Formalising Java RMI with Explicit Code Mobility
Alexander Ahern, Nobuko Yoshida
Department of Computing, Imperial College London
2
Motivation
Distribution is important to modern object-oriented programming
Yet, existing formalisms are insufficient:
  Single location
  No modelling of distributed runtime
3
DJ – Distributed Java
First formalisation of Java RMI
New primitives for type-safe code mobility
A novel proof technique for type safety of distributed programs
Proof of correctness of several RMI optimisations
4
Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]
int m1(RemoteObject r, int a) {
    int x = r.f(a);
    int y = r.g(a, x);
    int z = r.h(a, y);
    return z;
}
[Figure labels: Client, Server]
x and y are dead from the client’s point of view
5
Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]
// Client
int m1(RemoteObject r, int a) {
    (unit -> int) t = freeze() {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    };
    return r.run(t);
}

// Server
int run((unit -> int) x) {
    return defrost(x);
}
[Figure labels: Client, Server]
6
DJ – Model
DJ = Java + distribution + new primitives and types
e ::= freeze(T x) { e } | defrost(e, e) | …
T ::= T -> T | …
freeze: creates a closure
defrost: evaluates a closure
T -> T: a new arrow type for closures
7
Runtime Syntax
We require lots of syntax
Don’t worry! You don’t need to remember this!
8
Networks
[Figure: four JVMs]
Virtual machines communicate by Remote Method Invocations
Networks consist of zero or more JVMs executing in parallel
Each machine keeps a table of classes, and has a private memory
9
Remote Method Invocation
Nature of parameters affects the nature of remote calls
If a parameter is not a subtype of java.rmi.Remote, then it is passed by value
For object parameters, this requires object serialisation
This is the conversion of structured data into an array of bytes suitable for network transfer
We model all of these features in DJ
10
Remote Method Invocation
[Figure: bytes (0 1 1 0, 1 0 1 0) crossing the network in each direction]
1. Serialise actual parameters
2. Bytes are transferred to the server
3. Deserialise bytes into structured form
4. Evaluate local method call
5. Serialise return value
6. Bytes transferred to the client
7. Return value deserialised, returned to caller
Deserialisation can trigger class downloading
11
Our model of RMI
[Figure axes: Time, Network Boundary]
We model serialisation
Method call = message passing
12
Code Mobility Primitives - Freezing
Parameter
Code
Fresh names for the identifiers appearing free in this closure
The name (IP address) of the location that created this closure
Environment (variables/objects) the closure depends upon
Classes
13
Code Mobility Primitives - Defrosting
Formal parameter x is replaced with actual parameter v
Much like calling a method
14
Runtime relationships
RMI Serialisation / Deserialisation
Defrost
Class downloading
Freeze
Instantiation (new C)
In DJ, code mobility is a generalisation of serialisation
15
Network Invariants and Typing
Network invariants ensure type safe code mobility
Model features that are hard to capture by typing rules alone
16
Invariants – Properties
A property Ψ is a subset of the set of all networks
A network invariant is just a special kind of property
  It has some initial conditions, Ψ0
  It is reduction closed
[Figure labels: All networks, Ψ, Ψ0]
17
Invariants (Class Availability)
We have lots (17)
18
Invariants (Locality)
We have lots (17)
19
Invariants (Channel Linearity)
We have lots (17)
20
Invariants (Closures and Locks)
We have lots (17)
21
Invariants – Examples
new C always succeeds
  All super-classes of C are present in local class table
Fields are never accessed remotely
  Java RMI is implemented as a proxy pattern
22
Properties of the typing system
Theorem (Subject Reduction)
Theorem (Progress, locality and linearity)
Corollary (Network Invariant)
23
Correctness of Optimisations
Lightweight transformation rules
Non-interference property
Semantics preserving optimisation
24
Transformation Rules
Return point for a method call
Uncomputed expression to return
We can inline this, modulo some details
25
Non-Interference [Reynolds 1978]
Definition (Non-interference)
[Diagram labels: N, N1, N2, N’, *]
26
Semantic Preservation
Lemma (Contextual Equivalence)
[Diagram labels: N, N’, Context, Optimised code]
27
Properties of Transformation
Theorem
By previous Lemma and this Theorem
Type preservation
28
By Theorem
Original Code:
int m1(RemoteObject r, int a) {
    int x = r.f(a);
    int y = r.g(a, x);
    int z = r.h(a, y);
    return z;
}
Optimised Code:
// Client
int m1(RemoteObject r, int a) {
    (unit -> int) t = freeze() {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    };
    return r.run(t);
}
29
Conclusion
DJ: first formalisation of Java RMI
Introduction of first class functions to Java
  May appear in C# 3.0
New proof method for type safety of distributed programs using network invariants
New method for showing the correctness of optimisations for distributed programs using semantics-preserving transformations
30
Conclusion – Future Work
http://dj-project.sourceforge.net/
Full version of this work
Prototype implementation of DJ using Polyglot Compiler Framework (Cornell University)
Prove correctness of translation from DJ to Java
Code generation
Cost modelling
Types for access control and security
31
32
Related Work
Class loading
  Liang & Bracha (1998)
  Drossopoulou & Eisenbach (2002)
  Krintz et al (1999)
Distributed Objects
  Obliq
  Emerald
Staged and meta-programming
  MetaML
  Jumbo
  Meta-AspectJ
33
Observational Congruence
Reduction closed
Respects an observational predicate
We choose to observe remote method return:
34
35
Our model of RMI
[Figure axes: Time, Network Boundary]
Client makes a remote call
Therefore, serialise parameter, call it v’
Now, deserialise parameter for call
Make local call
Serialise the return value, call it r’
Deserialise and return to caller
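The call sequence on this slide and on the earlier Remote Method Invocation slides, as an added Java example that is not from the talk or the DJ project: one JVM plays both client and server, and byte arrays stand in for the network. The `Counter` class, the `serverDispatch` method and the allow-list filter on deserialisation are assumptions made for the illustration; the filter restricts which classes the receiving side will instantiate from incoming bytes.

```java
import java.io.*;

// Added illustration (Java 9+): a single JVM models the client, the server and the network.
public class RmiModel {
    // Hypothetical parameter type: Serializable but not java.rmi.Remote, so passed by value.
    static class Counter implements Serializable {
        int n;
        Counter(int n) { this.n = n; }
    }

    // Serialise: structured data -> array of bytes suitable for network transfer.
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Deserialise: bytes -> structured form. The filter (an assumption of this example)
    // accepts only the classes this call expects and rejects everything else.
    static Object deserialise(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "RmiModel$Counter;java.lang.Integer;java.lang.Number;!*"));
            return in.readObject();
        }
    }

    // Server side: deserialise v', make the local call, serialise the return value r'.
    static byte[] serverDispatch(byte[] vPrime) throws IOException, ClassNotFoundException {
        Counter copy = (Counter) deserialise(vPrime);
        copy.n += 1;                                // the local call mutates the server's copy only
        return serialise(Integer.valueOf(copy.n));
    }

    public static void main(String[] args) throws Exception {
        Counter v = new Counter(41);
        byte[] vPrime = serialise(v);               // client serialises the actual parameter
        byte[] rPrime = serverDispatch(vPrime);     // bytes cross the network boundary
        int r = (Integer) deserialise(rPrime);      // client deserialises the return value
        System.out.println("returned " + r + ", client copy still " + v.n);
    }
}
```

Because the parameter travels by value, the server's increment is visible only in the returned value; the client's `Counter` is unchanged.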
36
Non-Interference
Definition (Non-interference)
[Diagram labels: N, N1, N2, N’, *, ≡]