Evaluating Dynamic Software Update Safety Using Systematic Testing

Hayden, Christopher M.; Smith, E. K. M.; Hardisty, Eric A.; Hicks, Michael; Foster, Jeffrey S.

doi:10.1109/tse.2011.101

Cited by 29 publications

(47 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To automatically quiesce a program in a stable and reproducible configuration, MCR requires instrumenting perthread quiescent points that specify safe locations to block long-lived threads-avoiding synchronization and updatesafety issues [29]-and yield short call stacks with minimal stack-resident state-avoiding pervasive stack instrumentation to trace stack-allocated data structures, a nontrivial source of overhead in prior solutions [38]. To fulfill both requirements, MCR selects blocking calls (e.g., accept) found at the top of long-running thread loops as ideal quiescent point candidates, similar to analogous update point-based strategies adopted in prior work in the area [30,41,42].…”

Section: Quiescence Detectionmentioning

confidence: 99%

“…Quiescence detection algorithms proposed in prior work operate at the level of individual functions [7,10,22,25] or generic events [12,13,23,41,42,45]. The former approach is known for its weak consistency guarantees [23,29] and typically relies on passive stack inspection [7,10,22,25] that cannot guarantee convergence in bounded time [38,39]. The latter approach relies on either update-friendly system design [12,23,45]-rarely an option for existing C programs-or explicit per-thread update points [30,38,41,42]-typically annotated at the top of longrunning loops.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Mutable checkpoint-restart

Giuffrida

Iorgulescu

Tanenbaum

2014

Proceedings of the 15th International Middleware Conference on - Middleware '14

View full text Add to dashboard Cite

The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage live update adoption.This paper presents Mutable Checkpoint-Restart (MCR), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs (Apache httpd, nginx, OpenSSH and vsftpd ) confirm that our techniques can effectively automate problems previously deemed difficult at the cost of negligible run-time performance overhead (2% on average) and moderate memory overhead (3.9x on average).

show abstract

Section: Quiescence Detectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Mutable checkpoint-restart

Giuffrida

Iorgulescu

Tanenbaum

2014

Proceedings of the 15th International Middleware Conference on - Middleware '14

View full text Add to dashboard Cite

show abstract

“…While this delay makes sense, it is not sufficient to avoid trouble. Hayden et al [7] studied several years' worth of changes to three server programs and found that dynamic updates derived from actual releases sometimes fail even while adhering to this "activeness" restriction. Other work [8] suggests that simply asking programmers to specify a few program points (dubbed update points) at which updates are permitted makes the system easier to reason about.…”

Section: Dynamic Software Updatingmentioning

confidence: 99%

Automating object transformations for dynamic software updating

Magill¹,

Hicks

Subramanian

et al. 2012

SIGPLAN Not.

Self Cite

View full text Add to dashboard Cite

Dynamic software updating (DSU) systems eliminate costly downtime by dynamically fixing bugs and adding features to executing programs. Given a static code patch, most DSU systems construct runtime code changes automatically. However, a dynamic update must also specify how to change the running program's execution state, e.g., the stack and heap, to make it compatible with the new code. Constructing such state transformations correctly and automatically remains an open problem. This paper presents a solution called Targeted Object Synthesis (TOS). TOS first executes the same tests on the old and new program versions separately, observing the program heap state at a few corresponding points. Given two corresponding heap states, TOS matches objects in the two versions using key fields that uniquely identify objects and correlate old and new-version objects. Given example object pairs, TOS then synthesizes the simplest-possible function that transforms an old-version object to its new-version counterpart. We show that TOS is effective on updates to four open-source server programs for which it generates non-trivial transformation functions that use conditionals, operate on collections, and fix memory leaks. These transformations help programmers understand their changes and apply dynamic software updates.

show abstract

“…This section formalizes a semantics for dynamic updates to single-threaded programs, then defines the merging transformation and proves it correct with respect to the semantics. Many server programs for which dynamic updating is useful are single-threaded [12,18,11]. However, an important next step for this work would be to adapt it to support updates to multi-threaded (and distributed) programs.…”

Section: Verification Via Program Mergingmentioning

confidence: 99%

“…For instance, Hayden et al observed that OpenSSH's test suite only grew between versions-all of the old tests continued to hold as time went on [11]. This makes intuitive sense: many updates simply add new features, leaving the old features (and properties about them) unchanged, or refactor the program to improve non-functional aspects such as performance.…”

Section: A1 Backward Compatible Co-specsmentioning

confidence: 99%

Specifying and Verifying the Correctness of Dynamic Software Updates

Hayden¹,

Magill²,

Hicks³

et al. 2011

Self Cite

View full text Add to dashboard Cite

Abstract. Dynamic software updating (DSU) systems allow running programs to be patched on-the-fly to add features or fix bugs. While dynamic updates can be tricky to write, techniques for establishing their correctness have received little attention. In this paper, we present the first methodology for automatically verifying the correctness of dynamic updates. Programmers express the desired properties of an updated execution using client-oriented specifications (CO-specs), which can describe a wide range of client-visible behaviors. We verify CO-specs automatically by using off-the-shelf tools to analyze a merged program, which is a combination of the old and new versions of a program. We formalize the merging transformation and prove it correct. We have implemented a program merger for C, and applied it to updates for the Redis key-value store and several synthetic programs. Using Thor, a verification tool, we could verify many of the synthetic programs; using Otter, a symbolic executor, we could analyze every program, often in less than a minute. Both tools were able to detect faulty patches and incurred only a factor-of-four slowdown, on average, compared to single version programs.

show abstract

Evaluating Dynamic Software Update Safety Using Systematic Testing

Cited by 29 publications

References 19 publications

Mutable checkpoint-restart

Mutable checkpoint-restart

Automating object transformations for dynamic software updating

Specifying and Verifying the Correctness of Dynamic Software Updates

Contact Info

Product

Resources

About