Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
unibz.itunibz.it
Verification of
Relational Data-Centric Dynamic Systems
with External Services
Marco Montali
Joint work wi...
unibz.itunibz.it
Introduction
This talk is about verification of systems merging data and processes.
See yesterday’s keynot...
unibz.itunibz.it
Introduction
Data-Centric Dynamic Systems (DCDSs)
An abstract, pristine framework to formally describe pr...
unibz.itunibz.it
DCDS
A DCDS S is a pair D, P .
Data layer D
• Relational schema.
• Constraints (equality constraints/doma...
unibz.itunibz.it
DCDS
A DCDS S is a pair D, P .
Data layer D
• Relational schema.
• Constraints (equality constraints/doma...
unibz.itunibz.it
An Example: Hotels and Price Conversion
Data Layer: Info about hotels and room prices
Cur = UserCurrency ...
unibz.itunibz.it
An Example: Hotels and Price Conversion
Data Layer: Info about hotels and room prices
Cur = UserCurrency ...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
Marco Montali Verification of Relationa...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
ChooseCur(): uInputCurr() = ?
Marco Mo...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h...
unibz.itunibz.it
Run
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h1 80 sep-18
h2 80 sep-18
HC
h1 eur
h2 eur
PEntry
h1 95 apr-25
h...
unibz.itunibz.it
Execution Semantics
Transition system accounting for all possible runs of the DCDS:
• States: each linked...
unibz.itunibz.it
Sources of Unboundedness/Infinity
In general: service calls cause. . .
.....
.
.....
.
. . .
• Infinite bra...
unibz.itunibz.it
Verification of DCDSs
Verification
Given a DCDS S (with transition system ΥS), and a temporal/dynamic
prope...
unibz.itunibz.it
Verification of DCDSs
Verification
Given a DCDS S (with transition system ΥS), and a temporal/dynamic
prope...
unibz.itunibz.it
Design Space
We employ variants of first-order µ-calculus (µLFO):
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z ...
unibz.itunibz.it
Design Space
We employ variants of first-order µ-calculus (µLFO):
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z ...
unibz.itunibz.it
Design Space
We employ variants of first-order µ-calculus (µLFO):
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z ...
unibz.itunibz.it
History-Preserving µ-calculus (µLA)
Active-domain quantification: restricted to those
individuals present ...
unibz.itunibz.it
Persistence-Preserving µ-calculus (µLP)
In some cases, objects maintain their identity only if they persi...
unibz.itunibz.it
Persistence-Preserving µ-calculus (µLP)
In some cases, objects maintain their identity only if they persi...
unibz.itunibz.it
Persistence-Preserving µ-calculus (µLP)
In some cases, objects maintain their identity only if they persi...
unibz.itunibz.it
Persistence-Preserving µ-calculus (µLP)
In some cases, objects maintain their identity only if they persi...
unibz.itunibz.it
Bisimulations
We introduce two novel notions of bisimulation to account for µLA/µLP.
History-Preserving
B...
unibz.itunibz.it
Bisimulations
History-preserving bisimulation requires each isomorphism to be witnessed
by a bijection th...
unibz.itunibz.it
Bisimulations
History-preserving bisimulation requires each isomorphism to be witnessed
by a bijection th...
unibz.itunibz.it
Conditions for DCDSs
We devise two conditions over the transition system ΥS of a DCDS S.
Run boundedness
...
unibz.itunibz.it
Conditions for DCDSs
We devise two conditions over the transition system ΥS of a DCDS S.
Run boundedness
...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
Marco Montali Verification of Relational DCDSs PODS 20...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
Unrestricted
µLFO U
µLA U
µLP U
µL U
D: decidable; U:...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
Finite-stateDCDSs
Unrestricted Finite-state
µLFO U D
...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
Finite-stateDCDSs
Finite-range DCDSs
Unrestricted Fin...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
Run-boundedDCDSs
Finite-stateDCDSs
Finite-range DCDSs...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
Run-boundedDCDSs
Finite-stateDCDSs
Weakly-acyclic DCD...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
State-boundedDCDSs
Run-boundedDCDSs
Finite-stateDCDSs...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
State-boundedDCDSs
Run-boundedDCDSs
Finite-stateDCDSs...
unibz.itunibz.it
Summary of ResultsUnrestrictedDCDSs(Turingcomplete)
State-boundedDCDSs
Run-boundedDCDSs
Finite-stateDCDSs...
unibz.itunibz.it
Run-Bounded Systems: Decidability for µLA
Theorem
Verification of µLA over run-bounded DCDSs is decidable ...
unibz.itunibz.it
Run-Bounded Systems: Decidability for µLA
Theorem
Verification of µLA over run-bounded DCDSs is decidable ...
unibz.itunibz.it
State-bounded Systems: Undecidability for µLA
Theorem
Verification of µLA over state-bounded DCDSs is unde...
unibz.itunibz.it
State-bounded Systems: Decidability for µLP
Theorem
Verification of µLP over state-bounded DCDSs is decida...
unibz.itunibz.it
State-bounded Systems: Decidability for µLP
Theorem
Verification of µLP over state-bounded DCDSs is decida...
unibz.itunibz.it
State-bounded Systems: Decidability for µLP
Theorem
Verification of µLP over state-bounded DCDSs is decida...
unibz.itunibz.it
State-bounded Systems: Decidability for µLP
Theorem
Verification of µLP over state-bounded DCDSs is decida...
unibz.itunibz.it
Sufficient Syntactic Conditions
State- and run-boundedness are semantic conditions.
We show they are undeci...
unibz.itunibz.it
Sufficient Syntactic Conditions - Example 1
Example
Consider a DCDS S with process {true −→ α()},
action α(...
unibz.itunibz.it
Sufficient Syntactic Conditions - Example 2
Example
Consider a DCDS S with process {true −→ α(), true −→ β(...
unibz.itunibz.it
Conclusions
• Our work is grounded in real-world data-aware processes.
• We study robust conditions for d...
unibz.itunibz.it
History-Preserving Bisimulation
Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . .
• ...
unibz.itunibz.it
History-Preserving Bisimulation
Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . .
• ...
unibz.itunibz.it
Persistence-Preserving Bisimulation
Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . ...
unibz.itunibz.it
Persistence-Preserving Bisimulation
Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . ...
Upcoming SlideShare
Loading in …5
×

PODS 2013 - Montali - Verification of Relational Data-Centric Dynamic Systems with External Services

127 views

Published on

Presentation of the paper "Verification of Relational Data-Centric Dynamic Systems with External Services" at the 32nd ACM SIGACT SIGMOD SIGART Symposium on Principles of Database Systems (PODS 2013)

  • Be the first to comment

  • Be the first to like this

PODS 2013 - Montali - Verification of Relational Data-Centric Dynamic Systems with External Services

  1. 1. unibz.itunibz.it Verification of Relational Data-Centric Dynamic Systems with External Services Marco Montali Joint work with: B. Bagheri Hariri, D. Calvanese, G. De Giacomo, A. Deutsch KRDB Research Centre for Knowledge and Data Free University of Bozen-Bolzano, Italy PODS 2013 New York, USA Marco Montali Verification of Relational DCDSs PODS 2013 1 / 25
  2. 2. unibz.itunibz.it Introduction This talk is about verification of systems merging data and processes. See yesterday’s keynote by Diego Calvanese. Process (Wil van der Aalst) looking at data (Victor Vianu) @BPM 2011 Marco Montali Verification of Relational DCDSs PODS 2013 2 / 25
  3. 3. unibz.itunibz.it Introduction Data-Centric Dynamic Systems (DCDSs) An abstract, pristine framework to formally describe processes that manipulate data. • Captures virtually all existing approaches to data-aware processes, such as the artifact-centric paradigm. DCDS Data Layer Process Layer external service external service external service UpdateRead • Data layer: relational database (with constraints). • Process layer: condition-action rules (include service calls that input new data). Marco Montali Verification of Relational DCDSs PODS 2013 3 / 25
  4. 4. unibz.itunibz.it DCDS A DCDS S is a pair D, P . Data layer D • Relational schema. • Constraints (equality constraints/domain-independent FOL). • Initial DB. Marco Montali Verification of Relational DCDSs PODS 2013 4 / 25
  5. 5. unibz.itunibz.it DCDS A DCDS S is a pair D, P . Data layer D • Relational schema. • Constraints (equality constraints/domain-independent FOL). • Initial DB. Process layer P • Services to introduce new data into the system - results taken from a countably infinite domain. • Actions with parameters, specified in terms of effects that: 1 query the current DB (with UCQs + domain-independent FO filters); 2 transfer the obtained answers, together with service call results, into facts that constitute the new DB. • Declarative description of the process with condition-action rules. Condition: (domain-independent) FO query. Each rule queries the current DB and determines the executability of the corresponding action with params. Marco Montali Verification of Relational DCDSs PODS 2013 4 / 25
  6. 6. unibz.itunibz.it An Example: Hotels and Price Conversion Data Layer: Info about hotels and room prices Cur = UserCurrency CH = Hotel, Currency PEntry = Hotel, Price, Date Process Layer/1 User selection of a currency. • Process: true −→ ChooseCur() • Service call for currency selection: uInputCurr() Models user input with non-deterministic behavior: same-argument calls possibly return different values at different time moments. • ChooseCur() : true Cur(uInputCurr()) CH(h, c) CH(h, c) PEntry(h, p, d) PEntry(h, p, d) Marco Montali Verification of Relational DCDSs PODS 2013 5 / 25
  7. 7. unibz.itunibz.it An Example: Hotels and Price Conversion Data Layer: Info about hotels and room prices Cur = UserCurrency CH = Hotel, Currency PEntry = Hotel, Price, Date Process Layer/2 Price conversion for a hotel. • Process: Cur(c) ∧ CurHotel(h, ch) ∧ ch = c −→ ApplyConv(h, c) • Service call for currency selection: conv(price, from, to, date) Models historical conversion with deterministic behavior: same-argument calls always return the same value along a run. • ApplyConv(h, c) :   PEntry(h, p, d) ∧ CH(h, cold) ∧ Cur(c) PEntry(h, conv(p, cold, c, d), d) PEntry(h , p, d) ∧ h = h PEntry(h , p, d) CH(h, cold) CH(h, c) CH(h , c ) ∧ h = h CH(h , c ) Cur(c) Cur(c)    Marco Montali Verification of Relational DCDSs PODS 2013 5 / 25
  8. 8. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  9. 9. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 ChooseCur(): uInputCurr() = ? Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  10. 10. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd ChooseCur(): uInputCurr() = usd Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  11. 11. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd ChooseCur(): uInputCurr() = usd ApplyConv(h1,usd) ChooseCur() ApplyConv(h2,usd) Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  12. 12. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd ChooseCur(): uInputCurr() = usd ApplyConv(h1,usd): conv(95,eur,usd,apr-25) = ? conv(80,eur,usd,sep-18) = ? Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  13. 13. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd HC h1 usd h2 eur PEntry h1 115 apr-25 h1 95 sep-18 h2 80 sep-18 Cur usd ChooseCur(): uInputCurr() = usd ApplyConv(h1,usd): conv(95,eur,usd,apr-25) = 115 conv(80,eur,usd,sep-18) = 95 Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  14. 14. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd HC h1 usd h2 eur PEntry h1 115 apr-25 h1 95 sep-18 h2 80 sep-18 Cur usd ChooseCur(): uInputCurr() = usd ApplyConv(h1,usd): conv(95,eur,usd,apr-25) = 115 conv(80,eur,usd,sep-18) = 95 ChooseCur() ApplyConv(h2,usd) Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  15. 15. unibz.itunibz.it Run HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd HC h1 usd h2 eur PEntry h1 115 apr-25 h1 95 sep-18 h2 80 sep-18 Cur usd HC h1 usd h2 usd PEntry h1 115 apr-25 h1 95 sep-18 h2 95 sep-18 Cur usd ChooseCur(): uInputCurr() = usd ApplyConv(h1,usd): conv(95,eur,usd,apr-25) = 115 conv(80,eur,usd,sep-18) = 95 ApplyConv(h2,usd) conv(80,eur,usd,sep-18) = 95 Marco Montali Verification of Relational DCDSs PODS 2013 6 / 25
  16. 16. unibz.itunibz.it Execution Semantics Transition system accounting for all possible runs of the DCDS: • States: each linked to a DB - instance of the data layer; • Transitions: legal applications of action+params+service call evals. Action+params: executable according to the process rules. Deterministic services behave consistently with the previous results. We obtain a possibly infinite-state (relational) transition system: • from the initial DB; • by applying transitions in all possible ways. Marco Montali Verification of Relational DCDSs PODS 2013 7 / 25
  17. 17. unibz.itunibz.it Sources of Unboundedness/Infinity In general: service calls cause. . . ..... . ..... . . . . • Infinite branching (due to all possible results of service calls). • Infinite runs (usage of values obtained from unboundedly many service calls). • Unbounded DBs (accumulation of such values). HC h1 eur h2 eur PEntry h1 95 apr-25 h1 80 sep-18 h2 80 sep-18 Cur usd . . . . . . . . . . . . ApplyConv(h1,usd): exchange rate = 1.2 ApplyConv(h1,usd): exchange rate = 1.23 ApplyConv(h1,usd): exchange rate = 1.3 ApplyConv(h1,usd): exchange rate = ... Marco Montali Verification of Relational DCDSs PODS 2013 8 / 25
  18. 18. unibz.itunibz.it Verification of DCDSs Verification Given a DCDS S (with transition system ΥS), and a temporal/dynamic property Φ, check whether ΥS |= Φ Requirements for temporal/dynamic properties: • to capture data ; first-order queries; • to capture dynamics ; temporal modalities; • to capture evolution of data ; quantification across states. Marco Montali Verification of Relational DCDSs PODS 2013 9 / 25
  19. 19. unibz.itunibz.it Verification of DCDSs Verification Given a DCDS S (with transition system ΥS), and a temporal/dynamic property Φ, check whether ΥS |= Φ Requirements for temporal/dynamic properties: • to capture data ; first-order queries; • to capture dynamics ; temporal modalities; • to capture evolution of data ; quantification across states. Our goal Investigate “robust” conditions on decidability of verification: • for sophisticated branching- and linear-time temporal properties; • exploiting conventional, finite-state model checking via construction of a faithful (sound and complete), finite-state abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 9 / 25
  20. 20. unibz.itunibz.it Design Space We employ variants of first-order µ-calculus (µLFO): Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ • Employs fixpoint constructs to express sophisticated properties defined via induction or co-induction. • Subsumes virtually all logics used in verification, such as LTL, CTL, CTL*. PDLLTL CTL µL µLFO Marco Montali Verification of Relational DCDSs PODS 2013 10 / 25
  21. 21. unibz.itunibz.it Design Space We employ variants of first-order µ-calculus (µLFO): Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ • Employs fixpoint constructs to express sophisticated properties defined via induction or co-induction. • Subsumes virtually all logics used in verification, such as LTL, CTL, CTL*. PDLLTL CTL µL µLFO Problem 1 Unrestricted first-order quantification: no hope of reducing verification to finite-state model checking. See: ∃x1, . . . , xn. i=j xi = xj ∧ i∈{1,...,n} − Q(xi) ; We need to consider fragments of µLFO with controlled quantification. Marco Montali Verification of Relational DCDSs PODS 2013 10 / 25
  22. 22. unibz.itunibz.it Design Space We employ variants of first-order µ-calculus (µLFO): Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ • Employs fixpoint constructs to express sophisticated properties defined via induction or co-induction. • Subsumes virtually all logics used in verification, such as LTL, CTL, CTL*. PDLLTL CTL µL µLFO Problem 1 Unrestricted first-order quantification: no hope of reducing verification to finite-state model checking. See: ∃x1, . . . , xn. i=j xi = xj ∧ i∈{1,...,n} − Q(xi) ; We need to consider fragments of µLFO with controlled quantification. Problem 2 Verification is undecidable for simple propositional CTL ∩ LTL properties. ; We need to pose restrictions on DCDSs. Marco Montali Verification of Relational DCDSs PODS 2013 10 / 25
  23. 23. unibz.itunibz.it History-Preserving µ-calculus (µLA) Active-domain quantification: restricted to those individuals present in the current database. ∃x.Φ ; ∃x.live(x) ∧ Φ where live(x) states that x is present in the current active domain. PDLLTL CTL µL µLA µLFO Example νX.(∀x.live(x) ∧ Stud(x) → µY .(∃y.live(y) ∧ Grad(x, y) ∨ − Y ) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution eventually leading to a graduation of the student (with some final mark y). Marco Montali Verification of Relational DCDSs PODS 2013 11 / 25
  24. 24. unibz.itunibz.it Persistence-Preserving µ-calculus (µLP) In some cases, objects maintain their identity only if they persist in the active domain (cf. business artifacts and their IDs). . . . StudId : 123 . . . StudId : 123 . . .dismiss(123) newStud() ID() = 123 Marco Montali Verification of Relational DCDSs PODS 2013 12 / 25
  25. 25. unibz.itunibz.it Persistence-Preserving µ-calculus (µLP) In some cases, objects maintain their identity only if they persist in the active domain (cf. business artifacts and their IDs). . . . StudId : 123 . . . StudId : 123 . . .dismiss(123) newStud() ID() = 123 µLP restricts µLA to quantification over persisting objects only, i.e., objects that continue to be live. ∃x.Φ ; ∃x.live(x) ∧ Φ − Φ(x) ; live(x) ∧ − Φ(x) [−]Φ(x) ; live(x) ∧ [−]Φ(x) PDLLTL CTL µL µLP µLA µLFO Marco Montali Verification of Relational DCDSs PODS 2013 12 / 25
  26. 26. unibz.itunibz.it Persistence-Preserving µ-calculus (µLP) In some cases, objects maintain their identity only if they persist in the active domain (cf. business artifacts and their IDs). . . . StudId : 123 . . . StudId : 123 . . .dismiss(123) newStud() ID() = 123 µLP restricts µLA to quantification over persisting objects only, i.e., objects that continue to be live. ∃x.Φ ; ∃x.live(x) ∧ Φ − Φ(x) ; live(x) ∧ − Φ(x) [−]Φ(x) ; live(x) ∧ [−]Φ(x) PDLLTL CTL µL µLP µLA µLFO Example (“strong persistence”) νX.(∀x.live(x) ∧ Stud(x) → µY .(∃y.live(y) ∧ Grad(x, y) ∨ (live(x) ∧ − Y )) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution in which x persists in the database until she eventually graduates. Marco Montali Verification of Relational DCDSs PODS 2013 12 / 25
  27. 27. unibz.itunibz.it Persistence-Preserving µ-calculus (µLP) In some cases, objects maintain their identity only if they persist in the active domain (cf. business artifacts and their IDs). . . . StudId : 123 . . . StudId : 123 . . .dismiss(123) newStud() ID() = 123 µLP restricts µLA to quantification over persisting objects only, i.e., objects that continue to be live. ∃x.Φ ; ∃x.live(x) ∧ Φ − Φ(x) ; live(x) ∧ − Φ(x) [−]Φ(x) ; live(x) ∧ [−]Φ(x) PDLLTL CTL µL µLP µLA µLFO Example (“weak persistence”) νX.(∀x.live(x) ∧ Stud(x) → µY .(∃y.live(y) ∧ Grad(x, y) ∨ (live(x) → − Y )) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution in which either x does not persist, or she eventually graduates. Marco Montali Verification of Relational DCDSs PODS 2013 12 / 25
  28. 28. unibz.itunibz.it Bisimulations We introduce two novel notions of bisimulation to account for µLA/µLP. History-Preserving Bisimulation Invariant Languages Persistence-Preserving Bisimulation Invariant Languages Propositional Bisimulation Invariant Languages PDLLTL CTL µL µLP µLA µLFO These bisimulation relations capture: • dynamics ; standard notion of bisimulation; • data ; DB isomorphism; • evolution of data ; compatibility of the bijections witnessing the isomorphisms along a run. Marco Montali Verification of Relational DCDSs PODS 2013 13 / 25
  29. 29. unibz.itunibz.it Bisimulations History-preserving bisimulation requires each isomorphism to be witnessed by a bijection that extends the bijection used in the previous step. Theorem If Υ1 and Υ2 are history-preserving bisimilar, then for every µLA closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Marco Montali Verification of Relational DCDSs PODS 2013 14 / 25
  30. 30. unibz.itunibz.it Bisimulations History-preserving bisimulation requires each isomorphism to be witnessed by a bijection that extends the bijection used in the previous step. Theorem If Υ1 and Υ2 are history-preserving bisimilar, then for every µLA closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Persistence-preserving bisimulation requires each isomorphism to be witnessed by a bijection that extends the bijection used in the previous step, restricted only to the persisting objects. Theorem If Υ1 and Υ2 are persistence-preserving bisimilar, then for every µLP closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Marco Montali Verification of Relational DCDSs PODS 2013 14 / 25
  31. 31. unibz.itunibz.it Conditions for DCDSs We devise two conditions over the transition system ΥS of a DCDS S. Run boundedness Each run of ΥS accumulates only a bounded number of objects. • No bound on the overall number of objects: ΥS is still infinite-state, due to infinite branching induced by service calls. • Unboundedly many deterministic service calls can still be issued with a bounded number of inputs. • Only boundedly many nondeterministic service calls can be issued. Marco Montali Verification of Relational DCDSs PODS 2013 15 / 25
  32. 32. unibz.itunibz.it Conditions for DCDSs We devise two conditions over the transition system ΥS of a DCDS S. Run boundedness Each run of ΥS accumulates only a bounded number of objects. • No bound on the overall number of objects: ΥS is still infinite-state, due to infinite branching induced by service calls. • Unboundedly many deterministic service calls can still be issued with a bounded number of inputs. • Only boundedly many nondeterministic service calls can be issued. State boundedness Each state of ΥS contains only bounded number of objects. • Relaxation of run-boundedness: unboundedly many objects along a run, provided that they are not accumulated in the same state. • ΥS can contain infinite branches and infinite runs. Marco Montali Verification of Relational DCDSs PODS 2013 15 / 25
  33. 33. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  34. 34. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) Unrestricted µLFO U µLA U µLP U µL U D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  35. 35. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) Finite-stateDCDSs Unrestricted Finite-state µLFO U D µLA U D µLP U D µL U D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  36. 36. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) Finite-stateDCDSs Finite-range DCDSs Unrestricted Finite-state µLFO U D µLA U D µLP U D µL U D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  37. 37. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) Run-boundedDCDSs Finite-stateDCDSs Finite-range DCDSs Unrestricted Run-bounded Finite-state µLFO U N D µLA U D D µLP U D D µL U D D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  38. 38. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) Run-boundedDCDSs Finite-stateDCDSs Weakly-acyclic DCDSs with det. services Finite-range DCDSs Unrestricted Run-bounded Finite-state µLFO U N D µLA U D D µLP U D D µL U D D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  39. 39. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) State-boundedDCDSs Run-boundedDCDSs Finite-stateDCDSs Weakly-acyclic DCDSs with det. services Finite-range DCDSs Unrestricted State-bounded Run-bounded Finite-state µLFO U U N D µLA U U D D µLP U D D D µL U D D D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  40. 40. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) State-boundedDCDSs Run-boundedDCDSs Finite-stateDCDSs GR-acyclic DCDSs Weakly-acyclic DCDSs with det. services Finite-range DCDSs Unrestricted State-bounded Run-bounded Finite-state µLFO U U N D µLA U U D D µLP U D D D µL U D D D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  41. 41. unibz.itunibz.it Summary of ResultsUnrestrictedDCDSs(Turingcomplete) State-boundedDCDSs Run-boundedDCDSs Finite-stateDCDSs GR+-acyclic DCDSs GR-acyclic DCDSs Weakly-acyclic DCDSs with det. services Finite-range DCDSs Unrestricted State-bounded Run-bounded Finite-state µLFO U U N D µLA U U D D µLP U D D D µL U D D D D: decidable; U: undecidable; N: no finite abstraction. Marco Montali Verification of Relational DCDSs PODS 2013 16 / 25
  42. 42. unibz.itunibz.it Run-Bounded Systems: Decidability for µLA Theorem Verification of µLA over run-bounded DCDSs is decidable and can be reduced to model checking of propositional µL over a finite TS. Crux: construct a faithful abstraction ΘS for ΥS, collapsing infinite branching. .. . .. . .. . .. . . . . Marco Montali Verification of Relational DCDSs PODS 2013 17 / 25
  43. 43. unibz.itunibz.it Run-Bounded Systems: Decidability for µLA Theorem Verification of µLA over run-bounded DCDSs is decidable and can be reduced to model checking of propositional µL over a finite TS. Crux: construct a faithful abstraction ΘS for ΥS, collapsing infinite branching. • We use isomorphic types instead of actual service call results. .. . .. . .. . .. . . . . ≈ representatives for all isomorphic types Marco Montali Verification of Relational DCDSs PODS 2013 17 / 25
  44. 44. unibz.itunibz.it State-bounded Systems: Undecidability for µLA Theorem Verification of µLA over state-bounded DCDSs is undecidable. Intuition: µLA can use quantification to store and compare the unboundedly many values encountered along the runs. Crux: reduction from satisfiability of LTL with freeze quantifiers. • µLA can express LTL with freeze quantifier by making registers explicit. • There is a state-bounded DCDS that simulates all the possible traces with register assignments (i.e., data words). • Satisfiability via model checking. Marco Montali Verification of Relational DCDSs PODS 2013 18 / 25
  45. 45. unibz.itunibz.it State-bounded Systems: Decidability for µLP Theorem Verification of µLP over state-bounded DCDSs is decidable and can be reduced to model checking of propositional µ-calculus over a finite transition system. Crux: construct a faithful abstraction ΘS for ΥS, collapsing infinite branching and compacting infinite runs. 1 Prune infinite branching (isomorphic types). ..... . ..... . ..... . ..... . . . . Marco Montali Verification of Relational DCDSs PODS 2013 19 / 25
  46. 46. unibz.itunibz.it State-bounded Systems: Decidability for µLP Theorem Verification of µLP over state-bounded DCDSs is decidable and can be reduced to model checking of propositional µ-calculus over a finite transition system. Crux: construct a faithful abstraction ΘS for ΥS, collapsing infinite branching and compacting infinite runs. 1 Prune infinite branching (isomorphic types). ..... . ..... . ..... . ..... . . . . ∼ representatives for isomorphic types Marco Montali Verification of Relational DCDSs PODS 2013 19 / 25
  47. 47. unibz.itunibz.it State-bounded Systems: Decidability for µLP Theorem Verification of µLP over state-bounded DCDSs is decidable and can be reduced to model checking of propositional µ-calculus over a finite transition system. Crux: construct a faithful abstraction ΘS for ΥS, collapsing infinite branching and compacting infinite runs. 1 Prune infinite branching (isomorphic types). ..... . ..... . ..... . Marco Montali Verification of Relational DCDSs PODS 2013 19 / 25
  48. 48. unibz.itunibz.it State-bounded Systems: Decidability for µLP Theorem Verification of µLP over state-bounded DCDSs is decidable and can be reduced to model checking of propositional µ-calculus over a finite transition system. Crux: construct a faithful abstraction ΘS for ΥS, collapsing infinite branching and compacting infinite runs. 1 Prune infinite branching (isomorphic types). 2 Finite abstraction along the runs: Recycle old, non-persisting objects instead of inventing new ones. .. . .. . .. . Marco Montali Verification of Relational DCDSs PODS 2013 19 / 25
  49. 49. unibz.itunibz.it Sufficient Syntactic Conditions State- and run-boundedness are semantic conditions. We show they are undecidable to check. We then introduce two incomparable sufficient syntactic conditions: • Weak acyclicity (cf. data exchange), to check whether a DCDS with deterministic services is run-bounded. • Generate-recall acyclicity, to check whether a DCDS is state-bounded. Both conditions are checked against a dependency graph that abstracts the data-flow of the DCDS process layer. Marco Montali Verification of Relational DCDSs PODS 2013 20 / 25
  50. 50. unibz.itunibz.it Sufficient Syntactic Conditions - Example 1 Example Consider a DCDS S with process {true −→ α()}, action α() :    P(x) P(x) P(x) Q(f (x)) Q(x) Q(x)    P,1 Q,1* Consider nondeterministic service calls. S is not state-bounded. The problem comes from the interplay between: • a generate cycle that continuously feeds a path issuing service calls; • a recall cycle that accumulates the obtained results. • (+ the fact that both cycles are active at the same time) GR-acycliclity detects exactly these undesired situations. Marco Montali Verification of Relational DCDSs PODS 2013 21 / 25
  51. 51. unibz.itunibz.it Sufficient Syntactic Conditions - Example 2 Example Consider a DCDS S with process {true −→ α(), true −→ β()}, actions α() : {P(x) Q(f (x))} β() : {Q(x) P(x)} P,1 Q,1 * Consider deterministic service calls. S is not run-bounded. The problem comes from: • repeated calls to the same service. . . • every time using fresh values that are directly (or indirectly) obtained by manipulating previous results produced by the same service. Weak acycliclity detects these undesired situations. Marco Montali Verification of Relational DCDSs PODS 2013 22 / 25
  52. 52. unibz.itunibz.it Conclusions • Our work is grounded in real-world data-aware processes. • We study robust conditions for decidability. no conditions on the structure of the database; the database changes over time; suitable restrictions are posed on the process layer. • Complexity wise, our techniques are exponential in the size of the initial database. • However, most often processes change only a small (logarithmic ?) portion of the entire database. • Next step: formalize this intuition. Marco Montali Verification of Relational DCDSs PODS 2013 23 / 25
  53. 53. unibz.itunibz.it History-Preserving Bisimulation Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . . • Is a ternary relation ≈⊆ Σ1 × H × Σ2, connecting pais of states under a bijection that tracks the history. • In particular, s1 ≈h s2 implies that: 1 h is a partial bijection between ∆1 and ∆2 that induces an isomorphism between db1(s1) and db2(s2); 2 for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h that extends h, such that s1 ≈h s2; 3 for each s2, if s2 ⇒2 s2 then there is an s1 with s1 ⇒1 s1 and a bijection h that extends h, such that s1 ≈h s2. • Υ1 ≈ Υ2 if there exists a partial bijection h0 such that s01 ≈h0 s02. Marco Montali Verification of Relational DCDSs PODS 2013 24 / 25
  54. 54. unibz.itunibz.it History-Preserving Bisimulation Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . . • Is a ternary relation ≈⊆ Σ1 × H × Σ2, connecting pais of states under a bijection that tracks the history. • In particular, s1 ≈h s2 implies that: 1 h is a partial bijection between ∆1 and ∆2 that induces an isomorphism between db1(s1) and db2(s2); 2 for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h that extends h, such that s1 ≈h s2; 3 for each s2, if s2 ⇒2 s2 then there is an s1 with s1 ⇒1 s1 and a bijection h that extends h, such that s1 ≈h s2. • Υ1 ≈ Υ2 if there exists a partial bijection h0 such that s01 ≈h0 s02. Theorem If Υ1 ≈ Υ2, then for every µLA closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Marco Montali Verification of Relational DCDSs PODS 2013 24 / 25
  55. 55. unibz.itunibz.it Persistence-Preserving Bisimulation Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . . • It is a ternary relation ∼⊆ Σ1 × H × Σ2, connecting pairs of states under a bijection that tracks the history of persisting objects. • In particular, s1 ∼h s2 implies that: 1 h is a partial bijection between ∆1 and ∆2 that induces an isomorphism between db1(s1) and db2(s2); 2 for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection h that extends h restricted on adom(db1(s1)) ∩ adom(db1(s1)), such that s1 ∼h s2; 3 for each s2, if s2 ⇒2 s2 then there exists an s1 with s1 ⇒1 s1 and a bijection h that extends h restricted on adom(db1(s1)) ∩ adom(db1(s1)), such that s1 ∼h s2. • Υ1 ∼ Υ2 if there exists a partial bijection h0 such that s01 ∼h0 s02. Marco Montali Verification of Relational DCDSs PODS 2013 25 / 25
  56. 56. unibz.itunibz.it Persistence-Preserving Bisimulation Given Υ1, Υ2 over = data domains ∆1 and ∆2, with states Σ1 and Σ2. . . • It is a ternary relation ∼⊆ Σ1 × H × Σ2, connecting pairs of states under a bijection that tracks the history of persisting objects. • In particular, s1 ∼h s2 implies that: 1 h is a partial bijection between ∆1 and ∆2 that induces an isomorphism between db1(s1) and db2(s2); 2 for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection h that extends h restricted on adom(db1(s1)) ∩ adom(db1(s1)), such that s1 ∼h s2; 3 for each s2, if s2 ⇒2 s2 then there exists an s1 with s1 ⇒1 s1 and a bijection h that extends h restricted on adom(db1(s1)) ∩ adom(db1(s1)), such that s1 ∼h s2. • Υ1 ∼ Υ2 if there exists a partial bijection h0 such that s01 ∼h0 s02. Theorem If Υ1 ∼ Υ2, then for every µLP closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Marco Montali Verification of Relational DCDSs PODS 2013 25 / 25

×