Recovery Guarantees for General Multi-Tier Applications

  • Roger Barga
  • David Lomet
  • Gerhard Weikum

ICDE Conference

Published by IEEE Computer Society

Database recovery does not mask failures to applications and users. Recovery is needed that considers data, messages, and application components. Special cases have been studied, but clear principles for recovery guarantees in general multi-tier applications such as web-based e-services are missing. We develop a framework for recovery guarantees that masks almost all failures. The main concept is an interaction contract between two components, a pledge as to message and state persistence, and contract release. Contracts are composed into system-wide agreements so that a set of components is provably recoverable with exactly-once message delivery and execution, except perhaps for crash-interrupted user input or output. Our implementation techniques reduce logging cost, allow effective log truncation, and provide independent recovery for critical server components. Interaction contracts form the basis for our Phoenix/COM project on persistent components. Our framework’s utility is demonstrated with a case study of a web-based e-service.