Program Verification for Exception Handling on Active Objects using Futures

Crystal Chang Din 1, Rudolf Schlatte 1, and Tzu-Chun Chen 2

1 Department of Informatics, University of Oslo, Norway
{crystald,rudi}@ifi.uio.no
2 Department of Computer Science, Technische Universität Darmstadt, Germany
tc.chen@dsp.tu-darmstadt.de

Abstract. For implementing correct systems, handling and recovering from exceptional situations is important, but it is challenging to ensure correct interactions among distributed objects that execute concurrently. To explore novel handling constructs for actor-based programming languages, we study ABS, an actor-based concurrent modeling language with an underlying executable formal semantics. This paper introduces multi-party session blocks with recovery handlers for exceptions into ABS. With this novel construct, we verify the correctness of interactions among objects within a session block. Program correctness is ensured by specifying invariants as pre- and post-conditions, called session contracts, for such a block; this is more expressive than the existing class invariant proof system for ABS. We present the extension of ABS with a try-catch-finally construct and class session recovery blocks that handle uncaught exceptions.

1 Introduction

Properly handling and recovering from exceptional situations is an important part of specifying and implementing robust and correct systems, especially for distributed systems, where correctness must take partial failure scenarios into account [21]. Therefore, modeling languages should include means of specifying exceptional situations and how to recover from them. This paper presents a new approach to expressing multi-party exception transmission and recovery for active object languages [5]. We designed the approach for the modeling language ABS [14].

This paper adds standard language constructs to specify, raise and handle exceptional situations, as well as a novel construct, the session block, for reestablishing object invariants after unhandled exceptions.

Existing class invariant-based proof theories for ABS [8] are restricted in expressivity, specifically in the area of upholding guarantees of protocols involving series of message exchanges between multiple participants. The problem is that the semantics of ABS process interleaving and scheduling cannot forbid arbitrary messages from being processed in between the expected ones, so reasoning about such protocols would require whole-program analysis. This paper addresses this problem by introducing the concept of sessions, which temporarily restrict the scheduling behavior to the parts of a model
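The scheduling problem stated above (an unrelated message processed between the steps of a multi-message protocol breaks a guarantee that holds for each step in isolation) can be reproduced with a small cooperative-scheduling model. The following Python program is an added illustration written for this edition; it is not code from the paper, and it is not ABS. It assumes a toy Account active object with a two-step reserve/commit protocol, an unrelated withdraw message, asyncio.sleep(0) as the release point at which other messages may be scheduled, and a recover method loosely modelled on a class-level recovery block that reestablishes the object invariant when an exception escapes a method. The session mechanism here (messages from other clients are deferred while one client holds the object) is a simplification chosen for the example and makes no claim about the semantics of the paper's session blocks.

```python
import asyncio


class ProtocolViolation(Exception):
    """Raised when the object invariant no longer holds at a protocol step."""


class InsufficientFunds(Exception):
    """Ordinary, expected failure of a single message."""


class Account:
    """Toy active object: methods run to completion between release points,
    so state is only interleaved at the `await asyncio.sleep(0)` in `call`."""

    def __init__(self, balance, use_sessions):
        self.balance = balance
        self.reserved = 0            # amount promised to an in-flight commit
        self.use_sessions = use_sessions
        self.session_owner = None    # client currently inside a session, if any
        self.recovered = 0           # how often the recovery handler had to act

    def invariant(self):
        return 0 <= self.reserved <= self.balance

    async def call(self, client, method, *args):
        """Deliver one message; the future's value is the method's result."""
        await asyncio.sleep(0)       # release point: other messages may run here
        if self.use_sessions:
            # Session restriction (assumed, simplified): messages from clients
            # other than the session owner are deferred until the session closes.
            while self.session_owner not in (None, client):
                await asyncio.sleep(0)
        try:
            return method(client, *args)
        except Exception:
            self.recover()           # uncaught in the method: reestablish invariant
            raise                    # then propagate through the future to the caller

    def recover(self):
        """Recovery handler: drop a reservation the object can no longer honour."""
        if not self.invariant():
            self.reserved = 0
            self.recovered += 1

    def reserve(self, client, amount):
        if amount > self.balance - self.reserved:
            raise InsufficientFunds(amount)
        if self.use_sessions:
            self.session_owner = client   # open the session for the protocol
        self.reserved += amount

    def withdraw(self, client, amount):
        # The "arbitrary message": correct on its own, but unaware of reservations.
        if amount > self.balance:
            raise InsufficientFunds(amount)
        self.balance -= amount

    def commit(self, client):
        try:
            if not self.invariant():
                raise ProtocolViolation("reservation exceeds balance")
            self.balance -= self.reserved
            self.reserved = 0
        finally:
            if self.session_owner == client:
                self.session_owner = None  # close the session even on failure


def run(use_sessions):
    """Run client A's reserve/commit protocol against client B's withdraw."""
    async def scenario():
        acc = Account(100, use_sessions)
        log = {}

        async def client_a():
            try:
                await acc.call("A", acc.reserve, 60)
                await acc.call("A", acc.commit)
                log["A"] = "ok"
            except Exception as e:
                log["A"] = type(e).__name__

        async def client_b():
            try:
                await acc.call("B", acc.withdraw, 50)
                log["B"] = "ok"
            except Exception as e:
                log["B"] = type(e).__name__

        await asyncio.gather(client_a(), client_b())
        log.update(balance=acc.balance, invariant=acc.invariant(),
                   recovered=acc.recovered)
        return log

    return asyncio.run(scenario())


if __name__ == "__main__":
    print("without sessions:", run(False))
    print("with sessions:   ", run(True))
```

Without sessions, B's withdraw is scheduled between A's reserve and commit; A's reservation was valid when made, yet commit finds the invariant broken and the recovery handler has to repair the object. With sessions, A's two messages run without interference, and B's withdraw is then rejected by its own precondition, which is the expected single-message failure rather than a protocol violation.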