This dissertation makes the case that programs can be updated while they run, with modest programmer effort, while providing certain update safety guarantees, and without imposing a significant performance overhead. Few systems are designed with on-the-fly updating in mind. Those systems that permit it support only a very limited class of updates, and generally provide no guarantees that following the update, the system will behave as intended. We tackle the on-the-fly updating problem using a compiler-based approach called dynamic software updating (DSU), in which a program is patched with new code and data while it runs. The challenge is in making DSU practical: it should support changes to programs as they occur in practice, yet be safe, easy to use, and not impose a large overhead. This dissertation makes both theoretical contributions—formalisms for reasoning about, and ensuring update safety—and practical contributions—Ginseng, a DSU implementation for C. Ginseng supports a broad range of changes to C programs, and performs a suite of safety analyses to ensure certain update safety

Software products are often released with missing functionality or errors that result in failures in the eld. In previous work, we presented the Gamma technology, which facilitates remote monitoring of deployed software and allows for a prompt reaction to failures. In this paper, we investigate one of the principal technologies on which Gamma is based: software tomography. Software tomography splits monitoring tasks across many instances of the software, so that partial information can be (1) collected from users by means of light-weight instrumentation and (2) merged to gather the overall monitoring information. After describing the technology, we illustrate an instance of software tomography for a speci c monitoring task. We also present two case studies that we performed to evaluate the presented technique on a real program. The results of the studies show that software tomography can be successfully applied to collect accurate monitoring information using only minimal instrumentation on each deployed program instance.

Software evolves to fix bugs and add features. Stopping and restarting programs to apply changes is inconvenient and often costly. Dynamic software updating (DSU) addresses this problem by updating programs while they execute, but existing DSU systems for managed languages do not support many updates that occur in practice and are inefficient. This paper presents the design and implementation of JVOLVE, a DSU-enhanced Java VM. Updated programs may add, delete, and replace fields and methods anywhere within the class hierarchy. JVOLVE implements these updates by adding to and coordinating VM classloading, just-in-time compilation, scheduling, return barriers, on-stack replacement, and garbage collection. JVOLVE is safe: its use of bytecode verification and VM thread synchronization ensures that an update will always produce type-correct executions. JVOLVE is flexible: it can support 20 of 22 updates to three open-source programs—Jetty web server, JavaEmailServer, and CrossFTP server—based on actual releases occurring over 1 to 2 years. JVOLVE is efficient: performance experiments show that JVOLVE incurs no overhead during steady-state execution. These results demonstrate that this work is a significant step towards practical support for dynamic updates in virtual machines for managed languages.

This paper presents POLUS, a software maintenance tool capable of iteratively evolving running software into newer versions. POLUS’s primary goal is to increase the dependability of contemporary server software, which is frequently disrupted either by external attacks or by scheduled upgrades. To render POLUS both practical and powerful, we design and implement POLUS aiming to retain backward binary compatibility, support for multithreaded software and recover already tainted state of running software, yet with good usability and very low runtime overhead. To demonstrate the applicability of POLUS, we report our experience in using POLUS to dynamically update three prevalent server applications: vsftpd, sshd and apache HTTP server. Performance measurements show that POLUS incurs negligible runtime overhead: a less than 1% performance degradation (but 5 % for one case). The time to apply an update is also minimal. 1.

Software evolves to fix bugs and add features, but stopping and restarting existing programs to take advantage of these changes can be inconvenient and costly. Dynamic software updating (DSU) addresses these problems by updating programs while they run. The challenge is to develop DSU infrastructure that is flexible, safe, and efficient—DSU should enable updates that are likely to occur in practice, and updated programs should be as reliable and as efficient as those started from scratch. This paper presents the design and implementation of a JVM we call JVOLVE that is enhanced with DSU support. The paper’s key insight is that flexible, safe, and efficient DSU can be supported by naturally extending existing VM services. By piggybacking on classloading and garbage collection, JVOLVE can flexibly support additions and replacements of fields and methods anywhere within the class hierarchy, and in a manner that may alter class signatures. By utilizing bytecode verification and thread synchronization support, JVOLVE can ensure that an applied update will never violate type-safety. Finally, by employing JIT compilation, all DSU-related overhead before or after an update can be effectively eliminated. Using JVOLVE, we successfully applied dynamic continuous updates corresponding to 20 of the 22 releases that occurred over nearly two years ’ time, one update per release, for three open-source programs, Jetty web server, JavaEmailServer, and CrossFTP server. Our results indicate that the VM is well-suited to support practical DSU services.

Patches to modern operating systems, including bug fixes and security updates, and the reboots and downtime they require, cause tremendous problems for system users and administrators. Dynamic update allows an operating system to be patched without the need for a reboot or other service interruption. We have taken the approach of building dynamic update functionality directly into an existing operating system, K42. To determine the applicability of our update system, and to investigate the changes that are made to OS code, we analysed K42’s revision history. The analysis showed that our original system could only support half of the desired changes to K42. The main problem preventing more changes from being converted to dynamic updates was our system’s inability to update interfaces. Other studies, as well as our own investigations, have shown that change to interfaces is also prevalent in systems such as Linux. Thus, it is apparent that a dynamic update mechanism needs to handle interface changes to be widely applicable. In this paper, we describe how to support interface changes in a modular dynamic update system. With this improvement, approximately 79 % of past performance and bug fix changes to K42 could be converted to dynamic updates, and we expect the proportion would be even higher if the fixes were being developed for dynamic update. Measurements of our system show that the runtime overhead is very low, and the time to apply updates is acceptable. This paper makes the following contributions. We present a mechanism to handle interface changes for dynamic updates to an operating system. For performancesensitive updates, we show how to apply changes lazily. We discuss lessons learned, including how an operating system can be structured to better support dynamic update. We also describe how our approach extends to other systems such as Linux, that although structured modularly, are not strictly object-oriented like K42. 1

Adding self healing functionalities into legacy applications without user involvement is immensely useful for users and programmers of such systems. This paper presents a technique of injecting user code with self-healing primitives by statically analyzing the legacy object oriented code and instrumenting it to become a self-manageable and self-healing component. Our experiments show that it is worthwhile to instrument legacy code to provide such autonomic behavior. 1.

Abstract Modern applications distributed across networks such as the Internet may need to evolve without compromising application availability. Object systems are well suited for runtime upgrade, as encapsulation clearly separates internal structure and external services. This paper considers a mechanism for dynamic class upgrade, allowing class hierarchies to be upgraded in such a way that the existing objects of the upgraded class and of its subclasses gradually evolve at runtime. The mechanism is integrated in Creol, a high-level language which targets distributed applications by means of concurrent objects communicating by asynchronous method calls. The dynamic class construct is given a formal semantics in rewriting logic, extending the semantics of the Creol language. 1

Integrating applications with autonomic,fiinctions such as checkpointing/restart, self-healing or self-updating is diflcult and time consuming [8]. We demonstrate tlmt autonomic,f~tnctionality can he sepuruted,frotn upplications und supplied by default imple?nentations, thereby dramatically reducing the cost oj'scipplying autonomy. This article proposes a proxy/vvrapper technique with an additiorzul code Izook-lip infrustr~lct~ire to provide applic~ztion adaptation with self-upduting, self-configuratior ~ and self-optimizution,fiinctionalities. 1.

Abstract Modern applications distributed across networks such as the Internet may need to evolve without compromising application availability. Object systems are well suited for runtime update, as encapsulation clearly separates internal structure and external services. This paper considers a type-safe asynchronous mechanism for dynamic class upgrade, allowing class hierarchies to be updated in such a way that the existing objects of the upgraded class and of its subclasses gradually evolve at runtime. New external services may be introduced in classes and old services may be reprogrammed while static type checking ensures that asynchronous class updates maintain type safety. A formalization is shown in the Creol language which, addressing distributed and object-oriented systems, provides a natural framework for dynamic upgrades. 1