Formalising Java RMI with Explicit Code Mobility
Alexander Ahern, Nobuko Yoshida
Department of Computing, Imperial College London
Motivation
• Distribution is important to modern object-oriented programming
• Yet, existing formalisms are insufficient:
  • Single location
  • No modelling of distributed runtime

DJ – Distributed Java
• First formalisation of Java RMI
• New primitives for type-safe code mobility
• A novel proof technique for type safety of distributed programs
• Proof of correctness of several RMI optimisations
Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]

    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

(figure: Client / Server; callout: x and y are dead from the client's point of view)

Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]

    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }

    // Server
    int run((unit -> int) x) {
        return defrost(x);
    }

(figure: Client / Server)
DJ – Model
DJ = Java + distribution + new primitives and types

    e ::= freeze(T x) { e }    (creates a closure)
        | defrost(e, e)        (evaluates a closure)
        | …
    T ::= T -> T               (a new arrow type for closures)
        | …

Runtime Syntax
• We require lots of syntax
Don't worry! You don't need to remember this!

Networks
• Networks consist of zero or more JVMs executing in parallel
• Virtual machines communicate by Remote Method Invocations
• Each machine keeps a table of classes, and has a private memory
(figure: several JVMs in parallel)
Remote Method Invocation
• Nature of parameters affects the nature of remote calls
• If a parameter is not a subtype of java.rmi.Remote, then it is passed by value
  • For object parameters, this requires object serialisation
  • This is the conversion of structured data into an array of bytes suitable for network transfer
• We model all of these features in DJ

Remote Method Invocation (figure: client, network, server)
1. Serialise actual parameters
2. Bytes are transferred to the server (network)
3. Deserialise bytes into structured form (deserialisation can trigger class downloading)
4. Evaluate local method call
5. Serialise return value
6. Bytes transferred to the client (network)
7. Return value deserialised, returned to caller
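The seven steps above, played out at the byte level in plain Java: this is an added example, not code from the DJ paper or project. The parameter class `Point`, the `Service`-side method `distanceSquared` and the in-process "network" (a byte array handed from one call to the next) are constructed for illustration. Because the server-side deserialise step is where class downloading and object instantiation happen, the example attaches a `java.io.ObjectInputFilter` allowlist (Java 9 and later) so that only the classes the call actually needs can be instantiated from the wire; everything else is rejected before any of its code runs.

```java
import java.io.*;

// Added illustration, not from the DJ paper: the byte-level steps of a
// pass-by-value RMI call, with an ObjectInputFilter standing in for the check a
// server should apply before deserialisation instantiates (or downloads) classes.

// A non-Remote parameter: passed by value, so it must be Serializable.
class Point implements Serializable {
    private static final long serialVersionUID = 1L;
    final int x, y;
    Point(int x, int y) { this.x = x; this.y = y; }
}

public class RmiSerialisation {
    // Step 1 / step 5: structured data -> bytes suitable for network transfer.
    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Step 3 / step 7: bytes -> structured form, but only for classes on the
    // allowlist; the filter is consulted for every class descriptor in the
    // stream (super-classes included) before that class is instantiated.
    static Object deserialise(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Step 4: the local method call on the server.
    static int distanceSquared(Point p) { return p.x * p.x + p.y * p.y; }

    public static void main(String[] args) throws Exception {
        // Allowlist: the parameter class, the return value's class and its
        // serialisable super-class; the trailing !* rejects everything else.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "Point;java.lang.Integer;java.lang.Number;!*");

        // Client side: serialise the actual parameter (steps 1-2).
        byte[] request = serialise(new Point(3, 4));
        // Server side: deserialise under the filter, evaluate, serialise result (steps 3-6).
        Point p = (Point) deserialise(request, allowlist);
        byte[] reply = serialise(Integer.valueOf(distanceSquared(p)));
        // Client side: deserialise the return value (step 7).
        int result = (Integer) deserialise(reply, allowlist);
        System.out.println("distanceSquared = " + result);

        // A class outside the allowlist (constructed example) is rejected with
        // InvalidClassException before its deserialisation code runs.
        byte[] rogue = serialise(new java.util.ArrayList<String>());
        try {
            deserialise(rogue, allowlist);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The allowlist is the practical counterpart of the class-table invariants discussed later in the talk: the server decides up front which classes a deserialisation step may introduce into its class table, rather than letting the bytes on the wire decide.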
Our model of RMI
• We model serialisation
• Method call = message passing
(figure: sequence diagram with a Time axis and a Network Boundary)

Code Mobility Primitives – Freezing
A frozen closure (figure) carries:
• Code
• Parameter
• Classes
• Environment (variables/objects) the closure depends upon
• Fresh names for the identifiers appearing free in this closure
• The name (IP address) of the location that created this closure

Code Mobility Primitives – Defrosting
• Formal parameter x is replaced with actual parameter v
• Much like calling a method
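The call-aggregation optimisation from the earlier slides and the freeze/defrost mechanics from these two slides, written out as an added example in plain Java (this is not code from the DJ project, and DJ's own `freeze`/`defrost` primitives are not available in Java). Assumptions: the page's `RemoteObject` is the `Service` interface below; the frozen closure is a serialisable lambda of the hypothetical `Task` type, whose captured environment (the `int a`) travels by value; defrosting is the server applying the closure to its own object, so the three calls inside it run locally. For a real deployment `ServiceImpl` would extend `java.rmi.server.UnicastRemoteObject` and the client would obtain a stub from the registry; here the "remote" object is called in-process so the example runs offline.

```java
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;

// Added illustration, not code from the DJ project: call aggregation expressed
// with plain Java RMI interfaces and a serialisable task standing in for DJ's closure.

// The remote service (the page's RemoteObject). In real RMI the client holds a stub.
interface Service extends Remote {
    int f(int a) throws RemoteException;
    int g(int a, int x) throws RemoteException;
    int h(int a, int y) throws RemoteException;
    // Aggregated entry point: the server evaluates the shipped closure locally.
    int run(Task t) throws RemoteException;
}

// The "frozen" closure. Extending Serializable makes lambdas targeting this
// interface serialisable, so the captured environment is sent by value.
interface Task extends Serializable {
    int call(Service local) throws RemoteException;
}

class ServiceImpl implements Service {
    public int f(int a) { return a + 1; }
    public int g(int a, int x) { return a * x; }
    public int h(int a, int y) { return y - a; }
    // "defrost": apply the closure to the server's own object, so the three
    // calls inside it are local method calls rather than remote ones.
    public int run(Task t) throws RemoteException { return t.call(this); }
}

public class CallAggregation {
    // Original client code: three remote round trips; x and y never matter
    // to the client.
    static int m1(Service r, int a) throws RemoteException {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

    // Aggregated client code: one round trip carrying the closure.
    // "freeze": the lambda captures a; the Service it runs against is its parameter.
    static int m1Aggregated(Service r, int a) throws RemoteException {
        Task t = local -> {
            int x = local.f(a);
            int y = local.g(a, x);
            int z = local.h(a, y);
            return z;
        };
        return r.run(t);
    }

    public static void main(String[] args) throws RemoteException {
        // Constructed in-process stand-in for the exported remote object.
        Service r = new ServiceImpl();
        int a = 3;
        System.out.println("original:   " + m1(r, a));
        System.out.println("aggregated: " + m1Aggregated(r, a));
    }
}
```

Both paths compute the same value, which is what the talk's semantics-preservation result guarantees for the transformation; the difference is only in how many messages cross the network boundary.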
Runtime relationships
(figure: Serialisation / Deserialisation, RMI, Freeze, Defrost, Instantiation (new C), Class downloading)
In DJ, code mobility is a generalisation of serialisation

Network Invariants and Typing
• Network invariants ensure type safe code mobility
• Model features that are hard to capture by typing rules alone

Invariants – Properties
• A property Ψ is a subset of the set of all networks
• A network invariant is just a special kind of property
  • It has some initial conditions, Ψ0
  • It is reduction closed
(figure: Ψ0 inside Ψ inside the set of all networks)
Invariants (Class Availability)
• We have lots (17)

Invariants (Locality)
• We have lots (17)

Invariants (Channel Linearity)
• We have lots (17)

Invariants (Closures and Locks)
• We have lots (17)

Invariants – Examples
• new C always succeeds
  • All super-classes of C are present in local class table
• Fields are never accessed remotely
  • Java RMI is implemented as a proxy pattern
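The class-availability invariant from the first example, made concrete as an added illustration (not from the DJ paper): a JVM's class table is modelled as a map from class name to super-class name, `newSucceeds` is the invariant "C and all its super-classes are present locally", and `downloadNeeded` shows what class downloading must fetch so that the invariant is re-established after a deserialisation step, which is what makes it reduction closed. The class names and the remote class table are constructed sample data.

```java
import java.util.*;

// Added illustration, not from the DJ paper: the class-availability invariant
// "new C succeeds only if C and all its super-classes are in the local table".
public class ClassAvailability {
    // Local class table of one JVM: class name -> super-class name (null for Object).
    static final Map<String, String> table = new HashMap<>();

    static void install(String name, String superName) { table.put(name, superName); }

    // The invariant for one class: every link of the super-class chain is local.
    static boolean newSucceeds(String c) {
        String cur = c;
        while (cur != null) {
            if (!table.containsKey(cur)) return false;   // missing: new C would fail
            cur = table.get(cur);
        }
        return true;
    }

    // Deserialising a value of class C may download C from the sender's class
    // table; to keep the invariant, the missing super-classes must come too.
    static List<String> downloadNeeded(String c, Map<String, String> remoteTable) {
        List<String> missing = new ArrayList<>();
        String cur = c;
        while (cur != null && !table.containsKey(cur)) {
            if (!remoteTable.containsKey(cur)) throw new IllegalStateException("unknown " + cur);
            missing.add(cur);
            cur = remoteTable.get(cur);
        }
        return missing;
    }

    public static void main(String[] args) {
        install("java.lang.Object", null);
        install("Shape", "java.lang.Object");

        // Constructed class table of the remote JVM that sends a Triangle.
        Map<String, String> remote = new HashMap<>();
        remote.put("Shape", "java.lang.Object");
        remote.put("Polygon", "Shape");
        remote.put("Triangle", "Polygon");

        System.out.println("new Shape ok?    " + newSucceeds("Shape"));
        System.out.println("new Triangle ok? " + newSucceeds("Triangle"));
        // Class downloading installs Triangle and Polygon (Shape is already local).
        for (String c : downloadNeeded("Triangle", remote)) install(c, remote.get(c));
        System.out.println("after class downloading, new Triangle ok? " + newSucceeds("Triangle"));
    }
}
```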
Properties of the typing system
• Theorem (Subject Reduction)
• Corollary (Network Invariant)
• Theorem (Progress, locality and linearity)

Correctness of Optimisations
• Lightweight transformation rules
• Non-interference property
• Semantics preserving optimisation

Transformation Rules
(figure callouts: "We can inline this, modulo some details"; "Return point for a method call"; "Uncomputed expression to return")

Non-Interference [Reynolds 1978]
Definition (Non-interference)
(figure: reduction diagram over networks N, N1, N2 and N')

Semantic Preservation
Lemma (Contextual Equivalence)
(figure: optimised code N' in place of N inside a context)

Properties of Transformation
Theorem
• Type preservation
By previous Lemma and this Theorem
Original Code

    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

Optimised Code (by Theorem)

    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }
Conclusion
• DJ: first formalisation of Java RMI
• Introduction of first class functions to Java
  • May appear in C# 3.0
• New proof method for type safety of distributed programs using network invariants
• New method for showing the correctness of optimisations for distributed programs using semantics-preserving transformations

Conclusion – Future Work
• http://dj-project.sourceforge.net/
• Full version of this work
• Prototype implementation of DJ using Polyglot Compiler Framework (Cornell University)
• Prove correctness of translation from DJ to Java
• Code generation
• Cost modelling
• Types for access control and security

Related Work
• Class loading
  • Liang & Bracha (1998)
  • Drossopoulou & Eisenbach (2002)
  • Krintz et al (1999)
• Distributed Objects
  • Obliq
  • Emerald
• Staged and meta-programming
  • MetaML
  • Jumbo
  • Meta-AspectJ

Observational Congruence
• Reduction closed
• Respects an observational predicate
We choose to observe remote method return:
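The two bullets name the standard ingredients of a reduction-based congruence; the formulation below is added here as a worked statement of them and is not a transcription of the slide. The symbols are assumptions: $N, M$ range over networks, $\rightarrow$ is network reduction with $\rightarrow^*$ its reflexive transitive closure, $C[\cdot]$ is a network context, and $N \Downarrow$ is the observational predicate (here: $N$ can reach a state in which some remote method returns).

A relation $\mathcal{R}$ on networks is reduction closed if
$$N \;\mathcal{R}\; M \;\wedge\; N \rightarrow N' \;\Rightarrow\; \exists M'.\; M \rightarrow^* M' \;\wedge\; N' \;\mathcal{R}\; M'$$
and respects the observational predicate if
$$N \;\mathcal{R}\; M \;\wedge\; N \Downarrow \;\Rightarrow\; M \Downarrow .$$
The observational congruence $\cong$ is then the largest symmetric relation that is reduction closed, respects $\Downarrow$, and is preserved by contexts, i.e. $N \cong M$ implies $C[N] \cong C[M]$ for every context $C[\cdot]$. Showing that the optimised network $N'$ stands in this relation to the original $N$ is what the contextual-equivalence lemma and semantic-preservation result above establish.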
Our model of RMI
(figure: sequence diagram with a Time axis and a Network Boundary)
1. Client makes a remote call
2. Therefore, serialise parameter, call it v'
3. Now, deserialise parameter for call
4. Make local call
5. Serialise the return value, call it r'
6. Deserialise and return to caller

Non-Interference
Definition (Non-interference)
(figure: reduction diagram over networks N, N1, N2 and N', with N1 ≡ N2)