Automated design of efficient fail-safe fault tolerance

Both the scale and the reach of computer systems and embedded devices have been constantly increasing over the last decade. As such computer systems become pervasive, our reliance on such systems increases, resulting in our expectation for such systems to continuously deliver services, even in the presence of faults, that is we expect the computer systems to be dependable. One way to ensure the continuous delivery of dependable services is replication, which however, is expensive, so we focus on the cheaper alternative, that of software-based fault tolerance. There are different levels of fault tolerancethat can be provided, for example masking fault tolerance, fail-safe fault tolerance etc. In this thesis, we focus on providing fail-safe fault tolerance. Intuitively, a fail-safe faulttolerant program is one where it is acceptable for such a program to “halt” when faults occur, as long as it always remains in a “safe” state. Moreover, we endeavor to synthesize efficient fail-safe fault tolerance. We used two commonly-used criteria to assess the efficiency of a fail-safe fault-tolerant program, namely (i) error detection latency – or latency for short –, i.e., how fast can a fail-safe fault-tolerant program detect an erroneous state, and (ii) error detection coverage – or coverage for short, i.e., the ratio of “harmful” errors the program can detect. In this thesis, we present a formal framework for the design of efficient fail-safe fault-tolerant program. The framework is based on a refined theory of detectors, which introduces novel insights into their working principles. We introduce the concept of a perfect detector, which allows a fail-safe faulttolerant program to have perfect detection. This means that a program, composed with perfect detectors, have optimal detection coverage. Optimal in the sense that the detectors detect all of the “harmful” errors, and make no mistakes. Then, we present the concept of fast detection, and show how a failsafe fault-tolerant program can have both perfect, and fast error detection. In fact, the detection latency is shown to be minimal, i.e., the error is detected