clr: designing managed addins for reliability, security, and versioning jim miller, architect, clr...

CLR: Designing Managed AddIns For CLR: Designing Managed AddIns For Reliability, Security, And VersioningReliability, Security, And Versioning

Jim Miller, Architect, CLRJim Miller, Architect, CLRThomas Quinn, Architect, VSTAThomas Quinn, Architect, VSTAFUN309FUN309Microsoft CorporationMicrosoft Corporation

AgendaAgenda

AddIn ModelsAddIn Models

Object-Oriented AddIn ModelsObject-Oriented AddIn Models

Demo (hand-built)Demo (hand-built)

Visual Studio Tools for Applications Visual Studio Tools for Applications (VSTA)(VSTA)

Demo (VSTA)Demo (VSTA)

Prescriptive GuidancePrescriptive Guidance

TerminologyTerminology

““Components”Components”Hosts and their components Hosts and their components are tested are tested togethertogether

Testing is against known versions, and later “mix and Testing is against known versions, and later “mix and match” is not permittedmatch” is not permitted

Components may (or may not) be dynamically Components may (or may not) be dynamically discovered and loadeddiscovered and loaded

““AddIns”AddIns”New versions of a host New versions of a host need notneed not test against test against all existing addins (example: Microsoft Word)all existing addins (example: Microsoft Word)New versions of an addin New versions of an addin need notneed not test test against all existing hosts (example: Windows against all existing hosts (example: Windows Media Player)Media Player)AddIns are always dynamically discovered and AddIns are always dynamically discovered and loadedloaded

1.1. DeployingDeploying the addin the addin2.2. DiscoveringDiscovering the addin and its implementation the addin and its implementation

codecode3.3. QualifyingQualifying the addin to ensure it meets the the addin to ensure it meets the

constraintsconstraints4.4. ActivatingActivating an instance of the addin object an instance of the addin object

a)a) Creating the instance in the appropriate Creating the instance in the appropriate environmentenvironment

b)b) Building the communication pathBuilding the communication pathc)c) Calling methods, throwing exceptions, calling Calling methods, throwing exceptions, calling

callbacks, raising events, etc.callbacks, raising events, etc.

AddIns: The ProblemsAddIns: The Problems

Host ObjectHost Object AddIn ObjectAddIn Object

A complete addin model, like COM, A complete addin model, like COM, supplies a solution to all four of these supplies a solution to all four of these problemsproblems

Problems:Problems:• Can’t unload the addinCan’t unload the addin• Same CLR and Framework for Same CLR and Framework for

host and addinhost and addin• Same security domain for host Same security domain for host

and addinand addin• If host is updated, addin must If host is updated, addin must

be recompiled to avoid type be recompiled to avoid type mismatches (and vice-versa)mismatches (and vice-versa)

Host App Domain

AddIns: Tightly CoupledAddIns: Tightly Coupled






AddIn App DomainHost App Domain

AddIns: Isolation AddIns: Isolation BoundaryBoundary


New ProblemsNew Problems::

• Requires serialization or marshal-Requires serialization or marshal-by-ref objectsby-ref objects

• Performance penaltyPerformance penalty





AddIn App DomainHost App Domain

AddIns: Version-ResilientAddIns: Version-Resilient


ProxyProxy AdaptorAdaptor




• Design of a stable contractDesign of a stable contract

• Implementation of Proxy and Implementation of Proxy and AdaptorAdaptor

Stable Contract





AddIn ProcessHost Process

AddIns: Cross-ProcessAddIns: Cross-Process


ProxyProxy AdaptorAdaptor




• Design of a stable contractDesign of a stable contract

• Implementation of Proxy and Implementation of Proxy and AdaptorAdaptor

• Threading and re-entrancyThreading and re-entrancy

• Hosting of addin process and Hosting of addin process and lifetime issueslifetime issues

even even higherhigher

, , but can’t use but can’t use process-process-local resourceslocal resources

Stable Contract

Microsoft Microsoft RecommendationRecommendation

Tightly Coupled ModelTightly Coupled ModelFor components (“tested together”)For components (“tested together”)

Some dynamic language scenarios (eg. SmallTalk Some dynamic language scenarios (eg. SmallTalk environment)environment)

Isolated Model is for components onlyIsolated Model is for components only

Version-Resilient Model in-processVersion-Resilient Model in-processBest model for most addinsBest model for most addins

Cross-Process ModelCross-Process ModelWhen addin might require a later version of the CLR or When addin might require a later version of the CLR or FrameworkFramework

When OS isolation is required (addin calls unsafe code)When OS isolation is required (addin calls unsafe code)

To avoid process resource exhaustion (32-bit address To avoid process resource exhaustion (32-bit address space)space)

Cross-Machine (not supported by addin model)Cross-Machine (not supported by addin model)Use Service-Oriented architecture, not Object-Oriented Use Service-Oriented architecture, not Object-Oriented modelmodel

Status (Office 12 Status (Office 12 Timeframe)Timeframe)

COM provides a complete solutionCOM provides a complete solutionYou know its advantages and its limitationsYou know its advantages and its limitationsOne limitation is the lack of an object-oriented modelOne limitation is the lack of an object-oriented modelAnother limitation is that in-process COM activation isn’t Another limitation is that in-process COM activation isn’t isolatedisolated

VSTA provides a more secure solutionVSTA provides a more secure solutionProvides an object-oriented model, for both managed Provides an object-oriented model, for both managed and unmanaged codeand unmanaged codeProvides isolation via an App Domain or a processProvides isolation via an App Domain or a process

System.AddIn and System.AddIn.Contract will become System.AddIn and System.AddIn.Contract will become part of the platform, shipping first in VSTApart of the platform, shipping first in VSTA Deployment, discovery, and qualification fundamentals Deployment, discovery, and qualification fundamentals are included in V1are included in V1

Future directionFuture directionWe intend to integrate VSTA (for addins) and WCF (for We intend to integrate VSTA (for addins) and WCF (for services)services) Deployment, discovery, and qualification will be more Deployment, discovery, and qualification will be more fully addressed after Windows Vista/Office-12fully addressed after Windows Vista/Office-12

AgendaAgenda







Version-Resilient Version-Resilient ArchitectureArchitectureThe Communication PipelineThe Communication Pipeline

HostHost defines an object model it will use to call methods in defines an object model it will use to call methods in the addinthe addin

The host addin view (The host addin view (HAVHAV), an interface or abstract class), an interface or abstract class

AddInAddIn implements an object model implements an object modelThe The addin baseaddin base, typically an abstract base class, typically an abstract base class

A A stable contractstable contract connects the two object models connects the two object modelsThe stable contract is an interface which never versionsThe stable contract is an interface which never versions

The host calls a The host calls a host-to-contract adaptorhost-to-contract adaptor ( (HCAHCA) that maps ) that maps the host’s object model to the stable contractthe host’s object model to the stable contract

The contract is implemented by a The contract is implemented by a contract-to-addin adaptorcontract-to-addin adaptor ((CAACAA) that maps the stable contract to the addin’s object model) that maps the stable contract to the addin’s object model

If the addin needs to call methods on the host, a reverse If the addin needs to call methods on the host, a reverse pipeline pipeline is requiredis required

Sample: Host Creates Sample: Host Creates AddInAddIn

MenuAddIn MenuAddIn MyAddInMyAddIn = = MenuAddIn MenuAddIn.Load(manifest);.Load(manifest);

MyAddIn.Show();MyAddIn.Show();

Host AddIn View (HAV) from HostSDK

Calls infrastructure to

create AD, construct pipeline,

load addin, and activate it

Specifies assembly

and type nameHAV: Host AddIn ViewHAV: Host AddIn View

HCA: Host-to-Contract AdaptorHCA: Host-to-Contract Adaptor

CAA: Contract-to-AddIn AdaptorCAA: Contract-to-AddIn Adaptor

HCAHCAHAVHAV

HostHostAddIn AddIn CommunicationCommunication

HostHost

Host-Side ObjectsHost-Side Objects

CAACAAcontractcontract

AddInAddInAddInAddInBaseBase

Abstract base class/interfaceAbstract base class/interface

Reference passed to constructorReference passed to constructor

AddIn-Side ObjectsAddIn-Side Objects

AddIn Model (supplied by host or addin)AddIn Model (supplied by host or addin)

Infrastructure createdInfrastructure created

HAV: Host AddIn ViewHAV: Host AddIn View



contractcontractCAACAA

Bidirectional Bidirectional CommunicationCommunication

HostHost

Host-Side ObjectsHost-Side Objects AddIn-Side ObjectsAddIn-Side Objects

HCAHCAHAVHAV CAACAAcontractcontract


Abstract base class/interfaceAbstract base class/interface

Reference passed to constructorReference passed to constructor


HAVHAVHCAHCA




Versioning In Action: V1Versioning In Action: V1

AddInAddIn

V1.0V1.0

CAACAA

V1.0V1.0


AddInAddInBaseBase

V1.0V1.0

contractcontract



HosHost t V1.V1.00

HCHCAV1AV1.0.0

HAHAVV1VV1.0.0




HCHCAV2AV2.0.0

Versioning In Action: V1Versioning In Action: V1

AddInAddIn

V1.0V1.0


AddInAddInBaseBase

V1.0V1.0

CAACAA

V1.0V1.0contractcontract



HCHCAV1AV1.0.0

HosHost t V1.V1.00

HAHAVV1VV1.0.0

HosHost t V2.V2.00

HAHAVV2VV2.0.0

V2V2




AgendaAgenda







Demo Code as AddIn Demo Code as AddIn ModelModel

Host-to-AddIn PipelineHost-to-AddIn Pipeline

HostHost

Host-Side Host-Side ObjectsObjects

AddIn-Side AddIn-Side ObjectsObjects







HAV: HAV: MenuAddInMenuAddIn

HCA: HCA: MenuContractAdapatorMenuContractAdapator

Contract: Contract: IMenuItemContractIMenuItemContract

CAA: MenuBaseCAA: MenuBase

V2 Demo ExplanationV2 Demo Explanation

Host AD AddIn AD

WinFormsControl

MenuAddIn addin (a Dance.v1)

HostShape addin (a RemotelyControlledShape)

Host Code

Passed to constructor for DancePassed to constructor for Dance

Created and called on demandCreated and called on demand

AddIn callsAddIn calls

GetBackColor, GetLabel, etc.

GetMenuItems, GetName, etc.

Demo Code As AddIn Demo Code As AddIn ModelModel

Host-to-AddIn PipelineHost-to-AddIn Pipeline

AddIn-to-Host PipelineAddIn-to-Host Pipeline

CAA: CAA: RemotelyControlledShapeRemotelyControlledShape

Contract: Contract: IShapeContractIShapeContract

HCA: HCA: ShapeContractAdaptorShapeContractAdaptor

HAV: HostShapeHAV: HostShape

contractcontractCAACAA

HostHost

Host-Side Host-Side ObjectsObjects

AddIn-Side AddIn-Side ObjectsObjects



HAVHAVHCAHCA


HAV: HAV: MenuAddInMenuAddIn

HCA: HCA: MenuContractAdapatorMenuContractAdapator

Contract: Contract: IMenuItemContractIMenuItemContract

CAA: MenuBaseCAA: MenuBase

AgendaAgenda







Visual Studio Tools For Visual Studio Tools For ApplicationsApplications: SDK: SDK

ProxyGenProxyGenTool to generate proxy classes from metadata Tool to generate proxy classes from metadata or COM TypeLibor COM TypeLib

Generates source code and XML “tweak” fileGenerates source code and XML “tweak” file

Uses built-in late-binding contracts – no new contracts Uses built-in late-binding contracts – no new contracts necessarynecessary

However, allows iteration on code, and custom However, allows iteration on code, and custom contractscontracts

SamplesSamples

Projects and WizardsProjects and Wizards

Full DocumentationFull Documentation

AgendaAgenda







Design It Right From V1Design It Right From V1

Think in terms of a host, an SDK, and an addinThink in terms of a host, an SDK, and an addinA very useful design discipline even for componentsA very useful design discipline even for components

Design the contract(s) you need carefullyDesign the contract(s) you need carefullyThis isn’t a place to skimp!This isn’t a place to skimp!These interfaces “live forever, unchanged”These interfaces “live forever, unchanged”All types used are either contracts or base types All types used are either contracts or base types (integers, string, etc.)(integers, string, etc.)Strongly consider deriving from IContractStrongly consider deriving from IContract

Keep it clean: separate the five partsKeep it clean: separate the five partsSeparating the HCA and CAA may seem like wasted Separating the HCA and CAA may seem like wasted effort in V1, but without them you can’t move on to V2!effort in V1, but without them you can’t move on to V2!Host should Host should never never reference a contract, HCA, or CAA reference a contract, HCA, or CAA directly (just the HAV)directly (just the HAV)AddIn should AddIn should never never reference a contract, HAV, or HCA reference a contract, HAV, or HCA directly (just implement the CAA)directly (just implement the CAA)

DiscoveryDiscoveryFinding AddIns for this HostFinding AddIns for this Host

What Makes a What Makes a CompleteComplete AddIn Model AddIn ModelHost specifies the addin view (HAV)Host specifies the addin view (HAV)System locates all candidate addinsSystem locates all candidate addins

System searches all possible pipelinesSystem searches all possible pipelinesEach addin has a name, description and constraintsEach addin has a name, description and constraints

What’s Needed to Implement ItWhat’s Needed to Implement ItRegistration of the contracts and adaptorsRegistration of the contracts and adaptors

What To Do What To Do TodayTodayDiscovery based on directory location: host specifies a Discovery based on directory location: host specifies a directory where addins must be storeddirectory where addins must be storedUse a manifest to allow the actual code file to be stored in Use a manifest to allow the actual code file to be stored in the GAC (for shared components) or the application-specific the GAC (for shared components) or the application-specific directory directory as neededas needed

QualificationQualificationNegotiating ConstraintsNegotiating Constraints

What Makes a What Makes a CompleteComplete AddIn Model AddIn ModelAttributes on the addin and the HAV specify restrictions on Attributes on the addin and the HAV specify restrictions on use (isolation boundary, security, etc.)use (isolation boundary, security, etc.)

System chooses settings acceptable to both host and addinSystem chooses settings acceptable to both host and addin

What’s Needed to Implement ItWhat’s Needed to Implement ItStandard attributes and constraintsStandard attributes and constraints

Registration of addins and their adaptorsRegistration of addins and their adaptors

What To Do What To Do TodayTodayAddIn manifest specifies constraintsAddIn manifest specifies constraints

Host manually inspects manifest, validates it, and rejects it if Host manually inspects manifest, validates it, and rejects it if unacceptableunacceptable

ActivationActivationCreating an Instance of the AddInCreating an Instance of the AddIn

What Makes a What Makes a CompleteComplete AddIn Model AddIn ModelSystem activates addin in an environment System activates addin in an environment that satisfies the constraints of both the host that satisfies the constraints of both the host and the addinand the addin

What’s Needed to Implement ItWhat’s Needed to Implement ItProcess hosting infrastructureProcess hosting infrastructure

Lifetime managementLifetime management

What To Do What To Do TodayTodayUse VSTA loader and toolsUse VSTA loader and tools

clr: designing managed addins for reliability, security, and versioning jim miller, architect, clr...

Documents

addinif host

addinsame clr

addin objectcreating

addinsame security domain

type mismatches

clr thomas quinn

processbest model

modelfor components