Fault-Tolerant Sequential Programming Using Recovery Blocks

Abstract

When using recovery blocks [1], it is desirable to structure a program such that no unrecoverable operations (e.g. I/O) appear within a recovery block — thus ensuring that a recovery action will generate a consistent prior state. The figure below shows one case where only assignments are recoverable and a large file is to be processed (the merge sort example of the next section illustrates this approach):

Open image in new window

There can be two ways of designing the different algorithms for the primary and the alternatives of a recovery block: algorithms that are different but produce identical results (see the median example below) or algorithms for alternatives that are designed to provide a degraded service (producing different but nevertheless acceptable results, see the stable marriage example). In the latter situation the acceptance test can only be as strong as the test needed to check the adequacy of the ‘weakest’ alternative. Sometimes, this may prove unacceptable where a stronger test is needed for the primary (or even some of the alternatives). The following figure suggests a simple way of including both of these tests. ‘I’ represents the acceptance test and ‘Q’ represents a stronger test for the primary. It is assumed that if ‘Q’ is false, the primary will fail. ensure I by begin.. ; assert Q end else by...