Formalising Java RMI with Explicit Code Mobility
Alexander Ahern, Nobuko Yoshida
Department of Computing, Imperial College London

Upload: others

Post on 09-Feb-2022

7 views

Category:

Documents


0 download

TRANSCRIPT

Formalising Java RMI with Explicit Code MobilityAlexander AhernNobuko YoshidaDepartment of ComputingImperial College London

Motivation

Distribution is important to modern object-oriented programming. Yet, existing formalisms are insufficient:
- Single location
- No modelling of distributed runtime

DJ – Distributed Java

- First formalisation of Java RMI
- New primitives for type-safe code mobility
- A novel proof technique for type safety of distributed programs
- Proof of correctness of several RMI optimisations

Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]

    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

(Figure: client and server, with the calls on r crossing between them.)

x and y are dead from the client's point of view

Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]

    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }

    // Server
    int run((unit -> int) x) {
        return defrost(x);
    }

(Figure: client and server, with the single call r.run(t) crossing between them.)

DJ – Model

DJ = Java + distribution + new primitives and types

    e ::= freeze(T x) { e }    creates a closure
        | defrost(e, e)        evaluates a closure
        | …
    T ::= T -> T | …           a new arrow type for closures
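The following is an added Python model of the two call-aggregation versions above and of the freeze/defrost primitives just introduced; it is not code from the slides or from the DJ project. A closure is represented as the calculus describes it (origin location, formal parameter, captured environment, code), each JVM is a Location with its own memory, and every method invocation whose target lives on another location is counted as one round trip. The bodies of f, g and h, the network/location classes and the small statement list standing in for DJ syntax are all constructed for the demo; serialisation of the shipped closure is not modelled here.

```python
# Added example (Python model, not the DJ project's code): call aggregation with
# freeze/defrost.  A closure carries code, its free-variable environment and the
# name of the location that created it; remote calls are messages counted at the
# network boundary.  The bodies of f, g and h are constructed for the demo.
from dataclasses import dataclass

@dataclass
class RemoteRef:
    """Reference to an object on another JVM (passed by reference, like java.rmi.Remote)."""
    host: str
    name: str

@dataclass
class Closure:
    """Value of freeze(T x) { e }: origin location, formal parameter, environment, code."""
    origin: str   # name (IP address) of the creating location
    param: str    # formal parameter x; None stands for the unit parameter of freeze()
    env: dict     # identifiers free in the body, captured when frozen
    body: list    # ("call", dst, target, method, [arg names]) | ("return", name)

class Network:
    """Zero or more JVMs in parallel; counts RMI round trips crossing the boundary."""
    def __init__(self):
        self.locations, self.round_trips = {}, 0
    def add(self, loc):
        self.locations[loc.name], loc.net = loc, self

class Location:
    """One JVM: a name and a private memory of named objects."""
    def __init__(self, name):
        self.name, self.objects, self.net = name, {}, None
    def invoke(self, ref, method, args):
        """ref.method(args): local if ref lives here, otherwise one remote method invocation."""
        if ref.host != self.name:
            self.net.round_trips += 1
        target = self.net.locations[ref.host].objects[ref.name]
        return getattr(target, method)(*args)

class Server:
    """The slides' RemoteObject: f, g, h (constructed bodies) and run."""
    def __init__(self, here):
        self.here = here
    def f(self, a): return a + 1
    def g(self, a, x): return a * x
    def h(self, a, y): return y - a
    def run(self, t):
        # int run((unit -> int) x) { return defrost(x); }
        return defrost(self.here, t, None)

def freeze(here, param, body, scope):
    """freeze(T x) { e } evaluated at `here`: capture the identifiers free in e."""
    bound, env = {param}, {}
    for stmt in body:
        used = [stmt[2], *stmt[4]] if stmt[0] == "call" else [stmt[1]]
        for name in used:
            if name not in bound:
                env[name] = scope[name]
        if stmt[0] == "call":
            bound.add(stmt[1])          # dst is bound from here on
    return Closure(here.name, param, env, body)

def defrost(here, closure, arg):
    """defrost(t, v) evaluated at `here`: bind x to v and run the body in the captured environment."""
    env = dict(closure.env)
    if closure.param is not None:
        env[closure.param] = arg
    for stmt in closure.body:
        if stmt[0] == "return":
            return env[stmt[1]]
        _, dst, target, method, args = stmt
        env[dst] = here.invoke(env[target], method, [env[a] for a in args])

# Body of m1 from the slides: x = r.f(a); y = r.g(a, x); z = r.h(a, y); return z
M1_BODY = [("call", "x", "r", "f", ["a"]),
           ("call", "y", "r", "g", ["a", "x"]),
           ("call", "z", "r", "h", ["a", "y"]),
           ("return", "z")]

def m1_original(client, r, a):
    """Three remote calls; x and y come back to the client although it never uses them."""
    x = client.invoke(r, "f", [a])
    y = client.invoke(r, "g", [a, x])
    return client.invoke(r, "h", [a, y])

def m1_aggregated(client, r, a):
    """Freeze the body (r and a are its free identifiers) and ship it to the server."""
    t = freeze(client, None, M1_BODY, {"r": r, "a": a})
    return client.invoke(r, "run", [t])

def compare(a):
    """Run both versions on fresh networks; returns ((result, round trips), (result, round trips))."""
    results = []
    for version in (m1_original, m1_aggregated):
        net, client, server = Network(), Location("client"), Location("server")
        net.add(client); net.add(server)
        server.objects["obj"] = Server(server)
        results.append((version(client, RemoteRef("server", "obj"), a), net.round_trips))
    return tuple(results)
```

`compare(3)` returns `((9, 3), (9, 1))`: both versions compute the same answer, but the aggregated version crosses the network once, because inside `run` the captured `r` resolves to an object on the server's own location and `f`, `g`, `h` become local calls.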

Runtime Syntax

We require lots of syntax. Don't worry! You don't need to remember this!

Networks

(Figure: several JVMs communicating over a network.)

- Virtual machines communicate by Remote Method Invocations
- Networks consist of zero or more JVMs executing in parallel
- Each machine keeps a table of classes, and has a private memory

Remote Method Invocation

- The nature of parameters affects the nature of remote calls
- If a parameter is not a subtype of java.rmi.Remote, then it is passed by value
- For object parameters, this requires object serialisation: the conversion of structured data into an array of bytes suitable for network transfer
- We model all of these features in DJ

Remote Method Invocation

(Figure: the RMI exchange between client and server.)

1. Serialise actual parameters
2. Bytes are transferred to the server
3. Deserialise bytes into structured form (deserialisation can trigger class downloading)
4. Evaluate local method call
5. Serialise return value
6. Bytes transferred to the client
7. Return value deserialised, returned to caller

Our model of RMI

(Figure: time runs downward; the network boundary separates client and server.)

- We model serialisation
- Method call = message passing

Code Mobility Primitives – Freezing

(Figure: a frozen closure, annotated with its components.)

- Fresh names for the identifiers appearing free in this closure
- Parameter
- Classes
- The name (IP address) of the location that created this closure
- Environment (variables/objects) the closure depends upon
- Code

Code Mobility Primitives – Defrosting

Formal parameter x is replaced with actual parameter v, much like calling a method.

Runtime relationships

(Figure: relationships among Serialisation / Deserialisation, RMI, Freeze, Defrost, Class downloading and Instantiation (new C).)

In DJ, code mobility is a generalisation of serialisation.
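As an added Python model (not from the slides or the DJ project) of the RMI exchange described above and of the class-availability invariant the deck states later (new C always succeeds because all super-classes of C are in the local class table): each JVM has a class table mapping a class to its superclass, by-value objects are serialised to bytes, java.rmi.Remote-style objects travel as references, and deserialising an object whose class is missing locally downloads that class and every superclass from the sender's table before the object is instantiated. The JVM, Obj and RemoteObj classes, the order/receipt classes and the `allow_download` switch (a JVM that refuses unknown classes instead of downloading them) are all constructed for this example.

```python
# Added example (Python model, not the DJ project's code) of the RMI exchange and
# of the class-availability invariant.  Sample classes and data are constructed.
import json
from dataclasses import dataclass, field

@dataclass
class Obj:
    """Ordinary object: passed by value, so it is serialised field by field."""
    cls: str
    fields: dict = field(default_factory=dict)

@dataclass
class RemoteObj:
    """Subtype of java.rmi.Remote: passed by reference as (host, name), never copied."""
    host: str
    name: str

class JVM:
    """One virtual machine: a name, a class table and a record of class downloads."""
    def __init__(self, name, class_table, allow_download=True):
        self.name = name
        self.class_table = dict(class_table)   # class name -> superclass name (None for the root)
        self.allow_download = allow_download
        self.downloads = []                    # classes fetched while deserialising

    def serialise(self, value) -> bytes:
        """Structured data -> array of bytes suitable for network transfer."""
        return json.dumps(self._encode(value)).encode()

    def _encode(self, v):
        if isinstance(v, RemoteObj):
            return {"remote": [v.host, v.name]}
        if isinstance(v, Obj):
            return {"class": v.cls, "fields": {k: self._encode(x) for k, x in v.fields.items()}}
        if isinstance(v, list):
            return [self._encode(x) for x in v]
        return v

    def deserialise(self, data: bytes, codebase):
        """Bytes -> structured data; `codebase` is the sender's class table."""
        return self._decode(json.loads(data.decode()), codebase)

    def _decode(self, node, codebase):
        if isinstance(node, list):
            return [self._decode(x, codebase) for x in node]
        if isinstance(node, dict) and "remote" in node:
            return RemoteObj(*node["remote"])
        if isinstance(node, dict) and "class" in node:
            self.ensure_class(node["class"], codebase)   # invariant: new C must succeed
            return Obj(node["class"],
                       {k: self._decode(x, codebase) for k, x in node["fields"].items()})
        return node

    def ensure_class(self, cls, codebase):
        """Make cls and all of its superclasses present in the local class table."""
        while cls is not None:
            if cls not in self.class_table:
                if not self.allow_download:
                    raise LookupError(f"{self.name}: class {cls} is not available locally")
                self.class_table[cls] = codebase[cls]   # class downloading
                self.downloads.append(cls)
            cls = self.class_table[cls]

def remote_call(client, server, impl, *args):
    """Serialise actuals, ship bytes, deserialise at the server, evaluate the method
    locally, serialise the return value, ship it back, deserialise at the client."""
    request = client.serialise(list(args))
    actuals = server.deserialise(request, client.class_table)
    result = impl(*actuals)
    reply = server.serialise(result)
    return client.deserialise(reply, server.class_table)

# Constructed sample: the client knows Order (a Document) and LineItem; the server
# knows only Receipt.  Each side has to download the other's classes on deserialisation.
CLIENT_CLASSES = {"Object": None, "Document": "Object", "Order": "Document", "LineItem": "Object"}
SERVER_CLASSES = {"Object": None, "Receipt": "Object"}

def total(order):
    """Server-side method body (constructed): sum the line items into a Receipt."""
    amount = sum(i.fields["qty"] * i.fields["price"] for i in order.fields["items"])
    return Obj("Receipt", {"total": amount, "owner": order.fields["owner"]})

def demo(allow_download=True):
    """Returns (client-side total, classes the server downloaded, classes the client downloaded).
    With allow_download=False the server refuses the unknown classes and raises LookupError."""
    client = JVM("client", CLIENT_CLASSES)
    server = JVM("server", SERVER_CLASSES, allow_download)
    order = Obj("Order", {"items": [Obj("LineItem", {"qty": 2, "price": 5}),
                                    Obj("LineItem", {"qty": 1, "price": 7})],
                          "owner": RemoteObj("client", "account")})
    receipt = remote_call(client, server, total, order)
    assert receipt.fields["owner"] == RemoteObj("client", "account")   # reference, not a copy
    return receipt.fields["total"], server.downloads, client.downloads
```

`demo()` returns `(17, ["Order", "Document", "LineItem"], ["Receipt"])`: the server pulls in Order and then its superclass Document before instantiating the order, the client pulls in Receipt for the reply, and the remote `owner` crosses both ways as a reference whose fields are never read remotely. The `allow_download=False` path shows the other side of the invariant: a JVM that cannot obtain a class has to fail the deserialisation rather than instantiate a partially defined object.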

Network Invariants and Typing

- Network invariants ensure type safe code mobility
- Model features that are hard to capture by typing rules alone

Invariants – Properties

- A property Ψ is a subset of the set of all networks
- A network invariant is just a special kind of property:
  - It has some initial conditions, Ψ0
  - It is reduction closed

(Figure: Ψ0 inside Ψ inside the set of all networks.)
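The two conditions above, written out as an added formalisation (not from the slides; the symbols are the deck's Ψ and Ψ0, the set of all networks is named here), together with the induction that makes an invariant useful: once the initial networks lie in Ψ and Ψ is reduction closed, every network reachable from an initial one lies in Ψ.

```latex
\text{Let } \mathcal{N} \text{ be the set of all networks, } \Psi \subseteq \mathcal{N} \text{ a property, and } \Psi_0 \subseteq \Psi \text{ its initial conditions.}
\text{Reduction closure: } \forall N \in \Psi.\; N \longrightarrow N' \implies N' \in \Psi
\text{By induction on the length of the reduction sequence: } N_0 \in \Psi_0 \;\wedge\; N_0 \longrightarrow^{*} N \implies N \in \Psi
```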

Invariants (Class Availability), Invariants (Locality), Invariants (Channel Linearity), Invariants (Closures and Locks)

We have lots (17).

Invariants – Examples

- new C always succeeds: all super-classes of C are present in the local class table
- Fields are never accessed remotely: Java RMI is implemented as a proxy pattern

Properties of the typing system

- Theorem (Subject Reduction)
- Corollary (Network Invariant)
- Theorem (Progress, locality and linearity)

Correctness of Optimisations

- Lightweight transformation rules
- Non-interference property
- Semantics preserving optimisation

Transformation Rules

(Figure: a transformation rule, annotated "Return point for a method call", "Uncomputed expression to return" and "We can inline this, modulo some details".)

Non-Interference [Reynolds 1978]

Definition (Non-interference)

(Figure: N reduces to N1 and to N2; both reduce in zero or more steps (*) to a common N'.)

Semantic Preservation

Lemma (Contextual Equivalence)

(Figure: N and the optimised code N' placed in the same context.)

Properties of Transformation

Theorem (given as a figure)

- Type preservation
- By the previous Lemma and this Theorem

By the Theorem:

Original Code

    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

Optimised Code

    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }

Conclusion

- DJ: first formalisation of Java RMI
- Introduction of first class functions to Java
  - May appear in C# 3.0
- New proof method for type safety of distributed programs using network invariants
- New method for showing the correctness of optimisations for distributed programs using semantics-preserving transformations

Conclusion – Future Work

http://dj-project.sourceforge.net/

- Full version of this work
- Prototype implementation of DJ using Polyglot Compiler Framework (Cornell University)
- Prove correctness of translation from DJ to Java
- Code generation
- Cost modelling
- Types for access control and security

Related Work

- Class loading: Liang & Bracha (1998), Drossopoulou & Eisenbach (2002), Krintz et al (1999)
- Distributed Objects: Obliq, Emerald
- Staged and meta-programming: MetaML, Jumbo, Meta-AspectJ

Observational Congruence

- Reduction closed
- Respects an observational predicate
- We choose to observe remote method return.

Our model of RMI

(Figure: time runs downward; the network boundary separates client and server.)

1. Client makes a remote call
2. Therefore, serialise parameter, call it v'
3. Now, deserialise parameter for call
4. Make local call
5. Serialise the return value, call it r'
6. Deserialise and return to caller

Non-Interference

Definition (Non-interference)

(Figure: two diagrams. In the first, N reduces to N1 and to N2, and both reduce in zero or more steps (*) to a common N'. In the second, N reduces to N1 and to N2, and N1 reduces in zero or more steps to a network structurally equivalent (≡) to N2.)