Specifying and Verifying the Correctness of Dynamic Software Updates

Dynamic software updating (DSU) systems allow running programs to be patched on-the-fly to add features or fix bugs. While dynamic updates can be tricky to write, techniques for establishing their correctness have received little attention. In this paper, we present the first methodology for automatically verifying the correctness of dynamic updates. Programmers express the desired properties of an updated execution using client-oriented specifications (CO-specs), which can describe a wide range of client-visible behaviors. We verify CO-specs automatically by using off-the-shelf tools to analyze a merged program, which is a combination of the old and new versions of a program. We formalize the merging transformation and prove it correct. We have implemented a program merger for C, and applied it to updates for the Redis key-value store and several synthetic programs. Using Thor, a verification tool, we could verify many of the synthetic programs; using Otter, a symbolic executor, we could analyze every program, often in less than a minute. Both tools were able to detect faulty patches and incurred only a factor-of-four slowdown, on average, compared to single version programs.

[1]  Dominic Duggan,et al.  Type-based hot swapping of running modules , 2005, Acta Informatica.

[2]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.

[3]  Nathaniel Charlton,et al.  Formal reasoning about runtime code update , 2011, 2011 IEEE 27th International Conference on Data Engineering Workshops.

[4]  Dominic Duggan Type-based hot swapping of running modules (extended abstract) , 2001, ICFP '01.

[5]  Jeffrey S. Foster,et al.  Efficient systematic testing for dynamically updatable software , 2009, HotSWUp '09.

[6]  Dave Thomas,et al.  ECOOP 2006 - Object-Oriented Programming , 2006 .

[7]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[8]  Bor-Yuh Evan Chang,et al.  Relational inductive shape analysis , 2008, POPL '08.

[9]  Michael Hicks,et al.  Safe and Timely Dynamic Updates for Multi-threaded Programs , 2009, PLDI 2009.

[10]  Gilad Bracha,et al.  Objects as Software Services , 2005 .

[11]  Manuel Oriol,et al.  Practical dynamic software updating for C , 2006, PLDI '06.

[12]  Haibo Chen,et al.  POLUS: A POwerful Live Updating System , 2007, 29th International Conference on Software Engineering (ICSE'07).

[13]  Nancy A. Lynch,et al.  An introduction to input/output automata , 1989 .

[14]  Kathryn S. McKinley,et al.  Dynamic software updates: a VM-centric approach , 2009, PLDI '09.

[15]  Toby Bloom,et al.  Reconfiguration and module replacement in Argus: theory and practice , 1993, Softw. Eng. J..

[16]  Gavin M. Bierman,et al.  UpgradeJ: Incremental Typechecking for Class Upgrades , 2008, ECOOP.

[17]  Alan Burns,et al.  Concurrent programming , 1980, Operating Systems Engineering.

[18]  M. Frans Kaashoek,et al.  Ksplice: automatic rebootless kernel updates , 2009, EuroSys '09.

[19]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[20]  Christopher D. Walton,et al.  Abstract machines for dynamic computation , 2001 .

[21]  Feng Long Practical Dynamic Software Updating for C , 2007 .

[22]  Gerard J. Holzmann,et al.  The SPIN Model Checker - primer and reference manual , 2003 .

[23]  Thomas Wies,et al.  Symbolic shape analysis , 2009 .

[24]  Deepak Gupta,et al.  A Formal Framework for On-line Software Version Change , 1996, IEEE Trans. Software Eng..

[25]  Peter Lee,et al.  THOR: A Tool for Reasoning about Shape and Arithmetic , 2008, CAV.

[26]  Peter W. O'Hearn,et al.  Scalable Shape Analysis for Systems Code , 2008, CAV.

[27]  Adam A. Porter,et al.  Using symbolic evaluation to understand behavior in configurable software systems , 2010, 2010 ACM/IEEE 32nd International Conference on Software Engineering.

[28]  W. Marsden I and J , 2012 .

[29]  Liuba Shrira,et al.  Modular Software Upgrades for Distributed Systems , 2006, ECOOP.

[30]  Deepak Gupta,et al.  On‐line software version change using state transfer between processes , 1993, Softw. Pract. Exp..

[31]  Amr Sabry,et al.  The essence of compiling with continuations , 1993, PLDI '93.

[32]  Jeff Magee,et al.  The Evolving Philosophers Problem: Dynamic Change Management , 1990, IEEE Trans. Software Eng..

[33]  Bertrand Jeannet,et al.  Apron: A Library of Numerical Abstract Domains for Static Analysis , 2009, CAV.

[34]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[35]  Claes Wikström,et al.  Concurrent programming in ERLANG (2nd ed.) , 1996 .

[36]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[37]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[38]  Kathryn S. McKinley,et al.  Dynamic Software Updates for Java : A VM-Centric Approach , 2008 .

[39]  Toby Bloom,et al.  Dynamic module replacement in a distributed programming system , 1983 .

[40]  C. A. R. Hoare,et al.  Communicating sequential processes , 1978, CACM.

[41]  E. Allen Emerson,et al.  Alternative Semantics for Temporal Logics , 1981, Theor. Comput. Sci..

[42]  Peter Lee,et al.  Automatic numeric abstractions for heap-manipulating programs , 2010, POPL '10.

[43]  Michael Hicks,et al.  Evaluating Dynamic Software Update Safety Using Systematic Testing , 2012, IEEE Transactions on Software Engineering.

[44]  Michael Hicks,et al.  Mutatis Mutandis : Safe and predictable dynamic software updating , 2007 .

[45]  George C. Necula,et al.  Shape Analysis with Structural Invariant Checkers , 2007, SAS.

[46]  Rida A. Bazzi,et al.  Immediate Multi-Threaded Dynamic Software Updates Using Stack Reconstruction , 2009, USENIX Annual Technical Conference.

[47]  Viktor Vafeiadis,et al.  Shape-Value Abstraction for Verifying Linearizability , 2008, VMCAI.

[48]  Dinghao Wu,et al.  KISS: keep it simple and sequential , 2004, PLDI '04.

[49]  Michael Hicks,et al.  Dynamic software updating , 2005 .

[50]  E. Allen Emerson,et al.  Temporal and Modal Logic , 1991, Handbook of Theoretical Computer Science, Volume B: Formal Models and Sematics.