Microsoft to End DLL Confusion

MankyD writes "ZDNet is reporting that Microsoft is attempting to do away with DLL version conflicts in its next version of Windows with a technology it calls 'Strong Binding'. When new programs attempt to overwrite old versions of DLL's, the Strong Binding will index the DLL's and allow the programs to reference them by a unique ID, rather than by file name. Hopefully it will prevent a new program from breaking an old one. I would think this might add to DLL clutter however."

Auto-DLL Managment?

[MSTCrow5429]

Sounds like a great idea. While there will be more DLLs in the registry, at least each and every program will have it's "own" DLL and can't be broken. Although I wonder if the software will default to the newest DLL and then go back if it doesn't function correctly.

Re:Auto-DLL Managment?

[bourne]

Sounds like a great idea.... each and every program will have it's "own" DLL

Call me old-fashioned, but I thought the point of dynamic libraries was to reduce program size and duplication of effort by allowing multiple programs to load common functions out of libraries.

So, it's a great idea, insofar as it completely negates the advantage of having DLLs in the first place. Why don't they just compile statically instead?

Re:Auto-DLL Managment?

[n3k5]

... at least each and every program will have it's "own" DLL ...

Ah, yes, what a wonderful idea; let each and every program have its own DLLs, at the mere cost of rendering the whole DLL system totally useless.

You see, if you just wanted to split your executable code over several files for one reason or another, you could include DLLs with your program (in its own directory) ever since. Those wouldn't ever be changed by Windows, but this has nothing to do with the registry. The whole idea behind registered DLLs that reside in a centralised place is that you have shared libraries, that you don't have to store code used by several programs in multiple places, but only once, where you can do easy updates.

However, now that there are so many versions of Windows out there, Microsoft is experiencing compatibility issues with DLLs and they're doing something about it. I'm not familiar with the details of their solution and don't want to say it's a bad one at all. But your ideas are a little too extreme; saving one copy of a DLL per program is just absurd.

Re:Auto-DLL Managment?

[molarmass192]

I really don't think WINE was high on their list of priorities here. I think their idea had several desired outcomes:

1 - force all non-longhorn users to upgrade
2 - force all software vendors to code to the new .NET API, and
3 - integrate SQL*Server into the OS

Also, imagine what a nice kick in the teeth to Java (which I'm sure is a bigger radar blip than WINE) this will be. I think this will backfire on them, lack of full backwards compatibility is *one* of the reasons why XP never took off. This one lacks any backwards compatibility so you can just extrapolate the barriers to adoption.

Re:Auto-DLL Managment?

[bratmobile]

It's a LOT more complicated than that. Microsoft is trying to solve a very real problem that has plagued developers on EVERY platform that supports DLLs, including Linux. Using symlinks is just one approach. And while it does solve some of the problems, it is not a complete solution.

Here's one of the main situations that Microsoft is trying to address: Microsoft ships FOO.DLL with Windows, or as part of some SDK (like DirectX). Company 1 develops an app, ships it, and on the app CD, it has a copy of FOO.DLL. Company 2 does the same thing.

Now. A bug is discovered in FOO.DLL, and it must be fixed. Unfortunately, fixing it one way causes app 1 to crash, and fixing it the other way causes app 2 to crash. And both apps link to the same version.

So what do you do? In the past, you just crossed your fingers and looked the other way, and tried to write code that behaved as best as possible in whatever circumstances you could think of. But inevitably bug fixes cause other bugs (regressions).

So, Microsoft is trying to solve this, by changing DLL binding, in two important ways:

1) DLL binding will use much more than just a name. Microsoft has developed a very powerful & flexible way to do DLL binding. This is what the .Net framework uses, but it is NOT limited to .Net DLLs -- traditional "unmanaged" code can use this, too. I won't go into details here, because it's very well-documented elsewhere, but suffice to say that developers will have a LOT more control over how apps and DLLs bind to DLLs. This is purely a Good Thing, and it IS fully backward-compatible -- it's an opt-in.

2) You'll have total control over redirecting DLLs, on a per-app basis. Some docs here. This means that you can override DLL binding -- if app 1 MUST have version 4.3.5.1.34 of FOO.DLL, and app 2 MUST have version 4.3.5.1.35b, then you can write a simple XML file for each one, that controls exactly which version they get.

Anyone who reads some kind of evil into this is just plain stupid, and has never done any serious development. Any programmer worth their salt knows that DLL binding is ridiculously crude -- and that goes for every modern platform. Microsoft suffers from this more than most, and has therefore decided to do something about it, and has designed a pretty good system. If you have half a brain, you should check it out, and try to keep that knee-jerk reaction under control. (I'm not directing that comment at Grishnakh, but at all of the slobbering idiots who just flame Microsoft whenever they see the name in a headline.)

DLL vs static libs

[selderrr]

I never really understood the advantages of a DLL over a static lib in modern times.

In the old days, when diskspace & memory were precious goods, they made sense to share code. But today, what's the burden of 4MB extra app size compared to the DLL misery ?

Except for plugins, I see no reason why developers would need DLLs. Can anyone shed some light here ?

Re:DLL vs static libs

[fruey]

Memory is still precious when you've got your OS eating up 128M of it (WinXP) and you have slightly older hardware.

When 1Gb of memory becomes standard, then maybe. In any case, it is downright inefficient to have the same code in 3 or 4 places in memory, even if you have got loads to spare.

Re:DLL vs static libs

It is not only for preserving disk space.

It also preserves ram by sharing common code between different applications.

It also makes upgrades and bugfixes easier (think openssl, for example).

Re:DLL vs static libs

[IWannaBeAnAC]

Well, on a typical system there might be a hundred or so processes. Add 4MB to all of them and its suddenly not insignificant anymore.

Plus, if two running processes are sharing a shared library, then a task swap doesn't completely blow away the cache.

Finally, I think with Windoze I think there is a mode in which DLL's can have global data, shared among all programs using it. Not sure though, its years since I did any windoze programming.

Re:DLL vs static libs

[infront314]

Bugs.

If there is a bug or a security problem in a DLL you only have to replace that DLL instead of all statically linked programs.

Remember the problems with zlib a year ago? Would you like to replace 500 applications or one library?

Re:DLL vs static libs

There are plenty of reasons to want dynamic linking. Library code is code you didn't write. Therefore, you have no control over its quality or security. If there was a buffer overflow exploit in a system library, and all programs statically linked that library, you would need to update your ENTIRE SYSTEM to remove the vulnerability. If the code is saved in a shared library (DLL), you just need to update the single shared library.

It's a classic case of the elimination of duplication in computer code. By duplicating (statically linking) the library code into every app, you only increase the burden when you want to update the library.

Furthermore, on Debian GNU/Linux I never have "DLL misery" because my operating system is not brain-dead. Multiple versions of shared libraries can coexist, there is a consistent versioning scheme, and a competent team of people who check to make sure that apps use the correct versions of the shared libraries.

Re:DLL vs static libs

[override11]

Try using a different shell. It seems to me that explorer takes up a ton of ram, especially when doing anything besides looking at the background. Aston shell does great, and when paired up with the newest Phoenix build, everything seems to just zip and open up fast, and memory usage is a lot lower. :)

Welcome to VMS

[beldraen]

I always find it interesting that Microsoft gets to announce and shake up the world with "a new feature" that they caused and of which at least one other major OS had long since solved. Versioning the library API? "Who would've thunk it?!?"

In other news, Microsoft invents a journaling file system to prevent data loss.. oh, wait..

Part of .NET, not Windows

[magiccap22]

This is a capability of the .NET framework. It has nothing to do with the next version of Windows.

It isn't really DLLs either, but rather .NET assemblies. .NET assemblies are the equivalent of DLLs for the .NET system, but this won't solve the problem of "DLL hell" unless all applications are re-written in .NET.

This is a great feature of .NET, but this article is just the Microsoft PR/marketing machine, and is nothing new technically.

Re:Security Issues vs. Api Versions

[sward]

Apparently, if you have 10 applications that each make use of the same DLL, not only will you now have 10 copies of that DLL, but in order to upgrade that DLL (e.g. for a security fix), you'll have to wait for each application's vendor to release its own upgrade package. You would then have a variety of security holes in your set of applications, despite their supposed common use of the same DLL.

And the way most companies work, this upgrade package may also include changes to the application itself instead of being more focused as most here on Slashdot would prefer. The DLL fix may be the "main course", but you'll get a side of new bugs in the app, and possibly an upgrade fee as a cover charge.

Re:In other news

[chthon]

I instruct people in Linux, and my biggest complaint with RPM is that the user must solve his dependencies himself.

E.g. we had made an installation, but left out the development tools. When you try to install gcc, it says which packages are missing, but not where you can find them. You have to dig them up yourself from the CD-ROM's, and sometimes you have to look on all of them.

I do not have any problems with the RPM system itself, but why has Red Hat still no system implemented like Debian apt ? After the installation it asks for the CD-ROM's, scans them and builds a database about what packages reside where.

So, in the case of gcc, it would say what packages are missing, select them automatically, load the needed packages onto the disk and asking for the appropriate CD-ROM whenever necessary.

This is much more friendly than the stock Red Hat approach. Oh, I know there are tools to do that with Red Hat, but you still have to install them yourself. It should come out of the box.

Contradiction of replies

[somethingwicked]

It's funny reading through the different replies to this story-

Reply 1- "This is a horrible idea! Look at all the RAM/disk space this is going to use. M$ programmers are idiots!"

Reply 2- "VMS/Apple/*enter slanted fav OS here* already does this! This was a good idea when it was done 10 years ago by ____ .

Reply 3- An idea like this is so stupid, it will NEVER work right.

So, its a stupid idea that will never work EXCEPT it has already been done BUT will take up too many resources UNLESS it is done by our fav OS AND then thats okay

*grin*

Static is the way to go

[suitti]

The physician takes an oath "to do no harm". I'm considering putting together a Linux distribution with everything compiled statically.

First, what are the advantages of DLLs?

• Less Memory Footprint
• Less Disk Footprint
• Global Security Fixes
• Use of third party binaries
• Plug ins

Less Memory Footprint

In Unix, when you have two instances of an application running, say, vi, the executable code between the two is automatically shared. The shared library gains you nothing. To gain memory footprint, you need to use the same shared library from two applications at the same time. For example, libc might be used by vi and cc.

However, if you compile statically, you bind in only the routines that are needed. For shared libraries, you need to have all routines available, since you don't know which of them are used. Now, your virtual memory system may notice that a shared libary page isn't used, and page it out. Yes, this requires additional run time execution time. The upshot is that you save memory only when you have enough different programs use the same shared library to overcome the overhead. I claim that this happens with libc, libX11, and not a whole lot else.

Less Disk Footprint

If you have 50 programs that use the same shared library, you can save some disk space becasue that libary code does not need to be duplicated that many times. However, shared libraries need to have the symbol information requried to perform the dynamic binding. The savings isn't that much.

In the old days, when an entire Unix distribution fit on a 150 MB tape, the libc shared library savings amounted to about 30%. You could get more reduction in size by using compression.

In fact, programs could be compressed on disk. The loader could decompress the image as it reads it into RAM. For slow disks, this may be faster than loading the uncompressed version into RAM. The down side here is that you then may not be able to use the original file on disk for virtual memory paging.

In any case, it's getting hard to get a disk drive under 20 GB. 30% overhead reduction for the most common shared library doesn't amount to much.

Global Security Fixes

So, your libzlib.so.5 has a bug. You whip up a quick fix, create a new libzlib.so.5, and drop it into your system. You've just fixed all of your libzlib dependent programs, right? In fact, you fixed programs you didn't even know used libzlib. You may also have broken programs that you didn't know use libzlib. And, short of testing every program on your system, you don't know. The more complex the patch, the more likely you are to have broken many things.

Quick. What is a utility which will tell you all the shared libraries that an application uses?

Use of third party binaries

Third party binaries can just as easily be distributed in source form or in a library that is statically bindable. Static binding is preferable, since you are unlikely to use a large fraction of a kitchen sink shared library - where the authors have no idea how the programmers will use it. Source is preferable, since the documentation rarely specifies enough semantic detail to allow proper use.

Plug ins

OK. Your application is Apache, and you want some real flexibility. If Apache is compiled so that modules can be loaded at run time, then the administrator can add the new module and turn on it's use in the configuration. This doesn't save any RAM or disk, but it may allow the admin to change a line of config, restart the web server, and start using some new feature.

For Apache, the admin can also recompile with the new module compiled statically. I've done it both ways. My measurements show a small run time advantage to static compilation.

Granted, if you can't recompile IIS, then DLLs will give you the same flexibility in exchange for a small performance penalty.

The Dark Side of Shared Libraries

If you compile your application statically, then upgrade your OS, you can copy the old application to the new OS, and it just runs.

If your app has shared libraries, you have to track them down on your old OS, and copy them to your new OS. If you make a mistake, and copy your old libc.so over your new one, you run the risk of trashing every program on your new system. Brilliant.

Take netscape as an example. It comes installed in it's own /usr/local/lib directory tree. In /usr/local/bin, netscape is a script which sets up the shared library search path to include the libraries that netscape needs, then runs the binary. This introduces script overhead and shell dependencies on a complicated package. And, when you upgrade your OS, you still need to find the old libc.so and copy it forward.

RPMs

Many seem to think that RPMs solve all these problems. However, many packages have bugs in their dependencies, etc. Many RPMs use different versions of the same shared libraries. I find that I have to override the dependencies to get stuff to install. Often, the requried package IS installed. Not just once in awhile. Much of the time. The difference between theory and practice is that, in theory, they are the same.

Conclusions

Shared libaries seldom save RAM or disk space. The problem with using them to fix bugs globally is that you don't know what you fixed, or even if you broke some things. Third party binaries should invariably be statically linked. In an open source environment, plug ins are not strictly needed. Shared libaries make OS upgrades more painful.

So, what I'd like is a Linux distribution with no shared libaries. The compiler, gcc, would be configured to compile statically by default. Then, after some years of running the system in production, and after adding hundreds of applications to it, I'd be able to upgrade to a new distribution without having to recompile or do the shared library search.

Hmmm, this sounds like fun...

I code in assembly and a few other languages. I can understand that it can be a very good thing to reuse one piece of code in several different places. I understand also that it can save space to reuse. No news here...

As for the idea of "Strong Binding", I wonder what Billy G. expects to acomplish by adding yet more poorly designed, poorly documented LIBs to the programming mess that Windows has evolved into. On top of that, I wonder why I would need to save EVERY SINGLE VERSION of a DLL that makes it to release...

Version tracking will become a nightmare.

Consider:
+User installs program COOL_PROGRAM.EXE
-COOL_PROGRAM uses MS_COOLNESS.DLL
+User gets an update to MS_COOLNESS.DLL:
MS_COOLNESS_V2.DLL
-The fix in V2 repairs a buffer overflow
in a function that COOL_PROGRAM used from
COOLNESS.DLL.
Question : Does the installer for V2 know that COOL_PROGRAM is dependent on it? If this is the case, Billy G. is gonna have his hands full trying to keep track of what goes where with third party devs.

If not, perhaps COOL_PROGRAM will go by default to the newest version of COOLNESS.DLL. Ok, now Billy will likely contend with tracking and modifying functions that have previously been used in highly specialized ways for security/system critical functionality that Windows does not provide either by accident or by intention. So NOW third party devs developing well organized and functional code/programs are forced to keep up with the madness of Windows development to save space. Hmmm... Guess it got the better of the buffer overflow this time. Or maybe they introduced a new bug into the system {par for course with MS}...

Better yet, how about people developing security/system critical environments use their own code to avoid this whole mess? Ok, now you dont need DLLs do you? How about 3-5 times as many? Wait for the next Windows release? So the effort YOU made during XP to keep up with DLLs and other updates is pointless right? Or XP+1? The style of MS defines itself....

Security/system critical programs?...
Thats only one side?...
Ok. Try this:

Graphics, network comunication, encryption, file editing, database editing? Or maybe drivers, file converters, scripts, inter-app comunication, diagnostics?

The list goes on. The problems generated by and complications arising from this framework are not worth the hassle.

Instead of building a system where things get more complicated I would recomend a redesign of the system itself. Current and past states of instability/insecurity are more than I care to witness again. Billy has enough money to sit around daydreaming for the rest of his days while still paying his programers for doing nothing but daydreaming themselves for the rest of theirs... Perhaps they could get up off their butts and design a system from the ground up that is easy to use, safe, fast, and reliable for users old and new... Logical?

I love C programming. C++ and Java are lots of fun. But IF you want something done right the first time, assembly and careful thought is the only answer...

S-()-u-|-s-!-|)-E