Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services

164 views

Published on

Seminar on "Verification of Relational Data-Centric Systems with External Services" at the KRDB Research Centre for Knowledge and Data, Faculty of Computer Science, Free University of Bozen-Bolzano (Italy), 03/05/2012.

  • Be the first to comment

  • Be the first to like this

Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services

  1. 1. a   iSC   Verification of Relational Data-Centric Dynamic Systems with External Services Presented by Marco Montali Joint work with B. Bagheri Hariri, D. Calvanese, G. De Giacomo, A. Deutsch KRDB Research Center KRDB Lunch Seminar, March 5, 2012 ACSI Project 257593
  2. 2. a   iSC   Artifact-Centric Process Verification in ACSI • The Data is put on stage, and the Process considers it! Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28
  3. 3. a   iSC   Artifact-Centric Process Verification in ACSI • The Data is put on stage, and the Process considers it! Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28
  4. 4. a   iSC   Artifact-Centric Process Verification in ACSI • The Data is put on stage, and the Process considers it! • And we get beautiful research results! Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28
  5. 5. a   iSC   Data-Centric Dynamic Systems • DCDS: system where the process controlling the dynamics and the manipulated data are equally central general, abstract framework artifact-centric systems are a specialization of DCDSs • Data Layer: holds the relevant information to be manipulated by the system • Process Layer: is formed by the invokable (atomic) actions and a process based on them Actions evolve the data of the data layer and update the state of the process Interaction with external services to acquire new information from the environment (other systems, user choices, . . . ) DCDS Process Layer service service service Data Layer Environment Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 2/28
  6. 6. a   iSC   Data Layer • Represents the information of interest in our application. • We focus on relational data. • Is a tuple D = C, R, E, I0 where: C is a countably infinite set of constants/values. R = {R1, . . . , Rn} is a database schema (a finite set of relation schemas). E is a finite set of equality constraints Qi → V j=1,...,k zij = yij. Qi is a domain independent FO query over R using constants from the active domain adom(I0) and whose free variables are x. zij and yij are either variables in x or constants in adom(I0). N.B.: they can be generalized to denials and arbitrary constraints! I0 is a database instance that represents the initial state of the data layer: It conforms to the schema R. It satisfies the constraints E: for each constraint Qi → V j=1,...,k zij = yij and for each tuple θ ∈ ans(Qi, I0), zijθ = yijθ. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 3/28
  7. 7. a   iSC   Process Layer • Constitutes the progression mechanism for the DCDS. • High-level: rule-based approach that can accommodate any process with a finite state control flow. • Non-determinism represented by interleaving. • A process layer P over a data layer D is a tuple P = F, A, where: F is a finite set of functions representing external service interfaces whose behavior is unknown to the DCDS; A is a finite set of actions; is a finite set of condition-action rules that form the; specification of the overall process. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 4/28
  8. 8. a   iSC   Actions An action ρ is constituted by: • an action signature, i.e., a name, and a list of individual input parameters. Parameters are substituted by individuals/constants for the execution of the action. • an effect specification {e1, . . . , en}, where each ei is an effect. Effects are assumed to take place simultaneously. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 5/28
  9. 9. a   iSC   Actions An action ρ is constituted by: • an action signature, i.e., a name, and a list of individual input parameters. Parameters are substituted by individuals/constants for the execution of the action. • an effect specification {e1, . . . , en}, where each ei is an effect. Effects are assumed to take place simultaneously. An effect ei has the form q+ i ∧ Q− i Ei where: • q+ i ∧ Q− i is a query over R and constants of adom(I0): may include some of the input parameters as terms of the query q+ i is a UCQ over R Q− i is a FOL query that acts as a filter free variables of Q− i are included in those of q+ i . • Ei is a set of facts over R, which include as terms: constants in adom(I0), parameters, free variables of q+ i , and functions calls that formalize call to (atomic) external services. These calls introduce new values! Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 5/28
  10. 10. a   iSC   Process and Action Execution • Process: finite set of condition-action rules of the form Q → α, where α is an action in A Q is a FO query over R whose free variables are exactly the parameters of α, and whose other terms can be either quantified variables or constants in adom(I0). • To execute an action α in state s according to Q → α: 1. evaluate Q over db(s) choosing a suitable parameters assignment σ for α; 2. if such an assignment exists, then α is executable and instantiated with σ; 3. ασ is executed: for each effect q+ i ∧ Q− i Ei 3.1 (q+ i ∧ Q− i )σ is evaluated over db(s), getting variables assignments θ1, . . . , θn; 3.2 for each θi, the grounded facts Eiθi are obtained; 3.3 all service calls contained in Eiθi are issued; 3.4 next state is obtained by asserting each Eiθi after the inclusion of all service call results. • We assume that services are deterministic: if f(a) returns b, then from now on f(a) will always return b. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 6/28
  11. 11. a   iSC   DCDS Example Data Layer Information about hotels and their price: • Cur = Currency • CurHotel = Hotel, Currency • PEntry = Hotel, Price, Date Process Layer Possibility of converting the price list of a hotel from USD dollars to another currency. • Service call for price conversion: conv usd(p, currency, date) • Process: Cur(c) ∧ CurHotel(h, US ) −→ Conv(h, c) • Conv(h, c) :   PEntry(h, p, d) ∧ Cur(c) PEntry(h, conv usd(p, c, d), d) CurHotel(h, cold) ∧ Cur(c) CurHotel(h, c) Copy Rest    Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 7/28
  12. 12. a   iSC   DCDS Example: Execution Initial State. s0 • Cur( USD ) Cur( EUR ) • CurHotel(h1, USD ) CurHotel(h2, USD ) • PEntry(h1, 80, 01/01/2012) PEntry(h2, 80, 01/01/2012) PEntry(h1, 60, 01/03/2012) Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 8/28
  13. 13. a   iSC   DCDS Example: Execution Initial State. s0 • Cur( USD ) Cur( EUR ) • CurHotel(h1, USD ) CurHotel(h2, USD ) • PEntry(h1, 80, 01/01/2012) PEntry(h2, 80, 01/01/2012) PEntry(h1, 60, 01/03/2012) Execution of Conv(h1, EUR ). s1 • Cur( USD ) Cur( EUR ) • CurHotel(h1, EUR ) CurHotel(h2, USD ) • PEntry(h1, 70, 01/01/2012) PEntry(h2, 80, 01/01/2012) PEntry(h1, 50, 01/03/2012) Non-determinism in the returned values. Execution of Conv(h2, EUR ). Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 8/28
  14. 14. a   iSC   DCDS Example: Execution Execution of Conv(h1, EUR ). s1 • Cur( USD ) Cur( EUR ) • CurHotel(h1, EUR ) CurHotel(h2, USD ) • PEntry(h1, 70, 01/01/2012) PEntry(h2, 80, 01/01/2012) PEntry(h1, 50, 01/03/2012) Non-determinism in the returned values. Execution of Conv(h2, EUR ). s2 • Cur( USD ) Cur( EUR ) • CurHotel(h1, EUR ) CurHotel(h2, EUR ) • PEntry(h1, 70, 01/01/2012) PEntry(h2, 70, 01/01/2012) PEntry(h1, 50, 01/03/2012) Deterministic value!Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 8/28
  15. 15. a   iSC   Transition Systems • Semantics of a DCDS in terms of transition system Υ = ∆, R, Σ, s0, db, ⇒ ∆ is a countably infinite set of values; R is a database schema; Σ is a set of states; s0 ∈ Σ is the initial state; db is a function that, given a state s ∈ Σ, returns the database associated to s, which is made up of values in ∆ and conforms to R; ⇒ ⊆ Σ × Σ is a transition relation between pairs of states. s0 s1 s3 s4 s6 s7 Note: Υ is in general infinite state. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 9/28
  16. 16. a   iSC   Transition System with Deterministic Services • Semantics in terms of concrete transition system ΥS = C, R, Σ, s0, db, ⇒ . • Each state s ∈ Σ remembers all previous service call results: s = I, M , where I is a database and M is a map from service calls to results in C. • db( I, M ) = I. • Action execution: before issuing a service call, it is checked whether the (deterministic) result is already contained in M; if it is, then the result is already known; if not, the call is issued and the obtained result is stored in M. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 10/28
  17. 17. a   iSC   Construction of ΥS • start from s0 = I0, ∅ ∈ Σ; • repeat forever pick a state s ∈ Σ for every action executable in s, every “legal” parameters assignment, every possible service calls results’ configuration. . . generate the successor state s and put it in Σ; insert s, s in ⇒. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 11/28
  18. 18. a   iSC   Construction of ΥS • start from s0 = I0, ∅ ∈ Σ; • repeat forever pick a state s ∈ Σ for every action executable in s, every “legal” parameters assignment, every possible service calls results’ configuration. . . generate the successor state s and put it in Σ; insert s, s in ⇒. Note: three sources of non-determinism in each step: • actions non-determinism; • parameters non-determinism; • service call results non-determinism: leads to potentially infinite branching. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 11/28
  19. 19. a   iSC   Example Consider a DCDS S = D, P • Data layer D = C, R, E, I0 , where I0 = {P(a), Q(a, a)} • Process layer P = F, A, F = {f/1, g/1}, A = {α}, = {true → α} α :  Q(a, a) ∧ P(x) {R(x)}, P(x) {P(x), Q(f(x), g(x))} ff P(a) Q(a,a) f(a)→b g(a)→b P(a) R(a) Q(b,b) f(a)→b g(a)→a P(a) R(a) Q(b,a) f(a)→a g(a)→b P(a) R(a) Q(a,b) f(a)→a g(a)→a P(a) R(a) Q(a,a) f(a)→c g(a)→b P(a) R(a) Q(c,b) f(a)→b g(a)→c P(a) R(a) Q(b,c) f(a)→c g(a)→c P(a) R(a) Q(c,c) f(a)→a g(a)→b P(a) Q(a,b) f(a)→b g(a)→a P(a) Q(b,a) f(a)→b g(a)→b P(a) Q(b,b) f(a)→c g(a)→b P(a) Q(c,b) f(a)→b g(a)→c P(a) Q(b,c) f(a)→c g(a)→c P(a) Q(c,c) . . . Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 12/28
  20. 20. a   iSC   Verification • We are interested in the verification of DCDSs • Given a DCDS S and a formula Φ (in some FO temporal logic) Construct the transition system ΥS of S Check whether ΥS |= Φ • Problem: ΥS is in general infinite state • Idea: Devise a finite-state transition system ΘS that is a faithful abstraction of ΥS , Reduce the verification problem ΥS |= Φ to the verification of ΘS |= Φ • Procedure: 1. Do a syntactic check over S testing whether ΥS admits a finite-state abstraction ΘS 2. If so, construct ΘS 3. Model check Φ over ΘS with standard model checking techniques Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 13/28
  21. 21. a   iSC   Verification Formalism • We adopt FO variants of the µ-calculus µL is a very expressive logic! • µLF O formulas over a DCDS S have the form: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ where Q is an FO query over the database schema R of S, and Z is a predicate variable. HML PDLLTL CTL µL µLFO Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
  22. 22. a   iSC   Verification Formalism • We adopt FO variants of the µ-calculus µL is a very expressive logic! • µLF O formulas over a DCDS S have the form: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ where Q is an FO query over the database schema R of S, and Z is a predicate variable. Example An example of µL formula is: ∃x1, . . . , xn. i=j xi = xj ∧ i∈{1,...,n} µZ.[Stud(xi)∨ − Z] HML PDLLTL CTL µL µLFO Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
  23. 23. a   iSC   Verification Formalism • We adopt FO variants of the µ-calculus µL is a very expressive logic! • µLF O formulas over a DCDS S have the form: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ where Q is an FO query over the database schema R of S, and Z is a predicate variable. Example An example of µL formula is: ∃x1, . . . , xn. i=j xi = xj ∧ i∈{1,...,n} µZ.[Stud(xi)∨ − Z] This defeats any kind of finite-state abstraction. HML PDLLTL CTL µL µLFO Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
  24. 24. a   iSC   Verification Formalism • We adopt FO variants of the µ-calculus µL is a very expressive logic! • µLF O formulas over a DCDS S have the form: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ where Q is an FO query over the database schema R of S, and Z is a predicate variable. Example An example of µL formula is: ∃x1, . . . , xn. i=j xi = xj ∧ i∈{1,...,n} µZ.[Stud(xi)∨ − Z] This defeats any kind of finite-state abstraction. HML PDLLTL CTL µL µLFO µLA Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
  25. 25. a   iSC   History Preserving Mu-Calculus (µLA) • Restricts quantification over individuals to those present in the current database (denoted by live(x)). • Syntax: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − Φ | Z | µZ.Φ • We abbreviate ¬(∃x.live(x) ∧ ¬Φ) as ∀x.live(x) → Φ. Example νX.(∀x.live(x) ∧ Stud(x) → µY.(∃y.live(y) ∧ Grad(x, y) ∨ − Y ) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution that eventually leads to a graduation of the student (with some final mark y). Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 15/28
  26. 26. a   iSC   History Preserving Bisimulation for µLA • Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 . • Problem: Υ1 and Υ2 are over different data domains ∆1 and ∆2, and a correspondence between elements must be preserved over time. • Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that: 1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism between db1(s1) and db2(s2); 2. for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h that extends h, such that s1, h , s2 ∈ B; 3. for each s2, if s2 ⇒2 s2 then there is an s1 with s1 ⇒1 s1 and a bijection h that extends h, such that s1, h , s2 ∈ B. • We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a history preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 16/28
  27. 27. a   iSC   History Preserving Bisimulation for µLA • Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 . • Problem: Υ1 and Υ2 are over different data domains ∆1 and ∆2, and a correspondence between elements must be preserved over time. • Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that: 1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism between db1(s1) and db2(s2); 2. for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h that extends h, such that s1, h , s2 ∈ B; 3. for each s2, if s2 ⇒2 s2 then there is an s1 with s1 ⇒1 s1 and a bijection h that extends h, such that s1, h , s2 ∈ B. • We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a history preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B. Theorem If Υ1 ≈ Υ2, then for every µLA closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 16/28
  28. 28. a   iSC   (Un)decidability Results Theorem There exists a DCDS S with deterministic services, and a propositional LTL safety property Φ, such that checking ΥS |= Φ is undecidable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 17/28
  29. 29. a   iSC   (Un)decidability Results Theorem There exists a DCDS S with deterministic services, and a propositional LTL safety property Φ, such that checking ΥS |= Φ is undecidable. To gain decidability, we need restrictions on the DCDS: run-boundedness • For every run τ in ΥS we have | s state of τ adom(db(s))| < b • I.e., there exists a bound b such that every run in ΥS encounters at most b different values. • A (data) unbounded run represents an execution in which infinitely many different service calls are issued. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 17/28
  30. 30. a   iSC   (Un)decidability Results Theorem There exists a DCDS S with deterministic services, and a propositional LTL safety property Φ, such that checking ΥS |= Φ is undecidable. To gain decidability, we need restrictions on the DCDS: run-boundedness • For every run τ in ΥS we have | s state of τ adom(db(s))| < b • I.e., there exists a bound b such that every run in ΥS encounters at most b different values. • A (data) unbounded run represents an execution in which infinitely many different service calls are issued. Theorem Verification of µLA properties on run-bounded DCDSs with deterministic services is decidable. 1. We devise a finite-state abstraction ΘS for a run-bounded DCDS S. 2. We prove that ΘS ≈ ΥS, hence they satisfy the same µLA formulae. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 17/28
  31. 31. a   iSC   Ensuring Run-Boundedness Theorem Checking run-boundedness of DCDSs with deterministic services is undecidable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 18/28
  32. 32. a   iSC   Ensuring Run-Boundedness Theorem Checking run-boundedness of DCDSs with deterministic services is undecidable. We have devised a sufficient syntactic condition that guarantees run-boundedness: weak acyclicity • Depends only on action specifications, and not on data. • Is polynomially checkable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 18/28
  33. 33. a   iSC   Ensuring Run-Boundedness Theorem Checking run-boundedness of DCDSs with deterministic services is undecidable. We have devised a sufficient syntactic condition that guarantees run-boundedness: weak acyclicity • Depends only on action specifications, and not on data. • Is polynomially checkable. Theorem Verification of µLA properties for weakly acyclic DCDSs with deterministic services is decidable, and can be reduced to model checking of propositional µ-calculus over a finite transition system. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 18/28
  34. 34. a   iSC   DCDS Example Data LayerSchema Customer In Debt Customer Gold CustomerLoan closed owes peer Instance Cust(ann) peer(mark, john) Gold(john) Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 19/28
  35. 35. a   iSC   DCDS Example Data LayerSchema Customer In Debt Customer Gold CustomerLoan closed owes peer Instance Cust(ann) peer(mark, john) Gold(john) Process Layer Conditions peer(x, y) ∧ Gold(y) −→ GetLoan(x) Service Calls UInput(x) Actions GetLoan(x) : ∃y.peer(x, y) {owes(x, UInput(x))}, Cust(z) {Cust(z)}, Loan(z) {Loan(z)}, InDebt(z) {InDebt(z)}, Gold(z) {Gold(z)} Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 19/28
  36. 36. a   iSC   DCDS Example Data LayerSchema Customer In Debt Customer Gold CustomerLoan closed owes peer Instance Cust(ann) peer(mark, john) Gold(john) owes(mark, @25) Process Layer Conditions peer(x, y) ∧ Gold(y) −→ GetLoan(x) Service Calls UInput(x) Actions GetLoan(x) : ∃y.peer(x, y) {owes(x, UInput(x))}, Cust(z) {Cust(z)}, Loan(z) {Loan(z)}, InDebt(z) {InDebt(z)}, Gold(z) {Gold(z)} Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 19/28
  37. 37. a   iSC   Non-Deterministic Services • The same service call issued later may give a different result. • Can be used to model: user input; unpredictable external environment. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
  38. 38. a   iSC   Non-Deterministic Services • The same service call issued later may give a different result. • Can be used to model: user input; unpredictable external environment. Theorem There exists a DCDS S with nondeterministic services, and a propositional LTL safety property Φ, such that checking ΥS |= Φ is undecidable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
  39. 39. a   iSC   Non-Deterministic Services • The same service call issued later may give a different result. • Can be used to model: user input; unpredictable external environment. Theorem There exists a DCDS S with nondeterministic services, and a propositional LTL safety property Φ, such that checking ΥS |= Φ is undecidable. To gain decidability, we need again restrictions on the DCDS: • Run-boundedness is too strong: it bounds the overall number of service calls. • We consider instead state boundedness: there is a finite bound b such that for each state I of ΥS, |adom(I)| < b. However . . . Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
  40. 40. a   iSC   Non-Deterministic Services • The same service call issued later may give a different result. • Can be used to model: user input; unpredictable external environment. Theorem There exists a DCDS S with nondeterministic services, and a propositional LTL safety property Φ, such that checking ΥS |= Φ is undecidable. To gain decidability, we need again restrictions on the DCDS: • Run-boundedness is too strong: it bounds the overall number of service calls. • We consider instead state boundedness: there is a finite bound b such that for each state I of ΥS, |adom(I)| < b. However . . . Theorem Verification of µLA properties on state-bounded DCDSs with nondeterministic services is undecidable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
  41. 41. a   iSC   Persistence Preserving Mu-Calculus (µLP ) • Restricts quantification over individuals that continuously persist along the system evolution, i.e., that continue to be live(x). • Syntax: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x. • We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ) and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ). Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
  42. 42. a   iSC   Persistence Preserving Mu-Calculus (µLP ) • Restricts quantification over individuals that continuously persist along the system evolution, i.e., that continue to be live(x). • Syntax: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x. • We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ) and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ). Example νX.(∀x.live(x) ∧ Stud(x) → µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) ∧ Y )) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution in which x persists in the database until she eventually graduates. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
  43. 43. a   iSC   Persistence Preserving Mu-Calculus (µLP ) • Restricts quantification over individuals that continuously persist along the system evolution, i.e., that continue to be live(x). • Syntax: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x. • We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ) and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ). Example νX.(∀x.live(x) ∧ Stud(x) → µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) ∧ Y )) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution in which x persists in the database until she eventually graduates. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
  44. 44. a   iSC   Persistence Preserving Mu-Calculus (µLP ) • Restricts quantification over individuals that continuously persist along the system evolution, i.e., that continue to be live(x). • Syntax: Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x. • We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ) and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ). Example νX.(∀x.live(x) ∧ Stud(x) → µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) → Y )) ∧ [−]X) Along every path, it is always true, for each student x, that there exists an evolution in which either x does not persist, or she eventually graduates. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
  45. 45. a   iSC   Persistence Preserving Bisimulation for µLP • Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 . • W.r.t. µLA, it is now sufficient to preserve the correspondence between elements of ∆1 and ∆2 that persist over time. • Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that: 1. h is an isomorphism between db1(s1) and db2(s2); 2. for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B; 3. for each s2, if s2 ⇒2 s2 then there exists an s1 with s1 ⇒1 s1 and a bijection h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B. • We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistence preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 22/28
  46. 46. a   iSC   Persistence Preserving Bisimulation for µLP • Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 . • W.r.t. µLA, it is now sufficient to preserve the correspondence between elements of ∆1 and ∆2 that persist over time. • Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that: 1. h is an isomorphism between db1(s1) and db2(s2); 2. for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B; 3. for each s2, if s2 ⇒2 s2 then there exists an s1 with s1 ⇒1 s1 and a bijection h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B. • We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistence preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B. Theorem If Υ1 ∼ Υ2, then for every µLP closed formula Φ, we have: Υ1 |= Φ if and only if Υ2 |= Φ. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 22/28
  47. 47. a   iSC   Verification of State-Bounded Systems Theorem Verification of µLP properties on state-bounded DCDSs with non-deterministic services is decidable. 1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S. 2. We prove that ΘS ∼ ΥS, hence they satisfy the same µLP formulae. However . . . Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 23/28
  48. 48. a   iSC   Verification of State-Bounded Systems Theorem Verification of µLP properties on state-bounded DCDSs with non-deterministic services is decidable. 1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S. 2. We prove that ΘS ∼ ΥS, hence they satisfy the same µLP formulae. However . . . Theorem Checking state-boundedness of DCDSs with non-deterministic services is undecidable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 23/28
  49. 49. a   iSC   Ensuring State-Boundedness We have devised a sufficient syntactic condition that guarantees state-boundedness: generate-recall acyclicity • Depends only on action specifications, and not on data. • Is polynomially checkable. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 24/28
  50. 50. a   iSC   Ensuring State-Boundedness We have devised a sufficient syntactic condition that guarantees state-boundedness: generate-recall acyclicity • Depends only on action specifications, and not on data. • Is polynomially checkable. Theorem Verification of µLP properties for generate-recall acyclic DCDSs with non-deterministic services is decidable, and can be reduced to model checking of propositional µ-calculus over a finite transition system. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 24/28
  51. 51. a   iSC   Generate-Recall Acyclicity Example Consider I0 = {R(a)}, process {true −→ α}, and action α = R(x) R(x) R(x) Q(f(x)) • The resulting process layer is generate-recall acyclic. • Service call f(a) is continuously issued, leading to possibly generate infinitely many distinct values, but such values are not recalled. • Since µLP formulae only focus on persisting values, the possibly infinitely many distinct results obtained by issuing f(a) are irrelevant. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 25/28
  52. 52. a   iSC   Generate-Recall Acyclicity Example Consider I0 = {R(a)}, process {true −→ α}, and action α =    R(x) R(x) R(x) Q(f(x)) Q(x) Q(x)    • The resulting process layer is not generate-recall acyclic. • Service call f(a) is continuously issued, leading to possibly generate infinitely many distinct values, which are recalled in Q. • It is not possible to find a faithful finite abstraction, because there exist runs accumulating unboundedly many distinct values inside their states. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 26/28
  53. 53. a   iSC   Generate-Recall Acyclicity Example Consider I0 = {R(a)}, process {true −→ α, true −→ β}, and actions α = R(x) R(x) R(x) Q(f(x)) and β = {Q(x) Q(x)} • The resulting process layer is generate-recall acyclic. • It resembles the previous case, but now effects belong to two distinct actions. • While α is getting a new value for f(a), Q tuples are lost. • While β is copying Q tuples, no new value is insterted. Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 27/28
  54. 54. a   iSC   Summary of Results on Verification of DCDSs deterministic services nondeterministic services µLFO µLA µLP µLFO µLA µLP unrestricted U ← U ← U unrestricted U ← U ← U ↑ ↑ bounded-run ? D → D bounded-state U ← U D D: Verification is decidable U: Verification is undecidable Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 28/28

×