Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services

a

iSC

Veriﬁcation of
Relational Data-Centric Dynamic Systems
with External Services
Presented by Marco Montali
Joint work with B. Bagheri Hariri, D. Calvanese, G. De Giacomo, A. Deutsch
KRDB Research Center
KRDB Lunch Seminar, March 5, 2012
ACSI Project 257593

a

iSC

Artifact-Centric Process Veriﬁcation in ACSI
• The Data is put on stage, and the Process considers it!
Veriﬁcation of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28

a

iSC

Artifact-Centric Process Veriﬁcation in ACSI
• The Data is put on stage, and the Process considers it!
• And we get beautiful research results!

a

iSC

Data-Centric Dynamic Systems
• DCDS: system where the process controlling the dynamics and the
manipulated data are equally central
general, abstract framework
artifact-centric systems are a specialization of DCDSs
• Data Layer: holds the relevant information to be manipulated by the system
• Process Layer: is formed by the invokable (atomic) actions and a process
based on them
Actions evolve the data of the data layer and update the state of the process
Interaction with external services to acquire new information from the
environment (other systems, user choices, . . . )
DCDS
Process Layer
service
service
service
Data Layer
Environment

a

iSC

Data Layer
• Represents the information of interest in our application.
• We focus on relational data.
• Is a tuple D = C, R, E, I0 where:
C is a countably infinite set of constants/values.
R = {R1, . . . , Rn} is a database schema (a finite set of relation schemas).
E is a finite set of equality constraints Qi →
V
j=1,...,k zij = yij.
Qi is a domain independent FO query over R using constants from the active
domain adom(I0) and whose free variables are x.
zij and yij are either variables in x or constants in adom(I0).
N.B.: they can be generalized to denials and arbitrary constraints!
I0 is a database instance that represents the initial state of the data layer:
It conforms to the schema R.
It satisfies the constraints E: for each constraint Qi →
V
j=1,...,k zij = yij and
for each tuple θ ∈ ans(Qi, I0), zijθ = yijθ.

a

iSC

Process Layer
• Constitutes the progression mechanism for the DCDS.
• High-level: rule-based approach that can accommodate any process with a
finite state control flow.
• Non-determinism represented by interleaving.
• A process layer P over a data layer D is a tuple P = F, A, where:
F is a finite set of functions representing external service interfaces whose
behavior is unknown to the DCDS;
A is a finite set of actions;
is a finite set of condition-action rules that form the; specification of the
overall process.

a

iSC

Actions
An action ρ is constituted by:
• an action signature, i.e., a name, and a list of individual input parameters.
Parameters are substituted by individuals/constants for the execution of the
action.
• an effect specification {e1, . . . , en}, where each ei is an effect.
Effects are assumed to take place simultaneously.

a

iSC

Actions
An action ρ is constituted by:
• an action signature, i.e., a name, and a list of individual input parameters.
Parameters are substituted by individuals/constants for the execution of the
action.
• an effect specification {e1, . . . , en}, where each ei is an effect.
Effects are assumed to take place simultaneously.
An effect ei has the form q+
i ∧ Q−
i Ei where:
• q+
i ∧ Q−
i is a query over R and constants of adom(I0):
may include some of the input parameters as terms of the query
q+
i is a UCQ over R
Q−
i is a FOL query that acts as a filter
free variables of Q−
i are included in those of q+
i .
• Ei is a set of facts over R, which include as terms: constants in adom(I0),
parameters, free variables of q+
i , and functions calls that formalize call to
(atomic) external services. These calls introduce new values!

a

iSC

Process and Action Execution
• Process: finite set of condition-action rules of the form Q → α, where
α is an action in A
Q is a FO query over R whose free variables are exactly the parameters of α,
and whose other terms can be either quantified variables or constants in
adom(I0).
• To execute an action α in state s according to Q → α:
1. evaluate Q over db(s) choosing a suitable parameters assignment σ for α;
2. if such an assignment exists, then α is executable and instantiated with σ;
3. ασ is executed: for each effect q+
i ∧ Q−
i Ei
3.1 (q+
i ∧ Q−
i )σ is evaluated over db(s), getting variables assignments θ1, . . . , θn;
3.2 for each θi, the grounded facts Eiθi are obtained;
3.3 all service calls contained in Eiθi are issued;
3.4 next state is obtained by asserting each Eiθi after the inclusion of all service
call results.
• We assume that services are deterministic:
if f(a) returns b, then from now on f(a) will always return b.

a

iSC

DCDS Example
Data Layer
Information about hotels and their price:
• Cur = Currency
• CurHotel = Hotel, Currency
• PEntry = Hotel, Price, Date
Process Layer
Possibility of converting the price list of a hotel from USD dollars to another
currency.
• Service call for price conversion: conv usd(p, currency, date)
• Process: Cur(c) ∧ CurHotel(h, US ) −→ Conv(h, c)
• Conv(h, c) :


PEntry(h, p, d) ∧ Cur(c) PEntry(h, conv usd(p, c, d), d)
CurHotel(h, cold) ∧ Cur(c) CurHotel(h, c)
Copy Rest




a

iSC

DCDS Example: Execution
Initial State.
s0
• Cur( USD ) Cur( EUR )
• CurHotel(h1, USD ) CurHotel(h2, USD )
• PEntry(h1, 80, 01/01/2012) PEntry(h2, 80, 01/01/2012)
PEntry(h1, 60, 01/03/2012)

a

iSC

Initial State.
s0
• CurHotel(h1, USD ) CurHotel(h2, USD )
• PEntry(h1, 80, 01/01/2012) PEntry(h2, 80, 01/01/2012)
PEntry(h1, 60, 01/03/2012)
Execution of Conv(h1, EUR ).
s1
• CurHotel(h1, EUR ) CurHotel(h2, USD )
• PEntry(h1, 70, 01/01/2012) PEntry(h2, 80, 01/01/2012)
PEntry(h1, 50, 01/03/2012)
Non-determinism in the returned values.

a

iSC

s1
• CurHotel(h1, EUR ) CurHotel(h2, USD )
• PEntry(h1, 70, 01/01/2012) PEntry(h2, 80, 01/01/2012)
PEntry(h1, 50, 01/03/2012)
Non-determinism in the returned values.
s2
• CurHotel(h1, EUR ) CurHotel(h2, EUR )
• PEntry(h1, 70, 01/01/2012) PEntry(h2, 70, 01/01/2012)
PEntry(h1, 50, 01/03/2012)
Deterministic value!Veriﬁcation of DCDSs ACSI Project 257593 M. Montali - KRDB 8/28

a

iSC

Transition Systems
• Semantics of a DCDS in terms of transition system Υ = ∆, R, Σ, s0, db, ⇒
∆ is a countably inﬁnite set of values;
R is a database schema;
Σ is a set of states;
s0 ∈ Σ is the initial state;
db is a function that, given a state s ∈ Σ, returns the database associated to
s, which is made up of values in ∆ and conforms to R;
⇒ ⊆ Σ × Σ is a transition relation between pairs of states.
s0
s1
s3
s4
s6
s7
Note: Υ is in general inﬁnite state.

a

iSC

Transition System with Deterministic Services
• Semantics in terms of concrete transition system ΥS = C, R, Σ, s0, db, ⇒ .
• Each state s ∈ Σ remembers all previous service call results: s = I, M ,
where I is a database and M is a map from service calls to results in C.
• db( I, M ) = I.
• Action execution:
before issuing a service call, it is checked whether the (deterministic) result is
already contained in M;
if it is, then the result is already known;
if not, the call is issued and the obtained result is stored in M.

a

iSC

Construction of ΥS
• start from s0 = I0, ∅ ∈ Σ;
• repeat forever
pick a state s ∈ Σ
for every action executable in s, every “legal” parameters assignment, every
possible service calls results’ conﬁguration. . .
generate the successor state s and put it in Σ;
insert s, s in ⇒.

a

iSC

Construction of ΥS
• start from s0 = I0, ∅ ∈ Σ;
• repeat forever
pick a state s ∈ Σ
for every action executable in s, every “legal” parameters assignment, every
possible service calls results’ conﬁguration. . .
generate the successor state s and put it in Σ;
insert s, s in ⇒.
Note: three sources of non-determinism in each step:
• actions non-determinism;
• parameters non-determinism;
• service call results non-determinism: leads to potentially inﬁnite branching.

a

iSC

Example
Consider a DCDS S = D, P
• Data layer D = C, R, E, I0 , where I0 = {P(a), Q(a, a)}
• Process layer P = F, A,
F = {f/1, g/1}, A = {α}, = {true → α}
α :

Q(a, a) ∧ P(x) {R(x)},
P(x) {P(x), Q(f(x), g(x))}
ﬀ
P(a) Q(a,a)
f(a)→b g(a)→b
P(a) R(a) Q(b,b)
f(a)→b g(a)→a
P(a) R(a) Q(b,a)
f(a)→a g(a)→b
P(a) R(a) Q(a,b)
f(a)→a g(a)→a
P(a) R(a) Q(a,a)
f(a)→c g(a)→b
P(a) R(a) Q(c,b)
f(a)→b g(a)→c
P(a) R(a) Q(b,c)
f(a)→c g(a)→c
P(a) R(a) Q(c,c)
f(a)→a g(a)→b
P(a) Q(a,b)
f(a)→b g(a)→a
P(a) Q(b,a)
f(a)→b g(a)→b
P(a) Q(b,b)
f(a)→c g(a)→b
P(a) Q(c,b)
f(a)→b g(a)→c
P(a) Q(b,c)
f(a)→c g(a)→c
P(a) Q(c,c)
. . .

a

iSC

Verification
• We are interested in the verification of DCDSs
• Given a DCDS S and a formula Φ (in some FO temporal logic)
Construct the transition system ΥS of S
Check whether ΥS |= Φ
• Problem: ΥS is in general infinite state
• Idea:
Devise a finite-state transition system ΘS that is a faithful abstraction of ΥS ,
Reduce the verification problem ΥS |= Φ to the verification of ΘS |= Φ
• Procedure:
1. Do a syntactic check over S testing whether ΥS admits a finite-state
abstraction ΘS
2. If so, construct ΘS
3. Model check Φ over ΘS with standard model checking techniques

a

iSC

Veriﬁcation Formalism
• We adopt FO variants of the µ-calculus
µL is a very expressive logic!
• µLF O formulas over a DCDS S have the form:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
where Q is an FO query over the database schema
R of S, and Z is a predicate variable.
HML
PDLLTL CTL
µL
µLFO

a

iSC

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
Example
An example of µL formula is:
∃x1, . . . , xn.
i=j
xi = xj ∧
i∈{1,...,n}
µZ.[Stud(xi)∨ − Z]
HML
PDLLTL CTL
µL
µLFO

a

iSC

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
Example
∃x1, . . . , xn.
i=j
xi = xj ∧
i∈{1,...,n}
This defeats any kind of ﬁnite-state abstraction.
HML
PDLLTL CTL
µL
µLFO

a

iSC

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
Example
∃x1, . . . , xn.
i=j
xi = xj ∧
i∈{1,...,n}
This defeats any kind of ﬁnite-state abstraction.
HML
PDLLTL CTL
µL
µLFO
µLA

a

iSC

History Preserving Mu-Calculus (µLA)
• Restricts quantiﬁcation over individuals to those present in the current
database (denoted by live(x)).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − Φ | Z | µZ.Φ
• We abbreviate ¬(∃x.live(x) ∧ ¬Φ) as ∀x.live(x) → Φ.
Example
νX.(∀x.live(x) ∧ Stud(x) →
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − Y ) ∧ [−]X)
Along every path, it is always true, for each student x, that there exists an
evolution that eventually leads to a graduation of the student (with some ﬁnal
mark y).

a

iSC

History Preserving Bisimulation for µLA
• Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• Problem: Υ1 and Υ2 are over diﬀerent data domains ∆1 and ∆2, and a
correspondence between elements must be preserved over time.
• Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that:
1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism
between db1(s1) and db2(s2);
2. for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h
that extends h, such that s1, h , s2 ∈ B;
that extends h, such that s1, h , s2 ∈ B.
• We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a history
preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B.

a

iSC

History Preserving Bisimulation for µLA
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• Problem: Υ1 and Υ2 are over diﬀerent data domains ∆1 and ∆2, and a
correspondence between elements must be preserved over time.
1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism
between db1(s1) and db2(s2);
that extends h, such that s1, h , s2 ∈ B;
that extends h, such that s1, h , s2 ∈ B.
• We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a history
Theorem
If Υ1 ≈ Υ2, then for every µLA closed formula Φ, we have:
Υ1 |= Φ if and only if Υ2 |= Φ.

a

iSC

(Un)decidability Results
Theorem
There exists a DCDS S with deterministic services, and a propositional LTL safety
property Φ, such that checking ΥS |= Φ is undecidable.

a

iSC

Theorem
To gain decidability, we need restrictions on the DCDS: run-boundedness
• For every run τ in ΥS we have | s state of τ adom(db(s))| < b
• I.e., there exists a bound b such that every run in ΥS encounters at most b
different values.
• A (data) unbounded run represents an execution in which infinitely many
different service calls are issued.

a

iSC

Theorem
To gain decidability, we need restrictions on the DCDS: run-boundedness
• For every run τ in ΥS we have | s state of τ adom(db(s))| < b
• I.e., there exists a bound b such that every run in ΥS encounters at most b
different values.
• A (data) unbounded run represents an execution in which infinitely many
different service calls are issued.
Theorem
Verification of µLA properties on run-bounded DCDSs with deterministic services
is decidable.
1. We devise a finite-state abstraction ΘS for a run-bounded DCDS S.
2. We prove that ΘS ≈ ΥS, hence they satisfy the same µLA formulae.

a

iSC

Ensuring Run-Boundedness
Theorem
Checking run-boundedness of DCDSs with deterministic services is undecidable.

a

iSC

Theorem
We have devised a suﬃcient syntactic condition that guarantees run-boundedness:
weak acyclicity
• Depends only on action speciﬁcations, and not on data.
• Is polynomially checkable.

a

iSC

Theorem
We have devised a sufficient syntactic condition that guarantees run-boundedness:
weak acyclicity
Theorem
Verification of µLA properties for weakly acyclic DCDSs with deterministic
services is decidable, and can be reduced to model checking of propositional
µ-calculus over a finite transition system.

a

iSC

DCDS Example Data LayerSchema
Customer
In Debt Customer
Gold CustomerLoan
closed
owes
peer
Instance
Cust(ann)
peer(mark, john)
Gold(john)

a

iSC

Customer
In Debt Customer
Gold CustomerLoan
closed
owes
peer
Instance
Cust(ann)
peer(mark, john)
Gold(john)
Process Layer
Conditions
peer(x, y) ∧ Gold(y)
−→ GetLoan(x)
Service Calls
UInput(x)
Actions
GetLoan(x) :
∃y.peer(x, y) {owes(x, UInput(x))},
Cust(z) {Cust(z)},
Loan(z) {Loan(z)},
InDebt(z) {InDebt(z)},
Gold(z) {Gold(z)}

a

iSC

Customer
In Debt Customer
Gold CustomerLoan
closed
owes
peer
Instance
Cust(ann)
peer(mark, john)
Gold(john)
owes(mark, @25)
Process Layer
Conditions
peer(x, y) ∧ Gold(y)
−→ GetLoan(x)
Service Calls
UInput(x)
Actions
GetLoan(x) :
∃y.peer(x, y) {owes(x, UInput(x))},
Cust(z) {Cust(z)},
Loan(z) {Loan(z)},
InDebt(z) {InDebt(z)},
Gold(z) {Gold(z)}

a

iSC

Non-Deterministic Services
• The same service call issued later may give a diﬀerent result.
• Can be used to model:
user input;
unpredictable external environment.

a

iSC

user input;
Theorem
There exists a DCDS S with nondeterministic services, and a propositional LTL
safety property Φ, such that checking ΥS |= Φ is undecidable.

a

iSC

user input;
Theorem
To gain decidability, we need again restrictions on the DCDS:
• Run-boundedness is too strong: it bounds the overall number of service calls.
• We consider instead state boundedness: there is a ﬁnite bound b such that
for each state I of ΥS, |adom(I)| < b.
However . . .

a

iSC

user input;
Theorem
To gain decidability, we need again restrictions on the DCDS:
• Run-boundedness is too strong: it bounds the overall number of service calls.
• We consider instead state boundedness: there is a ﬁnite bound b such that
for each state I of ΥS, |adom(I)| < b.
However . . .
Theorem
Veriﬁcation of µLA properties on state-bounded DCDSs with nondeterministic
services is undecidable.

a

iSC

Persistence Preserving Mu-Calculus (µLP )
• Restricts quantiﬁcation over individuals that continuously persist along the
system evolution, i.e., that continue to be live(x).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
− (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ
where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x.
• We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ)
and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ).

a

iSC

• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
Example
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) ∧ Y )) ∧ [−]X)
evolution in which x persists in the database until she eventually graduates.

a

iSC

• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
Example
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) → Y )) ∧ [−]X)
evolution in which either x does not persist, or she eventually graduates.

a

iSC

Persistence Preserving Bisimulation for µLP
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• W.r.t. µLA, it is now suﬃcient to preserve the correspondence between
elements of ∆1 and ∆2 that persist over time.
1. h is an isomorphism between db1(s1) and db2(s2);
2. for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B;
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B.
• We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistence

a

iSC

Persistence Preserving Bisimulation for µLP
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• W.r.t. µLA, it is now suﬃcient to preserve the correspondence between
elements of ∆1 and ∆2 that persist over time.
1. h is an isomorphism between db1(s1) and db2(s2);
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B;
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B.
• We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistence
Theorem
If Υ1 ∼ Υ2, then for every µLP closed formula Φ, we have:
Υ1 |= Φ if and only if Υ2 |= Φ.

a

iSC

Verification of State-Bounded Systems
Theorem
Verification of µLP properties on state-bounded DCDSs with non-deterministic
services is decidable.
1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S.
2. We prove that ΘS ∼ ΥS, hence they satisfy the same µLP formulae.
However . . .

a

iSC

Verification of State-Bounded Systems
Theorem
Verification of µLP properties on state-bounded DCDSs with non-deterministic
services is decidable.
1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S.
2. We prove that ΘS ∼ ΥS, hence they satisfy the same µLP formulae.
However . . .
Theorem
Checking state-boundedness of DCDSs with non-deterministic services is
undecidable.

a

iSC

Ensuring State-Boundedness
We have devised a suﬃcient syntactic condition that guarantees
state-boundedness: generate-recall acyclicity

a

iSC

Ensuring State-Boundedness
We have devised a sufficient syntactic condition that guarantees
state-boundedness: generate-recall acyclicity
Theorem
Verification of µLP properties for generate-recall acyclic DCDSs with
non-deterministic services is decidable, and can be reduced to model checking of
propositional µ-calculus over a finite transition system.

a

iSC

Generate-Recall Acyclicity
Example
Consider I0 = {R(a)}, process {true −→ α}, and
action α =
R(x) R(x)
R(x) Q(f(x))
• The resulting process layer is generate-recall acyclic.
• Service call f(a) is continuously issued, leading to possibly generate inﬁnitely
many distinct values, but such values are not recalled.
• Since µLP formulae only focus on persisting values, the possibly inﬁnitely
many distinct results obtained by issuing f(a) are irrelevant.

a

iSC

Example
Consider I0 = {R(a)}, process {true −→ α}, and
action α =



R(x) R(x)
R(x) Q(f(x))
Q(x) Q(x)



• The resulting process layer is not generate-recall acyclic.
• Service call f(a) is continuously issued, leading to possibly generate infinitely
many distinct values, which are recalled in Q.
• It is not possible to find a faithful finite abstraction, because there exist runs
accumulating unboundedly many distinct values inside their states.

a

iSC

Example
Consider I0 = {R(a)}, process {true −→ α, true −→ β}, and
actions α =
R(x) R(x)
R(x) Q(f(x))
and β = {Q(x) Q(x)}
• The resulting process layer is generate-recall acyclic.
• It resembles the previous case, but now eﬀects belong to two distinct actions.
• While α is getting a new value for f(a), Q tuples are lost.
• While β is copying Q tuples, no new value is insterted.

a

iSC

Summary of Results on Verification of DCDSs
deterministic services nondeterministic services
µLFO µLA µLP µLFO µLA µLP
unrestricted U ← U ← U unrestricted U ← U ← U
↑ ↑
bounded-run ? D → D bounded-state U ← U D
D: Verification is decidable U: Verification is undecidable

Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services

Similar to Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services (20)

More from Faculty of Computer Science - Free University of Bozen-Bolzano

More from Faculty of Computer Science - Free University of Bozen-Bolzano (20)

Recently uploaded

Recently uploaded (20)

Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services