Mutatis mutandis safe and predictable dynamic software updating

21 Jul

In this paper we identify requirements needed to provide a dynamically updatable operating system, describe our implementation, and present our experiences in designing and using the dynamic update mechanism.

We also discuss its applicability to other operating systems.

Programs are written in an imperative language with type aliases, global variables and functions, then translated to an annotated form where type casts from more abstract (more levels of type aliases) and more concrete (less levels) are explicit in code.

doi: 10.1145/1255450.1255455 Abstract: This article presents a formal system for modelling dynamic upgrading of single-threaded programs.

(2012) Dynamic Software Update for Message Passing Programs. In particular, we prove safety and liveness properties for well-typed programs by identifying suitable restrictions on the runtime points at which dynamic updates may occur.

In this paper we provide a Global Session Type analysis for queued channel message passing programs whose code may be updated during runtime (Dynamic Software Update).

mutatis mutandis safe and predictable dynamic software updating-33mutatis mutandis safe and predictable dynamic software updating-39

However, little attention has been paid to the correctness of the dynamic updating at the behavior level, e.g., if systems after being updated behave as expected, and if unexpected behaviors can never occur.These systems are commonly tested on real-world programs.Current operating systems and programming languages are typically not designed with DSU in mind. In the seminar, I plan to present an overview of the whole system, then translation into the annotated form, then operational semantics and the update process. When updating the application, the annotations make it easy to verify if an update is safe -- if the update changes type t, then t should not be used concretely in the remaining stack.As computing infrastructure becomes more widespread, there has been an increasing number of patches for functionality, performance, and security reasons.To take effect, these patches traditionally require either restarting system services, or often rebooting the machine. Sometimes this downtime can be scheduled, if for example the patch adds a feature, improves performance, etc.Essential for some applications and convenient for others, low-level dynamic updating has been used for many years.Perhaps surprisingly, there is little high-level understanding or language support to help programmers write dynamic updates effectively.Finally, Proteus's novel and efficient static updatability analysis allows a programmer to automatically prove that an update is independent of the on-line program state, and thus guarantee that it will succeed at runtime.Proteus admits a straightforward implementation, and we sketch how it could be extended to more advanced language features including threads.