Abstract: Dynamic software updating (DSU) systems patch programs on the fly without incurring downtime. To avoid failures due to the updating process itself, many DSU systems employ timing restrictions. However, timing restrictions are theoretically imperfect, and their practical effectiveness is an open question. This paper presents the first significant empirical evaluation of three popular timing restrictions: activeness safety (AS), which prevents updates to active functions; con-freeness safety (CFS), which only allo…
“…To automatically quiesce a program in a stable and reproducible configuration, MCR requires instrumenting per-thread quiescent points that specify safe locations to block long-lived threads (avoiding synchronization and update-safety issues [29]) and yield short call stacks with minimal stack-resident state (avoiding pervasive stack instrumentation to trace stack-allocated data structures, a nontrivial source of overhead in prior solutions [38]). To fulfill both requirements, MCR selects blocking calls (e.g., accept) found at the top of long-running thread loops as ideal quiescent point candidates, similar to analogous update point-based strategies adopted in prior work in the area [30,41,42].…”
Section: Quiescence Detection (mentioning, confidence: 99%)
“…Quiescence detection algorithms proposed in prior work operate at the level of individual functions [7,10,22,25] or generic events [12,13,23,41,42,45]. The former approach is known for its weak consistency guarantees [23,29] and typically relies on passive stack inspection [7,10,22,25] that cannot guarantee convergence in bounded time [38,39]. The latter approach relies on either update-friendly system design [12,23,45] (rarely an option for existing C programs) or explicit per-thread update points [30,38,41,42] (typically annotated at the top of long-running loops).…”
The pressing demand to deploy software updates without stopping running programs has fostered much research on live update systems in the past decades. Prior solutions, however, either make strong assumptions on the nature of the update or require extensive and error-prone manual effort, factors which discourage live update adoption. This paper presents Mutable Checkpoint-Restart (MCR), a new live update solution for generic (multiprocess and multithreaded) server programs written in C. Compared to prior solutions, MCR can support arbitrary software updates and automate most of the common live update operations. The key idea is to allow the new version to restart as similarly to a fresh program initialization as possible, relying on existing code paths to automatically restore the old program threads and reinitialize a relevant portion of the program data structures. To transfer the remaining data structures, MCR relies on a combination of precise and conservative garbage collection techniques to trace all the global pointers and apply the required state transformations on the fly. Experimental results on popular server programs (Apache httpd, nginx, OpenSSH and vsftpd) confirm that our techniques can effectively automate problems previously deemed difficult at the cost of negligible run-time performance overhead (2% on average) and moderate memory overhead (3.9x on average).
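The quiescence strategy the two statements above describe, as an added example that is not MCR's code: each worker consults a per-thread update point at the top of its long-running loop (where the real worker would block in accept()), and the updater swaps in the new handler only once every worker is parked there, so no handler frame is live on any stack. Worker scheduling is simulated deterministically with a round-robin loop so the block runs without pthreads; the worker count, the request lengths and the two handler versions are constructed for the demo. The third scenario shows the convergence caveat the citing paper raises: a worker that never returns to its loop top (a very long request, or a long-lived connection handled inside the loop body) keeps the update from ever being applied, which is why MCR picks the blocking call at the top of long-lived threads' loops as the quiescent point rather than an arbitrary function boundary.

```c
/* Added example, not MCR's code: per-thread update points at the top of a
 * long-running worker loop plus a quiescence detector that swaps in the new
 * handler only once every worker is parked.  Worker scheduling is simulated
 * deterministically (round robin), so the block runs without pthreads; the
 * request lengths and worker count below are constructed for the demo. */
#include <string.h>

#define NWORKERS 3

/* The two handler versions; the live update replaces handle_v1 by handle_v2. */
static int handle_v1(int req) { return req * 2; }
static int handle_v2(int req) { return req * 2 + 1; }

typedef struct {
    int parked;      /* blocked at the quiescent point (the accept() call) */
    int steps_left;  /* scheduler steps left in the request being handled */
    int handled;     /* requests completed by this worker */
} worker_t;

typedef struct {
    worker_t w[NWORKERS];
    int (*handle)(int);  /* current handler, swapped at update time */
    int update_pending;  /* set by live_update(), cleared once applied */
} server_t;

static void server_init(server_t *s, const int steps_left[NWORKERS]) {
    memset(s, 0, sizeof *s);
    s->handle = handle_v1;
    for (int i = 0; i < NWORKERS; i++)
        s->w[i].steps_left = steps_left[i];  /* workers may start mid-request */
}

/* Quiescent point at the top of the worker loop, where a real worker would
 * block in accept(): with an update pending the worker parks here with no
 * request-handling frames on its stack.  Returns 1 while parked. */
static int update_point(const server_t *s, worker_t *w) {
    w->parked = s->update_pending;
    return w->parked;
}

static int all_quiescent(const server_t *s) {
    for (int i = 0; i < NWORKERS; i++)
        if (!s->w[i].parked) return 0;
    return 1;
}

/* One scheduler step of worker i: keep handling the current request, or at
 * the loop top consult the update point before accepting the next one. */
static void worker_step(server_t *s, int i, int next_request_steps) {
    worker_t *w = &s->w[i];
    if (w->steps_left > 0) {             /* still inside handle_request() */
        if (--w->steps_left == 0) w->handled++;
        return;
    }
    if (update_point(s, w)) return;      /* parked until the update is applied */
    w->steps_left = next_request_steps;  /* accept() returned a new request */
}

/* Request an update, schedule workers until all are parked, then apply it.
 * Returns the scheduler steps needed, or -1 if max_steps is exceeded: a
 * worker that never returns to its loop top blocks quiescence forever. */
static int live_update(server_t *s, int request_steps, int max_steps) {
    s->update_pending = 1;
    for (int step = 0; step < max_steps; step++) {
        if (all_quiescent(s)) {
            s->handle = handle_v2;       /* no handler frame is live anywhere */
            s->update_pending = 0;
            return step;
        }
        worker_step(s, step % NWORKERS, request_steps);
    }
    return -1;
}

/* Demo 1: workers 0 and 2 start mid-request; returns steps until quiescence. */
static int demo_steps_to_quiesce(void) {
    server_t s;
    const int start[NWORKERS] = {2, 0, 3};
    server_init(&s, start);
    return live_update(&s, 4, 1000);
}

/* Demo 2: after the update, a request is served by the new handler. */
static int demo_response_after_update(int req) {
    server_t s;
    const int start[NWORKERS] = {2, 0, 3};
    server_init(&s, start);
    live_update(&s, 4, 1000);
    return s.handle(req);
}

/* Demo 3: worker 2 sits in a very long request and never reaches the loop
 * top within the step budget, so the update cannot be applied (-1). */
static int demo_stuck_worker(void) {
    server_t s;
    const int start[NWORKERS] = {2, 0, 1000000};
    server_init(&s, start);
    return live_update(&s, 4, 100);
}
```

Because the update point sits before accept() rather than after it, a worker that has already returned to the loop top parks without taking on new work, so quiescence is reached as soon as every in-flight request finishes; with the constructed starting state that takes 12 scheduler steps, and no request is ever served by a mix of the two handler versions.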
“…While this delay makes sense, it is not sufficient to avoid trouble. Hayden et al. [7] studied several years' worth of changes to three server programs and found that dynamic updates derived from actual releases sometimes fail even while adhering to this "activeness" restriction. Other work [8] suggests that simply asking programmers to specify a few program points (dubbed update points) at which updates are permitted makes the system easier to reason about.…”
Dynamic software updating (DSU) systems eliminate costly downtime by dynamically fixing bugs and adding features to executing programs. Given a static code patch, most DSU systems construct runtime code changes automatically. However, a dynamic update must also specify how to change the running program's execution state, e.g., the stack and heap, to make it compatible with the new code. Constructing such state transformations correctly and automatically remains an open problem. This paper presents a solution called Targeted Object Synthesis (TOS). TOS first executes the same tests on the old and new program versions separately, observing the program heap state at a few corresponding points. Given two corresponding heap states, TOS matches objects in the two versions using key fields that uniquely identify objects and correlate old and new-version objects. Given example object pairs, TOS then synthesizes the simplest-possible function that transforms an old-version object to its new-version counterpart. We show that TOS is effective on updates to four open-source server programs for which it generates non-trivial transformation functions that use conditionals, operate on collections, and fix memory leaks. These transformations help programmers understand their changes and apply dynamic software updates.
“…This section formalizes a semantics for dynamic updates to single-threaded programs, then defines the merging transformation and proves it correct with respect to the semantics. Many server programs for which dynamic updating is useful are single-threaded [12,18,11]. However, an important next step for this work would be to adapt it to support updates to multi-threaded (and distributed) programs.…”
Section: Verification Via Program Merging (mentioning, confidence: 99%)
“…For instance, Hayden et al. observed that OpenSSH's test suite only grew between versions: all of the old tests continued to hold as time went on [11]. This makes intuitive sense: many updates simply add new features, leaving the old features (and properties about them) unchanged, or refactor the program to improve non-functional aspects such as performance.…”
Abstract. Dynamic software updating (DSU) systems allow running programs to be patched on-the-fly to add features or fix bugs. While dynamic updates can be tricky to write, techniques for establishing their correctness have received little attention. In this paper, we present the first methodology for automatically verifying the correctness of dynamic updates. Programmers express the desired properties of an updated execution using client-oriented specifications (CO-specs), which can describe a wide range of client-visible behaviors. We verify CO-specs automatically by using off-the-shelf tools to analyze a merged program, which is a combination of the old and new versions of a program. We formalize the merging transformation and prove it correct. We have implemented a program merger for C, and applied it to updates for the Redis key-value store and several synthetic programs. Using Thor, a verification tool, we could verify many of the synthetic programs; using Otter, a symbolic executor, we could analyze every program, often in less than a minute. Both tools were able to detect faulty patches and incurred only a factor-of-four slowdown, on average, compared to single version programs.
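The two problems discussed in this section, getting the state transformation right (the TOS abstract above) and checking an update against a client-visible specification by merging old and new versions (the verification abstract directly above), as one added example that is neither paper's code and not the Redis code the merger was applied to. The old version of a tiny key-value store keeps plain key/value slots; the new version adds a time-to-live field whose encoding the transformer must respect. The merged execution fixes the update at script position p, runs the old version before it, the transformer at it and the new version after it; the client-oriented specification asserts that every GET answers exactly as a never-updated old version would. Quantifying over every update point, the correct transformer passes, while a transformer that leaves the new field zero-initialised (so migrated keys read as expired) is caught at exactly the update points that fall between a SET and its GET. The store, the client script and both transformers are constructed for the demo.

```c
/* Added example, not the paper's merger or the Redis code it was applied to:
 * a merged program that can switch from the old to the new version of a tiny
 * key-value store at any point of a client script, and a client-oriented
 * specification checked across every such update point.  The store, the
 * script and both state transformers are constructed for the demo. */
#include <string.h>

#define MAXKEYS 8
#define KEYLEN 8

/* Old version: plain key/value slots. */
typedef struct { char key[KEYLEN]; int value; int used; } slot_v1;
typedef struct { slot_v1 s[MAXKEYS]; } store_v1;

/* New version adds a time-to-live: ttl < 0 means "never expires" and
 * ttl == 0 means "expired", so an expired slot is invisible to GET. */
typedef struct { char key[KEYLEN]; int value; int used; int ttl; } slot_v2;
typedef struct { slot_v2 s[MAXKEYS]; } store_v2;

static int v1_find(const store_v1 *st, const char *k) {
    for (int i = 0; i < MAXKEYS; i++)
        if (st->s[i].used && strcmp(st->s[i].key, k) == 0) return i;
    return -1;
}
static int v2_find(const store_v2 *st, const char *k) {
    for (int i = 0; i < MAXKEYS; i++)
        if (st->s[i].used && st->s[i].ttl != 0 && strcmp(st->s[i].key, k) == 0)
            return i;
    return -1;
}
static void v1_set(store_v1 *st, const char *k, int v) {
    int i = v1_find(st, k);
    if (i < 0) for (i = 0; i < MAXKEYS && st->s[i].used; i++) ;
    if (i == MAXKEYS) return;                  /* full; the demo never fills it */
    strncpy(st->s[i].key, k, KEYLEN - 1); st->s[i].key[KEYLEN - 1] = '\0';
    st->s[i].value = v; st->s[i].used = 1;
}
static void v2_set(store_v2 *st, const char *k, int v) {
    int i = v2_find(st, k);                    /* expired slots are not reused */
    if (i < 0) for (i = 0; i < MAXKEYS && st->s[i].used; i++) ;
    if (i == MAXKEYS) return;
    strncpy(st->s[i].key, k, KEYLEN - 1); st->s[i].key[KEYLEN - 1] = '\0';
    st->s[i].value = v; st->s[i].used = 1; st->s[i].ttl = -1;
}
static int v1_get(const store_v1 *st, const char *k, int *out) {
    int i = v1_find(st, k);
    if (i >= 0) *out = st->s[i].value;
    return i >= 0;
}
static int v2_get(const store_v2 *st, const char *k, int *out) {
    int i = v2_find(st, k);
    if (i >= 0) *out = st->s[i].value;
    return i >= 0;
}

/* State transformers run at the update point.  The buggy one leaves ttl at
 * zero, so every migrated key reads as expired in the new version. */
typedef void (*xform_fn)(const store_v1 *, store_v2 *);
static void migrate(const store_v1 *o, store_v2 *n, int ttl) {
    memset(n, 0, sizeof *n);
    for (int i = 0; i < MAXKEYS; i++) {
        if (!o->s[i].used) continue;
        memcpy(n->s[i].key, o->s[i].key, KEYLEN);
        n->s[i].value = o->s[i].value; n->s[i].used = 1; n->s[i].ttl = ttl;
    }
}
static void xform_correct(const store_v1 *o, store_v2 *n) { migrate(o, n, -1); }
static void xform_buggy(const store_v1 *o, store_v2 *n)   { migrate(o, n, 0); }

typedef struct { char op; const char *key; int val; } client_op;  /* 'S'et / 'G'et */

/* Merged execution with the update fixed at script position p: ops before p
 * run on the old version, the transformer runs, the rest run on the new one.
 * CO-spec: every GET must answer exactly as a never-updated old version does.
 * Returns the number of GETs that violate it. */
static int merged_violations(const client_op *ops, int n, int p, xform_fn xf) {
    store_v1 ref, old_st; store_v2 new_st;
    memset(&ref, 0, sizeof ref); memset(&old_st, 0, sizeof old_st);
    memset(&new_st, 0, sizeof new_st);
    int updated = 0, bad = 0;
    for (int i = 0; i < n; i++) {
        if (i == p) { xf(&old_st, &new_st); updated = 1; }
        if (ops[i].op == 'S') {
            v1_set(&ref, ops[i].key, ops[i].val);
            if (updated) v2_set(&new_st, ops[i].key, ops[i].val);
            else         v1_set(&old_st, ops[i].key, ops[i].val);
            continue;
        }
        int want = 0, got = 0;
        int want_ok = v1_get(&ref, ops[i].key, &want);
        int got_ok  = updated ? v2_get(&new_st, ops[i].key, &got)
                              : v1_get(&old_st, ops[i].key, &got);
        if (want_ok != got_ok || (want_ok && want != got)) bad++;
    }
    return bad;
}

/* The verifier's job: quantify over all update points (p == n: no update). */
static int check_all_update_points(const client_op *ops, int n, xform_fn xf) {
    int bad = 0;
    for (int p = 0; p <= n; p++) bad += merged_violations(ops, n, p, xf);
    return bad;
}

/* Constructed client script. */
static const client_op script[] = {
    {'S', "user", 1}, {'G', "user", 0}, {'S', "quota", 5}, {'G', "quota", 0},
    {'S', "user", 2}, {'G', "user", 0}, {'G', "missing", 0},
};
#define NOPS ((int)(sizeof script / sizeof script[0]))

static int demo_correct_patch(void) { return check_all_update_points(script, NOPS, xform_correct); }
static int demo_buggy_patch(void)   { return check_all_update_points(script, NOPS, xform_buggy); }
```

Enumerating p by hand is what a symbolic executor such as the one named above does automatically over a nondeterministic update flag; the point of the merged program is that the old and new versions, the transformer and the specification all live in one ordinary C program that off-the-shelf tools can analyse. With the constructed script the buggy transformer produces three violations in total, one each at the update points 1, 3 and 5, and none at update points where every migrated key is overwritten before it is read again.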