Safe and predictable dynamic software updating

To dynamically update an operating system, a new factory object may have one or more new and/or updated object instances. An operating system is the first piece of software that a computer executes when the computing device is turned on.

1. A signal bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform operations to dynamically update an operating system, the operations comprising: loading a new factory object, where a factory object is configured to create object instances and to maintain object instances generated by the factory; executing a dynamic update procedure that comprises: changing a factory reference pointer within the operating system from the old factory object to the new factory object; and for each old object instance maintained by the old factory object: using the new factory object to create a new object instance; transferring state information from the old object instance to the new object instance; and deleting the old object instance; and in response to completion of the dynamic update procedure, removing the old factory object.

2. The signal bearing medium of claim 1, wherein the new factory object comprises a new object, the operations further comprising enabling invocations of the new object through the new factory object.

3. The signal bearing medium of claim 1, wherein, for the case where a data format of an old object instance is not identical to that of its corresponding new object instance, transferring state information comprises copying a data structure of the old object instance via a common intermediate format to the new object instance.

4. The signal bearing medium of claim 1, wherein, for the case where a data format of an old object instance is identical to that of its corresponding new object instance, transferring state information comprises resetting a pointer between the old object instance and an underlying data structure used by the old object instance to point from the corresponding new object instance to the underlying data structure, and wherein removing the old object instance does not comprise deleting the underlying data structure.

5. The signal bearing medium of claim 4, wherein transferring state information does not comprise making a copy of the underlying data structure.

6. The signal bearing medium of claim 1, further comprising determining when at least one of the old object instances reaches a safe point prior to changing the factory reference pointer.

7. The signal bearing medium of claim 6, wherein determining when the old object instance reaches a safe point further comprises blocking new invocations of the old object instance.

8. The signal bearing medium of claim 1, wherein the operating system is dynamically updated without rebooting.

9. The signal bearing medium of claim 1, further comprising an embodied kernel module loader program that downloads the machine-readable instructions into a kernel of the operating system and initiates the steps of the dynamic update procedure.

10. The signal bearing medium of claim 1, where the operations further comprise determining that a version of a corresponding old factory object is compatible with the new factory object.

11. The signal bearing medium of claim 1, where the dynamic update procedure further comprises: tracking incoming calls to the old factory object; in response to all pending calls to the old factory object being tracked, suspending subsequent calls to the old factory object; and, in response to determining that all pending calls to the old factory object are complete, determining that the old factory object is quiescent, where setting the pointer is performed when the old factory object is quiescent; and forwarding the suspended subsequent calls to the new factory object.

12. The signal bearing medium of claim 1, where the dynamic update procedure further comprises: tracking incoming calls to the old object instance; in response to all pending calls to the old object instance being tracked, suspending subsequent calls to the old object instance; in response to determining that all pending calls to the old object instance are complete, determining that the old factory object is quiescent; and in response to transferring state information, forwarding the suspended subsequent calls to the new object instance.

13. A method of dynamically updating an operating system comprising: loading a new factory object, where a factory object is configured to create object instances and to maintain object instances generated by the factory; executing a dynamic update procedure that comprises: setting a pointer that goes between a factory reference and the old factory object to go between the factory reference and the new factory object; and for each old object instance maintained by the old factory object: using the new factory object to create a new object instance; establishing a safe point for the old object instance; transferring state information from the old object instance to the new object instance; and deleting the old object instance; and in response to completion of the dynamic update procedure, deleting the old factory object.

14. The method of claim 13, further comprising updating a kernel of the operating system by relating indeterminate references to either or both of kernel symbols or library routines, the indeterminate references present in a kernel update module, to at least one object translation table without rebooting the operating system.

15. The method of claim 13, wherein the new factory object comprises at least one additional object instance and at least one new object instance, where said additional object instance is of a different class than each of the new object instances.

16. The method of claim 13, wherein, for the case where the old object instance exhibits an identical data format as its corresponding new object instance, transferring state information comprises resetting a pointer between the old object instance and an underlying data structure used by the old object instance to go between the new object instance and the underlying data structure, and deleting the old object instance comprises deleting only that portion of the old object instance that is not the underlying data structure.

17. The method of claim 13, wherein establishing, transferring, and deleting are executed for each of the updated object instances separately.

18. The method of claim 13, wherein establishing, changing, transferring, and deleting are executed for each of the new object instances in parallel in a multi-user operating system environment.

19. The method of claim 13, wherein establishing a safe point comprises blocking new access to the old object instance and determining when all existing access threads to the old object instance are terminated.

20. The method of claim 13, wherein establishing a safe point and transferring are done separately for at least two old object instances for the case where the computer comprises a multi-user environment.
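As an added illustration (not code from the patent, nor from the K42 project the page refers to), the following C++ sketch models the update procedure the claims describe: a factory reference pointer swap that waits for quiescence, calls that are tracked from entry to completion and suspended once an update has been requested (the mechanism of claims 11 and 12), state carried from the old instance into a new instance with a different data layout via a common intermediate format (claim 3), and the suspended calls forwarded to the new instance once the swap is done. All class and function names (Object, Factory, VersionedFactory, UpdateManager, beginCall/completeCall, the SumV1/SumV2 sample objects) are assumptions made for this example; the "next version" rule in requestUpdate stands in for the compatibility determination of claim 10, whose actual criteria the page does not specify.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Common intermediate format (claim 3): a flat name/value map that both the
// old and the new object layouts can be converted to and from. (Example code.)
using IntermediateState = std::map<std::string, long>;

struct Object {
    virtual ~Object() = default;
    virtual long handle(long arg) = 0;                         // the service call
    virtual IntermediateState exportState() const = 0;         // layout -> intermediate
    virtual void importState(const IntermediateState& s) = 0;  // intermediate -> layout
};
struct Factory {
    virtual ~Factory() = default;
    virtual int version() const = 0;
    virtual std::unique_ptr<Object> create() = 0;
};
template <class Impl, int V> struct VersionedFactory : Factory {
    int version() const override { return V; }
    std::unique_ptr<Object> create() override { return std::make_unique<Impl>(); }
};

// Old implementation: a running sum kept in a single field.
struct SumV1 : Object {
    long sum = 0;
    long handle(long arg) override { return sum += arg; }
    IntermediateState exportState() const override { return {{"sum", sum}}; }
    void importState(const IntermediateState& s) override { sum = s.at("sum"); }
};
// New implementation with a different layout (sum plus a call counter), so the
// state has to go through the intermediate format instead of a pointer reset.
struct SumV2 : Object {
    long sum = 0, calls = 0;
    long handle(long arg) override { ++calls; return sum += arg; }
    IntermediateState exportState() const override { return {{"sum", sum}, {"calls", calls}}; }
    void importState(const IntermediateState& s) override {
        sum = s.at("sum");
        calls = s.count("calls") ? s.at("calls") : 0;  // the old layout has no counter
    }
};
using FactoryV1 = VersionedFactory<SumV1, 1>;
using FactoryV2 = VersionedFactory<SumV2, 2>;

// Owns the factory reference pointer and one maintained instance. Calls are
// tracked from entry to completion, calls arriving after an update request are
// suspended, and the swap runs only once no tracked call is pending (quiescence).
class UpdateManager {
public:
    static constexpr int kSuspended = -1;
    explicit UpdateManager(std::unique_ptr<Factory> f)
        : factory_(std::move(f)), instance_(factory_->create()) {}
    // Tracked entry: returns a call id, or kSuspended if the call was queued.
    int beginCall(long arg) {
        if (newFactory_) { suspended_.push_back(arg); return kSuspended; }
        pending_[nextId_] = arg;
        return nextId_++;
    }
    // Tracked completion: the last pending call of an update in progress
    // brings the old instance to its safe point, so the swap runs here.
    long completeCall(int id) {
        long result = instance_->handle(pending_.at(id));
        pending_.erase(id);
        if (newFactory_ && pending_.empty()) performSwap();
        return result;
    }
    // Request an update; the compatibility check is modelled as "the new factory
    // is the next version" (an assumption). The swap itself waits for quiescence.
    bool requestUpdate(std::unique_ptr<Factory> nf) {
        if (newFactory_ || nf->version() != factory_->version() + 1) return false;
        newFactory_ = std::move(nf);
        if (pending_.empty()) performSwap();
        return true;
    }
    int factoryVersion() const { return factory_->version(); }
    IntermediateState state() const { return instance_->exportState(); }

private:
    void performSwap() {
        std::unique_ptr<Factory> oldFactory = std::move(factory_);
        factory_ = std::move(newFactory_);                   // change the factory reference pointer
        std::unique_ptr<Object> fresh = factory_->create();  // new factory creates the replacement
        fresh->importState(instance_->exportState());        // old -> intermediate -> new
        instance_ = std::move(fresh);                        // old instance deleted here
        for (long arg : suspended_) instance_->handle(arg);  // forward the held calls
        suspended_.clear();
        oldFactory.reset();                                  // old factory removed on completion
    }
    std::unique_ptr<Factory> factory_, newFactory_;
    std::unique_ptr<Object> instance_;
    std::map<int, long> pending_;  // tracked calls not yet completed
    std::vector<long> suspended_;  // calls held back during the update
    int nextId_ = 0;
};

int main() {
    UpdateManager m(std::make_unique<FactoryV1>());
    int b = m.beginCall(7);                                  // in flight during the request
    m.requestUpdate(std::make_unique<FactoryV2>());          // deferred while b is pending
    int c = m.beginCall(100);                                // suspended until the swap
    std::printf("b -> %ld, c suspended=%d, version=%d, sum=%ld\n", m.completeCall(b),
                c == UpdateManager::kSuspended, m.factoryVersion(), m.state().at("sum"));
}
```

In a real kernel the entry/exit tracking would sit in the call path itself rather than in an explicit beginCall/completeCall pair, and the identical-layout case of claim 4 would reset the new instance's pointer to the existing underlying data structure instead of exporting and importing it; the sketch keeps only the non-identical path so that the intermediate-format transfer is visible.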

This may be performed for multiple updated object instances in the new factory object, preferably each separately. For the case of new object instances, they are created by the new factory and pointers are established to invoke them.

It then provides those resources to other applications that the user wants to execute. Typical services that an operating system provides include a task scheduler, a memory manager, a disk manager, a network manager, other I/O services manager, and a security manager. The core operating system functions, the management of the computer system, lie in what is termed the kernel of the operating system in a traditional computer architecture.

References cited (recovered from the page; several entries are incomplete):

Ganger, Orran Krieger, Michael Stumm, Marc Auslander, Michal Ostrowski, Bryan Rosenburg, Jimi Xenidis, "System Support for Online Reconfiguration", Proceedings of USENIX 2003, pp.

Baumann, Kerr, Appavoo, Da Silva, Krieger, Wisniewski, "Module Hot-Swapping for Dynamic Update and Reconfiguration in K42", Apr.

Shalloway and Trott, "Design Patterns Explained: A New Perspective on Object-Oriented Design, Second Edition", Oct.

1998, Proceedings of the USENIX Annual Technical Conference (NO98), New Orleans, Louisiana, 13 pgs.

et al., "Optimistic Incremental Specialization: Streamlining a Commercial Operating System", 11 pgs.

et al., "Mutatis mutandis: Safe and Predictable Dynamic Software Updating", Jan. 12-14, 2005, POPL '05, Long Beach, California, 12 pgs.

As mentioned, the Appavoo publication and the works discussed therein describe how to hot-swap an individual object. Other approaches are limited to performing an upgrade on single-threaded user-space applications.

For a true dynamic upgrade, all objects of a given class need to be swapped. What is needed is a dynamic upgrade approach that is scalable for both upgraded objects and new objects, for both single CPU computer systems and those with hypervisors and multiple instances of operating systems, that has the capability to track objects and to dynamically upgrade all objects of a particular type in a running operating system, without the need to shut down or reboot that operating system.
