CS 444A Supplementary Reading List

Last modified: $Date: 2001/09/12 17:06:54 $

Recommended Textbooks

• Safeware: System Safety and Computers, by Nancy G. Leveson.  Overview of the field of computer system safety, a bit chatty but has some good background from the established safety-critical-systems community.  Various appendices detail some case studies of systems that failed, including the Ariane 5 and Therac-25 stories.
• Fault Tolerance in Distributed Systems, by Pankaj Jalote.  Good reference book for basic concepts and algorithms of "classical" fault tolerance: distributed consensus, replication and consistency, stable storage, atomic transactions, reliable broadcast, etc.

Systems Overview

• ACID semantics and transactions: lecture 1 of Joe Hellerstein's UC Berkeley CS 186 (Databases)
• Fault tolerance while maintaning ACID semantics: the original Aries paper.
• John Ousterhout, The Role of Distributed State: why state maintenance is hard in a distributed system, the pros and cons of distributed vs. centralized state management.
• Alan Demers, Karin Petersen, Mike Spreitzer, Douglas Terry, Marvin Theimer, Brent Welch. The Bayou Architecture: Support for Data Sharing Among Mobile Users. Proc. SOSP-15, Copper Mountain, CO, 1995.  Bayou trades consistency for availability by providing a set of well-defined user models with varying guarantees, so applications can choose the model appropriate for their semantics.

Design For Failure

• Mars Pathfinder priority inversion explanation, and lessons learned (from Risks Digest)
• The CIRRUS banking network, by David Gifford and Alfred Spector, Communications of the ACM 28(8): 798-807, Aug. 1985 [PDF] [commentary] - a good example of how out-of-band mechanisms are employed to robustify the ATM network

Glenn Reeves' excellent description also includes the following comment, which I found highly illuminating and with which I resonated quite a bit:

We did have one other thing on our side; we knew how robust our system was because that is the way we designed it.

We knew that if this problem occurred we would reset. We built in mechanisms to recover the current activity so that there would be no interruptions in the science data (although this wasn't used until later in the landed mission). We built in the ability (and tested it) to go through multiple resets while we were going through the Martian atmosphere. We designed the software to recover from radiation induced errors in the memory or the processor. The spacecraft would have even done a 60 day mission on its own, including deploying the rover, if the radio receiver had broken when we landed. There are a large number of safeguards in the system to ensure robust, continued operation in the event of a failure of this type. These safeguards allowed us to designate problems of this nature as lower priority.

We had our priorities right.

Models and Characterizations

• TACC and DDS [or maybe roll this into Internet-Scale Challenges, or Lessons from Giant-Scale Systems]
• TACT
• Availability benchmarking
• Soft state model

Techniques

• Recursive restartability
• Disco or other VM papers
• Hypervisor-based FT
• Lightweight RVM/Logged VM, Free Transactions with Rio Vista