A Formal Study of Backward Compatible Dynamic Software Updates

Abstract

We study the dynamic software update problem for programs interacting with an environment that is not necessarily updated. We argue that such updates should be backward compatible. We propose a general definition of backward compatibility and cases of backward compatible program update. Based on our detailed study of real world program evolution, we propose classes of backward compatible update for interactive programs, which are included at an average of 32 % of all studied program changes. The definitions of update classes are parameterized by our novel framework of program equivalence, which generalizes existing results on program equivalence to non-terminating executions. Our study of backward compatible updates is based on a typed extension of W language.

Appendices

Proof Rule for Behavioral Equivalence

We show the formal proof rule for behavioral equivalence. The output sequence produced in executions of a statement sequence S depends on values of a set of variables in the program, the output deciding variables \(\text {OVar}(S)\). The output deciding variables are of two parts: \(\text {TVar}_o(S)\) are variables affecting the termination of executions of a statement sequence; \(\text {Imp}_o(S)\) are variables affecting values of the I/O sequence produced in executions of a statement sequence. We show the definition of \(\text {TVar}_o(S)\), \(\text {Imp}_o(S)\) and \(\text {OVar}(S)\) in order.

Definition 10

(Imported Variables Relative to Output). The imported variables in one program S relative to output, written \(Imp_o(S)\), are listed as follows:

1. 1.

   \(Imp_o(S) = \{{id}_{IO}\}\), if \((\forall e\,:\, ``output\,e\)” \(\notin S)\);

2. 2.

   \(Imp_o(``output\,e\)”) = \(\{{id}_{IO}\} \cup Use(e)\);

3. 3.

   \(Imp_o(``If\,(e)\,then\,\{S_t\}else\,\{S_f\}\)”) \(= Use(e) \cup Imp_o(S_t) \cup Imp_o(S_f)\) if \((\exists e\,:\, ``output\,e\)” \(\in S)\);

4. 4.

   \(Imp_o(``while_{\langle n\rangle }(e)\{S''\}\)”) \(= Imp(``while_{\langle n\rangle }(e)\{S''\}\)”, \(\{{id}_{IO}\}) if (\exists e\,:\, ``output\,e\)” \(\in S'')\);

5. 5.

   For \(k>0\), \(Imp_o(s_1;...;s_k;s_{k+1}) = Imp(s_1;...;s_k, Imp_o(s_{k+1})) if (\exists e\,:\, ``output\,e\)” \(\in s_{k+1})\);

6. 6.

   For \(k>0\), \(Imp_o(s_1;...;s_k;s_{k+1}) = Imp_o(s_1;...;s_k) if (\forall e\,:\, ``output\,e\)” \(\notin s_{k+1})\);

Definition 11

(Termination Deciding Variables Relative to Output). The termination deciding variables in a statement sequence S relative to output, written \(TVar_o(S)\), are listed as follows:

1. 1.

   \(TVar_o(S) = \emptyset \,\,if\,\,(\forall e\,:\, ``output\,e\)” \(\notin S)\);

2. 2.

   \(TVar_o(``output\,e\)”) \(= Err(e)\);

3. 3.

   \(TVar_o(``If\,(e)\,then\,\{S_t\}else\,\{S_f\}\)”)\(\,\, = Use(e) \cup TVar_o(S_t) \cup TVar_o(S_f)if\,\,(\exists e\,:\, ``output\,e\)” \(\in S)\);

4. 4.

   \(TVar_o(``while(e)\{S''\}\)”) \(= TVar(``while(e)\{S''\}\)”) \(if\,\,(\exists e\,:\, ``output\,e\)” \(\in S'')\);

5. 5.

   For \(k>0\), \(TVar_o(s_1;...;s_k;s_{k+1}) = TVar(s_1;...;s_k)\)

   \(\cup Imp(s_1;...;s_k, TVar_o(s_{k+1}))\,\,if\,\,\)(\(\exists e\,:\, ``output\,e\)” \(\in s_{k+1})\);

6. 6.

   For \(k>0\), \(TVar_o(s_1;...;s_k;s_{k+1}) = TVar_o(s_1;...;s_k)\,\,if\,\,\)(\(\forall e\,:\, ``output\,e\)” \(\notin s_{k+1})\);

Definition 12

(Output Deciding Variables). The out-deciding variables in a statement sequence S are \(Imp_o(S) \cup TVar_o(S)\), written OVar(S).

The condition of the same output sequence is defined recursively. The base case is for two same output statements or two statements where the output sequence variable is not defined. The inductive cases are syntax directed considering the syntax of compound statements and statement sequences.

Definition 13

(Proof Rule for Behavioral Equivalence). Two statement sequences \(S_1\) and \(S_2\) satisfy the condition of the same output sequence, written \(S_1 \equiv _{O}^S S_2\), iff one of the following holds:

1. 1.

   \(S_1\) and \(S_2\) are one statement and one of the following holds:

   1. (a)

      \(S_1\) and \(S_2\) are simple statement and one of the following holds:

      1. i.

         \(S_1\) and \(S_2\) are not output statement, \(\forall e_1\, e_2\,:\, (``output\,{e_1}\)” \(\ne S_1) \wedge (``output\,{e_2}\)” \(\ne S_2)\); or

      2. ii.

         \(S_1 = S_2 = ``output\,e\)”.

   2. (b)

      \(S_1 = ``If\,(e)\,then\,\{S_1^t\} else\,\{S_1^f\}\)”, \(S_2 = ``If\,(e)\,then\,\{S_2^t\} else\,\{S_2^f\}\)” and all of the following hold:

      • There is an output statement in \(S_1\) and \(S_2\),

        \(\exists e_1\, e_2\,:\, (``output\,{e_1}\,\)” \(\in S_1) \wedge (``output\,e_2\)” \(\in S_2)\);

      • \((S_1^t \equiv _{O}^S S_2^t) \wedge (S_1^f \equiv _{O}^S S_2^f)\);

   3. (c)

      \(S_1 = ``while_{\langle n_1 \rangle }(e) \; \{S_1''\}\)” and \(S_2 = ``while_{\langle n_2 \rangle }(e) \; \{S_2''\}\)” and all of the following hold:

      • There is an output statement in \(S_1\) and \(S_2\),

        \(\exists e_1\, e_2\,:\, (``output\,e_1\)” \(\in S_1) \wedge (``output\,e_2\)” \(\in S_2)\);

      • \(S_1'' \equiv _{O}^S S_2''\);

      • \(S_1''\) and \(S_2''\) have equivalent computation of \(OVar(S_1) \cup OVar(S_2)\);

      • \(S_1''\) and \(S_2''\) satisfy the proof rule of termination in the same way, \(S_1'' \equiv _{H}^S S_2''\);

   4. (d)

      Output statements are not in both \(S_1\) and \(S_2\),

      \(\forall e_1\,e_2\,:\, (``output\,e_1\)” \(\notin S_1) \wedge (``output\,e_2\)” \(\notin S_2)\).

2. 2.

   \(S_1\) and \(S_2\) are not both one statement and one of the following holds:

   1. (a)

      \(S_1=S_1';s_1\) and \(S_2=S_2';s_2\), and all of the following hold:

      • \(S_1' \equiv _{O}^S S_2'\);

      • \(S_1'\) and \(S_2'\) have equivalent computation of \(OVar(s_1) \cup OVar(s_2)\);

      • \(S_1'\) and \(S_2'\) satisfy the proof rule of termination in the same way: \(S_1' \equiv _{H}^S S_2'\);

      • There is an output statement in both \(s_1\) and \(s_2\), \(\exists e_1\, e_2\,:\, (``output\,e_1\)” \(\in s_1) \wedge (``output\,e_2\)” \(\in s_2)\);

      • \(s_1 \equiv _{O}^S s_2\);

   2. (d)

      There is no output statement in the last statement in \(S_1\) or \(S_2\):

      \(\big ((S_1 = S_1';s_1) \wedge (S_1' \equiv _{O}^S S_2) \wedge (\forall e\,:\, ``output\,e\)” \(\notin s_1)\big )\)

      \(\vee \big ((S_2 = S_2';s_2) \wedge (S_1 \equiv _{O}^S S_2') \wedge (\forall e\,:\, ``output\,e\)” \(\notin s_2)\big )\);

Backward Compatible Update Classes

Please refer to our technical report [31] for the proof rules for real world update classes.

Appendix: Formal Programming Language

Please refer to our technical report [31] for the small step operational semantics of our formal language.