Formalising Java RMI with Explicit Code Mobility
Alexander Ahern, Nobuko Yoshida
Department of Computing, Imperial College London
Motivation
Distribution is important to modern object-oriented programming
Yet, existing formalisms are insufficient:
- Single location
- No modelling of distributed runtime
DJ – Distributed Java
First formalisation of Java RMI
New primitives for type-safe code mobility
A novel proof technique for type safety of distributed programs
Proof of correctness of several RMI optimisations
Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]
    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }
[Figure: Client / Server]
x and y are dead from the client’s point of view
Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]
    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }
    // Server
    int run((unit -> int) x) {
        return defrost(x);
    }
[Figure: Client / Server]
DJ – Model
DJ = Java + distribution + new primitives and types
    e ::= freeze(T x) { e } | defrost(e, e) | …
    T ::= T -> T | …
freeze: creates a closure
defrost: evaluates a closure
T -> T: a new arrow type for closures
Runtime Syntax
We require lots of syntax
Don’t worry! You don’t need to remember this!
Networks
[Figure: JVMs]
Virtual machines communicate by Remote Method Invocations
Networks consist of zero or more JVMs executing in parallel
Each machine keeps a table of classes, and has a private memory
Remote Method Invocation
Nature of parameters affects the nature of remote calls
If a parameter is not a subtype of java.rmi.Remote, then it is passed by value
For object parameters, this requires object serialisation
This is the conversion of structured data into an array of bytes suitable for network transfer
We model all of these features in DJ
Remote Method Invocation
[Figure: Network]
Bytes are transferred to the server
Deserialise bytes into structured form
Evaluate local method call
Serialise return value
Serialise actual parameters
Bytes transferred to the client
Return value deserialised, returned to caller
Deserialisation can trigger class downloading
Our model of RMI
[Figure labels: Time, Network Boundary]
We model serialisation
Method call = message passing
Code Mobility Primitives - Freezing
Parameter
Code
Fresh names for the identifiers appearing free in this closure
The name (IP address) of the location that created this closure
Environment (variables/objects) the closure depends upon
Classes
Code Mobility Primitives - Defrosting
Formal parameter x is replaced with actual parameter v
Much like calling a method
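An added example (not from the slides or the DJ project) that emulates the aggregated `r.run(t)` call in plain Java inside one JVM, walking the serialise, deserialise, local call and return steps of the RMI slides: a serialisable lambda stands in for `freeze`, and applying it to the server's object stands in for `defrost(e, e)`. The `Service` class and its method bodies, the `Frozen` interface and the round-trip counter are assumptions made for illustration; unlike the slide's `unit -> int` closure, the closure here takes the server object as its parameter.

```java
import java.io.*;
import java.util.function.Function;

public class CallAggregationDemo {
    // Hypothetical stand-in for the server object behind RemoteObject r.
    static class Service {
        int f(int a) { return a + 1; }
        int g(int a, int x) { return a * x; }
        int h(int a, int y) { return y - a; }
    }

    // Serialisable closure type, playing the role of DJ's arrow type T -> T.
    interface Frozen<T, R> extends Function<T, R>, Serializable {}
    static int roundTrips = 0; // simulated crossings of the network boundary

    static byte[] serialise(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object deserialise(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return in.readObject();
        }
    }

    // Server side of r.run(t): deserialise, apply to the local object ("defrost"), serialise result.
    @SuppressWarnings("unchecked")
    static byte[] run(byte[] wire, Service local) throws IOException, ClassNotFoundException {
        roundTrips++;
        Frozen<Service, Integer> t = (Frozen<Service, Integer>) deserialise(wire);
        return serialise(t.apply(local));
    }

    // Client side of m1: build the closure ("freeze", capturing a), ship it, read one result back.
    static int m1(Service server, int a) throws IOException, ClassNotFoundException {
        Frozen<Service, Integer> t = r -> {
            int x = r.f(a);
            int y = r.g(a, x);
            return r.h(a, y);
        };
        return (Integer) deserialise(run(serialise(t), server));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("z = " + m1(new Service(), 5) + ", round trips = " + roundTrips);
    }
}
```

In plain Java the closure deserialises only because `CallAggregationDemo`, the class that defined the lambda, is already loaded by the receiver, whereas the Freezing slide lists Classes as part of the frozen closure itself. The receiver also runs whatever body the sender froze, so `run` is a point where the server executes client-supplied code.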
Runtime relationships
RMI Serialisation / Deserialisation
Defrost
Class downloading
Freeze
Instantiation (new C)
In DJ, code mobility is a generalisation of serialisation
Network Invariants and Typing
Network invariants ensure type safe code mobility
Model features that are hard to capture by typing rules alone
Invariants – Properties
A property Ψ is a subset of the set of all networks
A network invariant is just a special kind of property
It has some initial conditions, Ψ0
It is reduction closed
[Figure: All networks, Ψ, Ψ0]
Invariants (Class Availability)
We have lots (17)
Invariants (Locality)
We have lots (17)
Invariants (Channel Linearity)
We have lots (17)
Invariants (Closures and Locks)
We have lots (17)
Invariants – Examples
new C always succeeds
All super-classes of C are present in local class table
Fields are never accessed remotely
Java RMI is implemented as a proxy pattern
Properties of the typing system
Theorem (Subject Reduction)
Theorem (Progress, locality and linearity)
Corollary (Network Invariant)
Correctness of Optimisations
Lightweight transformation rules
Non-interference property
Semantics preserving optimisation
Transformation Rules
Return point for a method call
Uncomputed expression to return
We can inline this, modulo some details
Non-Interference [Reynolds 1978]
Definition (Non-interference)
[Figure: N, N1, N2, N’]
Semantic Preservation
Lemma (Contextual Equivalence)
[Figure: N and N’, labelled Context and Optimised code]
Properties of Transformation
Theorem
By previous Lemma and this Theorem
Type preservation
By Theorem
Original Code
    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }
Optimised Code
    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }
Conclusion
DJ: first formalisation of Java RMI
Introduction of first class functions to Java
May appear in C# 3.0
New proof method for type safety of distributed programs using network invariants
New method for showing the correctness of optimisations for distributed programs using semantics-preserving transformations
Conclusion – Future Work
http://dj-project.sourceforge.net/
Full version of this work
Prototype implementation of DJ using Polyglot Compiler Framework (Cornell University)
Prove correctness of translation from DJ to Java
Code generation
Cost modelling
Types for access control and security
Related Work
Class loading: Liang & Bracha (1998), Drossopoulou & Eisenbach (2002), Krintz et al (1999)
Distributed Objects: Obliq, Emerald
Staged and meta-programming: MetaML, Jumbo, Meta-AspectJ
Observational Congruence
Reduction closed
Respects an observational predicate
We choose to observe remote method return:
Our model of RMI
[Figure labels: Time, Network Boundary]
Therefore, serialise parameter, call it v’
Now, deserialise parameter for call
Make local call
Serialise the return value, call it r’
Deserialise and return to caller
Client makes a remote call
Non-Interference
Definition (Non-interference)
[Figure: two diagrams, one over N, N1, N2, N’ and one over N, N1, N2 with ≡]