Spheres of Undo: A Framework for Extending Undo

Aaron BrownJanuary 2004 ROC Retreat

Slide 2

Motivation: Why Spheres of Undo?• Provide conceptual model to help

explain ROC Undo concepts– time travel– paradoxes– boundaries

• Develop framework for extending Undo to more complex systems– nested undo: undo for desktops, shared servers– distributed undo: undo for distributed systems

Slide 3

Sphere ofUndo

What is a Sphere of Undo (SoU)?• SoU: a “bubble” of state & time

– isolated from external world– defines boundaries of undo operation

• Example: productivity application

In-memorydocumen

t

Productivity

Application

end user

disk

save

externalobserver

Slide 4

ROC Undo as Spheres of Undo

• Challenge: end-users now outside boundary

Sphere ofUndo

ServiceApplicati

on

stateoperator end users

timeline timeline

• ROC Undo == system-wide undo for services– entire service is now enclosed in sphere of undo

Slide 5

The Problem of Paradoxes

• Operator’s undo can cause externally-visible temporal inconsistencies: paradoxes– sphere of undo establishes paradox boundary

Sphere ofUndo

ServiceApplicati

on

state

undo

1 2 3 4 5 6

t=3end user

3

t

t

operator

Paradox!

Slide 6

Addressing Paradoxes: Nested SoUs• Add replay of end-user updates via an

additional sphere of undo– restores end-user state when operator commits undo

• But end users can still see inconsistencies!

Application

Service

userstat

e

system

stateoperator

endusers

• Outer sphere provides undo only (all state)

• Inner sphere provides undo & redo (user state)

Slide 7

Coping with Remaining Paradoxes• In general, impossible to make

transparent

• Solution: identify paradoxes and compensate – via framework for detecting, explaining inconsistency– works for services with human users

• Sphere of Undo defines points needing paradox management– wherever information flows out across SoU boundary– whenever state outside SoU is altered

Slide 8

Outline• Motivation• Spheres of Undo• Modeling Today’s ROC Undo• Extending Undo: Hierarchical

Services• Extending Undo: Distributed Services• Wrapup

Slide 9

Undo for Hierarchical Services• ROC Undo only works for monolithic

services– all service state in one sphere of undo– entire service time-travels as a unit

• Can we extend it to hierarchical services?– multiple-granularity undo in e-mail

» per-user undo as well as whole-system undo– ASP with shared machines

» undo of each share plus whole-machine undo– desktop system

» undo of app config, system config, or entire system

Slide 10

Nested Spheres of Undo• SoUs nest according to state hierarchy:

E-mail ASP

user1mail

userNmail

...

... ...

E-mailServiceSoU

E-mailusers

App.service 1

...

App.service N

ASPServiceSoU

OSState

Service 1users

Service Nusers

E-mailuser’sSoU

Slide 11

Nested SoUs: Composition Model

Pre-Undo Post-Undo

Self-contained Service(single sphere of undo)

Nested spheres of undoS1

S1c

S1

S2

S2

S1

S2

S1 undoes S2 undoes

S1

S2

c

S1

S2

S1

Key: timelinecurrent time

compensationc

Slide 12

Nesting Undo Models• Each nest can use a different undo

model– we saw this before with paradox management:

Application

Service

userstat

e

system

stateoperator

endusers

• Outer sphere provides undo only (all state)

• Inner sphere provides undo & redo (user state)

Slide 13

Example of Nesting Undo Models:Desktop Environment

Desktop Applicatio

n

docu-ments

P

OS bins;low-level

state

Application’s

config. tool

P

app cfg

state

Softwareinstaller

Platform’s

cfg. toolplatform cfg. stateP

Userapp. config. changesdocument edits

platform config. changes

software installsuntracked changes

OS upgrades

Slide 14

Implementing Nested SoUs• Foundation: nested rewindable storage

layer– independent rollback of substate

• Multiple proxy points for verb generation– record user actions at multiple levels

• New APIs for inner spheres of undo– invoke, commit, cancel nested undo

• Minor changes to verb log structure– maintain tentative verb log during replay; install on

commit

Slide 15

Outline• Motivation• Spheres of Undo• Modeling Today’s ROC Undo• Extending Undo: Hierarchical

Services• Extending Undo: Distributed Services• Wrapup

Slide 16

Undo for Distributed Services• Goal: allow unilateral undo of one service

in a network of cooperating services

• Challenge: paradoxes between spheres

Credit-card

Service

state

Fulfillment

Service

state

ShoppingService

state

endusers

Authorization

Orders

Charges

E-Shopping Example

Slide 17

Paradoxes and Distributed Undo• Two choices for handling paradoxes

– coordinated spheres: propagate undo from paradox producer to paradox consumer

S1

S1

S2

S2

S1

S1

S2

S2

c c

S1

S1

S2

S2

S1

S1

S2

S2

– uncoordinated spheres: paradox producer invokes compensation on consumer

Undo ofS1

Undo ofS1

c

c c

Slide 18

Implementing Distributed Undo• SoUs provide undo for each subservice

& define paradox management points• Coordination of SoUs is likely complex

– separation of input and output verbs– correlation of requests across spheres of undo– epoch-based log architecture with paradox

detection across epochs– challenges with non-request-response comm.

patterns• We have tentative algorithms & APIs

– but definitely a fertile area for future study

Slide 19

Outline• Motivation• Spheres of Undo• Modeling Today’s ROC Undo• Extending Undo: Hierarchical

Services• Extending Undo: Distributed Services• Wrapup

Slide 20

Wrapup• Spheres of Undo provide a

foundation for understanding and extending undo– define boundaries of state and time– identify paradox management points– suggest hierarchical and distributed extensions

» first step in undo for desktops and distributed services

• Fertile area for future study and implementation work!

Spheres of Undo: A Framework for Extending Undo• For more info:

– abrown@cs.berkeley.edu– dissertation:

A. Brown. “A Recovery-Oriented Approach to Dependable Services: Repairing Past Errors with System-Wide Undo.” UCB Technical Report UCB//CSD-04-XXXX

– tech report on distributed undo:A. Brown. “Toward System-Wide Undo for Distributed Services.” UCB Technical Report UCB//CSD-03-1298.

Backup Slides

Slide 23

Output Paradoxes & Distributed Undo

• Output verbs needed to detect scenarios like:

Original Execution

A B CrA rB outC

After coordinated Undo of A & B

A B CrA r'B

outC

out'C

PARADOX!

Slide 24

J2EE PetStore as Spheres of Undo

StorefrontService

ManagementService

Order-processingService

Supplier 1 Supplier N

endusers

manager

. . .

e-mailconfirmations

orders(async)

queries, order approval/rejection(sync)

orders(async)

inventory updates(sync)