This chapter reviews the development of the recovery block approach to software fault tolerance and subsequent work based on this approach. It starts with an account of the development and implementations of the basic recovery block scheme in the early 1970s at Newcastle, and then goes on to describe work at Newcastle and elsewhere on extensions to the basic scheme, recovery in concurrent systems, and linguistic support for recovery blocks based on the use of object-oriented programming concepts.

Following in the spirit of data structure and algorithm correctness checking, authenticated data structures provide cryptographic proofs that their answers are as accurate as the author intended, even if the data structure is being maintained by a remote host. We present techniques for authenticating data structures that represent graphs and collection of geometric objects. We use a model where a data structure maintained by a trusted source is mirrored at distributed directories, with the directories answering queries made by users. When a user queries a directory, it receives a cryptographic proof in addition to the answer, where the proof contains statements signed by the source. The user verifies the proof trusting only the statements signed by the source. We show how to efficiently authenticate data structures for fundamental problems on networks, such as path and connectivity queries, and on geometric objects, such as intersection and containment queries.

In the program checking paradigm, the original program is run on the desired input, and its output is checked by another program called achecker. Recently, the notion of program checking has been extended from its original formulation of checking functions to checking a sequence of operations which query and alter the state of an object external to the program, e.g., checking the interactions between a client and the manager (server) of a data structure. In this expanded paradigm, the checker acts as an intermediary between the client, which generates the requests, and the server, which processes them. The checker is allowed a small amount of reliable memory and may provide a probabilistic guarantee of correctness for the client. We present off-line and on-line checkers for data structures such as linked lists, trees, and graphs. Previously, the only data structures for which such checkers existed were random access memories, stacks, and queues.

We present an efficient algorithm which can check the answers given by the fundamental abstract data types priority queues and mergeable priority queues. This is the first linear-time checker for mergeable priority queues. These abstract data types are widely used in routing, scheduling, simulation, computational geometry and many other algorithmic domains. We have implemented our answer checker and have performed experiments comparing the speed of our checker to recently benchmarked priority queue and mergeable priority queue implementations, and our checker is substantially faster than the best of these implementations. 1 Introduction This paper concerns the fundamental abstract data types of priority queues (PQs) and mergeable priority queues (MPQs). These abstract data types have been recognized as centrally important from the early days of computer-algorithm design. They appear in seminal algorithm texts such as Knuth's [10] and Aho, Hopcroft and Ullman's [1]. Data structure impl...

1 Introduction In this paper we describe a novel and powerful technique for achieving fault tolerance in systems. Although applicable to both hardware and software implementation, we restrict our discussion of this technique to implementation in software. To explain our technique, we will first discuss a simpler method. In this method the specification of a problem is given and an algorithm to solve it is constructed. This algorithm is executed on a particular input and the output is stored. Next, the same algorithm is executed again on the same input and the output is compared to the earlier output. If the outputs differ then an error is indicated, otherwise the output is accepted as correct. This method requires additional time, so called time

We introduce novel techniques for organizing the indexing structures of how data is stored so that alterations from an original version can be detected and the changed values specifically identified. We give forensic constructions for several fundamental data structures, including arrays, linked lists, binary search trees, skip lists, and hash tables. Some of our constructions are based on a new reduced-randomness construction for nonadaptive combinatorial group testing.

In this paper we describe a general technique for checking the integrity of data structures which can be corrupted by memory faults. Our approach is based on a recursive checksum technique. Basic methods of using checksums have been previously seen to be useful for detecting faults at the bit or word level; among our results will be their extension to the node level. The major contributions of our paper are threefold. First, we show how the recursive checksum procedure can be applied to tree data structures that are dynamically changing, whereas the previous work concentrated on trees that were static in their structure. This results in a asymptotic improvement in running time for applications where it is natural to model the underlying data as a tree. Second, we present a C ++ implementation of this scheme. Significantly, it is seen that our software can be used with existing applications which manipulate trees with only minor modification of the application programs. Finally, we ha...

this paper, we consider the problem of detecting errors in the answers given in response to data structure queries. For many programs a substantial fraction of the intricate error-prone code resides in the routines associated with data structure access. In addition, a significant fraction of total program running time is spent executing the code of these routines. Data structures are often used to implement abstract data types (ADTs) and in recent years a number of different ADTs have been shown to be efficiently checkable. Checkers which are also referred to as error monitors in this paper have been developed for priority queues, the union/find data type, and most recently mergeable priority queues and have been shown to require only O(n) time to check a sequence of n operations [5, 21, 23]. These checkers detect any errors in query answers and since each of these checkers is based on an ADT

In this paper we describe the use of the certification-trail technique as the basis of a new hybrid framework for building formally verified software systems. Our technique involves formally verifying only a part of a software system; however, the technique yields a software system which still satisfies the most important correctness properties. Substantial savings in the overhead of software verification, and also in program running time are shown to be possible in comparison to traditional methods. We apply our technique to the problem of sorting since sorting represents one of the most basic operations in computer science, and a formally verified sorting certifier should have significant applicability. The results presented in this paper represent an enhancement of the certification-trail technique relative to the detection of incorrect computational output caused by software faults. Index terms: Sorting; formal program verification; software correctness; certification trails; prog...

We report on the use of program checking in the LEDA library of efficient data types and algorithms.