Abstract—This paper gives the main definitions relating to dependability, a generic concept including as special case such attributes as reliability, availability, safety, integrity, maintainability, etc. Security brings in concerns for confidentiality, in addition to availability and integrity. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability and security (faults, errors, failures), their attributes, and the means for their achievement (fault prevention, fault tolerance, fault removal, fault forecasting). The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of system failures.

this paper we discuss four major problems we have observed in our developing and deploying wide-area distributed object applications and middleware. First, most programs are developed ignoring the variable wide area conditions. Second, when application programmers do try to handle these conditions, they have great difficulty because these harsh conditions are different from thost of the local objects they are used to dealing with. Third, IDL hides information about the tradeoffs any implementation of an object must make. Fourth, there is presently no way to systematically reuse current technology components which deal with these conditions, so code sharing becomes impractical. In this paper we also describe our architecture, Quality of Service for CORBA Objects (QuO), which we have developed to overcome these limitations and integrate their solution by providing QoS abstractions to CORBA objects. First, it makes these conditions first class entities and integrates knowledge of them over time, space, and source. Second, it reduces their variance by masking. Third, it exposes key design decisions of an object's implementation and how it will be used. Fourth, it supports reuse of various architectural components and automatically generates others.

This paper presents a scheme for coordinated error recovery between multiple interacting objects in a concurrent object-oriented system. A conceptual framework for fault tolerance is established based on a general object concurrency model that is supported by most concurrent object-oriented languages and systems. This framework integrates two complementary concepts — conversations and transactions. Conversations (associated with cooperative exception handling) are used to provide coordinated error recovery between concurrent interacting activities whilst transactions are used to maintain the consistency of shared resources in the presence of concurrent access. The serialisability property of transactions is exploited in order to help prevent unexpected information smuggling. The proposed framework is illustrated by means of a case study, and various linguistic and implementation issues are discussed.

: The FRIENDS system developed at LAAS-CNRS is a metalevel architecture providing libraries of metaobjects for fault tolerance, secure communications and group-based distributed applications. The use of metaobjects provides a nice separation of concerns between mechanisms and applications. Metaobjects can be used transparently by applications and can be composed according to the needs of a given application, a given architecture and its underlying properties. In FRIENDS, metaobjects are used recursively to add new properties to applications. They are designed using an object oriented design method and implemented on top of basic system services. This paper describes the FRIENDS software-based architecture, the objectoriented development of metaobjects, the experiments that we have done and summarises the advantages and drawbacks of a metaobject approach for building fault tolerant systems. 1 Introduction The use of a metalevel architecture to build dependable systems has emerged recen...

Behavioral reflection is a powerful approach for adapting the behavior of running applications. In this paper we present and motivate partial behavioral reflection, an approach to more e#cient and flexible behavioral reflection. We expose the spatial and temporal dimensions of such reflection, and propose a model of partial behavioral reflection based on the notion of hooksets. In the context of Java, we describe a reflective architecture o#ering appropriate interfaces for static and dynamic configuration of partial behavioral reflection at various levels, as well as Reflex, an open reflective extension for Java implementing this architecture. Reflex is the first extension that fully supports partial behavioral reflection in a portable manner, and that seamlessly integrates load-time and runtime behavioral reflection. The paper shows preliminary benchmarks and examples supporting the approach. The examples, dealing with the observer pattern and asynchronous communication via transparent futures, also show the interest of partial behavioral reflection as a tool for open dynamic Aspect-Oriented Programming.

A membership service is used to maintain information about which sites are functioning in a distributed system at any given time. Many such services have been defined, with each implementing a unique combination of properties that simplify the construction of higher levels of the system. Despite this wealth of possibilities, however, any given service only realizes one set of properties, which makes it difficult to tailor the service provided to the specific needs of the application. Here, a configurable membership service that addresses this problem is described. This service is based on decomposing membership into its constituent abstract properties, and then implementing these properties as separate software modules called micro-protocols that can be configured together to produce a customized membership service. A prototype C++ implementation of the membership service for a simulated distributed environment is also described. December 19, 1994 Revised January 9, 1996 Department of ...

We address the problem of how to handle exceptions in distributed object-oriented systems. In a distributed computing environment exceptions may be raised simultaneously and thus need to be treated in a coordinated manner. We take two kinds of concurrency into account: 1) several objects are designed collectively and invoked concurrently to achieve a global goal, and 2) concurrent objects or object groups that are designed independently compete for the same system resources. We propose a new distributed algorithm for resolving concurrent exceptions and show that the algorithm works correctly even in complex nested situations, and is an improvement over previous proposals in that it requires only O(N²) messages, and is fully object-oriented.

Modern software systems are often built from existing library components. A common problem is how to fix bugs when source code is not available. Xept is an instrumentation language and tool that can be used to add to object code the ability to detect, mask, recover and propagate exceptions from library functions. This helps to alleviate or avoid a large class of errors resulting from function misuses. Examples will be given to show applications of Xept in actual software systems. 1. Introduction Modern software systems are often built out of reusable components from diverse sources, including freeware or software vendors. For various reasons, including proprietary concerns, source code for such components is often not available. Thus, unless the original developers are still around and willing to help, bugs in such components are often left unfixed. This points out a need for tools and approaches to handle bugs in object code. This is not a generally solvable problem because bugs can a...

The contribution of this thesis is the development of a framework for simplifying the construction of grid computational applications. The framework provides a generic extension mechanism for incorporating functionality into applications and consists of two models: (1) the reflective graph and event model, and (2), the exoevent notification model. These models provide a platform for extending user applications with additional capabilities via composition. While the models are generic and can be used for a variety of purposes, including security, resource accounting, debugging, and application monitoring [VILE97, FERR99, LEGI99, MORG99], we apply the models in this dissertation towards the integration of fault-tolerance techniques. Using the framework, fault-tolerance experts can encapsulate algorithms using the two reflective models developed in this dissertation. Developers incorporate these algorithms into their tools and augment the set of services provided to application programmers. Application programmers then use these augmented tools to increase the likelihood that their programs will complete successfully.

. FRIENDS is a software-based architecture for implementing faulttolerant and, to some extent, secure applications. This architecture is composed of sub-systems and libraries of metaobjects. Transparency and separation of concerns is provided not only to the application programmer but also to the programmers implementing metaobjects for fault tolerance, secure communication and distribution. Common services required for implementing metaobjects are provided by the sub-systems. Metaobjects are implemented using object-oriented techniques and can be reused and customised according to the application needs, the operational environment and its related fault assumptions. Flexibility is increased by a recursive use of metaobjects. Examples and experiments are also described. 1 Introduction The dependability research community has designed and experimented a number of mechanisms which have now reached full maturity. Nevertheless, in practice, the integration of such mechanisms within applica...