Abstract not found

The usual way of installing a new version of a software system is to shut down the running program and then install the new version. This necessitates a sometimes unacceptable delay during which service is denied to the users of the software. An on-line software replacement system replaces parts of the software while it is in execution, thus eliminating the shutdown. While a number of implementations of on-line version change systems have been described in the literature, little investigation has been done on its theoretical aspects. In this paper, we describe a formal framework for studying on-line software version change. We give a general definition of validity of an on-line change, show that it is in general undecidable and then develop sufficient conditions for ensuring validity for a procedural language. Keywords--- On-line software version change, validity of change, process, state, reachable state, data flow analysis, functional enhancement I. Introduction It is now well kno...

During maintenance, systems are updated to correct faults, improve functionality, and adapt the software to changes in its execution environment. The typical softwareupdate process consists of stopping the system to be updated, performing the update of the code, and restarting the system. For systems such as banking and telecommunication software, however, the cost of downtime can be prohibitive. The situation is even worse for systems such as air-traffic controllers and life-support software, for which a shut-down is in general not an option. In those cases, the use of some form of on-the-fly program modification is required. In this paper, we present a new technique for dynamic updating of Java software. Our technique is based on the use of proxy classes and requires no support from the runtime system. The technique allows for updating a running Java program by substituting, adding, and deleting classes. We also present DUSC (Dynamic Updating through Swapping of Classes), a tool that we developed and that implements our technique. Finally, we describe an empirical study that we performed to validate the technique on a real Java subject. The results of the study show that our technique can be effectively applied to Java software with only little overhead in both execution time and program size.

what constitutes an "acceptable" behavior of such a process. We capture this notion in our definition of the validity of an on-line change. We define an on-line change to be valid if some time after the change, the process reaches a reachable state of the new program version. Thus, validity ensures that following a change, the process starts behaving like the new version of the program after a "transition period". We first consider validity of on-line changes to programs written in sequential procedure based languages. For this purpose, a very simple model in which procedures and functions are not allowed is first considered. State is modelled as a mapping from variable names to values. For this model, we show that it is undecidable to find whether or not a given on-line change is valid. This result has important consequences. It means that computable necessary and sufficient conditions for validity of change can not be obtained. Undecidability in this simple model also

This report presents a new, automatic technique to assess whether replacing a component of a software system by a purportedly compatible component may change the behavior of the system. The technique operates before integrating the new component into the system or running system tests, permitting quicker and cheaper identification of problems. It takes into account the system’s use of the component, because a particular component upgrade may be desirable in one context but undesirable in another. No formal specifications are required, permitting detection of problems due either to errors in the component or to errors in the system. Both external and internal behaviors can be compared, enabling detection of problems that are not immediately reflected in the output. The technique generates an operational abstraction for the old component in the context of the system, and one for the new component in the context of its test suite. An operational abstraction is a set of program properties that generalizes over observed run-time behavior. Modeling a system as divided into modules, and taking into account the control and data flow between the modules, we formulate a logical condition to guarantee that the system’s behavior is preserved across a component replacement. If automated logical comparison indicates that the new component does not make all the guarantees that the old one did, then

In order to accomplish dependable onboard evolution, we develop a methodology which is called guarded software upgrading (GSU). The core of the methodology is a low-cost error containment and recovery protocol that escorts an upgraded software component through onboard validation and guarded operation, safeguarding mission functions. The message-driven confidence-driven (MDCD) nature of the protocol elim-inates the need for costly process coordination or atomic action, yet guaranteeing the system to reach a consistent global state upon the completion of the rollback or roll-forward actions carried out by individual processes during error recovery. Aimed at validating the effectiveness of the MDCD protocol with respect to its ability, in a real-istic, non-ideal execution environment, to enhance system reliability when a software component undergoes onboard upgrading, we conduct a stochastic activity network model based analysis. The results confirm the effectiveness of the protocol as origi-nally surmised. Moreover, the model-based analysis provides to us useful insights about the system behavior resulting from the use of the protocol under various conditions in its execution environment, facilitating effective utility of the protocol.

Self-healing systems require that repair mechanisms are available to resolve problems that arise while the system executes. Managed execution environments such as the Common Language Runtime (CLR) and Java Virtual Machine (JVM) provide a number of application services (application isolation, security sandboxing, garbage collection and structured exception handling) which are geared primarily at making managed applications more robust. However, none of these services directly enables applications to perform repairs or consistency checks of their components. From a design and implementation standpoint, the preferred way to enable repair in a self-healing system is to use an externalized repair/adaptation architecture rather than hardwiring adaptation logic inside the system where it is harder to analyze, reuse and extend. We present a framework that allows a repair engine to dynamically attach and detach to/from a managed application while it executes essentially adding repair mechanisms as another application service provided in the execution environment. 1

. A flexible database system needs to support changes to its schema in order to facilitate the requirements of new applications and to support interoperability within a multidatabase system. In this paper, we present an approach to schema evolution through changes to the EntityRelationship (ER) schema of a database. We enhance the graphical constructs used in ER diagrams, and develop EVER, an EVolutionary ER diagram for specifying the derivation relationships between schema versions, relationships among attributes, and the conditions for maintaining consistent views of programs. Algorithms are presented for mapping the EVER diagram into the underlying database and constructing database views for schema versions. Through the reconstruction of views after database reorganization, changes to an ER diagram can be made transparent to the application programs while all objects in the database remain accessible to the application programs. 1 Introduction As the reality of interest, usually c...

The computer communications world is very dynamic, requiring continual software updating for correction, perfection, and increased functionality. The problem addressed here is that of providing an evolutionary path for software that permits updating without disrupting the operation and management of the network. This problem is relevant to network management software which is also dynamic. For example SNMPv3 is not yet a standard and is not yet widely deployed. Its initial installations will need to be perfected as more experience is acquired. This paper examines a software hot-swapping solution to the problem, whereby management system software modules can be replaced dynamically without disrupting the management process. The paper also discusses application of the technique to a modular SNMPv3 system implemented in Java. Keywords: Software hot swapping, SNMP, mobile code, transaction

Self-healing systems require that repair mechanisms are available to resolve problems that arise while the system executes. Managed execution environments such as the Common Language Runtime (CLR) and Java Virtual Machine (JVM) provide a number of application services (application isolation, security sandboxing, garbage collection and structured exception handling) which are geared primarily at making managed applications more robust. However, none of these services directly enables applications to perform repairs or consistency checks of their components. From a design and implementation standpoint, the preferred way to enable repair in a self-healing system is to use an externalized repair/adaptation architecture rather than hardwiring adaptation logic inside the system where it is harder to analyze, reuse and extend. We present a framework that allows a repair engine to dynamically attach and detach to/from a managed application while it executes essentially adding repair mechanisms as another application service provided in the execution environment.