Dynamic software updating

Many important applications must run continuously and without interruption, yet must be changed to fix bugs or upgrade functionality. No prior general-purpose methodology for dynamic updating achieves a practical balance between flexibility, robustness, low overhead, and ease of use. We present a new approach for C-like languages that provides type-safe dynamic updating of native code in an extremely flexible manner (code, data, and types may be updated, at programmer-determined times) and permits the use of automated tools to aid the programmer in the updating process. Our system is based on dynamic patches that both contain the updated code and the code needed to transition from the old version to the new. A novel aspect of our patches is that they consist of verifiable native code (e.g. Proof-Carrying Code [17] or Typed Assembly Language [16]), which is native code accompanied by annotations that allow on-line verification of the code's safety. We discuss how patches are generated mostly automatically, how they are applied using dynamic-linking technology, and how code is compiled to make it updateable. To concretely illustrate our system, we have implemented a dynamically-updateable web server, FlashEd. We discuss our experience building and maintaining FlashEd. Performance experiments show that for FlashEd, the overhead due to updating is typically less than 1%.

[1]  Mike Williams,et al.  Concurrent programming in erlang (second edition) , 1996 .

[2]  Dominic Duggan Sharing in Typed Module Assembly Language , 2000, Types in Compilation.

[3]  Toby Bloom,et al.  Reconfiguration and module replacement in Argus: theory and practice , 1993, Softw. Eng. J..

[4]  M. Dmitriev Towards Flexible and Safe Technology for Runtime Evolution of Java Language Applications , 2001 .

[5]  Dan Grossman,et al.  Scalable Certification for Typed Assembly Language , 2000, Types in Compilation.

[6]  Mark A. Linton,et al.  Linking programs incrementally , 1991, TOPL.

[7]  John C. Mitchell A type-inference approach to reduction properties and semantics of polymorphic expressions (summary) , 1986, LFP '86.

[8]  Nacho Navarro,et al.  DITools: Application-level Support for Dynamic Extension and Flexible Composition , 2000, USENIX Annual Technical Conference, General Track.

[9]  Philip Wadler,et al.  A practical subtyping system for Erlang , 1997, ICFP '97.

[10]  Volker Strumpen,et al.  Portable Checkpointing for Heterogenous Architectures , 1997, International Symposium on Fault-Tolerant Computing.

[11]  Oscar Naim,et al.  MDL: a language and compiler for dynamic program instrumentation , 1997, Proceedings 1997 International Conference on Parallel Architectures and Compilation Techniques.

[12]  J. Girard Une Extension De ĽInterpretation De Gödel a ĽAnalyse, Et Son Application a ĽElimination Des Coupures Dans ĽAnalyse Et La Theorie Des Types , 1971 .

[13]  M. Lillibridge Translucent Sums: A Foundation for Higher-Order Module Systems , 1997 .

[14]  Peyman Oreizy Issues in Modeling and Analyzing Dynamic Software Architectures , 1998 .

[15]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[16]  Michael J. Oehler,et al.  HMAC-MD5 IP Authentication with Replay Prevention , 1997, RFC.

[17]  John C. Mitchell,et al.  Higher-order modules and the phase distinction , 1989, POPL '90.

[18]  François Rouaix A Web Navigator with Applets in Caml , 1996, Comput. Networks.

[19]  David B. MacQueen,et al.  The Definition of Standard ML (Revised) , 1997 .

[20]  Karl Crary,et al.  From system F to typed assembly language , 1999, TOPL.

[21]  Peyman Oreizy Issues in the Runtime Modification of Software Architectures , 1997 .

[22]  Jeff Magee,et al.  The Evolving Philosophers Problem: Dynamic Change Management , 1990, IEEE Trans. Software Eng..

[23]  Dawson R. Engler,et al.  Exokernel: an operating system architecture for application-level resource management , 1995, SOSP.

[24]  Drew Dean,et al.  The security of static typing with dynamic linking , 1997, CCS '97.

[25]  Carl A. Gunter,et al.  PLANet: an active internetwork , 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[26]  David E. Culler,et al.  Scalable, distributed data structures for internet service construction , 2000, OSDI.

[27]  Michael Stumm,et al.  Tornado: maximizing locality and concurrency in a shared memory multiprocessor operating system , 1999, OSDI '99.

[28]  Charles Consel,et al.  Tempo: specializing systems applications and beyond , 1998, CSUR.

[29]  Earl T. Barr,et al.  Runtime Support for Type-Safe Dynamic Java Classes , 2000, ECOOP.

[30]  Trevor Jim,et al.  Certifying Compilation and Run-Time Code Generation , 1999, High. Order Symb. Comput..

[31]  Jonathan M. Smith,et al.  Alien: a generalized computing model of active networks , 1998 .

[32]  George C. Necula,et al.  A certifying compiler for Java , 2000, PLDI '00.

[33]  John R. Levine Linkers and Loaders , 1999 .

[34]  John H. Reppy,et al.  Concurrent programming in ML , 1999 .

[35]  Joe L. Armstrong The development of Erlang , 1997, ICFP '97.

[36]  Jonathan M. Smith,et al.  EROS: a fast capability system , 1999, SOSP.

[37]  Eddie Kohler,et al.  The Click modular router , 1999, SOSP.

[38]  Angelos D. Keromytis,et al.  Scalable Resource Control in Active Networks , 2000, IWAN.

[39]  Jean D. Gibbons,et al.  Concepts of Nonparametric Theory , 1981 .

[40]  Brian N. Bershad,et al.  Safe Dynamic Linking in an Extensible Operating System , 1999 .

[41]  Dexter Kozen,et al.  Low-Level Type Systems for Modularity and Object-Oriented Constructs , 1999 .

[42]  Sushil da Silva,et al.  TOWARDS PROGRAMMABLE NETWORKS , 1996 .

[43]  B. Ramkumar,et al.  Portable checkpointing for heterogeneous architectures , 1997, Proceedings of IEEE 27th International Symposium on Fault Tolerant Computing.

[44]  Paul Hudak,et al.  Principled Dynamic Code Improvement , 1997 .

[45]  Matthias Felleisen,et al.  Units: cool modules for HOT languages , 1998, PLDI.

[46]  Ronald A. Olsson,et al.  An approach to genuine dynamic linking , 1991, Softw. Pract. Exp..

[47]  Michael Franz Dynamic Linking of Software Components , 1997, Computer.

[48]  Carl A. Gunter,et al.  PLAN: a packet language for active networks , 1998, ICFP '98.

[49]  Ophir Frieder,et al.  On-the-fly program modification: systems for dynamic updating , 1993, IEEE Software.

[50]  Ken Arnold,et al.  The Java Programming Language , 1996 .

[51]  Xavier Leroy,et al.  Manifest types, modules, and separate compilation , 1994, POPL '94.

[52]  Luca Cardelli,et al.  Program fragments, linking, and modularization , 1997, POPL '97.

[53]  Paul Mackerras,et al.  The rsync algorithm , 1996 .

[54]  Robert Harper,et al.  Compiling polymorphism using intensional type analysis , 1995, POPL '95.

[55]  J. Gregory Morrisett,et al.  Type-safe linking and modular assembly language , 1999, POPL '99.

[56]  Brian Neil Levine,et al.  Cheat-proof playout for centralized and distributed online games , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[57]  Toby Bloom,et al.  Dynamic module replacement in a distributed programming system , 1983 .

[58]  Seung-Soon Im,et al.  Tool interface standard (TIS) executable and linking format (ELF) specification , 1995 .

[59]  I. Lee,et al.  DYMOS: a dynamic modification system , 1983, SIGSOFT '83.

[60]  David Mosberger,et al.  httperf—a tool for measuring web server performance , 1998, PERV.

[61]  Dilma Da Silva,et al.  System Support for Online Reconfiguration , 2003, USENIX Annual Technical Conference, General Track.

[62]  Kai Li,et al.  Libckpt: Transparent Checkpointing under UNIX , 1995, USENIX.

[63]  Jonathan M. Smith,et al.  A survey of process migration mechanisms , 1988, OPSR.

[64]  Angelos D. Keromytis,et al.  A secure PLAN , 1999, IEEE Trans. Syst. Man Cybern. Part C.

[65]  Insup Lee,et al.  DYMOS: a dynamic modification system , 1983 .

[66]  John C. Reynolds,et al.  Design of the programming language FORSYTHE , 1997 .

[67]  Liuba Shrira,et al.  Lazy modular upgrades in persistent object stores , 2003, OOPSLA '03.

[68]  Robert Harper,et al.  Semantics of memory management for polymorphic languages , 1999 .

[69]  Benjamin C. Pierce,et al.  Simple type-theoretic foundations for object-oriented programming , 1994, Journal of Functional Programming.

[70]  Martín Abadi,et al.  Dynamic typing in polymorphic languages , 1995, Journal of Functional Programming.

[71]  Joe Armstrong,et al.  Concurrent programming in ERLANG , 1993 .

[72]  Ravi Sethi,et al.  Adding New Code to a Running C++ Program , 1990, C++ Conference.

[73]  Deepak Gupta,et al.  On‐line software version change using state transfer between processes , 1993, Softw. Pract. Exp..

[74]  Ophir Frieder,et al.  On dynamically updating a computer program: From concept to prototype , 1991, J. Syst. Softw..

[75]  Moshe Bar,et al.  Open Source Development with CVS , 1999 .

[76]  M. S. Day REPLICATION AND RECONFIGURATION IN A DISTRIBUTED MAIL REPOSITORY , 1987 .

[77]  Deepak Gupta,et al.  A Formal Framework for On-line Software Version Change , 1996, IEEE Trans. Software Eng..

[78]  Jeffrey K. Hollingsworth,et al.  An API for Runtime Code Patching , 2000, Int. J. High Perform. Comput. Appl..

[79]  Jeff Magee,et al.  Dynamic Configuration for Distributed Systems , 1985, IEEE Transactions on Software Engineering.

[80]  William H. Sanders,et al.  On low-cost error containment and recovery methods for guarded software upgrading , 2000, Proceedings 20th IEEE International Conference on Distributed Computing Systems.

[81]  Dan Grossman,et al.  TALx86: A Realistic Typed Assembly Language∗ , 1999 .

[82]  John C. Mitchell,et al.  Abstract types have existential type , 1988, TOPL.

[83]  Morris Sloman,et al.  Constructing Distributed Systems in Conic , 1989, IEEE Trans. Software Eng..

[84]  S. Nettles,et al.  Implementing orthogonal persistence: a simple optimization using replicating collection , 1993, Proceedings Third International Workshop on Object Orientation in Operating Systems.

[85]  Hans-Juergen Boehm,et al.  Garbage collection in an uncooperative environment , 1988, Softw. Pract. Exp..

[86]  David Garlan,et al.  A structural approach to the maintenance of structure-oriented environments , 1987, SDE 2.

[87]  John C. Reynolds,et al.  Towards a theory of type structure , 1974, Symposium on Programming.

[88]  Scott Nettles,et al.  Concurrent replicating garbage collection , 1994, LFP '94.

[89]  Robert Gray,et al.  Dynamic C++ Classes - A Lightweight Mechanism to Update Code in a Running Program , 1998, USENIX Annual Technical Conference.

[90]  Deepak Gupta,et al.  On Line Software Version Change , 1994 .

[91]  G.J. Minden,et al.  A survey of active network research , 1997, IEEE Communications Magazine.

[92]  Kenneth L. Calvert,et al.  Bowman and CANEs: Implementation of an Active Network , 1999 .

[93]  Karl Crary,et al.  Safe and Flexible Dynamic Linking of Native Code , 2000, Types in Compilation.

[94]  Peter Sewell Modules, abstract types, and distributed versioning , 2001, POPL '01.

[95]  Willy Zwaenepoel,et al.  Flash: An efficient and portable Web server , 1999, USENIX Annual Technical Conference, General Track.

[96]  Bogumil Hausman Turbo Erlang: Approaching the Speed of C , 1993, ICLP-Workshops on Implementation of Logic Programming Systems.

[97]  Karl Crary,et al.  Intensional polymorphism in type-erasure semantics , 1998, ICFP '98.

[98]  William H. Sanders,et al.  On-board guarded software upgrading for space missions , 1999, Gateway to the New Millennium. 18th Digital Avionics Systems Conference. Proceedings (Cat. No.99CH37033).

[99]  Stephen Gilmore,et al.  Dynamic ML without dynamic types , 1997 .

[100]  Michael Hicks,et al.  A Calculus for Dynamic Loading , 2001 .

[101]  Benjamin C. Pierce,et al.  What is a file synchronizer? , 1998, MobiCom '98.

[102]  Peter Sewell,et al.  Formalizing Dynamic Software Updating , 2003 .

[103]  David Walker,et al.  Alias Types for Recursive Data Structures , 2000, Types in Compilation.

[104]  Stephen Gilmore,et al.  An abstract machine for module replacement , 1998 .

[105]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[106]  Robert Harper,et al.  Typed closure conversion , 1996, POPL '96.

[107]  James S. Plank,et al.  An Overview of Checkpointing in Uniprocessor and DistributedSystems, Focusing on Implementation and Performance , 1997 .

[108]  Brian N. Bershad,et al.  Extensibility safety and performance in the SPIN operating system , 1995, SOSP.

[109]  Robert P. Cook,et al.  *MOD—A Language for Distributed Programming , 1980, IEEE Transactions on Software Engineering.

[110]  Vivek S. Pai,et al.  Flash : An e cient and portable Web server , 1999 .

[111]  Scott Nettles,et al.  Active Networking Means Evolution (or Enhanced Extensibility Required) , 2000, IWAN.

[112]  Mark Lillibridge,et al.  A type-theoretic approach to higher-order modules with sharing , 1994, POPL '94.

[113]  Damien Doligez,et al.  The Objective Caml system release 2.04 , 2002 .

[114]  Manuel Fähndrich,et al.  Extensions to Standard ML to Support Transactions , 1992 .

[115]  Robert Harper,et al.  A Simplified Account of Polymorphic References , 1994, Inf. Process. Lett..

[116]  John V. Guttag,et al.  ANTS: a toolkit for building and dynamically deploying network protocols , 1998, 1998 IEEE Open Architectures and Network Programming.

[117]  Frank Yellin,et al.  The Java Virtual Machine Specification , 1996 .

[118]  Emin Gün Sirer,et al.  Design and implementation of a distributed virtual machine for networked computers , 1999, SOSP.