Specifying Graceful Degradation
Authors
Abstract
Complex programs are often required to display graceful degradation, reacting adaptively to changes in the environment. Under ideal circumstances, the program's behavior satisfies a set of application-dependent constraints. In the presence of events such as failures, timing anomalies, synchronization conflicts, or security breaches, certain constraints may become difficult or impossible to satisfy, and the application designer may choose to relax them as long as the resulting behavior is sufficiently "close" to the preferred behavior. This paper describes the relaxation lattice method, a new approach to specifying graceful degradation for a large class of programs. A relaxation lattice is a lattice of specifications parameterized by a set of constraints, where the stronger the set of constraints, the more restrictive the specification. While a program is able to satisfy its strongest set of constraints, it satisfies its preferred specification, but if changes to the environment force it to satisfy a weaker set, then it will permit additional "weakly consistent" computations which are undesired but tolerated. The use of relaxation lattices is illustrated by specifications for programs that tolerate 1) faults, such as site crashes and network partitions, 2) timing anomalies, such as attempting to read a value "too soon" after it was written, 3) synchronization conflicts, such as choosing the oldest "unlocked" item from a queue, and 4) security breaches, such as acquiring unauthorized capabilities. A preliminary version of this paper appeared in the proceedings of the Sixth ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing.

Complex programs are often required to display graceful degradation, reacting adaptively to changes in the environment. Under ideal circumstances, the program's behavior satisfies a set of application-dependent preferred constraints. Each constraint typically preserves a certain level of consistency, and each has an associated cost. In the presence of failures, timing anomalies, synchronization conflicts, or security violations, certain constraints may become difficult or impossible to satisfy, and the application designer may choose to relax them as long as the resulting behavior is sufficiently "close" to the preferred behavior. Although numerous techniques have been proposed for implementing graceful degradation in a variety of domains, the resulting behavior has proved difficult to specify using existing techniques. In this paper, we propose the relaxation lattice method, a new approach to specifying graceful degradation for a large class of programs, including sequential, concurrent, and distributed programs. This method incorporates …
Similar sources
Developing a Software Architecture for Graceful Degradation in an Elevator Control System
Many embedded systems have high safety and dependability requirements, which makes ensuring software robustness a top priority in these systems. As embedded computer systems become more complex and incorporate increasing functionality, their software systems become increasingly more difficult to design, build, and maintain. One approach to achieving software robustness is graceful degradation. ...
Design Patterns for Graceful Degradation
The term graceful degradation describes the smooth change to a lower state of some system aspect as a response to the occurrence of an event that prohibits the manifestation of the fully fledged system behavior. Graceful degradation has appeared in a variety of domains, from image processing and telecommunications to shared memory multiprocessors and multi-modular memory systems. In each domain...
Using Architectural Properties to Model and Measure System-Wide Graceful Degradation
System-wide graceful degradation may be a viable approach to improving dependability in computer systems. In order to evaluate and improve system-wide graceful degradation we present initial work on a component-based model that will explicitly define graceful degradation as a system property, and measure how well a system gracefully degrades in the presence of multiple combinations of component...
Towards Decentralized Management of Graceful Degradation in Distributed Embedded Systems
Graceful degradation entails a proportional loss of functionality or the reduction in the quality of services a system provides in response to faults. Compared to traditional techniques, graceful degradation is a promising approach to achieving fault tolerance at reduced cost. Current research using this approach in distributed embedded systems assumes a central management unit responsible for ...
Using Architectural Properties to Model and Measure Graceful Degradation
System-wide graceful degradation may be a viable approach to improving dependability in computer systems. In order to evaluate and improve system-wide graceful degradation we present a system model that will explicitly define graceful degradation as a system property, and measure how well a system gracefully degrades in the presence of multiple combinations of component failures. The system's s...
Journal:
- IEEE Trans. Parallel Distrib. Syst.
Volume 2, Issue
Pages -
Publication date 1991