Spheres of Undo: A Framework for Extending Undo (Aaron Brown, January 2004 ROC Retreat)
Spheres of Undo: A Framework for Extending Undo
Aaron Brown
January 2004 ROC Retreat
Slide 2
Motivation: Why Spheres of Undo?
• Provide conceptual model to help explain ROC Undo concepts
  – time travel
  – paradoxes
  – boundaries
• Develop framework for extending Undo to more complex systems
  – nested undo: undo for desktops, shared servers
  – distributed undo: undo for distributed systems
Slide 3
What is a Sphere of Undo (SoU)?
• SoU: a “bubble” of state & time
  – isolated from external world
  – defines boundaries of undo operation
• Example: productivity application
[Figure: Sphere of Undo diagram. Labels: Sphere of Undo, productivity application, in-memory document, end user, save, disk, external observer]
Slide 4
ROC Undo as Spheres of Undo
• Challenge: end-users now outside boundary
• ROC Undo == system-wide undo for services
  – entire service is now enclosed in sphere of undo
[Figure: Sphere of Undo diagram. Labels: Sphere of Undo, service application, state, operator, end users, two timelines]
Slide 5
The Problem of Paradoxes
• Operator’s undo can cause externally-visible temporal inconsistencies: paradoxes
  – sphere of undo establishes paradox boundary
[Figure: Sphere of Undo diagram. Labels: Sphere of Undo, service application, state, undo, operator, end user, timeline marks 1 to 6, t=3, “Paradox!”]
Slide 6
Addressing Paradoxes: Nested SoUs
• Add replay of end-user updates via an additional sphere of undo
  – restores end-user state when operator commits undo
• But end users can still see inconsistencies!
[Figure: nested spheres diagram. Labels: service application, user state, system state, operator, end users]
• Outer sphere provides undo only (all state)
• Inner sphere provides undo & redo (user state)
Slide 7
Coping with Remaining Paradoxes
• In general, impossible to make transparent
• Solution: identify paradoxes and compensate
  – via framework for detecting, explaining inconsistency
  – works for services with human users
• Sphere of Undo defines points needing paradox management
  – wherever information flows out across SoU boundary
  – whenever state outside SoU is altered
Slide 8
Outline
• Motivation
• Spheres of Undo
• Modeling Today’s ROC Undo
• Extending Undo: Hierarchical Services
• Extending Undo: Distributed Services
• Wrapup
Slide 9
Undo for Hierarchical Services
• ROC Undo only works for monolithic services
  – all service state in one sphere of undo
  – entire service time-travels as a unit
• Can we extend it to hierarchical services?
  – multiple-granularity undo in e-mail
    » per-user undo as well as whole-system undo
  – ASP with shared machines
    » undo of each share plus whole-machine undo
  – desktop system
    » undo of app config, system config, or entire system
Slide 10
Nested Spheres of Undo
• SoUs nest according to state hierarchy:
[Figure: two nesting examples. E-mail: user1 mail ... userN mail, E-mail user’s SoU, E-mail Service SoU, E-mail users. ASP: App. service 1 ... App. service N, OS state, ASP Service SoU, Service 1 users ... Service N users]
Slide 11
Nested SoUs: Composition Model
[Figure: pre-undo and post-undo timelines for a self-contained service (single sphere of undo, S1) and for nested spheres of undo (S1, S2) in the cases “S1 undoes” and “S2 undoes”. Key: timeline, current time, c = compensation]
Slide 12
Nesting Undo Models
• Each nest can use a different undo model
  – we saw this before with paradox management:
[Figure: nested spheres diagram. Labels: service application, user state, system state, operator, end users]
• Outer sphere provides undo only (all state)
• Inner sphere provides undo & redo (user state)
Slide 13
Example of Nesting Undo Models: Desktop Environment
[Figure: desktop environment diagram. Labels: desktop application, documents, application’s config. tool, app cfg state, platform’s cfg. tool, platform cfg. state, software installer, OS bins; low-level state, P (three times), user. Change flows: document edits, app. config. changes, platform config. changes, software installs, untracked changes, OS upgrades]
Slide 14
Implementing Nested SoUs
• Foundation: nested rewindable storage layer
  – independent rollback of substate
• Multiple proxy points for verb generation
  – record user actions at multiple levels
• New APIs for inner spheres of undo
  – invoke, commit, cancel nested undo
• Minor changes to verb log structure
  – maintain tentative verb log during replay; install on commit
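One way the pieces on this slide could fit together for a per-user inner sphere, as an added example that is not code from the talk or from the ROC Undo implementation. The class `InnerSoU`, its method names, the toy verbs and the mail store are assumptions, and rewind is modeled as replay from a saved base copy rather than a real rewindable storage layer.

```python
def deliver(box, msg):
    box[msg] = "inbox"

def archive(box, msg):
    if msg not in box:
        raise KeyError(msg)  # verb no longer applies once delivery is undone
    box[msg] = "archived"

VERBS = {"deliver": deliver, "archive": archive}  # constructed toy verbs

class InnerSoU:  # hypothetical inner sphere of undo over one key of a store
    def __init__(self, store, key):
        self.store, self.key = store, key
        self.base = dict(store[key])         # rewind point (flat dict snapshot)
        self.log, self.tentative = [], None  # committed log; open undo, if any

    def do(self, verb, arg):  # proxy point: execute the user's verb, record it
        VERBS[verb](self.store[self.key], arg)
        self.log.append((verb, arg))

    def invoke(self, skip):  # rewind a private copy, replay verbs not in skip
        state, tlog, conflicts = dict(self.base), [], []
        for pos, (verb, arg) in enumerate(self.log, start=1):
            try:
                if pos not in skip:
                    VERBS[verb](state, arg)
                    tlog.append((verb, arg))
            except KeyError:
                conflicts.append((pos, verb, arg))  # flag for compensation
        self.tentative = (state, tlog)  # tentative verb log, not yet installed
        return state, conflicts

    def commit(self):  # install the tentative state and verb log
        self.store[self.key], self.log = self.tentative
        self.tentative = None

    def cancel(self):  # live state and committed log were never touched
        self.tentative = None

def demo():
    store = {"user1": {}, "userN": {"hello": "inbox"}}  # constructed mail store
    u1 = InnerSoU(store, "user1")
    for verb, arg in [("deliver", "invoice"), ("deliver", "spam"), ("archive", "spam")]:
        u1.do(verb, arg)
    preview, conflicts = u1.invoke(skip={2})  # undo verb 2, delivery of "spam"
    live = dict(store["user1"])               # pre-commit: live state unchanged
    u1.commit()
    return live, preview, conflicts, store, u1.log
```

The replayed `archive` of the undone message cannot be applied, so it is reported instead of silently dropped; `userN`'s state is never touched by `user1`'s undo.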
Slide 15
Outline
• Motivation
• Spheres of Undo
• Modeling Today’s ROC Undo
• Extending Undo: Hierarchical Services
• Extending Undo: Distributed Services
• Wrapup
Slide 16
Undo for Distributed Services
• Goal: allow unilateral undo of one service in a network of cooperating services
• Challenge: paradoxes between spheres
[Figure: E-Shopping Example. Labels: shopping service (state), credit-card service (state), fulfillment service (state), end users. Flows: authorization, orders, charges]
Slide 17
Paradoxes and Distributed Undo
• Two choices for handling paradoxes
  – coordinated spheres: propagate undo from paradox producer to paradox consumer
  – uncoordinated spheres: paradox producer invokes compensation on consumer
[Figure: timelines of S1 and S2 for each choice. Labels: S1, S2, “Undo of S1”, c]
Slide 18
Implementing Distributed Undo
• SoUs provide undo for each subservice & define paradox management points
• Coordination of SoUs is likely complex
  – separation of input and output verbs
  – correlation of requests across spheres of undo
  – epoch-based log architecture with paradox detection across epochs
  – challenges with non-request-response comm. patterns
• We have tentative algorithms & APIs
  – but definitely a fertile area for future study
Slide 19
Outline
• Motivation
• Spheres of Undo
• Modeling Today’s ROC Undo
• Extending Undo: Hierarchical Services
• Extending Undo: Distributed Services
• Wrapup
Slide 20
Wrapup
• Spheres of Undo provide a foundation for understanding and extending undo
  – define boundaries of state and time
  – identify paradox management points
  – suggest hierarchical and distributed extensions
    » first step in undo for desktops and distributed services
• Fertile area for future study and implementation work!
Spheres of Undo: A Framework for Extending Undo
• For more info:
  – [email protected]
  – dissertation: A. Brown. “A Recovery-Oriented Approach to Dependable Services: Repairing Past Errors with System-Wide Undo.” UCB Technical Report UCB//CSD-04-XXXX
  – tech report on distributed undo: A. Brown. “Toward System-Wide Undo for Distributed Services.” UCB Technical Report UCB//CSD-03-1298.
Backup Slides
Slide 23
Output Paradoxes & Distributed Undo
• Output verbs needed to detect scenarios like:
[Figure: two executions across A, B and C. Original Execution: rA, rB, outC. After coordinated Undo of A & B: rA, r'B, with outC and out'C marked “PARADOX!”]
Slide 24
J2EE PetStore as Spheres of Undo
[Figure: PetStore services diagram. Labels: Storefront Service, Management Service, Order-processing Service, Supplier 1 ... Supplier N, end users, manager. Flows: e-mail confirmations; orders (async); queries, order approval/rejection (sync); orders (async); inventory updates (sync)]