Failboxes: Provably Safe Exception Handling

The primary goal of exception mechanisms is to help ensure that when an operation fails, code that depends on the operation's successful completion is not executed (a property we call dependency safety ). However, the exception mechanisms of current mainstream programming languages make it hard to achieve dependency safety, in particular when objects manipulated inside a try block outlive the try block. Many programming languages, mechanisms and paradigms have been proposed that address this issue. However, they all depart significantly from current practice. In this paper, we propose a language mechanism called failboxes. When applied correctly, failboxes have no significant impact on the structure, the semantics, or the performance of the program, other than to eliminate the executions that violate dependency safety. Specifically, programmers may create failboxes dynamically and execute blocks of code in them. Once any such block fails, all subsequent attempts to execute code in the failbox will fail. To achieve dependency safety, programmers simply need to ensure that if an operation B depends on an operation A , then A and B are executed in the same failbox. Furthermore, failboxes help fix the unsafe interaction between locks and exceptions and they enable safe cancellation and robust resource cleanup. Finally, the Fail Fast mechanism prevents liveness issues when a thread is waiting on a failed thread. We give a formal syntax and semantics of the new constructs, and prove dependency safety. Furthermore, to show that the new constructs are easy to reason about, we propose proof rules in separation logic. The theory has been machine-checked.

[1]  Frank Piessens,et al.  Sound reasoning about unchecked exceptions: soundness proof , 2007 .

[2]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[3]  Jim Shore,et al.  Fail Fast , 2004, IEEE Softw..

[4]  Frank Piessens,et al.  Sound reasoning about unchecked exceptions , 2007, Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007).

[5]  Bertrand Meyer,et al.  Eiffel: The Language , 1991 .

[6]  Richard F. Paige,et al.  Exceptions in Concurrent Eiffel , 2007, J. Object Technol..

[7]  Joe Armstrong,et al.  Making reliable distributed systems in the presence of software errors , 2003 .

[8]  Cecília M. F. Rubira,et al.  A comparative study of exception handling mechanisms for building dependable object-oriented software , 2001, J. Syst. Softw..

[9]  George C. Necula,et al.  Finding and preventing run-time error handling mistakes , 2004, OOPSLA.

[10]  Simon L. Peyton Jones,et al.  Asynchronous exceptions in Haskell , 2001, PLDI '01.

[11]  Dan S. Wallach,et al.  Termination in language-based systems , 2002, TSEC.

[12]  Frank D. Valencia,et al.  Formal Methods for Components and Objects , 2002, Lecture Notes in Computer Science.

[13]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[14]  Robert Bruce Findler,et al.  Kill-safe synchronization abstractions , 2004, PLDI '04.

[15]  Christophe Dony,et al.  Exception handling and object-oriented programming: towards a synthesis , 1990, OOPSLA/ECOOP '90.

[16]  Martin Odersky ECOOP 2004 – Object-Oriented Programming , 2004, Lecture Notes in Computer Science.

[17]  Alan Snyder,et al.  Exception Handling in CLU , 1979, IEEE Transactions on Software Engineering.

[18]  Christof Fetzer,et al.  Automatic detection and masking of non-atomic exception handling , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[19]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[20]  Matthias Felleisen,et al.  Programming languages as operating systems (or revenge of the son of the lisp machine) , 1999, ICFP '99.

[21]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[22]  C. Hawblitzel,et al.  Luna: a flexible Java protection system , 2002, OSDI '02.

[23]  Nir Shavit,et al.  Software transactional memory , 1995, PODC '95.

[24]  Suresh Jagannathan,et al.  Transactional Monitors for Concurrent Objects , 2004, ECOOP.