Provably live exception handling

Writing concurrent Java programs that provably terminate, i.e. that terminate in all executions allowed by the language specification, is difficult, because of the combination of two language "features": firstly, the virtual machine is allowed to throw a VirtualMachineError exception at any point in the execution of the program; secondly, if a thread terminates because of an exception, a stack trace is printed to the console, but other threads continue to execute normally. As a result, no program where threads wait for other threads is provably live. Furthermore, even if we ignore the VirtualMachineError issue, dealing with exceptions in a way that preserves liveness and compositionality is nontrivial. For example, in the .NET Framework, if a thread terminates because of an exception, the program is terminated. This preserves liveness, but it is not compositional. At ECOOP 2009, we proposed the failboxes language extension. We showed how it facilitates writing programs that deal with exceptions in a way that preserves safety, liveness, and compositionality. We proposed proof rules for proving safety, but not for proving liveness. In this paper, we present our ongoing research on writing and verifying provably live programs. In particular, building on Chalice's approach for proving deadlock-freedom in the absence of exceptions of programs that use channels, we propose preliminary proof rules for proving deadlock-freedom in the presence of synchronous and asynchronous exceptions of programs that use semaphores and failboxes.