A Fault Tolerant Java Virtual Machine
Werbung
A Fault Tolerant Java Virtual Machine
Malte Tiedje
Seminar
Zuverlässigkeit von Software in sicherheitskritischen Systemen
28. Juni 2005
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
1 / 25
Introduction
Fault-tolerance
Fault-tolerance
What is Fault-tolerance ?
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
2 / 25
Introduction
Fault-tolerance
Fault-tolerance
What is Fault-tolerance ?
Definition
... is the property of a system that continues operating properly in the
event of failure of some of its parts.
www.wikipedia.org
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
2 / 25
Introduction
Why Java?
Why Java?
Java is ...
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
3 / 25
Introduction
Why Java?
Why Java?
Java is ...
portable
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
3 / 25
Introduction
Why Java?
Why Java?
Java is ...
portable
secure: strong-typing, ...
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
3 / 25
Introduction
Why Java?
Why Java?
Java is ...
portable
secure: strong-typing, ...
distributed: RMI
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
3 / 25
Introduction
Why Java?
Why Java?
Java is ...
portable
secure: strong-typing, ...
distributed: RMI
and of course: OO, simple, wide-used
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
3 / 25
Introduction
Why Java?
Why Java?
Java is ...
portable
secure: strong-typing, ...
distributed: RMI
and of course: OO, simple, wide-used
but Java is not fault-tolerant
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
3 / 25
The approach
4 Steps
4 Steps
1. Define a deterministic state machine a unit of replication
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
4 / 25
The approach
4 Steps
4 Steps
1. Define a deterministic state machine a unit of replication
2. Implement independently failing replicas of the state machine
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
4 / 25
The approach
4 Steps
4 Steps
1. Define a deterministic state machine a unit of replication
2. Implement independently failing replicas of the state machine
3. Ensure all replicas start from identical states and perform the same
sequence of state transitions
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
4 / 25
The approach
4 Steps
4 Steps
1. Define a deterministic state machine a unit of replication
2. Implement independently failing replicas of the state machine
3. Ensure all replicas start from identical states and perform the same
sequence of state transitions
4. Ensure each output-producing transition yields in a single output to
the environment
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
4 / 25
The approach
State-Machines
State Machines
State Machines are ..
a set of state variables and a sequence of commands
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
5 / 25
The approach
State-Machines
State Machines
State Machines are ..
a set of state variables and a sequence of commands
A command ...
reads a subset of state variables (read set values = rsvs)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
5 / 25
The approach
State-Machines
State Machines
State Machines are ..
a set of state variables and a sequence of commands
A command ...
reads a subset of state variables (read set values = rsvs)
modifies a subset of states variables (write set values = wsvs)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
5 / 25
The approach
State-Machines
State Machines
State Machines are ..
a set of state variables and a sequence of commands
A command ...
reads a subset of state variables (read set values = rsvs)
modifies a subset of states variables (write set values = wsvs)
A command is deterministic ...
when a comand produces a deterministic wsvs and outputs an given
rsvs
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
5 / 25
The approach
State-Machines
State Machines
State Machines are ..
a set of state variables and a sequence of commands
A command ...
reads a subset of state variables (read set values = rsvs)
modifies a subset of states variables (write set values = wsvs)
A command is deterministic ...
when a comand produces a deterministic wsvs and outputs an given
rsvs
A deterministic state machine ...
reads fixed sequence of deterministic commands
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
5 / 25
The approach
State-Machines
Fault-tolerance by duplication
Replication
Definition
Providing multiple identical instances of the same system, directing tasks
to all of them in parallel, and choosing the correct result on the basis of a
quorum
www.wikipedia.org
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
6 / 25
The approach
State-Machines
Fault-tolerance by duplication
Replication
Definition
Providing multiple identical instances of the same system, directing tasks
to all of them in parallel, and choosing the correct result on the basis of a
quorum
www.wikipedia.org
Each replica undergoes the sames sequence of state transitions and
produces the sames output!
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
6 / 25
The approach
JVM as State Machine
JVM as State Machine I
Implement replica coordination in the JVM:
3 Challenges
1. not all commands executed by the JVM are deterministic
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
7 / 25
The approach
JVM as State Machine
JVM as State Machine I
Implement replica coordination in the JVM:
3 Challenges
1. not all commands executed by the JVM are deterministic
2. replicas of a JVM do not in general execute identical sequence of
commands
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
7 / 25
The approach
JVM as State Machine
JVM as State Machine I
Implement replica coordination in the JVM:
3 Challenges
1. not all commands executed by the JVM are deterministic
2. replicas of a JVM do not in general execute identical sequence of
commands
3. the read-set for a given command is not guaranteed to contain
identical values at all replicas
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
7 / 25
The approach
JVM as State Machine
JVM as State Machine II
Problem: JVM is multi-threaded and a state-machines typical are not
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
8 / 25
The approach
JVM as State Machine
JVM as State Machine II
Problem: JVM is multi-threaded and a state-machines typical are not
Solution: every thread is a state-machine and the JVM is a set of
cooperating state-machines
In particular: BEE (Bytecode Execution Engines) as set of functions
that define together a replica
Napper 2003
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
8 / 25
Details
Non-deterministic commands
Non-deterministic commands
Exclusively invoked by Java Native Interface (JNI)
e.g read the hardware clock
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
9 / 25
Details
Non-deterministic commands
Non-deterministic commands
Exclusively invoked by Java Native Interface (JNI)
e.g read the hardware clock
Problem: the replicas have different input values, because the input is
performed outside the scope of the JVM
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
9 / 25
Details
Non-deterministic commands
Non-deterministic commands
Exclusively invoked by Java Native Interface (JNI)
e.g read the hardware clock
Problem: the replicas have different input values, because the input is
performed outside the scope of the JVM
Solution: the protocol forces the backup to adopt the writes-set
values produces by the primary
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
9 / 25
Details
Non-deterministic commands
Non-deterministic commands
Exclusively invoked by Java Native Interface (JNI)
e.g read the hardware clock
Problem: the replicas have different input values, because the input is
performed outside the scope of the JVM
Solution: the protocol forces the backup to adopt the writes-set
values produces by the primary
But: this is not enough: we have to restrict the behavior of the native
methods
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
9 / 25
Details
Non-deterministic commands
Restriction 1 and 2
Restriction 1
Native methods must not produce non-deterministic output to the
environment
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
10 / 25
Details
Non-deterministic commands
Restriction 1 and 2
Restriction 1
Native methods must not produce non-deterministic output to the
environment
Example
native void DoNotDo() {
lc = read time of day ();
print ( lc );
}
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
10 / 25
Details
Non-deterministic commands
Restriction 1 and 2
Restriction 1
Native methods must not produce non-deterministic output to the
environment
Example
native void DoNotDo() {
lc = read time of day ();
print ( lc );
}
native long Input () {
return read time of day ();
}
native void Output(long lc) {
print ( lc );
}
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
10 / 25
Details
Non-deterministic commands
Restriction 1 and 2
Restriction 2
Native methods must invoke other methods deterministically
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
11 / 25
Details
Non-deterministic commands
Restriction 1 and 2
Restriction 2
Native methods must invoke other methods deterministically
Example
native void DoNotDo() {
lc = read time of day ();
if ( lc > 17:24:32)
acquire lock ();}
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
11 / 25
Details
Non-deterministic commands
Restriction 1 and 2
Restriction 2
Native methods must invoke other methods deterministically
Example
native void DoNotDo() {
lc = read time of day ();
if ( lc > 17:24:32)
acquire lock ();}
native long Input () {
return read time of day ();
}
void do(long lc ) {
lc = Input ();
if ( lc > 17:24:32)
acquire lock ();}
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
11 / 25
Details
Non-deterministic commands
Implementation
Checked all native methods in JRE libraries
less then 100 are non-deterministic
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
12 / 25
Details
Non-deterministic commands
Implementation
Checked all native methods in JRE libraries
less then 100 are non-deterministic
Stored signature of each method in hash table
(class, method, arguments)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
12 / 25
Details
Non-deterministic commands
Implementation
Checked all native methods in JRE libraries
less then 100 are non-deterministic
Stored signature of each method in hash table
(class, method, arguments)
When primary invokes native method, check hash table
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
12 / 25
Details
Non-deterministic commands
Implementation
Checked all native methods in JRE libraries
less then 100 are non-deterministic
Stored signature of each method in hash table
(class, method, arguments)
When primary invokes native method, check hash table
On match, send backup return values and modified arguments
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
12 / 25
Details
Non-deterministic commands
Implementation
Checked all native methods in JRE libraries
less then 100 are non-deterministic
Stored signature of each method in hash table
(class, method, arguments)
When primary invokes native method, check hash table
On match, send backup return values and modified arguments
On recovery, backup may use logged values
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
12 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets I
Because of Multi-Threading in the JVM the values of shared variables
are non-deterministic
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
13 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets I
Because of Multi-Threading in the JVM the values of shared variables
are non-deterministic
Solution I:
All access to shared data is wrapped by correct use of monitors (using
synchronized)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
13 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets I
Because of Multi-Threading in the JVM the values of shared variables
are non-deterministic
Solution I:
All access to shared data is wrapped by correct use of monitors (using
synchronized)
therefore we need replicating the Lock Synchronization
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
13 / 25
Details
Non-deterministic rsvs
Implementation I
Napper 2003
Definition
< tid , tasn , lid , lasn >
tid thread id of the locking thread
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
14 / 25
Details
Non-deterministic rsvs
Implementation I
Napper 2003
Definition
< tid , tasn , lid , lasn >
tid thread id of the locking thread
asn
thread acquire sequence number recording the number of
locks acquired so far by thread tid
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
14 / 25
Details
Non-deterministic rsvs
Implementation I
Napper 2003
Definition
< tid , tasn , lid , lasn >
tid thread id of the locking thread
asn
thread acquire sequence number recording the number of
locks acquired so far by thread tid
lid lock id
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
14 / 25
Details
Non-deterministic rsvs
Implementation I
Napper 2003
Definition
< tid , tasn , lid , lasn >
tid thread id of the locking thread
asn
thread acquire sequence number recording the number of
locks acquired so far by thread tid
lid lock id
lasn lock acquire sequence number recording the number of times
lid has been acquired so far
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
14 / 25
Details
Non-deterministic rsvs
Implementation II
Hard to create unambiguous ids
Cannot use object address as li d
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
15 / 25
Details
Non-deterministic rsvs
Implementation II
Hard to create unambiguous ids
Cannot use object address as li d
Cannot use order of events at primary
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
15 / 25
Details
Non-deterministic rsvs
Implementation II
Hard to create unambiguous ids
Cannot use object address as li d
Cannot use order of events at primary
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
15 / 25
Details
Non-deterministic rsvs
Implementation II
Hard to create unambiguous ids
Cannot use object address as li d
Cannot use order of events at primary
Napper 2003
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
15 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets II
Solution I: many programs do not meet this condition (not even Sun’s
JRE)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
16 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets II
Solution I: many programs do not meet this condition (not even Sun’s
JRE)
Example
class Example {
static Formatter shared data = null ;
String toString (){
if ( shared data == null){
shared data = new Formater();
synchronized method();
...
}}}
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
16 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets II
Solution II:
A thread has exclusives access to all shared variables while scheduled
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
17 / 25
Details
Non-deterministic rsvs
Non-deterministic Read Sets II
Solution II:
A thread has exclusives access to all shared variables while scheduled
therefore we need to replicate the thread scheduling
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
17 / 25
Details
Non-deterministic rsvs
Implementation
Definition
< brcnt , pcoff , moncnt , lasn , tid >
brcnt counts the control flow changes executed (e.g. branches,
jumps, and methods invocations)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
18 / 25
Details
Non-deterministic rsvs
Implementation
Definition
< brcnt , pcoff , moncnt , lasn , tid >
brcnt counts the control flow changes executed (e.g. branches,
jumps, and methods invocations)
pcoff records the bytecode offset of the PC within the method
currently executed by t
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
18 / 25
Details
Non-deterministic rsvs
Implementation
Definition
< brcnt , pcoff , moncnt , lasn , tid >
brcnt counts the control flow changes executed (e.g. branches,
jumps, and methods invocations)
pcoff records the bytecode offset of the PC within the method
currently executed by t
moncnt counts the monitor acquisitions and releases performed by t
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
18 / 25
Details
Non-deterministic rsvs
Implementation
Definition
< brcnt , pcoff , moncnt , lasn , tid >
brcnt counts the control flow changes executed (e.g. branches,
jumps, and methods invocations)
pcoff records the bytecode offset of the PC within the method
currently executed by t
moncnt counts the monitor acquisitions and releases performed by t
lasn records the lock acquisition sequence number when t is
rescheduled while waiting on a lock
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
18 / 25
Details
Non-deterministic rsvs
Implementation
Definition
< brcnt , pcoff , moncnt , lasn , tid >
brcnt counts the control flow changes executed (e.g. branches,
jumps, and methods invocations)
pcoff records the bytecode offset of the PC within the method
currently executed by t
moncnt counts the monitor acquisitions and releases performed by t
lasn records the lock acquisition sequence number when t is
rescheduled while waiting on a lock
tid the thread id of the next scheduled thread
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
18 / 25
Details
Output to the environment
Output to the environment
Objective: Simulate a single, fault-tolerant state-machine
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
19 / 25
Details
Output to the environment
Output to the environment
Objective: Simulate a single, fault-tolerant state-machine
In general impossible
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
19 / 25
Details
Output to the environment
Output to the environment
Objective: Simulate a single, fault-tolerant state-machine
In general impossible
Restriction 3
All native method output to the environment is either idempotent or
testable
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
19 / 25
Details
Output to the environment
Output to the environment
Objective: Simulate a single, fault-tolerant state-machine
In general impossible
Restriction 3
All native method output to the environment is either idempotent or
testable
therefor we need a Side Effect Handler
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
19 / 25
Details
Output to the environment
Side Effect Handler
register: method’s signature, what should be logged, etc
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
20 / 25
Details
Output to the environment
Side Effect Handler
register: method’s signature, what should be logged, etc
test: called on testable, uncertain commands
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
20 / 25
Details
Output to the environment
Side Effect Handler
register: method’s signature, what should be logged, etc
test: called on testable, uncertain commands
log & receive: how primary and backup exchange state
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
20 / 25
Details
Output to the environment
Side Effect Handler
register: method’s signature, what should be logged, etc
test: called on testable, uncertain commands
log & receive: how primary and backup exchange state
restore: called at the backup during recovery
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
20 / 25
Details
Output to the environment
Side Effect Handler
register: method’s signature, what should be logged, etc
test: called on testable, uncertain commands
log & receive: how primary and backup exchange state
restore: called at the backup during recovery
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
20 / 25
Evaluation
Evaluation
Overhead: depends on application and Rep. Lock-Sync / Rep. Thread
Sched.
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
21 / 25
Evaluation
Evaluation
Overhead: depends on application and Rep. Lock-Sync / Rep. Thread
Sched.
Experiments: SPEC JVM98 benchmark (i.a: compress, db, raytracer
rendering)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
21 / 25
Evaluation
Evaluation
Overhead: depends on application and Rep. Lock-Sync / Rep. Thread
Sched.
Experiments: SPEC JVM98 benchmark (i.a: compress, db, raytracer
rendering)
Qualitative: differ from 5% up to 375%, average 60% for rts, 140%
for rla
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
21 / 25
Evaluation
Eval.: Replicated Lock Acquisition
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
Napper 2003
28. Juni 2005
22 / 25
Evaluation
Eval.: Replicated Thread Scheduling
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
Napper 2003
28. Juni 2005
23 / 25
Evaluation
Conclusion
A fault-tolerant JVM (at a reasonable cost)
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
24 / 25
Evaluation
Conclusion
A fault-tolerant JVM (at a reasonable cost)
Write Once, Run Anywhere
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
24 / 25
Evaluation
Conclusion
A fault-tolerant JVM (at a reasonable cost)
Write Once, Run Anywhere
A framework for replicating multi-threaded SMs
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
24 / 25
Evaluation
References
A Fault-Tolerant Java Virtual Machine: Jeff Napper, Lorenzo
Alvisi, Harrick Vin
http://www.cs.utexas.edu/users/jmn/papers/napper03fault.ppt
www.wikipedia.org
Malte Tiedje ( Seminar Zuverlässigkeit von Software
A FaultinTolerant
sicherheitskritischen
Java Virtual Systemen)
Machine
28. Juni 2005
25 / 25
