Verifying Interactive Web Programs - PowerPoint PPT Presentation

Slides: 67
Provided by: csC76
Learn more at: http://www.cs.cmu.edu
1
Verifying Interactive Web Programs
  • Daniel R. Licata, Shriram Krishnamurthi
  • Brown University

14
Popular Press
  • Quote
  • But when I clicked on the National car rental
    price, the site responded with this message:
    "You have back-buttoned too far." This was my
    first experience with back-button as a verb.
    Since that was patently untrue, I decoded
    its true meaning: "We ran out of cars."
  • M. Slatalla, New York Times, 2003-07-17

15
A Headache for Companies
  • Minor problem: Users might get booked into the
    wrong hotels, onto the wrong flights, etc.
  • Major problem: People might embarrass you in
    newspapers and in public talks

16
The Orbitz Property
  • Orbitz Property: the user should receive a
    reservation at the hotel that was displayed on
    the page he submitted
  • In other words, the result does not depend on the
    page on which you did not click Reserve
  • Should all sites have this property?

28
Question
  • What would Amazon want?

29
The Amazon Property
  • Amazon property: at the end, every book the user
    added to his shopping cart is actually in his
    shopping cart
  • These properties are
  • not fixed in number
  • temporal in nature
  • ⇒ model checking

30
Model Checking
  • From the source code of a program, generate a
    model that captures the behaviors of interest
  • Consume properties written by the developer
  • Automatically check whether or not the model
    satisfies the properties

32
Modelling Web Programs
  • Model: control-flow graph (CFG)
  • What would a model of Orbitz look like?

33
Modelling Orbitz
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
34
User Operations add Control Flow
  • The browser's back-button introduced control flow
    not present in the original CFG
  • Other browser operations do the same
  • How many operations do today's browsers provide?

35
One Browser
AltTab
  • How can we model all of these operations?

36
User Operation Calculus
  • Express all browser operations in terms of
    primitive user operations
  • submit form to server
  • switch to previously-visited page
  • Graunke et al., 2003
  • Only need to account for these two operations'
    control flow

37
Our Model: the WebCFG
  • submit corresponds to program's control flow
  • Already in the CFG
  • switch permits returning to any
    previously-visited Web-interaction point
  • Add edges from each Web-interaction node to the
    successors of all the others (WebCFG)

38
The Orbitz CFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
39
The Orbitz WebCFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
40
Model Checking
  • From the source code of a program, generate a
    model that captures the behaviors of interest
  • Consume properties written by the developer
  • Automatically check whether or not the model
    satisfies the properties

41
Properties
We want to state properties about Web pages
42
Properties
Web pages are written as HTML source
  • Residence Inn by
  • Marriot Charleston
  • Downtown
  • ...

43
Properties
We want to reason about Web page texts

Residence Inn by Marriot
Charleston Downtown ...
44
Properties
How can we associate these texts with the
corresponding HTML source?

Residence Inn by Marriot
Charleston Downtown ...
45
Relating Web Page Content to Source
  • Parse the text?
  • Too hard
  • Static-distance coordinates?
  • Too brittle
  • What else can we do?

46
Relating Web Page Content to Source
Capitalize on Cascading Style Sheet (CSS) ID tags!
  • Residence Inn by
  • Marriot Charleston
  • Downtown
  • ...

47
Relating Web Page Content to Source
  • If the tag is in the HTML, it must be present in
    the source of the program that generates the page
  • This relates Web page text to the Web program
    source expression that generates it

48
Annotating the WebCFG
Annotate each WebCFG state with the propositions
true in that state

Residence Inn by
Marriot Charleston Downtown ...
generate reservation page
generate reservation text
tagreserved
49
Defining our Property Language
  • The annotated WebCFG describes the set of traces
    that potentially occur
  • The developer writes an automaton accepting the
    set of traces that should occur
  • Verification is containment of the former in the
    latter
  • Vardi and Wolper, 1986

50
Example Property
  • Password-Page Property: Before reaching an
    access-controlled page, the user must go through
    a password page

[Automaton diagram: states 1, 2 and violation; transitions labelled tagpassword-entry and tagaccess-controlled]
Note: In properties, tags label transitions
51
Expressing the Orbitz Property
  • Orbitz Property: the user should receive a
    reservation at the hotel that was displayed on
    the page he submitted
  • Divide and conquer!

52
Orbitz Subproperty 1
Property: chosen does not change between the
computation of displayed and the computation of
reserved
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display details for displayed
display reservation
We need additional propositions to express this
property!
53
Orbitz Subproperty 1
Property: chosen does not change between the
computation of displayed and the computation of
reserved
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display details for displayed
display reservation
set and join enable reasoning about data
54
Orbitz Subproperty 1
Property: chosen does not change between the
computation of displayed and the computation of
reserved
[Automaton diagram: states 1, 2 and violation; transitions labelled (set,chosen), (join,chosen) and tagreserved]
set and join enable reasoning about data
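
As an added illustration (not code from the presentation or the authors' tool), the sketch below builds the WebCFG from the Orbitz CFG using the edge rule on slide 37 and searches the product of that graph with a property automaton, a reachability form of the containment check on slide 49. The CFG edges, the choice of Web-interaction nodes and the automaton's transitions are assumptions reconstructed from the slide text.

```python
from collections import deque

# Node names are the slides'; the edges and the choice of Web-interaction
# nodes are assumptions, since the slides' diagrams are not in the transcript.
LIST, SET, DISP = "display hotel list", "set chosen", "use chosen to compute displayed"
DETAILS, RES, DONE = "display details for displayed", "use chosen to compute reserved", "display reservation"
CFG = {LIST: [SET], SET: [DISP], DISP: [DETAILS], DETAILS: [RES], RES: [DONE], DONE: []}
WEB_POINTS = [LIST, DETAILS]

def web_cfg(cfg, web_points):
    """Each Web-interaction node gains the successors of all the others ('switch')."""
    out = {n: list(s) for n, s in cfg.items()}
    for w in web_points:
        for other in web_points:
            if other != w:
                out[w] += [s for s in cfg[other] if s not in out[w]]
    return out

def step(q, node):
    """Assumed automaton for Subproperty 1: after DISP, a SET before RES is a violation."""
    if node == DISP:
        return 2
    if node == RES:
        return 1
    return "violation" if q == 2 and node == SET else q

def find_violation(graph, start=LIST):
    """Search the product of graph and automaton; return a violating path or None."""
    first = (start, step(1, start))
    parent, queue = {first: None}, deque([first])
    while queue:
        state = queue.popleft()
        if state[1] == "violation":
            path = []
            while state is not None:
                path.append(state[0])
                state = parent[state]
            return path[::-1]
        for nxt in graph[state[0]]:
            succ = (nxt, step(state[1], nxt))
            if succ not in parent:
                parent[succ] = state
                queue.append(succ)
    return None

if __name__ == "__main__":
    print("CFG:   ", find_violation(CFG))
    print("WebCFG:", find_violation(web_cfg(CFG, WEB_POINTS)))
```

The plain CFG satisfies the property, while the WebCFG yields a path that revisits set chosen after the details page has been displayed, which is the back-button scenario.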
55
Orbitz Subproperty 2
Property: the value of reserved comes from the
value of displayed
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display details for displayed
display reservation
We need additional propositions to express this
property!
56
Orbitz Subproperty 2
Property: the value of reserved comes from the
value of displayed
[Automaton diagram: states 1, 2 and violation; transitions labelled (tagged,displayed,X), (tagged,reserved,?X) and (tagged,reserved,??X)]
Augment CSS tagged propositions with additional
information for reasoning about value flow
57
Property Idioms
  • Writing these automata correctly is tricky
  • The two Orbitz subproperties and the Amazon
    property occur repeatedly
  • We provide abstractions of these properties as
    idioms in our property language

58
Model Checking
  • From the source code of a program, generate a
    model that captures the behaviors of interest
  • Consume properties written by the developer
  • Automatically check whether or not the model
    satisfies the properties

59
Verification Process
  • The model and properties we have described are
    checkable by language containment

60
The Orbitz WebCFG
display hotel list
set chosen
use chosen to compute displayed
use chosen to compute reserved
display reservation
display details for displayed
62
Verification Process
  • The model and properties we have described are
    compatible with the FLAVERS algorithms
  • Cobleigh, Naumovich, Clarke, and Osterweil,
    2001-2002
  • FLAVERS supports constraint automata
  • We can automatically generate constraints that
    rule out all the infeasible forward paths

63
Status
  • We have begun to apply our model checker to
    CONTINUE, a Web-based conference management
    application
  • Written in Scheme: send/suspend primitive creates
    Web-interaction points
  • MrFlow implements SBA
  • Heintze, 1994; Flanagan and Felleisen, 1996;
    Meunier, 2001

64
Minimization
  • Some WebCFG states are not labeled
  • We remove these from the model without affecting
    results
  • CONTINUE: from 17,000 to 300 states

65
Future Work
  • Better data reasoning (verification conditions)
  • Concurrency
  • Case studies and more idioms

66
Perspective
  • Work encompasses traditional verification
  • Structure of Web source programs matters
  • Nature of environment models changes

67
The Amazon Idiom
68
The Orbitz Idioms