towards a theory of undo
play

Towards a theory of Undo Aaron Brown UC Berkeley June 2002 ROC - PowerPoint PPT Presentation

Jan 27, 2024 •203 likes •447 views

Towards a theory of Undo Aaron Brown UC Berkeley June 2002 ROC Retreat Outline Recap of Undo: motivation and the 3 Rs First implementation attempt & lessons learned Towards a theory for undo foundation: logging of

  1. Towards a theory of Undo Aaron Brown UC Berkeley June 2002 ROC Retreat

  2. Outline • Recap of Undo: motivation and the 3 R’s • First implementation attempt & lessons learned • Towards a theory for undo – foundation: logging of application-level “verbs” – modeling verbs and undo history – properties of undo-wrappable systems • Status and conclusions Slide 2

  3. Motivation for undo • Human error is a major impediment to dependability – largest single contributing factor to outages • Undo is a recovery mechanism well-matched to coping with human (and non-human) error – tolerates inevitable errors – harnesses hindsight and provides retroactive repair » ~70% of human errors are immediately self-detected – supports trial & error exploration of complex systems » allow operators to learn from mistakes Slide 3

  4. The 3R undo model • Undo == time travel for system operators • Three R’s for recovery – Rewind: roll system state backwards in time – Repair: change system to prevent failure » e.g., edit history, fix latent error, retry unsuccessful operation, install preventative patch – Replay: roll system state forward, replaying end-user interactions lost during rewind • All three R’s are critical – rewind enables undo – repair lets user/administrator fix problems – replay preserves updates, propagates fixes forward Slide 4

  5. Challenges in 3R undo model • External consistency – repair may alter state that’s previously been seen by an external entity • Drawing the boundary of undo recovery – want to recover content while allowing system state to change • Providing multiple-granularity undo Slide 5

  6. First implementation attempt • Undo wrapper for open source e-mail store 3R Layer State Email Server Tracker Includes: - user state SMTP - mailboxes SMTP 3R P A - application M I Proxy - operating system IMAP Non-overwriting control Undo Storage Log • Written in Java using BerkeleyDB for logging – partially completed: IMAP only, no integration w/FS Slide 6

  7. Lessons learned during 1 st try • Undo wrapper is complex and error-prone – deciding what to log is a challenge – have to anticipate all possible external inconsistencies – mechanics of log management & state tracking are ugly • Ad-hoc approach doesn’t work – bottom-up design => policy expressed procedurally » hard to reason about, change, debug – no framework for making policy decisions • E-mail protocols are not conducive to undo- wrapping – no GUIDs, incomplete command set, ... Slide 7

  8. A theory for undo • Goals: – framework to reason about external inconsistencies generated by an undo cycle – framework to reason about correctness of undo implementation – template for undo-wrappable applications/services – guide to a more general implementation • Approach: – model undo system structure and applications – map example apps (e-mail) onto model – build implementation following model Slide 8

  9. Foundation: undo system structure • An undoable system consists of: – an application with a well-defined, non-procedural user interface (a service ) – a stable storage layer supporting time travel » snapshots, backups, non-overwriting/log-structured FS – an undo wrapper that logs and replays user/operator interactions with the application App. Service Includes: Undo App protocol - user state Wrapper - application - operating system Log Time-travel control storage layer Slide 9

  10. Undo logging • Logging must capture user intent, not actual state changes – software may be buggy => state changes may be wrong – repair, history deletions may invalidate physical logs – easier to reason about consistency with intentional logs • Undo system logs at a high semantic level – user/operator application-level actions ( verbs ) – higher-level than DBMS logical logging • Fringe benefit: easy georeplication – log shipping of high-level undo logs to remote site(s) – undo system provides all mechanisms, including resync » and vice versa: georeplicated systems easy to undo? Slide 10

  11. Modeling undo logging • Application-client interface is specified as a set of verbs – verbs define actions on logically-named state entities – e-mail examples: » deliver, fetch, set flags, delete, refile, create folder, ... • Operations are instances of verbs – reflect actual user/operator interaction • The undo log is a history of operations – during repair, the history may be modified – and other changes may be made to the system that aren’t reflected in the history Slide 11

  12. Modeling operations • Each logged operation is modeled by: – a verb specifying the action – a set of state entities needed to carry out the action – a set of preconditions over the state entities » if satisfied, operation will produce same results as previous execution used to classify operation as safe or unsafe – an indication of which state is modified – an indication of which state is externalized – a time specifying when results are externalized » allows for delayed responses and “undo windows” used to determine if unsafe state is externalized Slide 12

  13. Operations & external inconsistency • An operation is safe upon replay iff: – the operation existed, unmodified, in the pre-repair history – all associated state entities exist – all preconditions are met – informally, the operation can execute and produces the same results as the original execution • Unsafe operations represent potential external inconsistencies – but only if the modified (unsafe) state is externalized later in the history » determined by following dependencies in history Slide 13

  14. Classifying histories • A history is replay-safe if: – it contains only safe operations, OR – no unsafe operation modifies state that is externalized by a later operation in the history – these histories cause no visible inconsistencies – all pre-repair histories are replay-safe • A history is replay-acceptable if: – it contains unsafe or deleted operations – the history can be made replay-safe by inserting appropriate compensating actions – these histories have acceptable visible inconsistency • Undo requires replay-acceptable histories! Slide 14

  15. Making histories replay-acceptable • Step 1: identify unsafe operations – check preconditions and existence of needed state – done dynamically during replay • Step 2: insert compensating actions – compensations are inherently application-specific – explanatory compensations explain unsafe operations to user » ex: “this message was deleted because it had a virus” – repairing compensations alter state to reestablish preconditions » ex: create “lost&found” to stand in for nonexistent or read-only e-mail folder Slide 15

  16. Example e-mail scenario • Before undo: – virus-laden message arrives – user copies it into a folder without looking at it • Operator invokes undo to install virus filter • During replay: – message is redelivered and discarded by virus filter – copy operation is unsafe » violated precondition: existence of source messsage – copy operation externalizes existence of message » history is replay-unsafe – compensating action: insert placeholder for message » now copy can be executed; history is replay-acceptable Slide 16

  17. Guaranteeing replay-acceptability • A dependable undo system must be able to make any history replay-acceptable – operation templates (verbs) must be specified correctly » all needed preconditions and no extraneous ones – compensations must exist for all precondition violations » explicit compensations or dummy compensations that allow the inconsistency to pass through – precondition and compensation logic must be correct » model identifies cases for exhaustive testing Slide 17

  18. Recap: model benefits • Simplifies reasoning about undo inconsistency – expressed in terms of preconditions & compensations • Provides greater confidence in undo – by construction, if preconditions are correct and compensations exist, all scenarios will produce acceptable external consistency – declarative specifications of verbs, preconditions, and compensations are easier to write and check – model provides guidance for exhaustive testing • Provides framework for general implementation – can separate app-specific policy from undo mechanisms • Implicitly defines properties of applications that can be wrapped for undo Slide 18

  19. Implications for applications • Model induces a set of properties for undo- wrappable applications – a high-level, verb-structured interface/API for user, operator, and external actions – a state model where all state is nameable via the API and tagged with GUIDs – a “complete” API where each an inverse for each verb exists or can be constructed – external consistency semantics that permit compensation for non-commuting or non-replayable verbs Slide 19

  20. Implications for applications • Model induces a set of properties for undo- wrappable applications + a high-level, verb-structured interface/API for user, operator, and external actions – a state model where all state is nameable via the API and tagged with GUIDs – a “complete” API where each an inverse for each verb exists or can be constructed + external consistency semantics that permit compensation for non-commuting or non-replayable verbs • Example: IMAP/SMTP-based e-mail Slide 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Undo-Redo Principles, concepts Undo patterns Java implementation Undo 1 Undo* Benefits

Undo-Redo Principles, concepts Undo patterns Java implementation Undo 1 Undo* Benefits

Undo-Redo Principles, concepts Undo patterns Java implementation Undo 1 Undo* Benefits Undo lets you recover from errors - input errors (human) and interpretation errors (computer) - you can work quickly (without fear) Undo enables

541 views • 27 slides
Problem: commands with state and undo support How do applications with undo options

Problem: commands with state and undo support How do applications with undo options

Problem: commands with state and undo support How do applications with undo options (e.g., formatting in word processors) support the undo? How can a command, e.g., load files, find line numbers, be encapsulated into a class/object?

83 views • 4 slides
Reflogs Sign in on the attendance sheet! How to Undo Things Accidental Merge How to Undo

Reflogs Sign in on the attendance sheet! How to Undo Things Accidental Merge How to Undo

Lecture 10 Dumpster Diving in Git: Reflogs Sign in on the attendance sheet! How to Undo Things Accidental Merge How to Undo Things Fix messed up master How to Undo Things Made a commit on the wrong branch (master instead of

133 views • 12 slides
CS 2550 / Spring 2006 Principles of Database Systems Undo/No-Redo No-Undo/Redo

CS 2550 / Spring 2006 Principles of Database Systems Undo/No-Redo No-Undo/Redo

Recovery Techniques and Assumptions Undo/Redo Algorithm CS 2550 / Spring 2006 Principles of Database Systems Undo/No-Redo No-Undo/Redo (also called logging with deferred updates ) 14 Recovery Algorithms

350 views • 7 slides
Undo: Update and Futures Aaron Brown ROC Research Group University of California, Berkeley

Undo: Update and Futures Aaron Brown ROC Research Group University of California, Berkeley

Undo: Update and Futures Aaron Brown ROC Research Group University of California, Berkeley Summer 2003 ROC Retreat 5 June 2003 Outline Recap of Undo for Operators Measurements of e-mail undo prototype Upcoming: human evaluation

295 views • 28 slides
Undo Logging Rules Undo 1: If transaction T modifies the database element X that held value old

Undo Logging Rules Undo 1: If transaction T modifies the database element X that held value old

Undo Logging Rules Undo 1: If transaction T modifies the database element X that held value old Write T, X, old to the log Only when the log record appears on disk can we write the new value for X to disk. Undo 2: If transaction T

804 views • 29 slides
Suppo rting undo c ume nte d stude nts a nd the ir fa milie s Ale jandr a P r e z Co lle g

Suppo rting undo c ume nte d stude nts a nd the ir fa milie s Ale jandr a P r e z Co lle g

Suppo rting undo c ume nte d stude nts a nd the ir fa milie s Ale jandr a P r e z Co lle g e & Ca re e r Suc c e ss Co o rdina to r Co mmunity Ce nte r fo r E duc a tio n Re sults Stor y of Se lf: Undo c u Vo ic e s & E xpe

671 views • 46 slides
What Can We Do? How do you undo the damage of the WHI? 16th WCM 6/4/18 318 Pre-Congress

What Can We Do? How do you undo the damage of the WHI? 16th WCM 6/4/18 318 Pre-Congress

What Can We Do? How do you undo the damage of the WHI? 16th WCM 6/4/18 318 Pre-Congress Workshop Faculty/Presenter Disclosure Faculty: Dr. Denise Black Relationships with commercial interests: Speakers Bureau/Honoraria: Merck,

493 views • 23 slides
UNRM Hacking the filesystem Jessica Yu WHOOPS... GMAIL: UNDO SEND unrm operates on the same

UNRM Hacking the filesystem Jessica Yu WHOOPS... GMAIL: UNDO SEND unrm operates on the same

UNRM Hacking the filesystem Jessica Yu WHOOPS... GMAIL: UNDO SEND unrm operates on the same idea as Gmail's undo send. UNRM: USAGE Goal : after an rm , want to be able to recover all removed files under a certain directory within a set period

888 views • 58 slides
The Design Complexity of Program Undo Support in a General

The Design Complexity of Program Undo Support in a General

The Design Complexity of Program Undo Support in a General Purpose Processor Radu Teodorescu and Josep Torrellas University of Illinois at Urbana-Champaign http://iacoma.cs.uiuc.edu

438 views • 16 slides
Commun unity O Outrea each & h & Listen ening ng A Activities es UNDO DOCUMENTED

Commun unity O Outrea each & h & Listen ening ng A Activities es UNDO DOCUMENTED

Commun unity O Outrea each & h & Listen ening ng A Activities es UNDO DOCUMENTED I D INDI DIVIDU DUALS LATINA L NA LONG NG-TERM S SURVI VIVOR ORS O OR S SENIOR ORS 1 The Community Engagement Committee determines

481 views • 25 slides
To change your response, text undo , then text your new response in a separate message

To change your response, text undo , then text your new response in a separate message

To change your response, text undo , then text your new response in a separate message PATERNITY: A Case Study 2 DIRE RECTE TED D DISC SCUSSI SSION What errors did the juvenile court make regarding paternity? How would you go

930 views • 55 slides
Undo/Redo Principles, concepts, and Java implementation Direct Manipulation Principles There

Undo/Redo Principles, concepts, and Java implementation Direct Manipulation Principles There

Undo/Redo Principles, concepts, and Java implementation Direct Manipulation Principles There is a visible and continuous representation of the domain objects and their actions. Consequently, there is little syntax to remember. The

916 views • 28 slides
Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat

Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat

Application Level Undo & Recovery: Applied to the Pencil Application Presented by: Rafat Rashid, Bozhidar Lenchov, Kush Dua Motivation Loss of data detrimental to productivity and motivation Code/configuration/operator errors could

685 views • 14 slides
Solving Linear System of Equations The Undo button for Linear Operations Matrix-vector

Solving Linear System of Equations The Undo button for Linear Operations Matrix-vector

Solving Linear System of Equations The Undo button for Linear Operations Matrix-vector multiplication: given the data and the operator , we can find such that = transformation What if we know

592 views • 34 slides
Solving Linear System of Equations The Undo button for Linear Operations Matrix-vector

Solving Linear System of Equations The Undo button for Linear Operations Matrix-vector

Solving Linear System of Equations The Undo button for Linear Operations Matrix-vector multiplication: given the data and the operator , we can find such that = transformation What if we know

465 views • 31 slides
Analysis of wide area user mobility patterns Kevin Simler*, Steven E. Czerwinski , Anthony

Analysis of wide area user mobility patterns Kevin Simler*, Steven E. Czerwinski , Anthony

Analysis of wide area user mobility patterns Kevin Simler*, Steven E. Czerwinski , Anthony Joseph UC Berkeley * Now at MIT 2004/12/02 Now at Google Motivation We want to understand user behavior In order to design better

664 views • 49 slides
Graphical Models Graphical Models Relationship between the directed & undirected models

Graphical Models Graphical Models Relationship between the directed & undirected models

Graphical Models Graphical Models Relationship between the directed & undirected models Siamak Ravanbakhsh Winter 2018 Two directions Two directions Markov network Bayes-net Markov network Bayes-net

311 views • 19 slides
PixelVault:+Using+GPUs+for+Securing+ Cryptographic+Opera;ons+ ! Giorgos+Vasiliadis + +

PixelVault:+Using+GPUs+for+Securing+ Cryptographic+Opera;ons+ ! Giorgos+Vasiliadis + +

PixelVault:+Using+GPUs+for+Securing+ Cryptographic+Opera;ons+ ! Giorgos+Vasiliadis + + +gvasil@ics.forth.gr+ Elias!Athanasopoulos ! !elathan@ics.forth.gr! Michalis!Polychronakis ! !mikepo@cs.columbia.edu! So=ris!Ioannidis! ! !

931 views • 38 slides
Chapter 2 Application Layer

Chapter 2 Application Layer

Chapter 2 Application Layer

1.46k views • 114 slides
FPGAs for Image Processing A DSL and program transformations Rob Stewart Greg Michaelson Idress

FPGAs for Image Processing A DSL and program transformations Rob Stewart Greg Michaelson Idress

FPGAs for Image Processing A DSL and program transformations Rob Stewart Greg Michaelson Idress Ibrahim Deepayan Bhowmik Andy Wallace Paulo Garcia Heriot-Watt University 10 May 2016 What I will say 1. EPSRC Rathlin project interested in

542 views • 30 slides
Marginal Inference in MRFs using Frank-Wolfe David Belanger, Daniel Sheldon, Andrew McCallum

Marginal Inference in MRFs using Frank-Wolfe David Belanger, Daniel Sheldon, Andrew McCallum

Marginal Inference in MRFs using Frank-Wolfe David Belanger, Daniel Sheldon, Andrew McCallum School of Computer Science University of Massachusetts, Amherst { belanger,sheldon,mccallum } @cs.umass.edu December 10, 2013 Table of Contents Markov

1.05k views • 49 slides
Quantifying the Performance Impacts of Using Local Memory for Many-Core Processors Jianbin Fang 1

Quantifying the Performance Impacts of Using Local Memory for Many-Core Processors Jianbin Fang 1

Quantifying the Performance Impacts of Using Local Memory for Many-Core Processors Jianbin Fang 1 , Ana Lucia Varbanescu 2 , Henk Sips 1 1 Delft University of Technology 2 University of Amsterdam The Netherlands MuCoCoS'13: Quantifying the

273 views • 25 slides
Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the

Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Automated Key Management for End-To-End Encrypted Email Communication Intermediate talk for the Guided Research by Thomas Maier advised by

463 views • 10 slides

More recommend