Designing Masking Fault Tolerance via Nonmasking Fault Tolerance

Masking fault-tolerance guarantees that programs continually satisfy their specii-cation in the presence of faults. By way of contrast, nonmasking fault-tolerance does not guarantee as much: it merely guarantees that when faults stop occurring, program executions converge to states from where programs continually (re)satisfy their speciication. We present in this paper a component based method for the design of masking fault-tolerant programs. In this method, components are added to a fault-intolerant program in a stepwise manner, rst, to transform a fault-intolerant program into a nonmask-ing fault-tolerant one and, then, to enhance the fault-tolerance from nonmasking to masking. We illustrate the method by designing programs for agreement in the presence of Byzantine faults, data transfer in the presence of message loss, triple modulo redundancy in the presence of input corruption, and mutual exclusion in the presence of process fail-stops. These examples also serve to demonstrate that the method accommodates a variety of fault-classes, it provides alternative designs for programs usually designed with extant design methods, and it ooers the potential for improved masking fault-tolerant programs.