Specifying and Verifying the Correctness of Dynamic Software Updates

  • Christopher M. Hayden
  • Stephen Magill
  • Michael Hicks
  • Nate Foster
  • Jeffrey S. Foster
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7152)


Dynamic software updating (DSU) systems allow running programs to be patched on-the-fly to add features or fix bugs. While dynamic updates can be tricky to write, techniques for establishing their correctness have received little attention. In this paper, we present the first methodology for automatically verifying the correctness of dynamic updates. Programmers express the desired properties of an updated execution using client-oriented specifications (CO-specs), which can describe a wide range of client-visible behaviors. We verify CO-specs automatically by using off-the-shelf tools to analyze a merged program, which is a combination of the old and new versions of a program. We formalize the merging transformation and prove it correct. We have implemented a program merger for C, and applied it to updates for the Redis key-value store and several synthetic programs. Using Thor, a verification tool, we could verify many of the synthetic programs; using Otter, a symbolic executor, we could analyze every program, often in less than a minute. Both tools were able to detect faulty patches and incurred only a factor-of-four slowdown, on average, compared to single version programs.


Program Version State Transformation Dynamic Software Dynamic Patch Type Safety 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ajmani, S., Liskov, B., Shrira, L.: Modular Software Upgrades for Distributed Systems. In: Hu, Q. (ed.) ECOOP 2006. LNCS, vol. 4067, pp. 452–476. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Armstrong, J., Virding, R., Wikstrom, C., Williams, M.: Concurrent programming in ERLANG, 2nd edn. Prentice Hall International Ltd. (1996)Google Scholar
  3. 3.
    Bloom, T., Day, M.: Reconfiguration and module replacement in Argus: theory and practice. Software Engineering Journal 8(2), 102–108 (1993)CrossRefGoogle Scholar
  4. 4.
    Bracha, G.: Objects as software services (August 2006),
  5. 5.
    Cassandra API overview,
  6. 6.
    Charlton, N., Horsfall, B., Reus, B.: Formal reasoning about runtime code update. In: HOTSWUP (2011)Google Scholar
  7. 7.
    Duggan, D.: Type-based hot swapping of running modules. In: ICFP (2001)Google Scholar
  8. 8.
    Flanagan, C., Sabry, A., Duba, B.F., Felleisen, M.: The essence of compiling with continuations. In: PLDI (1993)Google Scholar
  9. 9.
    Gupta, D., Jalote, P., Barua, G.: A formal framework for on-line software version change. IEEE TSE 22(2) (1996)Google Scholar
  10. 10.
    Hayden, C.M., Hardisty, E.A., Hicks, M., Foster, J.S.: Efficient Systematic Testing for Dynamically Updatable Software. In: HOTSWUP (2009)Google Scholar
  11. 11.
    Hayden, C.M., Magill, S., Hicks, M., Foster, N., Foster, J.S.: Specifying and verifying the correctness of dynamic software updates (extended version). Technical Report CS-TR-4997, Dept. of Computer Science, University of Maryland (2011)Google Scholar
  12. 12.
    Hayden, C.M., Smith, E.K., Hardisty, E.A., Hicks, M., Foster, J.S.: Evaluating dynamic software update safety using systematic testing (March 2011)Google Scholar
  13. 13.
    Hicks, M., Nettles, S.: Dynamic software updating. ACM TOPLAS 27(6) (2005)Google Scholar
  14. 14.
  15. 15.
    Kramer, J., Magee, J.: The evolving philosophers problem: Dynamic change management. IEEE TSE 16(11) (1990)Google Scholar
  16. 16.
    Never reboot Linux for Linux security updates : Ksplice,
  17. 17.
    Magill, S., Tsai, M.-H., Lee, P., Tsay, Y.-K.: THOR: A Tool for Reasoning about Shape and Arithmetic. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 428–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  18. 18.
    Magill, S., Tsai, M.-H., Lee, P., Tsay, Y.-K.: Automatic numeric abstractions for heap-manipulating programs. In: POPL (2010)Google Scholar
  19. 19.
    Neamtiu, I., Hicks, M., Stoyle, G., Oriol, M.: Practical dynamic software updating for C. In: PLDI (2006)Google Scholar
  20. 20.
    Qadeer, S., Wu, D.: KISS: Leep it simple and sequential. In: PLDI (2004)Google Scholar
  21. 21.
  22. 22.
    Reisner, E., Song, C., Ma, K.-K., Foster, J.S., Porter, A.: Using symbolic evaluation to understand behavior in configurable software systems. In: ICSE (2010)Google Scholar
  23. 23.
    Stoyle, G., Hicks, M., Bierman, G., Sewell, P., Neamtiu, I.: Mutatis Mutandis: Safe and flexible dynamic software updating. ACM TOPLAS 29(4) (2007)Google Scholar
  24. 24.
    Subramanian, S., Hicks, M., McKinley, K.S.: Dynamic software updates for Java: A VM-centric approach. In: PLDI (2009)Google Scholar
  25. 25.
    Walton, C.: Abstract Machines for Dynamic Computation. PhD thesis, University of Edinburgh, ECS-LFCS-01-425 (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Christopher M. Hayden
    • 1
  • Stephen Magill
    • 1
  • Michael Hicks
    • 1
  • Nate Foster
    • 2
  • Jeffrey S. Foster
    • 1
  1. 1.Computer Science DepartmentUniversity of MarylandCollege ParkUSA
  2. 2.Computer Science DepartmentCornell UniversityUSA

Personalised recommendations