Database recovery does not mask failures to applications
and users. Recovery is needed that considers data,
messages, and application components. Special cases
have been studied, but clear principles for recovery
guarantees in general multi-tier applications such as
web-based e-services are missing. We develop a framework
for recovery guarantees that masks almost all
failures. The main concept is an interaction contract
between two components, a pledge as to message and
state persistence, and contract release. Contracts are
composed into system-wide agreements so that a set of
components is provably recoverable with exactly-once
message delivery and execution, except perhaps for
crash-interrupted user input or output. Our implementation
techniques reduce logging cost, allow effective
log truncation, and provide independent recovery for
critical server components. Interaction contracts form
the basis for our Phoenix/COM project on persistent
components. Our framework’s utility is demonstrated
with a case study of a web-based e-service.
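The abstract describes an interaction contract only in outline: the sender pledges message persistence and resends until released, the receiver pledges to persist the message together with the state it produced before acknowledging, and the acknowledgement releases the sender so it can truncate its log. The following Python model is an added illustration of those pledges and is not the Phoenix/COM implementation; the two components, their stable logs, the running-total application state and the constructed crash scenario are all assumptions made for the example. It shows why the pledges yield exactly-once execution under a receiver crash between commit and acknowledgement and under a message lost in transit, and why each side can recover independently from its own log.

```python
"""Toy model of a two-component interaction contract (added illustration,
not the Phoenix/COM code). Sender: persist before send, resend until released.
Receiver: force-log message id plus resulting state before acking; drop
duplicates. Ack = release; released history may be truncated. A crash
discards volatile state, rebuilt from the component's own stable log."""


class Receiver:
    def __init__(self):
        self.log = []  # stable storage: one forced record per executed message
        self.recover()

    def recover(self):
        """Rebuild volatile state by replaying the stable log."""
        self.done = set()   # message ids already executed
        self.balance = 0    # application state (assumed: a running total)
        for rec in self.log:
            self.done.add(rec["key"])
            self.balance = rec["balance"]

    def receive(self, msg, crash_before_ack=False):
        key = (msg["src"], msg["seq"])
        if key not in self.done:
            new_balance = self.balance + msg["payload"]
            # receiver pledge: id and resulting state in ONE forced record, before any ack
            self.log.append({"key": key, "balance": new_balance})
            self.done.add(key)
            self.balance = new_balance
        # a duplicate falls through to the ack without re-executing
        if crash_before_ack:
            self.recover()  # volatile state lost; rebuilt from the log
            return None     # the ack never reaches the sender
        return ("ack", msg["src"], msg["seq"])


class Sender:
    def __init__(self, name):
        self.name = name
        self.log = []  # stable storage: checkpoint, send and release records
        self.recover()

    def recover(self):
        """Rebuild sequence counter and unreleased messages from the stable log."""
        self.next_seq = 1
        self.unreleased = {}
        for rec in self.log:
            if rec["type"] == "checkpoint":
                self.next_seq = rec["next_seq"]
                self.unreleased = dict(rec["unreleased"])
            elif rec["type"] == "send":
                self.unreleased[rec["msg"]["seq"]] = rec["msg"]
                self.next_seq = rec["msg"]["seq"] + 1
            elif rec["type"] == "release":
                self.unreleased.pop(rec["seq"], None)

    def send(self, receiver, payload, lost=False, crash_receiver_before_ack=False):
        msg = {"src": self.name, "seq": self.next_seq, "payload": payload}
        # sender pledge: the message is persisted before it leaves this component
        self.log.append({"type": "send", "msg": msg})
        self.unreleased[msg["seq"]] = msg
        self.next_seq += 1
        self._deliver(receiver, msg, lost, crash_receiver_before_ack)
        return msg["seq"]

    def _deliver(self, receiver, msg, lost=False, crash=False):
        if lost:
            return  # dropped in transit; the contract stays unreleased
        ack = receiver.receive(msg, crash_before_ack=crash)
        if ack is not None:
            self.release(ack[2])

    def resend_unreleased(self, receiver):
        """Sender pledge: keep resending until the receiver releases the contract."""
        for msg in list(self.unreleased.values()):
            self._deliver(receiver, msg)

    def release(self, seq):
        self.log.append({"type": "release", "seq": seq})
        self.unreleased.pop(seq, None)

    def truncate_log(self):
        """Compact the log: released contracts need no history, only a checkpoint."""
        self.log = [{"type": "checkpoint", "next_seq": self.next_seq,
                     "unreleased": dict(self.unreleased)}]


def run_scenario():
    """Constructed scenario: a normal send, a receiver crash between commit and
    ack, and a message lost in transit; both components then recover."""
    s, r = Sender("A"), Receiver()
    s.send(r, 10)                                  # acked and released normally
    s.send(r, 5, crash_receiver_before_ack=True)   # executed and logged, ack lost
    s.send(r, 7, lost=True)                        # never reached the receiver
    s.recover()                                    # sender crashes and recovers too
    s.resend_unreleased(r)                         # seq 2 deduplicated, seq 3 executed
    s.truncate_log()
    s.recover()                                    # restart from the compacted log
    return {"balance": r.balance, "executed": len(r.log),
            "unreleased": len(s.unreleased), "next_seq": s.next_seq}
```

Running `run_scenario()` yields a balance of 22 from exactly three executions, no unreleased contracts and a next sequence number of 4: the re-sent message 2 is recognised as a duplicate because its id was logged with the state it produced, the lost message 3 is executed once on resend, and the checkpoint written by `truncate_log` preserves the sequence counter so that a recovered sender never reuses an id the receiver has already seen.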