Software updates typically require stopping and restarting an application, but many systems cannot afford to halt service, or would prefer not to. Dynamic software updating (DSU) addresses this difficulty by permitting programs to be updated while they run. DSU is appealing compared to other approaches for on-line upgrades because it is quite general and requires no redundant hardware. The challenge is in making DSU practical: it should be flexible, and yet safe, efficient, and easy to use.In this paper, we present Ginseng, a DSU implementation for C that aims to meet this challenge. We compile programs specially so that they can be dynamically patched, and generate most of a dynamic patch automatically. Ginseng performs a series of analyses that when combined with some simple runtime support ensure that an update will not violate type-safety while guaranteeing that data is kept up-to-date. We have used Ginseng to construct and dynamically apply patches to three substantial open-source server programs---Very Secure FTP daemon, OpenSSH sshd daemon, and GNU Zebra. In total, we dynamically patched each program with three years' worth of releases. Though the programs changed substantially, the majority of updates were easy to generate. Performance experiments show that all patches could be applied in less than 5 ms, and that the overhead on application throughput due to updating support ranged from 0 to at most 32%.
This thesis addresses the problem of evolving software through a sequence of releases without halting execution, a process referred to as Dynamic Software Updating (DSU). It looks at the theoretical foundations, develops an applied theory, and shows how this can be used to automatically transform programs into upgradable ones that come with guarantees of updatability. In contrast to many previous approaches, our semantics are developed at the language level, allowing for on-line evolution to match source-code evolution.
The first part of the thesis takes a foundational approach, developing a core theory of dynamic rebinding. The theory looks afresh at the reduction semantics of the callby- value (CBV) λ-calculus, delaying instantiations so that computations always use the most recently rebound version of a definition. We introduce the redex-time and destructtime strategies that differ in how long they delay instantiations. The computational consistency of these calculi are confirmed by showing that their contextual equivalence relations agree with that of classical CBV.
The second part of the thesis presents Proteus, a core calculus for dynamic software updating in C-like languages that is flexible, safe, and predictable. Proteus supports dynamic updates to functions (even active ones), to named types, and to data. First it is shown how an a posteriori notion of abstraction can lead to a very general typedirected mechanism for DSU whose safety can be assured dynamically, and second that this dynamic check has a good static approximation. The latter is shown by constructing a novel capability-based type system that is proved sound with respect to a reduction semantics. The final chapter reports on a prototype implementation of the theory for the C programming language.