Formalising Java RMI with Explicit Code Mobility

Post on 09-Feb-2016


Formalising Java RMI with Explicit Code Mobility
Alexander Ahern
Nobuko Yoshida
Department of Computing
Imperial College London

2

Motivation

Distribution is important to modern object-oriented programming

Yet, existing formalisms are insufficient:
  Single location
  No modelling of distributed runtime

3

DJ – Distributed Java

First formalisation of Java RMI
New primitives for type-safe code mobility
A novel proof technique for type safety of distributed programs
Proof of correctness of several RMI optimisations

4

Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]

    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

[Diagram labels: Client, Server]

x and y are dead from the client’s point of view

5

Call Aggregation [Bogle & Liskov 1994, Yeung & Kelly 2003]

    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }

    // Server
    int run((unit -> int) x) {
        return defrost(x);
    }

[Diagram labels: Client, Server]
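The saving shown on these two slides, sketched in plain Java as an added example (not the authors' code and not DJ itself): a serializable lambda stands in for freeze, invoking it on the server side stands in for defrost, and an in-process byte-array round trip stands in for the network. Server, Stub, Thunk, ship, wire and the bodies of f, g and h are all constructed for illustration.

```java
import java.io.*;

public class CallAggregationDemo {
    // Constructed stand-in for the slides' RemoteObject; bodies of f, g, h are arbitrary.
    static class Server {
        int f(int a) { return a + 1; }
        int g(int a, int x) { return a * x; }
        int h(int a, int y) { return y - a; }
    }
    // Plays the role of (unit -> int): code plus captured environment, passed by value.
    interface Thunk extends Serializable { int run(Server local); }
    static int roundTrips = 0;

    // Model of the network boundary: serialise to bytes, then deserialise.
    static Object ship(Object v) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(v); }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }
    static int wire(int v) throws Exception { return (Integer) ship(v); }

    // Proxy for the remote object: each method is one request/response pair.
    static class Stub {
        private final Server target = new Server();
        int f(int a) throws Exception { roundTrips++; return wire(target.f(wire(a))); }
        int g(int a, int x) throws Exception { roundTrips++; return wire(target.g(wire(a), wire(x))); }
        int h(int a, int y) throws Exception { roundTrips++; return wire(target.h(wire(a), wire(y))); }
        // Analogue of the slide's run: the thunk arrives as bytes and is evaluated server-side.
        int run(Thunk t) throws Exception { roundTrips++; return wire(((Thunk) ship(t)).run(target)); }
    }
    static int m1Naive(Stub r, int a) throws Exception {
        int x = r.f(a); int y = r.g(a, x); return r.h(a, y);
    }
    static int m1Aggregated(Stub r, int a) throws Exception {
        Thunk t = local -> { int x = local.f(a); int y = local.g(a, x); return local.h(a, y); };
        return r.run(t);
    }
    public static void main(String[] args) throws Exception {
        Stub r = new Stub();
        int z1 = m1Naive(r, 3), naiveTrips = roundTrips;
        roundTrips = 0;
        int z2 = m1Aggregated(r, 3);
        System.out.println("naive:      z=" + z1 + " round trips=" + naiveTrips);
        System.out.println("aggregated: z=" + z2 + " round trips=" + roundTrips);
    }
}
```

In this sketch run evaluates whatever thunk the client ships, so the server is assumed to trust its clients; the intermediate values x and y never cross the boundary in the aggregated version.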

6

DJ – Model

DJ = Java + distribution + new primitives and types

    e ::= freeze(T x) { e }     (creates a closure)
        | defrost(e, e)         (evaluates a closure)
        | …

    T ::= T -> T                (a new arrow type for closures)
        | …

7

Runtime Syntax

We require lots of syntax

Don’t worry! You don’t need to remember this!

8

Networks

[Diagram: four JVMs]

Virtual machines communicate by Remote Method Invocations
Networks consist of zero or more JVMs executing in parallel
Each machine keeps a table of classes, and has a private memory

9

Remote Method Invocation

Nature of parameters affects the nature of remote calls
  If a parameter is not a subtype of java.rmi.Remote, then it is passed by value
For object parameters, this requires object serialisation
  This is the conversion of structured data into an array of bytes suitable for network transfer
We model all of these features in DJ

10

Remote Method Invocation

[Diagram: client and server separated by the Network, with bytes crossing in each direction]

Serialise actual parameters
Bytes are transferred to the server
Deserialise bytes into structured form
Evaluate local method call
Serialise return value
Bytes transferred to the client
Return value deserialised, returned to caller

Deserialisation can trigger class downloading

11

Our model of RMI

[Diagram labels: Time, Network Boundary]

We model serialisation
Method call = message passing

12

Code Mobility Primitives - Freezing

Parameter

Code

Fresh names for the identifiers appearing free in this closure

The name (IP address) of the location that created this closure

Environment (variables/objects) the closure depends upon

Classes

13

Code Mobility Primitives - Defrosting

Formal parameter x is replaced with actual parameter v

Much like calling a method

14

Runtime relationships

RMI Serialisation / Deserialisation

Defrost

Class downloading

Freeze

Instantiation (new C)

In DJ, code mobility is a generalisation of serialisation

15

Network Invariants and Typing

Network invariants ensure type safe code mobility

Model features that are hard to capture by typing rules alone

16

Invariants – Properties

A property Ψ is a subset of the set of all networks
A network invariant is just a special kind of property
  It has some initial conditions, Ψ0
  It is reduction closed

[Diagram labels: All networks, Ψ, Ψ0]

17

Invariants (Class Availability)

We have lots (17)

18

Invariants (Locality)

We have lots (17)

19

Invariants (Channel Linearity)

We have lots (17)

20

Invariants (Closures and Locks)

We have lots (17)

21

Invariants – Examples

new C always succeeds
  All super-classes of C are present in local class table
Fields are never accessed remotely
  Java RMI is implemented as a proxy pattern

22

Properties of the typing system

Theorem (Subject Reduction)

Theorem (Progress, locality and linearity)

Corollary (Network Invariant)

23

Correctness of Optimisations

Lightweight transformation rules

Non-interference property

Semantics preserving optimisation

24

Transformation Rules

Return point for a method call

Uncomputed expression to return

We can inline this, modulo some details

25

Non-Interference [Reynolds 1978]

Definition (Non-interference)

[Diagram: networks N, N1, N2 and N’ connected by reductions marked *]

26

Semantic Preservation

Lemma (Contextual Equivalence)

[Diagram labels: N, N’, Context, Optimised code]

27

Properties of Transformation

Theorem

By previous Lemma and this Theorem

Type preservation

28

By Theorem

Original Code

    int m1(RemoteObject r, int a) {
        int x = r.f(a);
        int y = r.g(a, x);
        int z = r.h(a, y);
        return z;
    }

Optimised Code

    // Client
    int m1(RemoteObject r, int a) {
        (unit -> int) t = freeze() {
            int x = r.f(a);
            int y = r.g(a, x);
            int z = r.h(a, y);
            return z;
        };
        return r.run(t);
    }

29

Conclusion

DJ: first formalisation of Java RMI
Introduction of first class functions to Java
  May appear in C# 3.0
New proof method for type safety of distributed programs using network invariants
New method for showing the correctness of optimisations for distributed programs using semantics-preserving transformations

30

Conclusion – Future Work

http://dj-project.sourceforge.net/
Full version of this work
Prototype implementation of DJ using Polyglot Compiler Framework (Cornell University)
Prove correctness of translation from DJ to Java
Code generation
Cost modelling
Types for access control and security

31

32

Related Work

Class loading
  Liang & Bracha (1998)
  Drossopoulou & Eisenbach (2002)
  Krintz et al (1999)
Distributed Objects
  Obliq
  Emerald
Staged and meta-programming
  MetaML
  Jumbo
  Meta-AspectJ

33

Observational Congruence

Reduction closed

Respects an observational predicate

We choose to observe remote method return:

34

35

Our model of RMI

[Diagram labels: Time, Network Boundary]

Client makes a remote call
Therefore, serialise parameter, call it v’
Now, deserialise parameter for call
Make local call
Serialise the return value, call it r’
Deserialise and return to caller

36

Non-Interference

Definition (Non-interference)

[Diagrams: networks N, N1, N2 and N’ connected by reductions marked *; a second diagram over N, N1 and N2 marked * and ≡]