Combining the Robustness of Checked Exceptions with the Flexibility of Unchecked Exceptions using Anchored Exception Declarations
2005
Cited by 11 (5 self)
Ever since their invention 30 years ago, checked exceptions have been a point of much discussion. On the one hand, they increase the robustness of software by preventing the manifestation of unanticipated checked exceptions at run-time. On the other hand, they decrease the adaptability of software because they must be propagated explicitly, and must often be handled even if they cannot be signalled. We show that these problems are caused by a conflict between the exceptional interface of a method and the principle of abstraction. We then solve this conflict by introducing anchored exception declarations, which allow the exceptional behaviour of a method to be declared relative to that of others. We present their formal semantics, along with the necessary rules for ensuring compile-time safety, and give a proof of correctness. We show that anchored exception declarations do not violate the principle of information hiding when used properly, and provide a guideline for when to use them. We have implemented anchored exception declarations as an extension to the ClassicJava programming language, called Cappuccino.
Practical Exception Specifications
Cited by 8 (1 self)
Exception specifications can aid in the tasks of writing correct exception handlers and understanding exceptional control flow, but current exception specification systems are impractical in a number of ways. In particular, they are too low-level, too heavyweight, and do not provide adequate support for describing exception policies. We have identified the essential properties of a practical exception specification system and we present a methodology and tool that provides integrated support for specifying, understanding, and evolving exception policies. The annotations required of the programmer are lightweight and easier to maintain than those of current systems; in our studies we observed a 50% to 93% reduction in annotations. By leveraging these annotations, our system provides scalable support for understanding exception flow and for modifying exception annotations.
Recovering from distributable thread failures with assured timeliness in real-time distributed systems
In IEEE SRDS, 2006
Cited by 7 (6 self)
We consider the problem of recovering from failures of distributable threads with assured timeliness. When a node hosting a portion of a distributable thread fails, it causes orphans—i.e., thread segments that are disconnected from the thread’s root. We consider a termination model for recovering from such failures, where the orphans must be detected and aborted, and failure-exception notification must be delivered to the farthest, contiguous surviving thread segment for resuming thread execution. We present a real-time scheduling algorithm called AUA, and a distributable thread integrity protocol called TP-TR. We show that AUA and TP-TR bound the orphan cleanup and recovery time, thereby bounding thread starvation durations, and maximize the total thread accrued timeliness utility. We implement AUA and TP-TR in a real-time middleware that supports distributable threads. Our experimental studies with the implementation validate the algorithm/protocol’s time-bounded recovery property and confirm their effectiveness.
Exceptional Situations And Program Reliability
2005
Cited by 4 (1 self)
It is difficult to write programs that behave correctly in the presence of run-time errors. Proper behavior in the face of exceptional situations is important to the reliability of long-running programs. Existing programming language features often provide poor support for executing clean-up code and for restoring invariants. We present a dataflow analysis for finding a certain class of mistakes made during exceptional situations. We also present a specification miner for automatically inferring partial notions of what programs should be doing. Finally, we propose and evaluate a new language feature, the compensation stack, to make it easier to write solid code in the presence of run-time errors.

We give a dataflow analysis for finding a certain class of exception-handling mistakes: those that arise from a failure to release resources or to clean up properly along all paths. Many real-world programs violate such resource usage rules because of incorrect exception handling. Our flow-sensitive analysis keeps track of outstanding obligations along program paths and does a precise modeling of control flow in the presence of exceptions. Using it, we have found over 800 exception handling mistakes in almost 4 million lines of Java code. The analysis is unsound and produces false positives, but a few simple filtering rules suffice to remove them in practice. The remaining mistakes were manually verified. These mistakes cause sockets, files and database handles to be leaked along some paths.

Specifications are necessary in order to find software bugs using program verification tools. We give a novel automatic specification mining algorithm that uses information about exception handling to learn temporal safety rules. Our algorithm is based on the observation that programs often make mistakes along exceptional control-flow paths, even when they behave correctly on normal execution paths. We show that this focus improves the miner’s effectiveness at discovering specifications beneficial for bug finding. We present quantitative results comparing our technique to four existing miners. We highlight assumptions made by various miners that are not always borne out in practice. Additionally, we apply our algorithm to existing Java programs and analyze its ability to learn specifications that find bugs in those programs. In our experiments, we find filtering candidate specifications to be more important than ranking them. We find 430 bugs in 1 million lines of code. Notably, we find 250 more bugs using per-program specifications learned by our algorithm than with generic specifications that apply to all programs.

We present a characterization of the most common causes of those bugs and discuss the limitations of exception handling, finalizers and destructors. Based on that characterization we propose a programming language feature, the compensation stack, that keeps track of obligations at run time and ensures that they are discharged. Finally, we present case studies to demonstrate that this feature is natural, efficient, and can improve reliability; for example, retrofitting a 34,000-line program with compensation stacks resulted in a 0.5% code size decrease, a surprising 17% speed increase (from correctly deallocating resources in the presence of exceptions), and more consistent behavior.
Context-Aware Exception Handling in Mobile Agent Systems: The MoCA Case
Proceedings of the 5th International Workshop on Software Engineering for Large-Scale Multi-Agent Systems (SELMAS 2006) at ICSE 2006, 2006
Cited by 4 (1 self)
Handling erroneous conditions in context-aware mobile agent systems is challenging due to their intrinsic characteristics: openness, lack of structuring, mobility, asynchrony and increased unpredictability. Even though several context-aware middleware systems support now the development of mobile agent-based applications, they rarely provide explicit and adequate features for context-aware exception handling. This paper reports our experience in implementing error handling strategies in some prototype context-aware collaborative applications built with the MoCA (Mobile Collaboration Architecture) system. MoCA is a publish-subscribe middleware supporting the development of collaborative mobile applications by incorporating explicit services to empower software agents with context-awareness. We propose a novel context-aware exception handling mechanism and discuss some lessons learned during its integration in the MoCA infrastructure.
Failboxes: Provably Safe Exception Handling
Cited by 3 (0 self)
The primary goal of exception mechanisms is to help ensure that when an operation fails, code that depends on the operation’s successful completion is not executed (a property we call dependency safety). However, the exception mechanisms of current mainstream programming languages make it hard to achieve dependency safety, in particular when objects manipulated inside a try block outlive the try block. Many programming languages, mechanisms and paradigms have been proposed that address this issue. However, they all depart significantly from current practice. In this paper, we propose a language mechanism called failboxes. When applied correctly, failboxes have no significant impact on the structure, the semantics, or the performance of the program, other than to eliminate the executions that violate dependency safety. Specifically, programmers may create failboxes dynamically and execute blocks of code in them. Once any such block fails, all subsequent attempts to execute code in the failbox will fail. To achieve dependency safety, programmers simply need to ensure that if an operation B depends on an operation A, then A and B are executed in the same failbox. Furthermore, failboxes help fix the unsafe interaction between locks and exceptions and they enable safe cancellation and robust resource cleanup. Finally, the Fail Fast mechanism prevents liveness issues when a thread is waiting on a failed thread. We give a formal syntax and semantics of the new constructs, and prove dependency safety. Furthermore, to show that the new constructs are easy to reason about, we propose proof rules in separation logic. The theory has been machine-checked.
A Flexible Approach to Exception Handling in Open Multiagent Systems
In Proceedings of the 2nd International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS-03) Challenges’03 Workshop, 2003
Cited by 2 (0 self)
Exception handling in multi-agent systems (MAS) is a complex issue due to the distributed and decentralized nature of data and control in such systems. Autonomous agents representing different organizations need to implement a set of behaviors in addition to their problem solving behaviors in order to facilitate the coordinated exception handling processes across organizational boundaries. In this paper we review the limitations of the current domain independent exception handling approaches and propose a flexible approach to exception handling in MAS. The approach works by incorporating the exception handling services provided by the MAS infrastructure owner and the local exception handling mechanism of individual agents. It allows the agent to use the system provided exception handling service for all of its protocol related (social) exceptions or use its local exception handling mechanism to deal with a subset of these exceptions. It is claimed that this provides flexibility in exception handling. This work provides a way to increase the reliability and availability of open agent systems in exceptional situations.
Structural concepts for trust, contract and security management for a virtual chemical engineering organisation
In PST 2004, 2004
Cited by 1 (0 self)
The paper reports on ongoing research into the development of a management system to co-ordinate a set of activities of a virtual organisation for the production of chemicals. The paper reports on the authors’ experience in considering a real virtual organisation and raises issues of co-ordinating atomic activities that span across organisational boundaries and deals with systems that possess a high degree of autonomy and dynamicity. The focus here is on determining the requirements in terms of the co-ordination of parallel activities, trust and security issues such as access control, validation of resources and identities, formalisation, risk analysis and finally fault tolerance.
Making Exception Handling Work
In HotDep II, 2006
Cited by 1 (0 self)
Most modern programming languages rely on exceptions for dealing with errors. Although exception handling was a significant improvement over other mechanisms like checking return codes, it’s far from perfect. In fact, it can be argued that this mechanism is seriously flawed. In this paper we argue that exception handling should be automatically done at the runtime/operating system level. The motivation is similar to the one that led to garbage collection: memory management was a tedious and error prone process, thus virtual machines included support for taking care of it. We believe that many exceptions can be automatically dealt with, and recovered, as long as appropriate mechanisms exist in the runtime environment. We believe that this approach may dramatically influence the way programming languages are designed and significantly contribute to having more robust code, being actually developed with much less programming effort.
Understanding Exception Handling: Viewpoints of Novices and Experts
Cited by 1 (0 self)
Several recent studies indicate that many industrial applications exhibit poor quality in the design of exception-handling. To improve the quality of error-handling, we need to understand the problems and obstacles that developers face when designing and implementing exception-handling. In this paper, we present our research on understanding the viewpoint of developers—novices and experts—toward exception-handling. First, we conducted a study with novice developers in industry. The study results reveal that novices tend to ignore exceptions because of the complex nature of exception-handling. Then, we conducted a second study with experts in industry to understand their perspective on exception-handling. The study results show that, for experts, exception-handling is a crucial part in the development process. Experts also confirm the novices’ approach of ignoring exception-handling and provide insights as to why novices do so. After analyzing the study data, we identified factors that influence experts’ strategy selection process for handling exceptions and then built a model that represents a strategy selection process experts use to handle exceptions. Our model is based on interacting modules and fault scope. We conclude with some recommendations to help novices improve their understanding of exception-handling.
Index Terms—Exception handling, user study, software developers.