operations that involve the domain in some way (for example, allocation, queries, and so forth) ; in other words, an active timer for the grace period is not kept. Once the OE transition occurs, the action is reevaluated in the context of state E, meaning that if the action causes the usage to increase, the action is denied. An enforcement also moves from state 0 to state E if the grace period is lowered and, thus, now expired.

EO If an administrator raises the grace period for a threshold such that the grace period for an enforcement is no longer expired, the enforcement moves from state E to 0.

EU An enforcement moves from state E to state U when usage is reduced or the threshold is changed such that the soft threshold is no longer exceeded. The EU transition resets the expiration time.

[0115] The following are situations where the full state does not change, but which are helpful to consider:

UU± An attempt to increase usage (UU+) or decrease usage (UU-) may cause an enforcement to stay within state U.

00+ An attempt to increase usage (00+) or decrease usage (OO-) may cause an enforcement to stay within state O.

UEU An attempt to increase usage by a non- administrator may be denied as a result of a hard threshold. If the action had been allowed to continue, it would have resulted in a transition from U to E.

EE+ An attempt to increase usage (EE+) or decrease usage (EE-) may cause an enforcement to stay within state E. The EE+ case is denied for non-administrators.

[0116] Although the above description relates to one embodiment of a state diagram, it is recognized that other embodiments may be used. V. Quota Accounting

[0117] Figures 7, 8, 9, 1OA, 1OB, 1OC, 10D, 1OE, 1OF, and 1OG, and the accompanying text, describe one embodiment of a quota accounting module that uses PVTIs to implement domain quotas within a data storage system. Domain quotas are quotas for the usage of a particular domain, for example, a file system domain. In some embodiments, it may be advantageous to define certain domains in a file system, and to set thresholds for the usage of such domains. By monitoring usage levels and/or enforcing thresholds, system administrators may maintain control over the amount of file system space allocated to a user or group of users. Because many transactions may be processed in close proximity, it may be advantageous to track the possible value ranges of domain usage, as uncommitted transactions become pending.

[0118] Figure 7 and the accompanying text illustrate embodiments of several domains in an exemplary file system. Figure 8 and the accompanying text illustrate exemplary threshold values defined for the exemplary domains. Figure 9 illustrates one embodiment of a timing diagram of exemplary transactions that may cause the usage value of the exemplary domains to pass the exemplary thresholds. Figures 1OA, 1OB, 1OC, 10D, 1OE, 1OF, and 1OG illustrate, in greater detail, embodiments of the implementation of a quota accounting module that uses PVTIs to manage the exemplary transactions.

A. Example Domains

[0119] Figure 7 illustrates an example embodiment of three domains defined within a file system 700. File system 700 includes various directories and files organized in a tree-like data structure. As illustrated, there are three domains (d₀, di, d₂) defined within file system 700. A domain is a set of directories and files associated together. Domain d₀ includes all of the files and directories within the /ifs/eng/ directory, which includes the following files and directories: eng/, quota_design.doc, home/, tyler/, quota_pseudocode.doc, pete/ and quota_patent_app.doc. Domain di includes all of the files and directories owned by pete in the /ifs/eng/ directory, which includes the following files and directories: eng/, quota designdoc, pete/ and quota_patent_app.doc. Domain A₂ includes all of the files in the directory ifs/eng/home/tyler/, which includes the following files and directories: tyler/, quota_pseudocode.doc and quota_patent_ap.doc. [0120] Figure 8 and Table 3 illustrate one embodiment of the various thresholds defined for domains do, di, and d₂. Usage values are stored for the respective domains. The usage values corresponding to domains d₀ and di are stored on the same participant node P₀, described in greater detail below with reference to Figure 9, on block "x" at offset "0" and on block "y" at offset "5," respectively. The usage value corresponding to domain d₂ is stored on participant node Pi on block "z" at offset "428." The initial usage of domain d₀ is 999 megabytes, of domain di is 48.9 megabytes, and of domain d₂ is 4.55 megabytes. Domain do has three defined thresholds including an advisory threshold at one thousand and one megabytes, a soft threshold at one thousand five hundred megabytes, and a hard threshold at two thousand megabytes. Domain di has two defined thresholds, including a soft threshold at forty-nine megabytes and a hard threshold at fifty megabytes. Domain d₂ also has two defined thresholds, including an advisory threshold at 4.5 megabytes and a hard threshold at five megabytes.

Table 3

B. Example Transactions

[0121] Figure 9 illustrates one embodiment of a timing diagram of multiple transactions in embodiments of an incremental computing system. Incremental computing system 900 is a distributed file system, which includes an initiator node 902, node I, and two participant nodes 904, nodes P₀ and Pi. The timing diagram illustrates the order of messages sent and received by the various described nodes in the incremental computing system 900 as three transactions, T₀, Ti₁ and T₂, are accounted for in the system.

[0122] In the illustrated embodiment, the various nodes of the distributed file system may process transactions according to a global transaction system. A global transaction system in which embodiments of systems and methods described herein may be implemented, is described in U.S. Patent Application No. 11/449,153 entitled "NON- BLOCKING COMMIT PROTOCOL SYSTEMS AND METHODS," filed June 8, 2006, which is a continuation of U.S. Patent Application No. 11/262,306 entitled "NON- BLOCKING COMMIT PROTOCOL SYSTEMS AND METHODS," filed October 28, 2005, which claims priority to Application No. 60/623,843, filed October 29, 2004, all of which are hereby incorporated by reference herein in their entirety.

[0123] In state 906, delta commands corresponding to transactions T₀ are sent from the initiator node I to participant node P₀. There are two delta commands corresponding to transaction T₀, each delta command corresponding to one of the two domains to which transaction T₀ corresponds. In state 906, the initiator node I also sends delta commands corresponding to transaction Ti to participant nodes Po and Pi. Each of the delta commands corresponds to one of the respective domains to which transaction Ti corresponds. The usage field for domain d₀ is stored on participant P₀, the usage field corresponding to domain d₂ is stored on participant Pi. Thus, delta commands are sent to both participant nodes Po and Pi. Because the usage field for domain di is stored on participant node P₀, both delta commands corresponding to transaction Ti are sent to participant node P₀. Transactions Ti and T₂ are sent within a close period of time. Although in the illustrated embodiment, the delta commands arrive in the order in which they were sent, in other examples/embodiments the delta commands may arrive in an order different from their sending order. Generally speaking, the respective delta commands for transactions Ti and T₂, the delta commands corresponding to Ti and T₂ may be processed concurrently by participant nodes P₀ and Pi. Generally speaking, this concurrency may be between the respective participant nodes, or between the respective delta commands being executed on a particular participant node.

[0124] After participant nodes P₀ and Pi determine whether or not the respective deltas can be applied without passing a threshold, participant nodes P₀ and Pi send to the initiator node I a return message indicating a Boolean response of whether the delta may be applied without passing a threshold. In state 908, participant Po sends return values for the delta commands corresponding to transaction T₀. The return value for the delta command corresponding to domain d₀ is "Yes," indicating that the delta may be applied to domain d₀ without passing a threshold. The return value for the delta command corresponding to domain di is "No," indicating that the delta cannot be applied without passing its threshold. In state 910, participants P₀ and Pi return respective values for the delta commands corresponding to transaction Ti. The return value for the delta transaction corresponding to domain d₀ is "Yes," indicating that the delta can be applied without passing a threshold. The return value for the delta command corresponding to domain d₂ is "No," indicating that the delta cannot be applied without passing a threshold.

[0125] Because transactions T₀ and Ti could each respectively cause a respective usage value to pass a threshold (transaction T₀ could cause usage for domain di to pass a threshold; transaction Ti could causes usage for domain d₂ to pass a threshold), a reorganization is executed for each transaction respectively. Thus, in state 910, a reorganization is executed corresponding to transaction T₀. In state 912, a reorganization is executed corresponding to Ti.

[0126] In state 914, initiator node I sends respective delta commands corresponding to transaction T₂. Because the usage fields for domains d₀ and di are stored on participant P₀, the two respective delta commands corresponding to these domains are sent to participant P₀. The delta command corresponding to domain d₂ is sent to participant Pi because the usage value corresponding to d₂ is stored on participant Pi. In state 916, participants P₀ and Pi send the respective return values for transaction T₂ corresponding to domains do, di, and d₂. The return value for the delta command corresponding to do is "Yes," indicating that the delta may be applied to the usage field of corresponding to d₀ without passing a threshold. The return values for the delta commands corresponding to domains di and d₂ are "No," indicating that the delta value cannot be applied to the respective usage fields of domains di and d₂ without passing the respective thresholds for these domains. This occurs in state 916. In state 918, a reorganization is executed corresponding to transaction T₂ because the thresholds corresponding to domains di and d₂ could be passed if the respective delta of transaction T₂ is applied.

[0127] Figures 1OA, 1OB, 1OC, 10D, 1OE, 1OF, and 1OG illustrate, in more detail, embodiments of the execution of the delta commands corresponding to transactions T₀, Ti, and T₂, which are described above in the timing diagram illustrated in Figure 9. In 1000, the respective usage fields for domains do, di, and d₂ are illustrated along with their corresponding PVR data structures. The usage value for domain d₀ is stored on block "x" of participant P₀ at offset "0." The initial usage value of domain d₀ is "999." Because there are no deltas yet associated with the usage value for domain do, the PVR is [999:999]. In other words, the low value vi of the PVR is "999," and the high value v_h of the PVR is "999." There are two thresholds defined for domain do, the low threshold set to "0" and the high threshold set to "1001." There are no deltas yet for the usage value of domain do.

[0128] The usage value of domain di is stored on disc block "y" of participant P₀ at offset "5." The initial usage value of domain di is "48.9." Because there are no deltas yet for the usage value of domain di, the PVR of the usage for domain di is [48.9:48.9]. In other words, the low value v/ of the PVR corresponding to domain di is "48.9," and the high value Vh of the PVR corresponding to domain di is "48.9." There are two thresholds defined for domain di, the low threshold set to "0" and the high threshold set to "49." As mentioned above, there are no deltas defined for the usage of domain di.

[0129] The usage value for domain d₂ is stored on disc block "z" of participant P₂ at offset "428." The initial usage value is "4.55." Because there are no deltas yet defined for the usage value on domain d₂, the PVR of the usage for domain d₂ is [4.55:4.55]. In other words, the low value v/ of the PVR for the usage value corresponding to domain d₂ is 4.55, and the high value v_h of the PVR corresponding to usage for domain d₂ is also 4.55. There are two thresholds defined for the usage value corresponding to domain d₂, the low threshold set to "4.5," and the high threshold set to "5." As mentioned above, there are no deltas yet defined for the usage value corresponding to domain d₂.

[0130] Table 4 illustrates one embodiment of the initial domain usage values described above, and also illustrates the potential incremental affects of three transactions, T₀, Ti₁ and T₂, on the domain usage.

Table 4

[0131] In 1002, the respective delta commands corresponding to transaction T₀ are received by participant P₀. There are two delta commands corresponding to the two domains d₀ and di, the domains affected by transaction T₀. In other words, transaction T₀ modifies files and/or directories within domain d₀ and di, changing the usage values corresponding to these respective domains. Although in the illustrated embodiment the delta cmd To corresponding to domain d₀ is processed before the delta_cmd_T₀ corresponding to di, in other embodiments the delta commands may be processed in a different order.

[0132] The delta cmd To corresponding to domain do includes an operator type field set to "add," a delta field set to "0.3," a threshold field set to "1001," a block field set to "x," and an offset field set to "0." In order words, the delta cmd To corresponding to d₀ requests whether "0.3" may be added to the usage level corresponding to domain do, which is stored on block "x" at offset "0," without passing the threshold "1001." T₀ could cause the PVR of the usage value for domain d₂ to be [999:999.3]. In other words, if T₀ executes (commits), then the usage of domain do, in combination with any other pending transactions, could be "999.3." If transaction T₀ does not execute (aborts), then the usage value for domain do could be "999." Because the high value v/, of the PVR corresponding to domain do is less than the high threshold corresponding to domain do, the delta can be applied without passing a threshold. Subsequently, the delta is written to the journal, as described in greater detail above with reference to Figs. 3, 4A, and 4B. The in-memory structures tracking the possible value range and the deltas are modified. Specifically, the high value v_h of the PVR corresponding to d₀ is now "999.3." Furthermore, the delta value "+0.3" is stored in memory.

[0133] The delta_cmd_T₀ corresponding to domain di includes an operator type field set to "add," a delta field set to "0.3," a threshold field set to "49," a block field set to "y," and an offset field set to "5." In order words, the delta_cmd_T₀ corresponding to di requests whether "0.3" may be added to the usage level corresponding to domain di, which is stored on block "y" at offset "5," without passing the threshold "49." T₀ could cause the PVR corresponding to domain di to be [48.9:49.2]. In other words, the delta corresponding to transaction T₀ would push the high value of the possible value range of the PVTv to "49.2." Thus, if transaction T₀ executes (commits), then the usage value for domain di, in combination with any other pending transactions, could be "49.2." If, however, the transaction T₀ does not execute (aborts), then the usage value of domain di could be "48.9." Because the possible high value of the PVR is greater than the value of the high threshold corresponding to domain di, the delta corresponding to transaction T₀ cannot be applied without passing a threshold. Because transaction T₀ could cause the usage value of di to pass a threshold, the return value of delta cmd To for domain di is "No." Transaction T₀, therefore, requests an exclusive lock. Because transaction T₀ would not have passed a threshold in domain do, as discussed above, the delta was applied to the data structures corresponding to domain d₀. Because transaction T₀ is now suspended until it acquires an exclusive lock, the data structures corresponding to domain do are rolled back to their condition prior to transaction T₀. Thus, the PVR for usage in domain d₀ is "999:999," and there are no pending deltas.

[0134] In 1004, the delta commands corresponding to transaction Ti are processed. As mentioned above, although in the illustrated embodiment, the respective delta commands are processed in the order of d₀ and then d₂, in other embodiments the delta commands may be processed in a different order. The delta cmd Ti corresponding to domain d₀ includes an operator type field set to "sub," a delta field set to "0.1," a threshold field set to "0," a block field set to "x," and an offset field set to "0." In order words, the delta cmd Ti corresponding to do requests whether "0.1" may be subtracted from the usage level corresponding to domain d₀, which is stored on block "x" at offset "0," without passing the threshold "0." Transaction Ti could decrease the low value v/ of the PVR the usage value for domain d₀ to "9.2." Thus, the temporary PVR of the usage value of domain do, in combination with any other transactions, is [99.2:99.3]. Because the low value v/ of the PVR corresponding to the usage field of domain d₀ is greater than or equal to the low threshold corresponding to domain do, the delta value of delta cmd Ti can be applied without crossing a threshold. Subsequently, the delta is written to the journal, as described in greater detail above with reference to Figs. 3, 4A, and 4B. The in-memory structures tracking the possible value range and the deltas are modified. Specifically, the low value v/ of domain do is decremented by the delta value "0.1." Furthermore, the delta value "-0.1" is also recorded in memory, as a pending delta.

[0135] The delta cmd Ti corresponding to domain d₂ includes the following data fields: an operator type field set to "sub," a delta field set to "0.1," a threshold field set to "4.5," a block field set to "z," and an offset field set to "428." In other words, the delta cmd Ti requests whether "0.1" may be subtracted from the usage value corresponding to domain d₂, which is stored on block "z" at offset "428," without passing the threshold "4.5." Transaction Ti could cause the PVR corresponding to domain d₂ to be [4.45:4.55]. Because transaction Ti could cause the usage value of d₂ to pass a threshold, the return value of delta cmd Ti for domain d₂ is "No." Transaction T₁, therefore, requests an exclusive lock. Because transaction Ti would not have passed a threshold in domain d₀, as discussed above, the delta was applied to the data structures corresponding to domain d₀. Because transaction Ti is now suspended until it acquires an exclusive lock, the data structures corresponding to domain d₀ are rolled back to their condition prior to transaction T₁. Thus, the PVR for usage in domain d₀ is still "999:999," and there are no pending deltas.

[0136] In 1006, the PVR module reorganizes domains do and di based on transaction T₀. Because transaction T₀ could cause the usage value of domain di to pass the corresponding soft threshold in the upward direction, transaction T₀ is processed with an exclusive lock, and the relevant domains d₀ and di are reorganized. During the reorganization, transaction T₀ is allowed to commit because no hard thresholds are passed. Because transaction T₀ would increment the respective usage values of domains do and di by "0.3," the usage value of domain d₀ is set to "999.3," and the usage value of domain di is set to "49.2." The respective PVR values are adjusted to reflect the respective usages for domains d₀ and di. Because no thresholds were passed in domain do, the thresholds remain the same for d₀. Because transaction T₀ causes the usage value of domain di to pass the soft threshold for domain di in the upward direction, the thresholds are adjusted. The low threshold for domain di is now the soft threshold of "49" and the high threshold for domain di is now the hard threshold "50."

[0137] Because transaction Ti could also cause one of the usage values of domains do and d₂ to pass a threshold, in 1008, domains do and d₂ are reorganized by transaction T₁. During the reorganization, transaction Ti is allowed to commit because no hard thresholds are passed. With respect to domain do, the usage value is decremented to "999.2." Because transaction Ti does not cause the usage value of domain d₀ to pass a threshold, the thresholds for domain d₀ remain the same. With respect to domain d₂, the usage value is decremented to 4.45. Because the new decremented usage value passes the advisory threshold in the downward direction, the thresholds are readjusted. The adjusted low threshold is now "0," and the adjusted high threshold is now the advisory threshold "4.5."

[0138] In 1010, the delta commands corresponding to transaction T₂ are processed. With respect to domain do, delta_cmd_T₂ includes the following data fields: an operation type field set to "add," a delta field set to "0.9," a threshold field set to "1001," a block field set to "x," and an offset field set to "0." In other words, delta_cmd_T₂ requests whether "0.9" may be added to the usage value corresponding to do, which is stored on block "x" at offset "0," without passing the threshold "1001." Thus, the temporary PVR is [99.2: 1000.1]. Said differently, delta_cmd_T₂ could increment the high value v_h of the PVR corresponding to domain d₀ to "1000.1." Because 1000.1 is less than or equal to 1001, the delta may be applied without passing a threshold. In other words, because the high value v/, of the PVR for domain d₀ would be less than the high threshold for do, the delta may be applied. Subsequently, the delta is written to the journal, as described in greater detail above with reference to Figs. 3, 4A, and 4B. The in- memory structures tracking the possible value range and the deltas are modified. Subsequently, the high value v_h of the PVR for D₀ is adjusted to "1000.1" and the delta value "+0.9" is recorded in system memory.

[0139] With respect to domain di, delta_cmd_T₂ includes the following data fields: an operation type field set to "add," a delta field set to "0.9," a threshold field set to "50," a block field set to "y," and an offset field set to "5." In other words, delta_cmd_T₂ requests whether "0.9" may be added to the usage value corresponding to domain di, which is stored on block "y" at offset "5," without passing the threshold "50." Transaction T₂ could cause the PVR for di to be [49.2:50.1]. In other words, delta_cmd_T₂ could increment the high value V_h of the PVR of domain di to "50.1." Because 50.1 is greater than 50, the delta_cmd_T₂ could cause di to pass a threshold. Specifically, the transaction T₂ could cause the usage value of domain di to pass the high threshold, which is a hard threshold. Because transaction T₂ could cause the usage value of di to pass a threshold, the return value of delta cmd Ti for domain di is "No."

[0140] With respect to domain d₂, delta_cmd_T₂ includes the following data fields: an operation type field set to "add," a delta field set to "0.9," a threshold field set to "4.5," a block field set to "z," and an offset field set to "428." In other words, delta_cmd_T₂ requests whether "0.9" may be added to the usage value corresponding to domain d₂, which is stored on block "z" at offset "428," without passing the threshold "4.5." If delta_cmd_T₂ is applied, the PVR for d₂ would be [4.45:5.35]. In other words, the delta_cmd_T₂ would increase the high value v_h of the PVR of domain d₂ to "5.35." Because 5.35 is greater than 4.5, which is the high threshold, the delta_cmd_T₂ could cause the usage value of domain d₂ to pass a threshold. Because transaction T₂ could cause the usage value of d₂ to pass a threshold, the return value of delta cmd Ti for domain d₂ is "No."

[0141] Because transaction T₂ could cause the usage value of either di or d₂ to pass a threshold, transaction T₂ requests an exclusive lock. Because transaction T₂ would not have passed a threshold in domain do, as discussed above, the delta was applied to the data structures corresponding to domain do. Because transaction T₂ is now suspended until it acquires an exclusive lock, the data structures corresponding to domain d₀ are rolled back to their condition prior to transaction T₂. Thus, the PVR for usage in domain d₀ is "999.2:999.2," and there are no pending deltas.

[0142] In 1012, domains do, di, and d₂ are reorganized because transaction T₂ could cause one or more thresholds to be passed in the respective domains. Specifically, because transaction T₂ could cause the usage values of domains di and d₂ to pass respective thresholds, the relevant domains are reorganized. Because transaction T₂ could cause the usage of domain di to pass a hard threshold, transaction T₂ is aborted. Accordingly, the usage values of domains do, di, and d₂ remain the same. Similarly, the PVTIs and thresholds for domains do, di, and d₂ also remain the same. In the illustrated embodiment, during reorganization, the transaction with the exclusive lock is processed serially with respect to the different affected domains. For example, transaction T₂ may be processed first with respect to domain d₀ and then domain di. Because transaction T₂ would not cause domain d₀ to pass a threshold, the data structures corresponding to do may be adjusted before it is discovered that transaction T₂ would cause domain di to pass a hard threshold, triggering an abort of transaction T₂. Accordingly, during reorganization, some data structures may be changed and then rolled back after discovering that a hard threshold is passed. Although the final states of the three respective domains are illustrated in the example above, the temporary modification and subsequent readjustment are not illustrated. VT. Resource Usage Management

[0143] In many computing environments it is desirable to manage usage of one or more resources by consumers of the resources. Resource usage management may include, for example, determining the types of resources to be managed, tracking and accounting for the usage of these resources, reporting resource usage to a system administrator, and/or enforcing limits on the resource usage. The types of resources accounted for may represent resources that are part of the computing environment (for example, physical space on a storage medium) or external to the environment (for example, monetary value of banking or brokerage accounts). Consumers of the resources may include, for example, users having system accounts in the computing environment as well as processes and threads that consume computing resources.

[0144] For purposes of illustration, embodiments of systems and methods for resource usage management will be described with reference to a distributed computing environment and in particular with reference to quota tracking systems and methods for a distributed file system. The systems and methods disclosed herein are not limited to these illustrative embodiments and are applicable to a wide range of implementations. For example, a bank may wish to track account balances for its account holders, or a securities brokerage may wish to track the trading activity of participants on an securities exchange. In an Internet context, an Internet Service Provide may wish to monitor and enforce limits on bandwidth use.

[0145] Figure 11 schematically illustrates one embodiment of a distributed computing system 1100a that comprises N threads 1102 labeled as S₁, where index i runs from 0 to N-I. In one embodiment, the computing system 1100a is a distributed file system and the threads 1102 comprise nodes of the file system. In this example, a resource R having usage U (on some or all of the threads S₁) is tracked by an accounting system 1104 denoted by C in Figure 11 and is checked against at least one threshold H. In a file system embodiment, the resource may comprise physical space in a quota domain on the file system, and the threshold H may be a hard, soft, and/or advisory threshold described above. If a request for the resource will cause the resource usage U to pass the threshold H, the accounting system 1104 may take a suitable enforcement action, which may depend on the threshold type. For example, in a file system embodiment, if a request to write a new file or modify an existing file will cause the usage U to pass a hard threshold H, the accounting system 1104 may prevent writing the new file or modifying the existing file. If, in this example, the threshold H were an advisory threshold, the accounting system 1104 may allow the new file to be written or the existing file to be modified and may communicate an appropriate notification to the resource requestor and/or a file system administrator.

[0146] The implementation of the accounting system 1104 illustrated in Figure 11 may suffer a disadvantage, because all of the updates, on any of the threads S₁, to the resource usage U are processed by the single thread S₀. If the number (or rate) of updates becomes too large, capacity of the thread S₀ may be insufficient to handle the updates, and the thread S₀ may become a bottleneck for the computing system 1100a.

[0147] Figure 11 illustrates an alternative implementation that addresses this disadvantage. In this example implementation, a computing system 1100b also comprises N threads 1102 labeled as S₁. An accounting system 1108 is allocated among the threads 1102 as N subsystems C₁. Although Figure 11 illustrates each thread S₁ as having a single subsystem C₁, in other embodiments, a different allocation may be used, and a particular thread S₁ may be allocated 0, 1, 2, 3, 7, 23, or any other number of accounting subsystems 1108. Also, although Figure 11 illustrates the same number of subsystems C₁ as threads S₁, in other embodiments, the number of subsystems C₁ may be less than, or greater than, the number of threads S₁. The total usage U of the resource may be divided into subusages U₁ for each of the subsystems C₁. Similarly, the threshold H may be divided into subthresholds H₁. In certain embodiments, it may be desirable to provide an exact accounting for the resource usage U on the system 1100b. Accordingly, in these embodiments, the organization into subsystems C₁ may be made so that the sum of the subusages U₁ equals the total usage U and the sum of the subthresholds H₁ equals the threshold H.

[0148] The implementation of the accounting system 1108 advantageously may avoid or reduce the likelihood of a bottleneck, because updates to resource usage on the computing system 1100b are processed by the N threads S₀ to S_N-i rather than by one thread (as in system 1100a) or a few threads. An additional advantage is that the accounting system 1108 is scalable. For example, if new threads are added to (or existing threads are removed from) the distributed computing system, the number of accounting subsystems can be increased or decreased to accommodate the change. Additionally, distributed computing systems may have a very large number of users consuming resources. The number of subsystems C₁ in the accounting system 1108 may be suitably scaled to handle resource usage by the users.

[0149] Figure 11 illustrates another aspect of the organization of the accounting system 1108 into subsystems C₁. In the thread S₂, resource subusage U₂ has passed the threshold H₂. The usual system enforcement action taken when a threshold is passed may be, for example, to prevent further writes to a file system domain. However, as can be seen in Figure 11, depicted subsystem usages U₁ have not passed the corresponding subthresholds H₁ in the other illustrated threads: So, Si, and SN-I. Accordingly, although the subusage in the subsystem C₂ indicates that an enforcement action should be taken, the total usage U (summed over all threads) may be less than the threshold H, which indicates that no enforcement action should be taken. To avoid or reduce the likelihood this outcome, certain embodiments reorganize the accounting system into a new set of subsystems and reallocate the new subsystems among the threads S₁ when a subusage U₁ passes (or approaches) a subthreshold H₁. Reorganization may also occur if system properties and/or parameters change such as, for example, if the number N of threads and/or the threshold H change. A. Quota Accounting System For A Distributed File System

[0150] Illustrative embodiments of systems and methods for resource usage management in the context of a quota accounting system for file system domains will now be discussed. The quota accounting system may be configured to track, for example, usage of storage capacity in a domain of a file system such as, for example, the domains do, di, and/or d₂ of the file system 700 described with reference to Figure 7. The storage capacity in the domain may be measured via one or more metrics including, for example, physical space (for example, megabytes on a disk drive), logical space (for example, physical space less certain file system metadata) and/or number of files in the domain. In certain embodiments, logical space includes physical space less redundant space used for increased data protection (for example, mirroring, parity, and/or other metadata).

[0151] Figure 12 illustrates an embodiment of an example of an accounting system C₀ (shown by reference numeral 1200a) for the domain d₀ that has been organized into three accounting subsystems C_Oo, Coi, and C0₂ (shown by reference numeral 1200b), each of which tracks usage in a portion of the domain. In the context of a distributed file system, the accounting subsystems will be called "constituents." The constituents may be allocated among nodes of the distributed file system. A node may be allocated 0, 1, 2, 3, 5, 17, or any other number of constituents.

[0152] The domain d₀ tracked by the accounting system C₀ may be associated with one or more thresholds or "limits," any of which may be advisory, soft, or hard as described above with reference to Figure 8. In this example, three limits are associated with the quota on the domain d₀. The physical limit of 2 gigabytes represents total physical space used to store the files and directories of the domain d₀. The file limit of 302 files represents the number of files in the domain do, and the logical limit of 1.5 gigabytes represents the physical space of the domain d₀ less certain file system overhead. Total current usage on the domain do is 1 gigabyte.

[0153] As mentioned, the accounting system C₀ may be organized into the constituents Coi, where the index i runs from 0 to N- 1 , where N is the number of constituents (3 in Fig. 12). Various methods for selecting the number N of constituents will be described more fully below. In some embodiments, the usage and limits of the domain are divided substantially equally among the constituents. If a quantity does not divide evenly, the quantity is divided as evenly as possible subject to the restriction that no lower-indexed constituent has a lower value than a higher- indexed constituent. For example, Figure 12 illustrates the division of the usage and the physical, file, and logical limits among the three constituents Ca.

[0154] Figure 12 also illustrates examples of how the system handles pending transactions that change resource usage. In the accounting system 1200a, four pending transactions 1210 are pending. In some implementations, the transactions may comprise delta transactions, which provide incremental changes to the value of a data field and which permit the system to process multiple concurrent transactions (for example, see the discussion with reference to Fig. 1). Figure 12 illustrates (in the column labeled Delta Operations Example) four example delta transactions 1210, which change the physical size of the quota domain by amounts (in megabytes): +20 MB, -100 MB, +300 MB, and +50 MB. As described above, in some embodiments, these four example concurrent delta transactions may be processed without regard to the order in which they were sent.

[0155] If the accounting system is organized into the constituents Cd (such as the system 1200b), the transactions 1210 are distributed to the constituents Cd. Figure 12 illustrates two examples 1210a and 1210b of how the transactions 1210 may be distributed 1210a and 1210b to the three constituents C_Oo, Coi, C₀2 (see columns labeled Delta Operations Example 1 and Delta Operations Example 2). In some embodiments, the transactions 1210 are distributed randomly to the constituents, which advantageously causes the quota accounting processing load to be shared relatively evenly among the constituents.

[0156] It may be desirable for the quota domain accounting system to enforce "limit exactness," in which the usage level relative to the limits is known and in which the usage level takes account of, and does not exclude, pending modifications to the domain. By enforcing limit exactness, an accounting system advantageously can determine whether the current usage level violates any limit and take suitable action if the limit is violated. Enforcing limit exactness, however, may lead to disadvantages in some incremental computing systems that utilize delta transactions. For example, before the accounting system can determine the current usage, the system may stop ongoing transactions and wait for pending transactions either to commit or abort. This approach, however, may lead to serialization of the transactions.

[0157] To avoid or reduce the likelihood of serialization, certain embodiments of the accounting system use possible value ranges (PVRs) to track the upper and lower bounds of the possible range for the usage. The use of PVRs advantageously permits the system to process multiple concurrent delta transactions while enforcing limit exactness. In some embodiments, methods similar to the method 450 illustrated in Figure 4B may be used to determine whether applying a delta to a constituent usage will cause an associated PVR boundary to pass a constituent usage limit. In one embodiment, pending delta transactions in which a boundary of the PVR does not pass the limit are permitted to complete, because such transactions will not cause a limit violation. However, if the pending delta transaction will cause a boundary of the PVR to cross a limit, the delta transaction is rejected. In this case, as will be further described below, the accounting system may take suitable action to reorganize the constituents.

[0158] Figure 13 illustrates an embodiment of an abstract data structure 1300 that can be used to implement a quota domain account 1304 for tracking resource usage U for the quota domain. The resource may include, for example, physical space, logical space, and/or number of files in the quota domain. The quota domain account may have one or more limits (or thresholds) /,, where index j runs from 1 to L, the number of limits. For example, in some embodiments, three limits (for example, an advisory, a soft, and a hard limit) are provided for each resource whose usage U is tracked.

[0159] The quota domain account 1304 is organized into a number N of quota account constituents 1308. In various embodiments, the number N may be fixed at system initiation or may be dynamically selected depending on system usages and limits. The constituents are labeled QAC₁, where index i runs from 0 to N-I. Each constituent QAC₁ tracks usage U₁ in a portion of the quota domain. As mentioned above, the resource usage U may be divided among the constituents so that ^ U₁ = U. Additionally, each constituent

QAC₁ may have constituent limits /„ that may be determined according to ^ ₀ l_y = l_y In certain embodiments, division of the resource usage U and the limits I₃ is made as equal as possible among the constituents to balance the processing load on the constituents.

[0160] The file system may provide increased protection for the integrity of file system data such as, for example, by providing error detection, and/or error correction including, for example, parity protection and/or mirrored protection. In some embodiments providing mirrored protection, identical copies of the files are mirrored on different nodes. For example, if a particular file system node fails, if a media error occurs on part of a storage device (for example, a disk drive), or if other file system problems occur, a mirrored file system advantageously enables the user to have continued access to information in the file by accessing a mirrored copy of the file. In many embodiments, the protection process is transparent to the user, who need not (and typically does not) know which nodes actually provide the data. The level of protection provided by mirroring may be denoted by a protection value P, which in some embodiments is an integer that reflects the number of independent mirrored versions of the file stored by the file system. For example, if a file system has "3X" protection, the value of P equals 3, meaning 3 identical versions of each file are maintained.

[0161] The quota domain account 1304 may provide mirroring in order to increase the integrity of the quota accounting. In some embodiments, each quota accounting constituent 1308 is mirrored P times. Figure 13 illustrates mirroring of each constituent QAC₁ in P mirrored quota accounting blocks 1310. The quota accounting blocks are denoted as QAB_lk, where the index i runs over the number of constituents (for example, from 0 to N-I) and index k runs over the number of mirrors (for example, from 0 to P-I). Each quota accounting block QAB₁U may be configured to track the usage U₁ and the limits I₁₃ in the corresponding constituent QAC₁. In certain embodiments, the constituent limits are tracked and managed by the QAB data structures. In other embodiments, the constituent limits are tracked and managed by the constituents 1308 or by the quota domain account 1304.

[0162] As mentioned above, in some embodiments, the quota accounting blocks QAB₁U are configured to manage usage of more than a single resource in a constituent QAC_j. For example, usage of resources such as physical space, logical space, and/or the number of files may be tracked in some or all of the constituents. In such embodiments, there may be a separate set of limits / for each resource usage that is tracked (for example, advisory, soft, and/or hard limits for physical space, advisory, soft, and/or hard limits for logical space, and so forth).

[0163] Figure 14 illustrates an embodiment of an example allocation of quota account constituents QAC₁ and mirrored quota accounting blocks QAB_lk in a quota domain system 1404. In this example, the quota domain system 1404 is implemented on a distributed file system having 8 nodes 1420 and a protection level P = 3. In certain embodiments, the number of constituents N is selected according to

NODES

N = -R (1)

P where NODES is the number of nodes, P is the protection level, and R is a tunable parameter that represents the maximum number of constituents per node in the file system. For example, the value R=I provides 1 constituent per node, R=2 provides 2 constituents per node, and R=I /3 provides that roughly 1/3 of the nodes have a constituent. In Equation (1), the symbol |_ J represents the mathematical floor operator, which returns the largest integer less than or equal to its argument. In other embodiments, other mathematical functions (for example, ceiling, integer part, and so forth) may be used to determine the number of constituents. In the example illustrated in Figure 14, Equation (1) demonstrates that there are 2 constituents 1408a and 1408b. Because file system provides 3X protection, each constituent 1408a, 1408b comprises three nodes, which may be selected randomly (with removal) from the available nodes. As depicted in Figure 14, the constituent 1408a comprises the three nodes 2, 5, and 7, and the constituent 1408b comprises the three nodes 6, 1, and 4. The nodes 0 and 3 are not used by the quota domain accounting system 1404.

[0164] In some embodiments, if nodes are added to (or removed from) the file system, the quota domain accounting system 1404 may reorganize and utilize a new (and possibly different) number of constituents determined from Equation (1). For example, if 4 nodes were added to the file system illustrated in Figure 14 (making a total of 12 nodes), Equation (1) indicates there should be 4 quota constituents. Each constituent would be mirrored 3 times; therefore, each node in the file system would be utilized by quota accounting. B. Reorganization

[0165] Certain embodiments of the quota accounting system provide for reorganization of the constituents based on the occurrence of various events. Quota accounting systems may provide for several events that trigger reorganization. For example, if a request to modify resource usage in the quota domain causes constituent usage to pass a constituent limit (for example, from under-to-over quota or from over-to-under quota) or if the request causes a data value's PVR boundary associated with constituent usage to pass a constituent limit, then the accounting system may reorganize. Such reorganization may be appropriate, because although resource usage in a particular constituent may be near a quota limit, there may be adequate resources on the other constituents in the domain to support the request. By reorganizing the constituents, and their associated usages and limits, the accounting system advantageously will be able to more evenly balance the usage load among the constituents.

[0166] Figure 15 is a flow chart that illustrates an embodiment of a constituent reorganization method 1500. The method 1500 may be implemented by a quota constituent module of the system module 210 of the computing system 200 illustrated in Figure 2. In state 1504, the quota constituent module determines usages and limits among the current constituents. This information may be calculated and/or received from an administrator of the system. In state 1508, the module determines system information including, for example, the number of available nodes in the file system, the protection level, and other adjustable parameters (for example, the constituents per node parameter R). This information may be calculated and/or received from an administrator of the system. In state 1512, the quota constituent module organizes the quota domain account system into constituents. Figure 14 discussed above provides one example of the organization of a quota domain accounting system organized into 2 constituents (each mirrored 3 times) on a file system having 8 nodes.

[0167] State 1516 represents the typical operating state of the accounting system, in which the quota constituent module tracks resource usage in each of the constituents. System embodiments utilizing incremental delta transactions and PVTv usage ranges advantageously can process multiple concurrent transactions while enforcing limit exactness. [0168] The quota constituent module monitors the status of the quota accounting system to determine whether an event has occurred that may trigger a reorganization of the constituents. Figure 15 depicts three possible events, shown in states 1520, 1524, and 1528, that may trigger the quota constituent module to reorganize. In other embodiments, there may be fewer or greater reorganization events, and the events may be different from the illustrated examples.

[0169] State 1520 has been described above and represents the event where a request for resource modification is rejected because a limit would be passed (for example, by resource usage and/or by a PVR boundary). For example, in some embodiments, an incremental delta request that would cause constituent usage (or a PVTv value associated with constituent usage) to pass a limit is rejected, and an error message is communicated to the quota constituent module. In response to the error message, the quota constituent module returns to state 1504 to reorganize the quota accounting system.

[0170] State 1524 represents events in which system parameters (for example, limits, PVTvs, the R parameter, and so forth) have been changed. For example, if a PVTv boundary associated with resource usage is modified, and the new PVTv boundary is sufficiently "close" to (or passes) the nearest limit, the quota constituent module may return to state 1504 and reorganize the constituents. Reorganization caused by events in state 1540 advantageously handles cases where resource usage is increasing in a quota domain and the number of constituents should increase to provide better concurrency for resource requests. For example, in one embodiment, the number N of constituents grows in proportion to allocated resources, which beneficially provides that the file system resources allocated to the quota accounting blocks make up only a relatively small fraction of the total resources.

[0171] State 1528 represents any event in which the layout of the constituents on the nodes of the file system is suboptimal. The quota constituent module may track one or more heuristics that measure a quality factor for the constituent organization, and if the quality factor is suboptimal the module causes a return to state 1504 for reorganization. In certain embodiments, determination of whether the constituent layout is suboptimal is handled in state 1520. [0172] Figure 16 illustrates in more detail an embodiment of state 1512 of Figure 15, in which the quota constituent module organizes the quota domain into constituents. In state 1604, the module determines the current limit state, which includes information identifying which, if any, limits have been violated on any of the constituents. In some embodiments, the limit state is represented as a bit state identifying the violated limits. For example, if no limits have been violated, the limit state is empty (or null). If one or more limits have been violated, the limit state comprises a set including the violated limits as members.

[0173] In some embodiments, the module also determines one or more reorganize bounds that represent usage levels at which reorganization should occur. For example, the reorganize bounds may comprise a pair of values, [B_low,

which designate a lower (B_low) and an upper (Bhigh) usage value (for example, measured in megabytes or number of files). In this example, if current resource usage passes B_low from above or B^_h from below, the quota constituent module causes a reorganization to occur. In some embodiments, the reorganize bounds may be different from a limit range, which may be defined as a half-open interval (/i_ow, /_hig_h] having a lower limit

and an upper limit /_hig_h- A limit range may be defined, for example, by dividing the range from 0 to a suitable maximum value for each resource type (for example, physical, logical, files) by all the limits applicable to that resource type (including advisory, soft, and hard limits). In various embodiments, the maximum value, denoted by max_value, may be infinite or a suitably large value (for example, 2⁶⁴-l bytes for a physical or logical space limit). Returning to the example shown in Figure 8, the domain d₀ has four limit ranges of [0, 1001 MB], (1001 MB, 1500 MB], (1500 MB, 2000 MB], and (2000 MB, max value]. In this example, the first limit range [0, 1001 MB] is a closed at the lower usage boundary so that a domain having no usage (0 MB) does not violate usage quotas. In some embodiments, the reorganize bounds are selected to fall within a particular limit range, for example, < B_low < B_hig_h ≤ /_hig_h- Each limit range may have different reorganize bounds. An advantage of using reorganize bounds is that the quota constituent module can, if needed, force a reorganization to occur at suitable resource usage values within a limit range.

[0174] In state 1608, the quota constituent module determines the total usage U by combining the constituent usages Ui, after completion of pending incremental delta transactions. In state 1612, the module determines whether there are any disk errors such as, for example, errors caused by defective disk blocks in the storage 208 that cannot be written to or read from. Advantageously, these defective blocks can be identified and tracked so that no further reads or writes are performed therein. If disk errors are found, the module returns to state 1604 and 1608 and recomputes the limit state, reorganize bounds, and usage. State 1612 is optional in some embodiments, and in other embodiments, it may be performed less frequently than at every constituent reorganization.

[0175] In state 1616, the quota constituent module determines the number N of constituents, for example, by use of an algorithm such as Equation (1). Other algorithms for determining the number N of constituents will be described below. In state 1620, the module determines the new limit state and reorganize bounds for the number of constituents determined in state 1616. In state 1624, the module takes suitable action if there are any new limit violations (for example, if the limit state is not empty). In certain embodiments, the actions may include notifying the system administrator and/or user of the violation (for example, by e-mail), compressing old or less-frequently used files, moving files to a different storage device, and so forth.

[0176] In state 1628, the quota constituent module allocates the constituents to nodes of the file system. Figure 17 is a flow chart that illustrates in more detail an embodiment of state 1628. In state 1704, the quota constituent module determines the availability of nodes on the file system to serve as constituents. The set of available resources on the nodes (for example, disks with space for allocating the quota accounting constituents) will be denoted by D, and the number of available nodes will be denoted by |D|. In state 1708, the quota constituent module initializes a counter Q to the number of constituents determined in state 1616 shown in Figure 16. States 1712-1740 represent an iterative block that the quota constituent module performs while the counter Q is nonzero. In state 1716, the module determines a set of nodes S that will be used for a constituent. To account for mirroring, the set S comprises P nodes, which may be randomly chosen from the available nodes D. In other embodiments, other selection criteria may be used, such as, for example, round robin, least recently used, and so forth. The P nodes selected in state 1716 are removed from the set of available nodes D, and the number of available nodes |D| is decremented by P. [0177] In state 1724, the quota constituent module allocates the quota accounting domain onto the set of nodes S. For example, the module may set up a quota domain accounting data structure such as described with reference to Figure 13. In state 1728, the module checks whether the number of available nodes |D| is less than the protection level P. If |D| is not smaller than P, there are enough remaining nodes to allocate the next constituent (accounting for the protection level), and the module decrements the counter Q by one in state 1736 and returns to state 1712 if the counter is nonzero. However, in state 1728, if the number of available nodes |D| is smaller than the protection level P, then there are too few nodes remaining to provide a separate mirror on each node. In this case, the quota constituent module continues in state 1732, where the set D is equated to the currently available node resources. The quota constituent module then continues in state 1736 as described above and continues to allocate quota accounting domains onto the available nodes, each of which may be allocated more than one accounting domain.

C. Number of Constituents

[0178] When the quota accounting system is reorganized, the number N of constituents may be selected based at least in part on factors including, for example, the number of nodes, the protection level, and constituent usages relative to the limit ranges. In various embodiments, the quota accounting system may utilize one or more parameters to provide suitable control over how the number of constituents is determined. An example of one such parameter is the constituents per node parameter R (described above with reference to Eq. (I)), which can be set to provide an allocation of approximately R constituents per node.

[0179] In certain embodiments, the number N of constituents is fixed until a reorganization occurs. During the reorganization, the quota constituent module (in state 1616 shown in Fig. 16) determines an updated number of constituents based on current system properties. The updated number may be the same as, less than, or greater than the previous number of constituents.

[0180] Figure 18 is a graph schematically illustrating one example embodiment of how the number of constituents may depend on proximity of resource usage to a limit, such as an advisory, soft, or hard limit. In this example, the number of constituents can range between a minimum of one and maximum of N_max. In some embodiments, the maximum number N_max is determined from Equation (1). As seen in Figure 18, the number of constituents decreases (to the minimum of one) as the resource usage nears any of the limits, which advantageously reduces the likelihood of processing bottlenecks as the limit is passed. In some embodiments, as the usage nears a limit, the number of constituents linearly ramps down to one. For example, in an embodiment, the number of constituents is determined according to N = max(min(Nmax, Span), 1), where Span measures the "distance" of the resource usage from the nearest limit, and max and min are mathematical maximum and minimum functions, respectively. In one embodiment, if the usage is U and the nearest limit is /, then the Span may be defined as Span = floor(abs(U-/)/span_size), where floor has been defined above and abs is absolute value. The adjustable parameter span size may depend on factors including the resource type (for example, physical, logical, or files) and the limit type (for example, advisory, soft, or hard). The slope of the linear ramps near the limits in Figure 18 is inversely proportional to the magnitude of the parameter span size. If span size is selected to be sufficiently large, the number of constituents will remain near one, because, in general terms, the usage will be within one "Span" of the limit at substantially all times. Conversely, if span_size is selected to be sufficiently small, the number of constituents will remain near N_max except for a relatively narrow region near the limit. In other embodiments, the number of constituents as a function of "Span" may be selected differently such as, for example, by selecting nonlinear functions to ramp down the number of constituents as usage nears a limit.

[0181] It will be recognized that during a reorganization, the number N of constituents may be selected based on a wide variety of mathematical functions, heuristics, goals, parameters, and so forth. Three example reorganize modes will now be described: "singleton," "linear," and "1-or-N."

1. Singleton Mode

[0182] In this mode, the number N of constituents is always equal to one. When reorganization occurs, the new quota accounting domain may be randomly assigned to a node (which may differ or be the same as the previous accounting node).

[0183] In embodiments using reorganize bounds, the bounds may be set to match the limit range currently bounding the usage: B_low = /_low and B^_h = /_hig_h- Figure 19A is one embodiment of a graph that illustrates that the number of constituents in the singleton mode is always one, regardless of the "distance" of the resource usage from any of the limits (for example, Span).

2. Linear Mode

[0184] In linear mode, the "distance" of the resource usage U from the nearest bound of the limit state (/_l0Wj /_hig_h] is measured by the Span variable according to:

For example, if the span_size is 10 MB, the current usage U=75 MB, and the limit state is (20 MB, 100 MB], then Equation (2) indicates the Span is 2. In linear mode, the number N of constituents is equal to the current Span, bounded by the range [1, Nm_3x], for example, N = max(min(Span, N_max), 1). Figure 19B is one embodiment of a graph that illustrates the number of constituents that will be selected during a linear mode reorganization as a function of the Span at the time of the reorganization. Note that since the number of constituents is held fixed at other times, the graph in Figure 19B (and Fig. 19C) is not a dynamic representation of the actual number of constituents in the quota domain accounting system at any particular Span value. Figure 2OB, to be discussed below, illustrates such a dynamic representation of the number of constituents as a function of usage.

[0185] If the accounting system uses reorganize bounds, the bounds are determined in the following manner in some embodiments. The bounds may be set differently based on which of the limits is "nearest" to the current usage U and whether changes in usage are moving current usage U toward or away from the nearest limit. In some implementations, the reorganize bound in the direction of the near limit is set equal to the limit itself. A rationale for this selection is that choosing a bound with a smaller value would cause unnecessary reorganizations to occur as the limit is approached.

[0186] The reorganize bound in the direction of the far limit may be set differently depending upon whether the new number of constituents is equal to N_m3x. In some embodiments, if the new number of constituents is N_m3x, then the reorganize bound is set equal to the value of the far limit, because more frequent reorganization will not provide additional constituents since the number of constituents is already at the maximum value N_max. On the other hand, if the current number N of constituents is less than the maximum N_m3x, the reorganize bound B may be set equal to B = U + (N * span size) / F, where F is a tunable ratio in the range (0, I]. The parameter F represents a minimum average constituent utilization in the direction of the far limit in order to approximately double the number of constituents when reorganization occurs. For example, if F is set equal to ¹A, an average constituent utilization in the direction of the far limit of about 50% will result in approximately doubling the number of constituents at the next reorganization. If F is set equal to ¹A, an average constituent utilization of only about 25% will result in approximately doubling the number of constituents at the next reorganization. A possible advantage of this choice for the value of the reorganize bound in the direction of the far limit is that by approximately doubling the number of constituents at a reorganization, the system performance may also approximately double, at least in cases where the number of constituents is a performance bottleneck. Additionally, if a resource user is rapidly writing a large amount of data, the user may reach the next reorganization point in about the same time it took to reach the previous reorganization point, even though twice as much data is being written. 3. 1-Or-N Mode

[0187] In 1-or-N mode, the number of constituents is 1 if the current Span is less than N_ma_x and is N_m3x otherwise. In terms of the well-known ternary ?: operator, the number of constituents can be written N = (Span < N_m3x) ? 1 : N_m3x. In some embodiments, the Span is determined from Equation (2). Figure 19C is one embodiment of a graph that illustrates the number of constituents that will be selected during a 1-or-N mode reorganization as a function of the Span at the time of the reorganization.

[0188] If the accounting system uses reorganize bounds, the bounds are determined in the following manner in some embodiments. The bound nearest the current usage U is selected using the algorithm for the linear mode. The bound farthest from the current usage is also selected using the linear mode algorithm, if the number of constituents is equal to the maximum N_m3x. If, instead, the current number of constituents is 1, the far bound is determined as B = U + N * span_size, which provides that reorganization will not occur until the distance from the near limit is sufficiently large to ensure that the next reorganization results in N_m3x constituents. D. Example of Linear Mode Reorganization

[0189] Figures 2OA and 2OB illustrate one embodiment of an example of linear mode reorganization on a distributed file system having a maximum number of constituents Nmax = 20 (for example, a 40 node cluster having 2X protection or a 60 node cluster having 3X protection). Figure 2OA is a chart that illustrates properties related to the constituents of the quota accounting system at six snapshots in time. The initial time is to, and the six snapshots occur at times ti, t₂, t3, U, Xs, and U- During the timeframe shown in Figure 2OA, the quota constituent module coordinates three reorganizations at times X₂, U, and X₆ following an initial reorganization at to. This example is intended to illustrate some of the features and aspects of linear mode reorganization but is not intended to be limiting.

[0190] Figure 2OB is a graph that shows the number of constituents as a function of usage for the example system illustrated in Figure 2OA. The number of constituents starts at 1 and increases to 4, 10, and 20 following the 3 reorganizations. The usage at each reorganization is marked on the graph (for example, 72, 137, and 304). The graph demonstrates that the actual number of constituents in the file system at any time (for example, at any particular usage value on the graph) is not a direct mapping from the graph of the number of constituents versus Span illustrated in Figure 19B. The actual number of constituents at any usage value can depend on the history of resource usage and previous numbers of constituents at earlier reorganizations.

[0191] Returning to the chart in Figure 2OA, the horizontal axis measures resource usage (in megabytes). The example quota accounting system includes an advisory limit at 30 and a soft limit at 5000; accordingly, the limit state for this system is (30, 5000]. The parameter span size equals 10. The current Span may be calculated using the span size parameter, the total usage for a given snapshot in time, and the current limits in the limit state (30 and 5000). Reorganize bounds B_low and B^ are determined according to the algorithm discussed above for the linear mode. At the top of Figure 2OA is the snapshot at the initial time to, and subsequent snapshots are displaced downward from the initial snapshot. Marked vertically along the chart at each of the times X₁ are the current usage, the Span (for example, determined from Eq. (2)), and the number of constituents ("Cons"). For example, at initial time to, the system has reorganized with a total usage of 35, 1 constituent, and the Span is 0. [0192] For each snapshot, the horizontal bar marked "Total" depicts the usage and the reorganize bounds for the total quota domain. Below the "Total" bar are one or more bars showing usage and reorganize bounds for each of the constituents in existence at that snapshot. The constituent bars are labeled as "Con" followed by a numeral indexing the constituents. For readability at times U-U where there are relatively many constituents, constituent bars having identical properties have been grouped together (for example, "Conl- Con7" at time t4) and further labeled with a parenthetical indicator for the number of constituents in the grouping (for example, "x7"). Above each horizontal bar (whether for "Total" or "Con"), the reorganize bounds and the current usage are shown. Below each horizontal bar, the "distances" of the current usage from the low and high reorganize bounds are shown. As can be seen in Figure 2OA, at time to, the initial usage of 35 is between the lower reorganize bound (30) and the upper reorganize bound (50). In this case, the lower reorganize bound equals the value of the nearest limit (the advisory limit at 30), and the upper reorganize bound can be determined using the linear mode algorithm as

= U + N * span_size / F = 35 + l * 10 / (¹A) = 55, where a minimum average constituent utilization of F=¹A has been selected for this example. The distance between the usage and the reorganize bounds is 5 (to the lower bound) and 20 (to the upper bound). Similar calculations can be performed at each of the other snapshots using the information in the chart in Figure 2OA.

[0193] The state of the accounting system changes from snapshot-to-snapshot as incremental delta transactions are received and processed by the constituents. The left side of the chart shows the delta transaction(s) and the node(s) assigned to handle the transaction(s) at each snapshot. For example, moving from the initial state at to to the first snapshot at ti, constituent "Conl" processes an incremental delta transaction increasing usage by 15 megabytes ("+15"). This transaction causes usage to increase from 35 to 50, and span to increase from 0 to 2. The next delta transaction "+22" at time X₂ is processed by constituent "Conl" and causes the usage to increase to 72, which is above the upper reorganize bound at 55. Accordingly, the quota constituent module causes the quota accounting domain to reorganize.

[0194] Using the linear algorithm, the number of constituents after reorganization at time X₂ is equal to 4, because the Span (equal to 4) is less than the maximum number of constituents (equal to 20). The new upper reorganize bound for the total domain is 152 (for example, 72 + 4 * 10/ (¹A)). Figure 2OA illustrates individual usages and reorganize bounds for the four constituents "Conl" - "Con4." As discussed above, the constituent usages and bounds are divided as equally as possible among the constituents. The graph in Figure 2OB illustrates the increase in the number of constituents from 1 to 4 at the usage level of 72.

[0195] At time t₃, each of the four constituents processes a delta transaction that increases the total usage to 132. Usage in each constituent remains below the corresponding reorganize bound. At time t₄, the first constituent "Conl" receives a delta request of "+5," which is sufficient to cause the usage to exceed the upper reorganize bound in the first constituent. Accordingly, the quota constituent module again reorganizes the quota accounting domain - this time into 10 constituents (see also the graph in Fig. 20B). At time ts, the ten constituents receive delta requests that can be processed without causing any constituent usage to pass a corresponding constituent bound. The total usage increases to 300.

[0196] The final illustrated delta transaction at time X₆ is sufficient to increase usage in constituent "ConlO" above the reorganize bound, so the quota constituent module causes a third reorganization at this time. The total usage (304) is sufficiently far from the lower reorganize bound, that the Span (27) exceeds the maximum number of constituents (20). Accordingly, the number of constituents increases to the maximum number N_m3x rather than the Span. Figure 2OB illustrates the increase in constituents from 10 to 20 at the third reorganization at a usage value of 304. Because the number of constituents has reached its maximum value, the upper reorganize bound is set equal to the far limit, which in this case is the soft limit at 5000.

[0197] Further delta transactions at times beyond t₆ that increase the usage will not increase the number of constituents, which has reached its maximum value. If usage continues to increase and the soft limit at 5000 is approached, further reorganizations will reduce the number of constituents. Near the soft limit, the number of constituents may reach the minimum value of 1. VT. Other Embodiments

[0198] While certain embodiments of the invention have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the present invention. Accordingly, the breadth and scope of the present invention should be defined in accordance with the following claims and their equivalents.

Claims

WHAT IS CLAIMED IS:

1. A method of determining whether multiple incremental changes to a data field could pass a threshold, comprising: receiving at least one threshold related to a data field; receiving a request to incrementally modify a data value of the data field; and determining whether the request, in combination with a subset of other pending requests to incrementally modify the data value, could pass the at least one threshold.

2. The method of Claim 1, wherein the at least one threshold is a threshold for a maximum or minimum data value of the data field.

3. The method of Claim 1, wherein the determining comprises computing a possible data value for the data field based on the request and a bound of possible values of the data field, the bound derived from the other pending requests, and comparing the possible data value with the at least one threshold.

4. The method of Claim 1 , wherein the request is a request either to increment or to decrement the data value, and wherein the other pending requests are requests, respectively, either to increment or to decrement the data value.

5. The method of Claim 1, wherein the data field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

6. The method of Claim 1 , wherein the request and the other pending requests are associated with uncommitted, concurrent transactions to write to a storage location associated with the data field.

7. The method of Claim 1 , wherein the at least one threshold is specific to at least one of the following: an operation type associated with the request, the data field, and a subset of a combination of the request and the other pending requests.

8. The method of Claim 1, if it is determined that the request could pass the at least one threshold, further comprising permitting or denying the request.

9. The method of Claim 8, if permitting the request causes the at least one threshold to be passed, further comprising performing at least one of the following: sending an advisory notice that the at least one threshold has been passed and permitting data values of the data field to be past the at least one threshold until a condition is met.

10. The method of Claim 9, wherein the condition is associated with an amount of time.

11. A computer-readable medium having instructions stored thereon for determining, when the instructions are executed, whether multiple incremental changes to a data field could pass a threshold, the instructions comprising: receiving at least one threshold related to a data field; receiving a request to incrementally modify a data value stored in the data field; and determining whether the request could cause an incremented data value to pass the at least one threshold in combination with any subset of other pending incremental requests.

12. The computer- readable medium of Claim 11, wherein the data field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

13. The computer-readable medium of Claim 11, wherein the determining comprises computing the incremented data value of the data field based on the request and a bound of possible values of the data field, the bound derived from the other pending incremental requests, and comparing the incremented data value with the at least one threshold.

14. A system that determines whether a subset of pending transactions could pass a threshold, comprising: a module configured to receive at least one threshold related to a data field; to receive an incremental transaction on the data field; and to determine whether the incremental transaction could cause the data field to pass the at least one threshold in combination with any subset of other pending incremental transactions.

15. The system of Claim 14, if the incremental transaction could cause the data field to pass the at least one threshold, the module further configured to disallow the incremental transaction until the other pending incremental transactions have resolved, and then to permit the incremental transaction as a serial operation while postponing additional incremental transactions.

16. The system of Claim 15, when the incremental transaction is permitted as a serial operation, the module further configured to perform at least one of the following: send an advisory notice that the at least one threshold has been passed and permit the data field to be past the at least one threshold until a condition is met.

17. The system of Claim 16, wherein the condition is associated with an amount of time.

18. The system of Claim 14, wherein the system is at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

19. The system of Claim 14, further comprising a persistent memory and a journal module, the journal module configured to store in the persistent memory the incremental transaction after determining that the incremental transaction could not cause the data field to pass the at least one threshold in combination with any subset of other pending incremental transactions.

20. The system of Claim 14, wherein configured to determine comprises configured to compute an incremented data value of the data field based on the incremental transaction and a bound of possible values of the data field, the bound derived from the other pending incremental transactions, and to compare the incremented data value with the at least one threshold.

21. A method of tracking a boundary for a field stored in a computer system, comprising: receiving a delta request associated with a field stored in a computer system; and computing an updated boundary value of a possible value for the field, wherein the possible value is based on the delta request and a previous boundary value, the previous boundary value derived from a subset of other pending delta requests for the field.

22. The method of Claim 21, wherein the delta request comprises an incremental value and an operation type that indicates either increment or decrement, wherein the operation type indicates whether the delta request increments or decrements the possible values for the field.

23. The method of Claim 21, wherein the updated boundary value is an updated upper boundary value and the previous boundary value is a previous upper boundary value.

24. The method of Claim 23, wherein, if the data request is a request to increment the field by an incremental value, computing the updated boundary value comprises incrementing the previous upper boundary value by the incremental value.

25. The method of Claim 23, wherein, if the delta request commits and if the delta request is a request to decrement the field by an incremental value, further comprising computing a readjusted upper boundary value by decrementing the updated upper boundary value by the incremental value.

26. The method of Claim 23, wherein, if the delta request aborts and if the delta request is a request to increment the field by an incremental value, further comprising computing a readjusted upper boundary value by decrementing the updated upper boundary value by the incremental value.

27. The method of Claim 21, wherein the updated boundary value is an updated lower boundary value and the previous boundary value is a previous lower boundary value.

28. The method of Claim 27, wherein, if the data request is a request to decrement the field by an incremental value, computing the updated boundary value comprises decrementing the previous lower boundary value by the incremental value.

29. The method of Claim 27, wherein, if the delta request commits and if the delta request is a request to increment the field by an incremental value, further comprising computing a readjusted lower boundary value by incrementing the updated lower boundary value by the incremental value.

30. The method of Claim 27, wherein, if the delta request aborts and if the delta request is a request to decrement the field by an incremental value, further comprising computing a readjusted lower boundary value by incrementing the updated lower boundary value by the incremental value.

31. The method of Claim 21 , wherein the field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

32. A system for tracking a boundary of a field stored in a computer system, comprising: a boundary module configured to receive a delta transaction associated with a field stored in a computer system; and to compute an updated boundary value based on possible values for the field, wherein the possible values are based on the delta transaction and a previous boundary value, the previous boundary value derived from a subset of other pending delta transactions for the field.

33. The system of Claim 32, wherein the system is at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

34. The system of Claim 32, wherein the delta transaction comprises an incremental value and an operation type that indicates either increment or decrement, wherein the operation type indicates whether the delta request increments or decrements the possible values for the field.

35. The system of Claim 34, further comprising a persistent memory and a journal module, the journal module configured to store in the persistent memory the delta transaction until the delta transaction either commits or aborts, wherein the boundary module is further configured to compute a readjusted boundary value based on the updated boundary value, the incremental value, and whether the delta transaction either committed or aborted.

36. A computer-readable medium having data structures stored thereon for tracking a boundary of a data field, the data structures comprising: a data value field, wherein the data value field comprises a stored data value capable of being modified incrementally; a plurality of delta value fields, wherein the delta value fields comprise, respectively, ones of a plurality of pending incremental values to be combined with the stored data value; and at least one boundary field, wherein the at least one boundary field comprises a boundary value of possible data values resulting from a combination of the stored data value with a subset of the plurality of pending incremental values.

37. The computer-readable medium of Claim 36, the data structures further comprising at least one threshold field related to the data value field, wherein the at least one threshold field comprises a threshold value associated with a set of instructions to be executed if the boundary value passes the threshold value.

38. The computer- readable medium of Claim 36, wherein the data value field is associated with at least one of the following: a data storage system, a distributed storage system, a file system, and a distributed file system.

39. A method of implementing domain quotas within a data storage system, comprising: receiving at least one quota related to a size of a data domain, wherein the data domain associates a subset of data storage within a data storage system, wherein the size measures the subset, and wherein the at least one quota defines a threshold size for the data domain; receiving a data transaction that could change the size of the data domain; and determining whether the data transaction could cause the size of the data domain to pass the at least one quota in combination with a subset of other pending data transactions that could also change the size of the data domain.

40. The method of Claim 39, if it is determined that the data storage transaction could cause the size of the data domain to pass the at least one quota, further comprising permitting the data transaction and sending a notification that the at least one quota has been passed.

41. The method of Claim 39, if it is determined that the data storage transaction could cause the size of the data domain to pass the at least one quota, further comprising permitting the data transaction and monitoring a condition associated with the size of the data domain being past the at least one quota.

42. The method of Claim 41, wherein the condition is an amount of time that the size of the data domain is past the at least one quota.

43. The method of Claim 39, if it is determined that the data storage transaction could cause the size of the data domain to pass the at least one quota, further comprising denying the data transaction.

44. The method of Claim 39, wherein the determining comprises computing a maximum possible size or a minimum possible size of the data domain, wherein the maximum possible size and the minimum possible size are based on cumulative changes to the data domain that could be caused, respectively, by the data transaction and the other pending data transactions, and further comprises comparing the maximum possible size or the minimum possible size to the at least one quota.

45. The method of Claim 39, wherein the data storage system is associated with at least one of the following: a distributed storage system, a file system, and a distributed file system.

46. The method of Claim 39, wherein the data transaction and the other pending data transactions are uncommitted, concurrent transactions.

47. The method of Claim 39, wherein the at least one quota is specific to at least one of the following: whether the data transaction either increments or decrements the size of the data domain, the data domain, a subset of a combination of the data transaction and the other pending data transactions.

48. The method of Claim 39, further comprising, if permitting the data storage transaction causes the data quota to pass the threshold, performing at least one of the following: sending an advisory notice that the threshold has been passed and keeping a reference associated with a time at which the threshold is passed.

49. A computer-readable medium having instructions stored thereon for implementing, when the instructions are executed, domain quotas within a data storage system, the instructions comprising: receiving at least one quota related to a size of a data domain, wherein the data domain associates a subset of data storage within a data storage system, wherein the size measures the subset, and wherein the at least one quota defines a threshold size for the data domain; receiving a data transaction that could change the size of the data domain; and determining whether the data transaction could cause the size of the data domain to pass the at least one quota in combination with a subset of other pending data transactions that could also change the size of the data domain.

50. A system for implementing domain quotas within a data storage system, comprising: a quota module configured to receive at least one quota related to a size of a data domain, wherein the data domain associates a subset of data storage within a data storage system, wherein the size measures the subset, and wherein the at least one quota defines a threshold size for the data domain; to receive a data transaction that could change the size of the data domain; and to determine whether the data transaction could cause the size of the data domain to pass the at least one quota in combination with a subset of other pending data transactions that could also change the size of the data domain.

51. The system of Claim 50, if the data transaction could cause the size of the data domain to pass the at least one quota, the module further configured to disallow the data transaction until the other pending data transactions have resolved, and then to permit the data transaction and to send an advisory notice that the size of the data domain has passed the at least one quota.

52. The system of Claim 50, if the data transaction could cause the size of the data domain to pass the at least one quota, the module further configured to disallow the data transaction until the other pending data transactions have resolved, and then to permit the data transaction and to monitor a condition associated with the size of the data domain being past the at least one quota.

53. The system of Claim 52, wherein the condition is an amount of time.

54. The system of Claim 50, if the data transaction could cause the size of the data domain to pass the at least one quota, the module further configured to disallow the data transaction until the other pending data transactions have resolved, and then, while postponing subsequent data transactions, to permit the data transaction and to compute, respectively, a maximum possible size or a minimum possible size of the data domain based on the permitted data transaction, wherein the maximum possible size or the minimum possible size may be used to determine whether subsequent data transactions could cause the size of the data domain to pass the at least one quota or a different quota.

55. The system of Claim 50, if the data transaction could cause the size of the data domain to pass the at least one quota, the module further configured to permit the data transaction and to determine whether subsequent data transactions could cause the size of the data domain to pass a different quota from the at least one quota.

56. The system of Claim 50, wherein the system is at least one of the following: a distributed storage system, a file system, and a distributed file system.

57. The system of Claim 50, further comprising a persistent storage and a journal module, the journal module configured to store in the persistent memory the data transaction after determining whether the data transaction could cause the size of the data domain to pass the at least one quota.

58. The system of Claim 50, wherein the data transaction could change the size of the data domain by an incremental value, and further comprising a persistent storage and a journal module, the journal module configured to store in the persistent memory the data transaction until the data transaction either commits or aborts, wherein the quota module is further configured to compute a maximum possible size or a minimum possible size of the data domain based on the incremental value of the data transaction that committed or aborted.

59. A computer-readable medium having data structures stored thereon for implementing domain quotas within a data storage system, the data structures comprising: a domain size field, the domain size field comprising a value that reflects a size of a data domain comprising committed transactions; a bounded size field, the bounded size field comprising a value that reflects a maximum possible size or a minimum possible size of the data domain based on a plurality of pending data transactions that have not committed or aborted; an incremental value field, the incremental value field comprising a value that reflects a change in the size of the data domain caused by a data transaction; an operation type field, the operation type field comprising a value that indicates whether the change in the size of the data domain caused by the data transaction is either an increment or a decrement; and a quota field, the quota field comprising a value that indicates a size threshold for either a minimum or maximum size for the size of the data domain to be within a quota defined for the data domain.

60. A method of managing utilization of a resource of a computer system having a number of threads, the method comprising: receiving a usage threshold for a resource on the computer system; determining a usage for the resource on the system; organizing the system into a number of subsystems, wherein the number of subsystems is two or more, and wherein the number is determined at least in part on factors including the number of threads, the usage threshold, and the usage; allocating the subsystems among the threads; tracking resource usage for each subsystem; and distributing a request to modify resource usage to at least one subsystem.

61. The method of Claim 60, wherein the computer system comprises a distributed system comprising one or more nodes.

62. The method of Claim 61, wherein at least one node of the distributed system is allocated one or more subsystems.

63. The method of Claim 61, wherein the distributed system comprises at least one of a distributed storage system and a distributed file system.

64. The method of Claim 60, wherein the resource comprises physical space on a storage device.

65. The method of Claim 60, wherein the resource comprises quantity of files stored on a storage device.

66. The method of Claim 65, wherein the quantity of files comprises a count associated with the number of files.

67. The method of Claim 65, wherein the quantity of files comprises physical space associated with the files.

68. The method of Claim 60, wherein the resource comprises logical space on a storage device.

69. The method of Claim 68, wherein the logical space comprises physical space less space relating to metadata associated with a protection level for the resource.

70. The method of Claim 60, wherein organizing the system into a number of subsystems comprises determining a subsystem usage threshold for each subsystem, and wherein tracking resource usage for each subsystem comprises determining a subsystem usage for the resource.

71. The method of Claim 70, wherein the sum of the subsystem usage thresholds equals the usage threshold.

72. The method of Claim 70, wherein the sum of the subsystem usages equals the usage.

73. The method of Claim 70, wherein the request to modify resource usage comprises a delta request for the resource.

74. The method of Claim 73, wherein tracking resource usage comprises determining whether the delta request could cause the subsystem usage to pass the subsystem usage threshold in combination with any subset of delta requests pending on the subsystem.

75. The method of Claim 60, wherein allocating the subsystems among the threads comprises allocating at most one subsystem to any thread.

76. The method of Claim 60, wherein the factors for determining the number of subsystems further include a protection level for the resource.

77. The method of Claim 76, wherein allocating the subsystems among the threads comprises mirroring the subsystems based at least in part on the protection level.

78. The method of Claim 60, further comprising: reorganizing the system into one or more subsystems based on occurrence of an event.

79. The method of Claim 78, wherein the event comprises a subsystem usage level passing a subsystem usage threshold.

80. The method of Claim 78, wherein the event comprises adding a new thread to the system.

81. The method of Claim 78, wherein the event comprises updating a usage threshold for the system or a subsystem.

82. The method of Claim 78, wherein the event comprises a possible value range boundary associated with subsystem usage passing a subsystem usage threshold.

83. The method of Claim 60, wherein the reorganizing comprises determining a number of the subsystems for reorganization, wherein the number is one or more.

84. The method of Claim 83, wherein the number is one.

85. The method of Claim 83, wherein the number is based at least in part on factors including the number of threads, the usage threshold, and the usage.

86. The method of Claim 85, wherein the factors further include a protection level for the resource.

87. A computer-readable medium having instructions stored thereon for managing, when the instructions are executed, utilization of a resource of a computer system having a number of threads, the instructions comprising: receiving a usage threshold for a resource on the computer system; determining a usage for the resource on the computer system; organizing the computer system into a number of subsystems, wherein the number of subsystems is two or more, and wherein the number is determined at least in part on factors including the number of threads, the usage threshold, and the usage; allocating the subsystems among the threads; tracking resource usage for each subsystem; and distributing a request to modify resource usage to at least one subsystem.

88. A system for managing utilization of a resource of a computer system having a number of threads, the system comprising: a module configured to receive a usage threshold and to determine usage for a resource on the computer system; wherein the module is further configured to organize the computer system into a number of subsystems, wherein the number is two or more and depends at least in part on factors including the number of threads, the usage threshold, and the usage; and wherein the module is further configured to allocate the subsystems among the threads for tracking resource usage for each subsystem, and to distribute a request to modify resource usage to at least one subsystem.

89. The system of Claim 88, wherein the computer system comprises a distributed system comprising one or more nodes.

90. The system of Claim 89, wherein at least one node of the distributed system is allocated one or more subsystems.

91. The system of Claim 88, wherein the distributed system comprises at least one of a distributed storage system and a distributed file system.

92. The system of Claim 88, wherein the resource comprises physical space on a storage device.

93. The system of Claim 88, wherein the resource comprises quantity of files stored on a storage device.

94. The system of Claim 93, wherein the quantity of files comprises a count associated with the number of files.

95. The system of Claim 93, wherein the quantity of files comprises physical space associated with the files.

96. The system of Claim 88, where the resource comprises logical space on a storage device.

97. The system of Claim 96, wherein the logical space comprises physical space less space relating to metadata associated with a protection level for the resource.

98. The system of Claim 88, wherein the module is further configured to determine a subsystem usage threshold for each subsystem and to determine a subsystem usage level for the resource usage tracked by each subsystem.

99. The system of Claim 98, wherein the sum of all the subsystem usage thresholds equals the usage threshold.

100. The system of Claim 98, wherein the sum of all the subsystem usage levels equals the usage.

101. The system of Claim 88, wherein the request to modify resource usage comprises a delta request for the resource.

102. The system of Claim 101, wherein the module is further configured to determine whether the delta request could cause the subsystem usage to pass the subsystem usage threshold in combination with any subset of delta requests pending on the subsystem.

103. The system of Claim 88, wherein the module is configured to allocate at most one subsystem to any thread.

104. The system of Claim 88, wherein the factors for determining the number of subsystems further include a protection level for the resource.

105. The system of Claim 104, wherein module is further configured to mirror the subsystems based at least in part on the protection level.

106. The system of Claim 88, wherein the module is further configured to reorganize the system into one or more subsystems based on occurrence of an event.

107. The system of Claim 106, wherein the event comprises a subsystem usage level passing a subsystem usage threshold.

108. The system of Claim 106, wherein the event comprises adding a new thread to the computer system.

109. The system of Claim 106, wherein the event comprises updating a usage threshold for the computer system or a subsystem.

110. The system of Claim 106, wherein the event comprises a possible value range boundary associated with the subsystem usage level passing a subsystem usage threshold.

111. The system of Claim 88, wherein said reorganizing comprises determining a number of the subsystems for reorganization, wherein the number is one or more.

112. The system of Claim 111, wherein the number is one.

113. The system of Claim 111, wherein the number is based at least in part on factors including the number of threads, the usage threshold, and the usage.

114. The system of Claim 113, wherein the factors further include a protection level for the resource.