Programming the Interactive Web - PowerPoint PPT Presentation

1 / 160

About This Presentation

Title:

Programming the Interactive Web

Description:

This was my first experience with 'back-button' as a verb. ... body bgcolor=yellow table td p id='reserved' Residence Inn by. Marriot Charleston ... – PowerPoint PPT presentation

Number of Views:47

Avg rating:3.0/5.0

Slides: 161

Provided by: shrir6

Category:

more less

Transcript and Presenter's Notes

Title: Programming the Interactive Web

1
(No Transcript)
2
(No Transcript)
3
(No Transcript)
4
(No Transcript)
5
(No Transcript)
6
(No Transcript)
7
(No Transcript)
8
(No Transcript)
9
(No Transcript)
10
(No Transcript)
11
(No Transcript)
12
(No Transcript)
13
Popular Press

But when I clicked on the National car rental
price , the site responded with this message
You have back-buttoned too far. This was my
first experience with back-button as a verb.
Since that was patently untrue, I decoded
its true meaning We ran out of cars.
M. Slatalla, New York Times, 2003-07-17

14
A Headache for Companies

Minor problem Users might get booked into the
wrong hotels, onto the wrong flights, etc.
Major problem People might embarrass you in
newspapers and in public talks

15
Programming and Verifying the Interactive Web

Shriram Krishnamurthi
Brown University

16
Where You See This

URLs become simple
https//onepass.continental.com/asp/statement.asp
URLs become complex
http//maps.yahoo.com/py/ddResults.py?PytTmapta
rnametardescnewnamenewdescnewHashnewTHas
hnewStsnewTStstlttlnsltslnnewFLUse
AddressBelownewaddr3007SantaMonicaBoulevard
newcszsantamonica,canewcountryusnewTFLUseA
ddressBelownewtaddr2815SantaMonicaBoulevard
newtcszSantaMonica,CA904042409newtcountryus
SubmitGetDirections

17
Programming InteractiveWeb Scripts
18
Adding Two Numbers(Console)

n1 read Enter first
n2 read Enter second
print
sum d\n
(n1 n2)
exit

19
Two User Interfaces
Enter first
Enter second
20
Interacting with Web Scripts
21
Interacting with Web Scripts
22
Interacting with Web Scripts
23
Interacting with Web Scripts
24
Interacting with Web Scripts
25
Interacting with Web Scripts
26
Program Transformation

n1 read
Enter first
n2 read
Enter second
print
sum d\n
(n1 n2)
exit

n1 read/web
ltformgtEnter first lt/formgt
n2 read/web
ltformgtEnter second lt/formgt
print
ltpgtsum
(n1 n2)lt/pgt
exit

27
A Central Problem

Web scripts write a page, then terminate (ie, the
stack is erased)
When the user replies, another script reads the
forms bindings and performs the next step (ie,
it must restore the stack)

28
Consequently
n1 read/web ltformgtEnter first lt/formgt n2
read/web ltformgtEnter second lt/formgt print
ltpgtsum (n1 n2)lt/pgt exit
29
More Program Transformation

n1 read/web
ltformgtEnter first lt/formgt
n2 read/web
ltformgtEnter second lt/formgt
print
ltpgtsum
(n1 n2)lt/pgt
exit

Main () print
ltform actionf1gt
Enter first
ltinput namen1gt
lt/formgt
f1 (form) print
ltform actionf2gt
ltinput hidden namen1
valueform.n1gt
Enter second
ltinput namen2gt
lt/formgt
f2 (form) print
The sum is
form.n1 form.n2

30
Problems

Generating the programs is taxing
Programmer must manually track numerous
dependencies
Mistakes have frustrating consequences(or
silently introduce dynamic scope)

31
Observation
n1 read/web ltformgtEnter first lt/formgt n2
read/web ltformgtEnter second lt/formgt print
ltpgtsum (n1 n2)lt/pgt exit
n1 read/web ltformgtEnter first lt/formgt n2
read/web ltformgtEnter second lt/formgt print
ltpgtsum (n1 n2)lt/pgt exit
32
The Key Insight

The manual decomposition
implements the
continuation-passing style
transformation!

33
In More Detail

Technically, it composes
transformation of code into continuation-passing
style
lambda-lifting
closure-conversion
Each of these has a formal, correctness-preserving
foundation

34
An API With Heavy Lifting

APIs offer form, cookie, c primitives
Build a richer API with read/web
Programmers
Stand up for your rights
make language designers work harder!

35
Two Approaches to a Better API

A Web compiler that
Automatically splits programs by form
Automatically propagates fields
Guarantees behavior preservation
Direct support from the languageserver

36
Web Programming in PLT Scheme

The DrScheme Web Server

37
The Real Primitive

read/web lies slightly
n1 read/web
ltform action???gtEnter firstlt/formgt
We provide send/suspend
n1 send/suspend k
ltform actionkgtEnter firstlt/formgt

send/suspend generates the URL that resumes
computation
38
Generated URLs

send/suspend generates a URL of the form
http//host/servlets/pc-member.scmid28129579972
5
In more detail
http//
host/servlets/
pc-member.scm
id281295799725

39
Addition Servlet

n1 send/suspend k
ltform actionkgtEnter firstlt/formgt
n2 send/suspend k
ltform actionkgtEnter secondlt/formgt
print
ltpgtsum
(n1 n2)lt/pgt
exit

40
Addition Servlet
http//host/servlets/add.scmid281295799725

n1 send/suspend k
ltform actionkgtEnter firstlt/formgt
n2 send/suspend k
ltform actionkgtEnter secondlt/formgt
print
ltpgtsum
(n1 n2)lt/pgt
exit

41
Addition Servlet
http//host/servlets/add.scmid281348792908
with memory of the value of n1

n1 send/suspend k
ltform actionkgtEnter firstlt/formgt
n2 send/suspend k
ltform actionkgtEnter secondlt/formgt
print
ltpgtsum
(n1 n2)lt/pgt
exit

42
Interacting with Web Scripts
/add.ssid17k3959569765
n1 1729
/add.ssid17k11058911710
43
Applications

Weve done more than just add numbers

44
The CONTINUE Server

Conference submission/review manager
Used by several conferences Softvis 2005, CSFW
2005, FOAL 2005, ISSTA 2004, LMO 2005, TAV-WEB
2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2,
...

45
Scenario
46
Email Confirmation Servlet

addr send/suspend k
ltform actionkgtEmaillt/formgt

send/suspend k ignore response send_mail
(addr, k) ltpgtWe sent mail to addrlt/pgt
add_to_database (addr)
47
Scenario
48
Scenario
49
One-Shot Guest URLs

guest_review
send/suspend k
ltform actionkgt
Overall Rating ltinput gt
Expertise ltinput gt
lt/formgt

50
One-Shot Guest URLs

guest_review
send/finish k
ltform actionkgt
Overall Rating ltinput gt
Expertise ltinput gt
lt/formgt

51
The Subtlety of Interaction
52
Whats in a URL?

Lets go back to this URL
http//maps.yahoo.com/py/ddResults.py?PytTmapta
rnametardescnewnamenewdescnewHashnewTHas
hnewStsnewTStstlttlnsltslnnewFLUse
AddressBelownewaddr3007SantaMonicaBoulevard
newcszsantamonica,canewcountryusnewTFLUseA
ddressBelownewtaddr2815SantaMonicaBoulevard
newtcszSantaMonica,CA904042409newtcountryus
SubmitGetDirections

53
Whats in a URL?

Lets go back to this URL
http//maps.yahoo.com/py/ddResults.py?PytTmapta
rnametardescnewnamenewdescnewHashnewTHas
hnewStsnewTStstlttlnsltslnnewFLUse
AddressBelownewaddr3007SantaMonicaBoulevard
newcszsantamonica,canewcountryusnewTFLUseA
ddressBelownewtaddr2815SantaMonicaBoulevard
newtcszSantaMonica,CA904042409newtcountryus
SubmitGetDirections

54
Whats in a URL?

Write it differently
http//maps.yahoo.com/py/ddResults.py?
newaddr3007SantaMonicaBoulevard
newcszsantamonica,ca
newcountryus
newtaddr2815SantaMonicaBoulevard
newtcszSantaMonica,CA904042409
newtcountryus
SubmitGetDirections

55
Whats in a URL?

Or
http//maps.yahoo.com/py/ddResults.py?
newaddr 3007SantaMonicaBoulevard
newcsz santamonica,ca
newcountry us
newtaddr 2815SantaMonicaBoulevard
newtcsz SantaMonica,CA904042409
newtcountry us
Submit GetDirections

It looks like a function call!
56
The Real Picture
The script and the user are coroutines
Event lines
script
user
57
Control Flow Back Button
A silent action!
58
Control Flow Cloning
script
user
59
Control Flow Bookmarks
60
What Programmers Need

Multiply-resumable and
restartable coroutines
Thats what send/suspend really implements

61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
(No Transcript)
68
(No Transcript)
69
(No Transcript)
70
(No Transcript)
71
(No Transcript)
72
(No Transcript)
73
Question

What would Amazon want?

74
Information Flow

Operations reveal two kinds of information
local to each copy of a page
Orbitz hotel selection
shared by all pages
Amazon shopping cart

? lexical scope
? mutable state
75
Conclusion
76
Interactive Web Programs

Program structure is mangled
Web interactions are complex
Semantics provides good foundations
APIs matter send/suspend is not alone

77
Sample of Other Work

Continuation-passing has significant downside
doesnt interact well with foreign language code
destroys the stack ? hurts tools like debuggers
and stack inspectors
Challenge devise a better compilation algorithm
Result use lightweight stack inspection ICFP 05

78
Parting Thoughts

JavaScript is changing Web applications
Declarative languages win on the Web
Keep eating our own dogfood!

79
Collaborators

Faculty
Matthias Felleisen
Robby Findler
Matthew Flatt

Brown Undergrads
Pete Hopkins

PhD Students
Paul Graunke
Greg Pettyjohn

80
Debugging
81
Safety Errors
82
Safety Errors
83
Stepping Through Code
84
Stepping Through Code
85
Performance
86
PLT Web Server/ApacheStatic Documents

ratio of connections/second

Clients
87
PLT Web Server/ApacheInteractive Content
Clients
Clients
1k files
10k files
88
Perceived and Measured Costof CONTINUE Server

Almost as fast with and without caching
Measurement

89
Programming and Verifying the Interactive Web

Shriram Krishnamurthi
Brown University

90
Web Programs

Two subtleties
Program structure is mangled
User can upset programs control-flow
Continuation-based programming provides a
baseline for tackling these problems now we can
get to semantic errors

91
Verifying Temporal Behavior
92
The Orbitz Property

Orbitz Property the user should receive a
reservation at the hotel that was displayed on
the page he submitted
Should all sites behave thus?

93
The Amazon Property

Amazon property at the end, every book the user
added to his shopping cart is actually in his
shopping cart

94
Properties

These properties are
not fixed in number
temporal in nature
? model checking

95
Model Checking

From source, generate model that captures
behaviors of interest
Consume developers properties
Automatically check whether or not the model
satisfies the properties

96
Model Checking

From source, generate model that captures
behaviors of interest
Consume developers properties
Automatically check whether or not the model
satisfies the properties

97
Modelling Web Programs

Model control-flow graph (CFG)
What would a model of Orbitz look like?

98
Modelling Orbitz
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
99
One Browser
AltTab

How can we model all these operations?

100
User Operation Calculus

Express all browser operations in terms of
primitive operations
submit form to server
switch to previously-visited page

101
The Orbitz CFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
102
The Orbitz WebCFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
103
Model Checking

From source, generate model that captures
behaviors of interest
Consume developers properties
Automatically check whether or not the model
satisfies the properties

104
Atomic Propositions
lthtmlgt ltbody bgcoloryellowgt lttablegt lttdgt
ltpgt Residence Inn by Marriot
Charleston Downtown ... lt/htmlgt
105
Relating Web Page Contentto Source

Parse the text?
Too hard
Static-distance coordinates?
Too brittle
What else can we do?

106
Relating Web Page Contentto Source
lthtmlgt ltbody bgcoloryellowgt lttablegt lttdgt
ltp idreservedgt Residence Inn by
Marriot Charleston Downtown ... lt/htmlgt
107
Annotating the WebCFG
Annotate each WebCFG state with the propositions
true in that state
lthtmlgt ltbody bgcoloryellowgt lttablegt lttdgt
ltp idreservedgt Residence Inn by
Marriot Charleston Downtown ... lt/htmlgt
generate reservation page
generate reservation text
tagreserved
108
Verification Process

Annotated WebCFG describes the set of traces that
potentially occur
Property defines traces that may occur
Verification is containment of the former in the
latter
Vardi and Wolper, 1986

109
Example Property

Before reaching an access-controlled page, the
user must go through a password page

Note In properties,tags label transitions
110
The Orbitz Property

Value of reserved comes from the value of
displayed
Value of chosen does not change between
computation of displayed and computation of
reserved

111
Orbitz Subproperty 1

Value of chosen does not change between
computation of displayed and computation of
reserved
Track value mutations

112
Orbitz Subproperty 1
Property chosen does not change between the
computation of displayed and the computation of
reserved
(set,chosen) (join,chosen)
1
2
violation
tagreserved
113
Orbitz Subproperty 2

Value of reserved comes from the value of
displayed
Augment tagged propositions for reasoning about
value flow

114
Orbitz Subproperty 2
X
Property the value of reserved comes from the
value of displayed
(tagged,displayed,X)
1
2
(tagged,reserved,?X)
violation
(tagged,reserved,??X)
?X
??X
115
Model Checking

From source, generate model that captures
behaviors of interest
Consume developers properties
Automatically check whether or not the model
satisfies the properties

116
The Orbitz WebCFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
117
The Orbitz WebCFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
118
Algorithm

NYSTNYD paths
make state machine precise
adapt language containment algorithm
FLAVERS algorithm has constraint automata to
eliminate infeasible paths

119
(No Transcript)
120
Representative Feature
121
Access-Control

Policy maps ltsubject, action, resourcegtto a
decision (permit, deny, )
Representation matters
matrix gets too large
people play multiple roles
policies are distributed
? policies are becoming software
New standards include XACML, EPAL, etc.

122
System Structure
123
System Structure

124
Verifying Information Access
125
CONTINUE Properties

Someone not PC Chair or Admin cannot see reviews
for conflicted papers
PC members may edit reviews they own
Someone not PC Chair or Admin may not set the PC
Meeting flag

126
Gradebook
127
Running Example

Roles
Faculty, Student
Actions
Assign, View, Receive
Resources
InternalGrades, ExternalGrades

128
Properties

No Student can Assign ExternalGrades
Faculty can Assign both InternalGrades and
ExternalGrades
No single person can both Receive and Assign
ExternalGrades

129
Basic Policy

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed

130
Verify Basic Policy

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed

No Student can Assign ExternalGrades
Faculty can Assign both InternalGrades and
ExternalGrades
No single person can both Receive and Assign
ExternalGrades

131
Verify Constrained Basic Policy

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed
Faculty are disjoint from Students

No Student can Assign ExternalGrades
Faculty can Assign both InternalGrades and
ExternalGrades
No single person can both Receive and Assign
ExternalGrades

132
Verify Revised TA Policy

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed
TAs can View and Assign InternalGrades but not
ExternalGrades
Faculty are disjoint from Students

No Student can Assign ExternalGrades
Faculty can Assign both InternalGrades and
ExternalGrades
No single person can both Receive and Assign
ExternalGrades

133
Verify Family Policy

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed
TAs can View and Assign InternalGrades but not
ExternalGrades
FacultyFamily can Receive ExternalGrades
Disjointness constraint

No Student can Assign ExternalGrades
Faculty can Assign both InternalGrades and
ExternalGrades
No single person can both Receive and Assign
ExternalGrades

134
Margrave Response

Fails when someone is both Faculty and
FacultyFamily

No Student can Assign ExternalGrades
Faculty can Assign both InternalGrades and
ExternalGrades
No single person can both Receive and Assign
ExternalGrades

Spouses can be faculty too!
135
Properties?!?
136
Policies Without Properties

Working policy P1
Modified policy P2
Testing reveals intended change
But

137
TA Policy Minus Constrained Basic Policy

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed
TAs have the same privileges as Faculty
Faculty are disjoint from Students

Requests for Students to Receive ExternalGrades
succeed
Requests for Faculty to Assign or View
ExternalGrades succeed
Faculty are disjoint from Students

138
Output

Faculty 0 0 0 0 0 0 0 0
Student 0 0 0 0 1 1 1 1
ExtGrades 0 0 1 1 0 0 1 1
IntGrades 1 1 0 0 1 1 0 0
Assign 0 1 0 1 0 1 0 1
View 1 0 1 0 1 0 1 0
Receive 0 0 0 0 0 0 0 0
TA 1 1 1 1 1 1 1 1
N N N N N N N N
2 2 2 2 2 2 2 2
P P P P P P P P

139
Output

Faculty 0 0 0 0 0 0 0 0
Student 0 0 0 0 1 1 1 1
ExtGrades 0 0 1 1 0 0 1 1
IntGrades 1 1 0 0 1 1 0 0
Assign 0 1 0 1 0 1 0 1
View 1 0 1 0 1 0 1 0
Receive 0 0 0 0 0 0 0 0
TA 1 1 1 1 1 1 1 1
N N N N N N N N
2 2 2 2 2 2 2 2
P P P P P P P P

Faculty 0 0 0 0
Student 0 0 1 1
ExtGrades 0 1 0 1
IntGrades 1 0 1 0
Assign 1 1 1 1
View 0 0 0 0
Receive 0 0 0 0
TA 1 1 1 1
N N N N
2 2 2 2
P P P P

Show cases involving grade assignment
140
Output

Faculty 0 0 0 0
Student 0 0 1 1
ExtGrades 0 1 0 1
IntGrades 1 0 1 0
Assign 1 1 1 1
View 0 0 0 0
Receive 0 0 0 0
TA 1 1 1 1
N N N N
2 2 2 2
P P P P

Faculty 0 0
Student 0 1
ExtGrades 1 1
IntGrades 0 0
Assign 1 1
View 0 0
Receive 0 0
TA 1 1
N N
2 2
P P

Show cases involving external grades
141
Output

Student
TA

Faculty 0 0
Student 0 1
ExtGrades 1 1
IntGrades 0 0
Assign 1 1
View 0 0
Receive 0 0
TA 1 1
N N
2 2
P P

Show all roles
142
Supported Queries

Restrict by change type (eg, D-gtP)
Restrict to boolean combinations of specific
roles, actions, resources
List roles, actions, resources occurring in
change
Emptiness

143
Implementation
144
Possibilities

Reasoning is largely propositional
CNF/DNF
Prolog
SAT solving (w/ an interface like Alloy?)
Decision diagrams

145
Multi-TerminalDecision Diagrams

Faculty (f) can assign (a) grades (g)
Students (s) can receive (r) grades (g)

146
Rules and Rule Combination
147
Constraints

Faculty are disjoint from Students
Exclude (Faculty ? Students)

X
148
Policy Differencing

Decision diagram with 16 terminals
permit?permit, permit?deny, deny?permit,
deny?not-applicable,
Built from policies using minor variations of
standard decision diagram combinators
Uniform representation is valuable!

149
Back to the Case Study
150
CONTINUE Performance

Policy has 50 MTDD variables
Policy has 1268 nodes (817 w/ constraints)
Twelve properties each lt 10ms
Memory 316,288 bytes over baseline
Change 2ms, 1133 nodes, 16.3Kb memory

151
Context
152
Temporal problems
Role problems
Instance problems
153
Temporal Policies

Coarse-grained
Fine-grained
Dont allow access to a papers other reviews
until the PC member has submitted their own review

Submit
Review
Respond
Meet
154
Temporal problems
Changeanalysis
Programanalysis
Role problems
Instance problems
155
One Conference Doesnt Fit All
Submit
Review
Respond
Meet
Submit
Review
Respond
Submit
Review
Deliberate
Feedback
Respond
156
Conclusion
157
Perspective