Kitsune: Efficient, General-purpose Dynamic Software Updating for C University of Maryland, Department of Computer Science Technical Report CS-TR-5008 Christopher M. Hayden Edward K. Smith Michail Denchev Michael Hicks Jeffrey S. Foster {hayden,tedks,mdenchev,mwh,jfoster}@cs.umd.edu Abstract Dynamic software updating (DSU) systems allow programs to be updated while running, thereby allowing developers to add features and fix bugs without downtime. This paper in- troduces Kitsune, a new DSU system for C whose design has three notable features. First, Kitsune’s updating mecha- nism updates the whole program, not individual functions. This mechanism is more flexible than most prior approaches and places no restrictions on data representations or allowed compiler optimizations. Second, Kitsune makes the impor- tant aspects of updating explicit in the program text, making its semantics easy to understand while keeping programmer work to a minimum. Finally, the programmer can write sim- ple specifications to direct Kitsune to generate code that tra- verses and transforms old-version state for use by the new code; such state transformation is often necessary, and is significantly more difficult in prior DSU systems. We have used Kitsune to update five popular, open-source, single- and multi-threaded programs, and find that few program changes are required to use Kitsune, and that it incurs essentially no performance overhead. 1. Introduction Running software systems without incurring downtime is very important in today’s 24/7 world. Dynamic software up- dating (DSU) services can update programs with new code (to fix bugs or add features) without shutting them down. The research community has shown that general-purpose DSU is feasible: systems that support dynamic upgrades to running C, C++, and Java programs have been applied to dozens of realistic applications, tracking changes according to those applications’ release histories [1, 3, 7, 9–11, 13, 14, 16]. Concurrently, industry has begun to package DSU support into commercial products [2, 17]. The strength of DSU is its ability to preserve program state during an update. For example, servers for databases, media, FTP, SSH, and routing can maintain client connec- tions for unbounded time periods. DSU can allow those active connections to immediately benefit from important program updates (e.g., security fixes) whereas traditional updating strategies like rolling upgrades cannot. Servers may also maintain significant in-memory state, e.g., caching servers like Memcached and key-value servers like Redis. DSU techniques can maintain this in-memory state across the update, whereas traditional upgrade techniques will lose it (Memcached) or must rely on an expensive disk reload that degrades performance (Redis). We are interested in supporting general-purpose DSU for single- and multi-threaded C applications. While progress made by existing DSU systems is promising, a truly prac- tical system must be in harmony with the main reasons de- velopers use C: control over low-level data representations; explicit resource management; legacy code; and, perhaps above all, performance. In this paper we present Kitsune, a new DSU system for C that is the first to satisfy these mo- tivations while supporting general-purpose dynamic updates in a programmer-friendly manner. (We compare against re- lated systems in Section 5.) Kitsune operates in harmony with C thanks to three key design and implementation choices. First, Kitsune uses en- tirely standard compilation. After a translation pass to add some boilerplate calls to the Kitsune runtime, a Kitsune pro- gram is compiled and linked to form a shared object file (via a simple Makefile change). When a Kitsune program is launched, the runtime starts a driver routine that loads the first version’s shared object file and transfers control to it. When a dynamic update becomes available (only at specific program points, as discussed shortly), the program longjmps back to the driver routine, which loads the new application version and calls the new version’s main function. Thus, ap- plication code is updated all at once, and as a consequence, Kitsune places no restrictions on coding idioms or data rep- resentations; it allows the application’s internal structure to be changed arbitrarily from one version to another; and it does not inhibit any compiler optimizations. Second, Kitsune gives the programmer explicit control over the updating process, which is reflected as three kinds of additions to the original program: (1) a handful of calls to kitsune update(... ), placed at the start of one or more of the program’s long-running loops, to specify update points at which dynamic updates may take effect; (2) code to initiate data migration, which is the transformation of old global