Seminar on "Verification of Relational Data-Centric Systems with External Services" at the KRDB Research Centre for Knowledge and Data, Faculty of Computer Science, Free University of Bozen-Bolzano (Italy), 03/05/2012.
Seminar@KRDB 2012 - Montali - Verification of Relational Data-Centric Systems with External Services
1. a
iSC
Verification of
Relational Data-Centric Dynamic Systems
with External Services
Presented by Marco Montali
Joint work with B. Bagheri Hariri, D. Calvanese, G. De Giacomo, A. Deutsch
KRDB Research Center
KRDB Lunch Seminar, March 5, 2012
ACSI Project 257593
2. a
iSC
Artifact-Centric Process Verification in ACSI
• The Data is put on stage, and the Process considers it!
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28
3. a
iSC
Artifact-Centric Process Verification in ACSI
• The Data is put on stage, and the Process considers it!
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28
4. a
iSC
Artifact-Centric Process Verification in ACSI
• The Data is put on stage, and the Process considers it!
• And we get beautiful research results!
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28
5. a
iSC
Data-Centric Dynamic Systems
• DCDS: system where the process controlling the dynamics and the
manipulated data are equally central
general, abstract framework
artifact-centric systems are a specialization of DCDSs
• Data Layer: holds the relevant information to be manipulated by the system
• Process Layer: is formed by the invokable (atomic) actions and a process
based on them
Actions evolve the data of the data layer and update the state of the process
Interaction with external services to acquire new information from the
environment (other systems, user choices, . . . )
DCDS
Process Layer
service
service
service
Data Layer
Environment
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 2/28
6. a
iSC
Data Layer
• Represents the information of interest in our application.
• We focus on relational data.
• Is a tuple D = C, R, E, I0 where:
C is a countably infinite set of constants/values.
R = {R1, . . . , Rn} is a database schema (a finite set of relation schemas).
E is a finite set of equality constraints Qi →
V
j=1,...,k zij = yij.
Qi is a domain independent FO query over R using constants from the active
domain adom(I0) and whose free variables are x.
zij and yij are either variables in x or constants in adom(I0).
N.B.: they can be generalized to denials and arbitrary constraints!
I0 is a database instance that represents the initial state of the data layer:
It conforms to the schema R.
It satisfies the constraints E: for each constraint Qi →
V
j=1,...,k zij = yij and
for each tuple θ ∈ ans(Qi, I0), zijθ = yijθ.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 3/28
7. a
iSC
Process Layer
• Constitutes the progression mechanism for the DCDS.
• High-level: rule-based approach that can accommodate any process with a
finite state control flow.
• Non-determinism represented by interleaving.
• A process layer P over a data layer D is a tuple P = F, A, where:
F is a finite set of functions representing external service interfaces whose
behavior is unknown to the DCDS;
A is a finite set of actions;
is a finite set of condition-action rules that form the; specification of the
overall process.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 4/28
8. a
iSC
Actions
An action ρ is constituted by:
• an action signature, i.e., a name, and a list of individual input parameters.
Parameters are substituted by individuals/constants for the execution of the
action.
• an effect specification {e1, . . . , en}, where each ei is an effect.
Effects are assumed to take place simultaneously.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 5/28
9. a
iSC
Actions
An action ρ is constituted by:
• an action signature, i.e., a name, and a list of individual input parameters.
Parameters are substituted by individuals/constants for the execution of the
action.
• an effect specification {e1, . . . , en}, where each ei is an effect.
Effects are assumed to take place simultaneously.
An effect ei has the form q+
i ∧ Q−
i Ei where:
• q+
i ∧ Q−
i is a query over R and constants of adom(I0):
may include some of the input parameters as terms of the query
q+
i is a UCQ over R
Q−
i is a FOL query that acts as a filter
free variables of Q−
i are included in those of q+
i .
• Ei is a set of facts over R, which include as terms: constants in adom(I0),
parameters, free variables of q+
i , and functions calls that formalize call to
(atomic) external services. These calls introduce new values!
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 5/28
10. a
iSC
Process and Action Execution
• Process: finite set of condition-action rules of the form Q → α, where
α is an action in A
Q is a FO query over R whose free variables are exactly the parameters of α,
and whose other terms can be either quantified variables or constants in
adom(I0).
• To execute an action α in state s according to Q → α:
1. evaluate Q over db(s) choosing a suitable parameters assignment σ for α;
2. if such an assignment exists, then α is executable and instantiated with σ;
3. ασ is executed: for each effect q+
i ∧ Q−
i Ei
3.1 (q+
i ∧ Q−
i )σ is evaluated over db(s), getting variables assignments θ1, . . . , θn;
3.2 for each θi, the grounded facts Eiθi are obtained;
3.3 all service calls contained in Eiθi are issued;
3.4 next state is obtained by asserting each Eiθi after the inclusion of all service
call results.
• We assume that services are deterministic:
if f(a) returns b, then from now on f(a) will always return b.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 6/28
11. a
iSC
DCDS Example
Data Layer
Information about hotels and their price:
• Cur = Currency
• CurHotel = Hotel, Currency
• PEntry = Hotel, Price, Date
Process Layer
Possibility of converting the price list of a hotel from USD dollars to another
currency.
• Service call for price conversion: conv usd(p, currency, date)
• Process: Cur(c) ∧ CurHotel(h, US ) −→ Conv(h, c)
• Conv(h, c) :
PEntry(h, p, d) ∧ Cur(c) PEntry(h, conv usd(p, c, d), d)
CurHotel(h, cold) ∧ Cur(c) CurHotel(h, c)
Copy Rest
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 7/28
15. a
iSC
Transition Systems
• Semantics of a DCDS in terms of transition system Υ = ∆, R, Σ, s0, db, ⇒
∆ is a countably infinite set of values;
R is a database schema;
Σ is a set of states;
s0 ∈ Σ is the initial state;
db is a function that, given a state s ∈ Σ, returns the database associated to
s, which is made up of values in ∆ and conforms to R;
⇒ ⊆ Σ × Σ is a transition relation between pairs of states.
s0
s1
s3
s4
s6
s7
Note: Υ is in general infinite state.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 9/28
16. a
iSC
Transition System with Deterministic Services
• Semantics in terms of concrete transition system ΥS = C, R, Σ, s0, db, ⇒ .
• Each state s ∈ Σ remembers all previous service call results: s = I, M ,
where I is a database and M is a map from service calls to results in C.
• db( I, M ) = I.
• Action execution:
before issuing a service call, it is checked whether the (deterministic) result is
already contained in M;
if it is, then the result is already known;
if not, the call is issued and the obtained result is stored in M.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 10/28
17. a
iSC
Construction of ΥS
• start from s0 = I0, ∅ ∈ Σ;
• repeat forever
pick a state s ∈ Σ
for every action executable in s, every “legal” parameters assignment, every
possible service calls results’ configuration. . .
generate the successor state s and put it in Σ;
insert s, s in ⇒.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 11/28
18. a
iSC
Construction of ΥS
• start from s0 = I0, ∅ ∈ Σ;
• repeat forever
pick a state s ∈ Σ
for every action executable in s, every “legal” parameters assignment, every
possible service calls results’ configuration. . .
generate the successor state s and put it in Σ;
insert s, s in ⇒.
Note: three sources of non-determinism in each step:
• actions non-determinism;
• parameters non-determinism;
• service call results non-determinism: leads to potentially infinite branching.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 11/28
19. a
iSC
Example
Consider a DCDS S = D, P
• Data layer D = C, R, E, I0 , where I0 = {P(a), Q(a, a)}
• Process layer P = F, A,
F = {f/1, g/1}, A = {α}, = {true → α}
α :
Q(a, a) ∧ P(x) {R(x)},
P(x) {P(x), Q(f(x), g(x))}
ff
P(a) Q(a,a)
f(a)→b g(a)→b
P(a) R(a) Q(b,b)
f(a)→b g(a)→a
P(a) R(a) Q(b,a)
f(a)→a g(a)→b
P(a) R(a) Q(a,b)
f(a)→a g(a)→a
P(a) R(a) Q(a,a)
f(a)→c g(a)→b
P(a) R(a) Q(c,b)
f(a)→b g(a)→c
P(a) R(a) Q(b,c)
f(a)→c g(a)→c
P(a) R(a) Q(c,c)
f(a)→a g(a)→b
P(a) Q(a,b)
f(a)→b g(a)→a
P(a) Q(b,a)
f(a)→b g(a)→b
P(a) Q(b,b)
f(a)→c g(a)→b
P(a) Q(c,b)
f(a)→b g(a)→c
P(a) Q(b,c)
f(a)→c g(a)→c
P(a) Q(c,c)
. . .
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 12/28
20. a
iSC
Verification
• We are interested in the verification of DCDSs
• Given a DCDS S and a formula Φ (in some FO temporal logic)
Construct the transition system ΥS of S
Check whether ΥS |= Φ
• Problem: ΥS is in general infinite state
• Idea:
Devise a finite-state transition system ΘS that is a faithful abstraction of ΥS ,
Reduce the verification problem ΥS |= Φ to the verification of ΘS |= Φ
• Procedure:
1. Do a syntactic check over S testing whether ΥS admits a finite-state
abstraction ΘS
2. If so, construct ΘS
3. Model check Φ over ΘS with standard model checking techniques
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 13/28
21. a
iSC
Verification Formalism
• We adopt FO variants of the µ-calculus
µL is a very expressive logic!
• µLF O formulas over a DCDS S have the form:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
where Q is an FO query over the database schema
R of S, and Z is a predicate variable.
HML
PDLLTL CTL
µL
µLFO
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
22. a
iSC
Verification Formalism
• We adopt FO variants of the µ-calculus
µL is a very expressive logic!
• µLF O formulas over a DCDS S have the form:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
where Q is an FO query over the database schema
R of S, and Z is a predicate variable.
Example
An example of µL formula is:
∃x1, . . . , xn.
i=j
xi = xj ∧
i∈{1,...,n}
µZ.[Stud(xi)∨ − Z]
HML
PDLLTL CTL
µL
µLFO
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
23. a
iSC
Verification Formalism
• We adopt FO variants of the µ-calculus
µL is a very expressive logic!
• µLF O formulas over a DCDS S have the form:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
where Q is an FO query over the database schema
R of S, and Z is a predicate variable.
Example
An example of µL formula is:
∃x1, . . . , xn.
i=j
xi = xj ∧
i∈{1,...,n}
µZ.[Stud(xi)∨ − Z]
This defeats any kind of finite-state abstraction.
HML
PDLLTL CTL
µL
µLFO
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
24. a
iSC
Verification Formalism
• We adopt FO variants of the µ-calculus
µL is a very expressive logic!
• µLF O formulas over a DCDS S have the form:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | − Φ | Z | µZ.Φ
where Q is an FO query over the database schema
R of S, and Z is a predicate variable.
Example
An example of µL formula is:
∃x1, . . . , xn.
i=j
xi = xj ∧
i∈{1,...,n}
µZ.[Stud(xi)∨ − Z]
This defeats any kind of finite-state abstraction.
HML
PDLLTL CTL
µL
µLFO
µLA
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 14/28
25. a
iSC
History Preserving Mu-Calculus (µLA)
• Restricts quantification over individuals to those present in the current
database (denoted by live(x)).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | − Φ | Z | µZ.Φ
• We abbreviate ¬(∃x.live(x) ∧ ¬Φ) as ∀x.live(x) → Φ.
Example
νX.(∀x.live(x) ∧ Stud(x) →
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − Y ) ∧ [−]X)
Along every path, it is always true, for each student x, that there exists an
evolution that eventually leads to a graduation of the student (with some final
mark y).
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 15/28
26. a
iSC
History Preserving Bisimulation for µLA
• Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• Problem: Υ1 and Υ2 are over different data domains ∆1 and ∆2, and a
correspondence between elements must be preserved over time.
• Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that:
1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism
between db1(s1) and db2(s2);
2. for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h
that extends h, such that s1, h , s2 ∈ B;
3. for each s2, if s2 ⇒2 s2 then there is an s1 with s1 ⇒1 s1 and a bijection h
that extends h, such that s1, h , s2 ∈ B.
• We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a history
preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 16/28
27. a
iSC
History Preserving Bisimulation for µLA
• Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• Problem: Υ1 and Υ2 are over different data domains ∆1 and ∆2, and a
correspondence between elements must be preserved over time.
• Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that:
1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism
between db1(s1) and db2(s2);
2. for each s1, if s1 ⇒1 s1 then there is an s2 with s2 ⇒2 s2 and a bijection h
that extends h, such that s1, h , s2 ∈ B;
3. for each s2, if s2 ⇒2 s2 then there is an s1 with s1 ⇒1 s1 and a bijection h
that extends h, such that s1, h , s2 ∈ B.
• We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a history
preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B.
Theorem
If Υ1 ≈ Υ2, then for every µLA closed formula Φ, we have:
Υ1 |= Φ if and only if Υ2 |= Φ.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 16/28
28. a
iSC
(Un)decidability Results
Theorem
There exists a DCDS S with deterministic services, and a propositional LTL safety
property Φ, such that checking ΥS |= Φ is undecidable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 17/28
29. a
iSC
(Un)decidability Results
Theorem
There exists a DCDS S with deterministic services, and a propositional LTL safety
property Φ, such that checking ΥS |= Φ is undecidable.
To gain decidability, we need restrictions on the DCDS: run-boundedness
• For every run τ in ΥS we have | s state of τ adom(db(s))| < b
• I.e., there exists a bound b such that every run in ΥS encounters at most b
different values.
• A (data) unbounded run represents an execution in which infinitely many
different service calls are issued.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 17/28
30. a
iSC
(Un)decidability Results
Theorem
There exists a DCDS S with deterministic services, and a propositional LTL safety
property Φ, such that checking ΥS |= Φ is undecidable.
To gain decidability, we need restrictions on the DCDS: run-boundedness
• For every run τ in ΥS we have | s state of τ adom(db(s))| < b
• I.e., there exists a bound b such that every run in ΥS encounters at most b
different values.
• A (data) unbounded run represents an execution in which infinitely many
different service calls are issued.
Theorem
Verification of µLA properties on run-bounded DCDSs with deterministic services
is decidable.
1. We devise a finite-state abstraction ΘS for a run-bounded DCDS S.
2. We prove that ΘS ≈ ΥS, hence they satisfy the same µLA formulae.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 17/28
31. a
iSC
Ensuring Run-Boundedness
Theorem
Checking run-boundedness of DCDSs with deterministic services is undecidable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 18/28
32. a
iSC
Ensuring Run-Boundedness
Theorem
Checking run-boundedness of DCDSs with deterministic services is undecidable.
We have devised a sufficient syntactic condition that guarantees run-boundedness:
weak acyclicity
• Depends only on action specifications, and not on data.
• Is polynomially checkable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 18/28
33. a
iSC
Ensuring Run-Boundedness
Theorem
Checking run-boundedness of DCDSs with deterministic services is undecidable.
We have devised a sufficient syntactic condition that guarantees run-boundedness:
weak acyclicity
• Depends only on action specifications, and not on data.
• Is polynomially checkable.
Theorem
Verification of µLA properties for weakly acyclic DCDSs with deterministic
services is decidable, and can be reduced to model checking of propositional
µ-calculus over a finite transition system.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 18/28
34. a
iSC
DCDS Example Data LayerSchema
Customer
In Debt Customer
Gold CustomerLoan
closed
owes
peer
Instance
Cust(ann)
peer(mark, john)
Gold(john)
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 19/28
35. a
iSC
DCDS Example Data LayerSchema
Customer
In Debt Customer
Gold CustomerLoan
closed
owes
peer
Instance
Cust(ann)
peer(mark, john)
Gold(john)
Process Layer
Conditions
peer(x, y) ∧ Gold(y)
−→ GetLoan(x)
Service Calls
UInput(x)
Actions
GetLoan(x) :
∃y.peer(x, y) {owes(x, UInput(x))},
Cust(z) {Cust(z)},
Loan(z) {Loan(z)},
InDebt(z) {InDebt(z)},
Gold(z) {Gold(z)}
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 19/28
36. a
iSC
DCDS Example Data LayerSchema
Customer
In Debt Customer
Gold CustomerLoan
closed
owes
peer
Instance
Cust(ann)
peer(mark, john)
Gold(john)
owes(mark, @25)
Process Layer
Conditions
peer(x, y) ∧ Gold(y)
−→ GetLoan(x)
Service Calls
UInput(x)
Actions
GetLoan(x) :
∃y.peer(x, y) {owes(x, UInput(x))},
Cust(z) {Cust(z)},
Loan(z) {Loan(z)},
InDebt(z) {InDebt(z)},
Gold(z) {Gold(z)}
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 19/28
37. a
iSC
Non-Deterministic Services
• The same service call issued later may give a different result.
• Can be used to model:
user input;
unpredictable external environment.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
38. a
iSC
Non-Deterministic Services
• The same service call issued later may give a different result.
• Can be used to model:
user input;
unpredictable external environment.
Theorem
There exists a DCDS S with nondeterministic services, and a propositional LTL
safety property Φ, such that checking ΥS |= Φ is undecidable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
39. a
iSC
Non-Deterministic Services
• The same service call issued later may give a different result.
• Can be used to model:
user input;
unpredictable external environment.
Theorem
There exists a DCDS S with nondeterministic services, and a propositional LTL
safety property Φ, such that checking ΥS |= Φ is undecidable.
To gain decidability, we need again restrictions on the DCDS:
• Run-boundedness is too strong: it bounds the overall number of service calls.
• We consider instead state boundedness: there is a finite bound b such that
for each state I of ΥS, |adom(I)| < b.
However . . .
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
40. a
iSC
Non-Deterministic Services
• The same service call issued later may give a different result.
• Can be used to model:
user input;
unpredictable external environment.
Theorem
There exists a DCDS S with nondeterministic services, and a propositional LTL
safety property Φ, such that checking ΥS |= Φ is undecidable.
To gain decidability, we need again restrictions on the DCDS:
• Run-boundedness is too strong: it bounds the overall number of service calls.
• We consider instead state boundedness: there is a finite bound b such that
for each state I of ΥS, |adom(I)| < b.
However . . .
Theorem
Verification of µLA properties on state-bounded DCDSs with nondeterministic
services is undecidable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 20/28
41. a
iSC
Persistence Preserving Mu-Calculus (µLP )
• Restricts quantification over individuals that continuously persist along the
system evolution, i.e., that continue to be live(x).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
− (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ
where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x.
• We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ)
and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ).
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
42. a
iSC
Persistence Preserving Mu-Calculus (µLP )
• Restricts quantification over individuals that continuously persist along the
system evolution, i.e., that continue to be live(x).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
− (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ
where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x.
• We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ)
and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ).
Example
νX.(∀x.live(x) ∧ Stud(x) →
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) ∧ Y )) ∧ [−]X)
Along every path, it is always true, for each student x, that there exists an
evolution in which x persists in the database until she eventually graduates.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
43. a
iSC
Persistence Preserving Mu-Calculus (µLP )
• Restricts quantification over individuals that continuously persist along the
system evolution, i.e., that continue to be live(x).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
− (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ
where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x.
• We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ)
and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ).
Example
νX.(∀x.live(x) ∧ Stud(x) →
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) ∧ Y )) ∧ [−]X)
Along every path, it is always true, for each student x, that there exists an
evolution in which x persists in the database until she eventually graduates.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
44. a
iSC
Persistence Preserving Mu-Calculus (µLP )
• Restricts quantification over individuals that continuously persist along the
system evolution, i.e., that continue to be live(x).
• Syntax:
Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |
− (live(x) ∧ Φ) | [−](live(x) ∧ Φ) | Z | µZ.Φ
where in live(x) ∧ − Φ and live(x) ∧ [−]Φ, the free variables of Φ are x.
• We abbreviate ¬[−](live(x) ∧ ¬Φ) as − (live(x) → Φ)
and ¬ − (live(x) ∧ ¬Φ) as [−](live(x) → Φ).
Example
νX.(∀x.live(x) ∧ Stud(x) →
µY.(∃y.live(y) ∧ Grad(x, y) ∨ − (live(x) → Y )) ∧ [−]X)
Along every path, it is always true, for each student x, that there exists an
evolution in which either x does not persist, or she eventually graduates.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 21/28
45. a
iSC
Persistence Preserving Bisimulation for µLP
• Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• W.r.t. µLA, it is now sufficient to preserve the correspondence between
elements of ∆1 and ∆2 that persist over time.
• Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that:
1. h is an isomorphism between db1(s1) and db2(s2);
2. for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B;
3. for each s2, if s2 ⇒2 s2 then there exists an s1 with s1 ⇒1 s1 and a bijection
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B.
• We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistence
preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 22/28
46. a
iSC
Persistence Preserving Bisimulation for µLP
• Consider two transition systems Υ1 = ∆1, R, Σ1, s01, db1, ⇒1 and
Υ2 = ∆2, R, Σ2, s02, db2, ⇒2 .
• W.r.t. µLA, it is now sufficient to preserve the correspondence between
elements of ∆1 and ∆2 that persist over time.
• Is a relation B ⊆ Σ1 × H × Σ2 such that s1, h, s2 ∈ B implies that:
1. h is an isomorphism between db1(s1) and db2(s2);
2. for each s1, if s1 ⇒1 s1 then there exists an s2 with s2 ⇒2 s2 and a bijection
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B;
3. for each s2, if s2 ⇒2 s2 then there exists an s1 with s1 ⇒1 s1 and a bijection
h that extends h|adom(db1(s1))∩adom(db1(s1)), such that s1, h , s2 ∈ B.
• We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistence
preserving bisimulation B between Υ1 and Υ2 such that s01, h0, s02 ∈ B.
Theorem
If Υ1 ∼ Υ2, then for every µLP closed formula Φ, we have:
Υ1 |= Φ if and only if Υ2 |= Φ.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 22/28
47. a
iSC
Verification of State-Bounded Systems
Theorem
Verification of µLP properties on state-bounded DCDSs with non-deterministic
services is decidable.
1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S.
2. We prove that ΘS ∼ ΥS, hence they satisfy the same µLP formulae.
However . . .
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 23/28
48. a
iSC
Verification of State-Bounded Systems
Theorem
Verification of µLP properties on state-bounded DCDSs with non-deterministic
services is decidable.
1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S.
2. We prove that ΘS ∼ ΥS, hence they satisfy the same µLP formulae.
However . . .
Theorem
Checking state-boundedness of DCDSs with non-deterministic services is
undecidable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 23/28
49. a
iSC
Ensuring State-Boundedness
We have devised a sufficient syntactic condition that guarantees
state-boundedness: generate-recall acyclicity
• Depends only on action specifications, and not on data.
• Is polynomially checkable.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 24/28
50. a
iSC
Ensuring State-Boundedness
We have devised a sufficient syntactic condition that guarantees
state-boundedness: generate-recall acyclicity
• Depends only on action specifications, and not on data.
• Is polynomially checkable.
Theorem
Verification of µLP properties for generate-recall acyclic DCDSs with
non-deterministic services is decidable, and can be reduced to model checking of
propositional µ-calculus over a finite transition system.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 24/28
51. a
iSC
Generate-Recall Acyclicity
Example
Consider I0 = {R(a)}, process {true −→ α}, and
action α =
R(x) R(x)
R(x) Q(f(x))
• The resulting process layer is generate-recall acyclic.
• Service call f(a) is continuously issued, leading to possibly generate infinitely
many distinct values, but such values are not recalled.
• Since µLP formulae only focus on persisting values, the possibly infinitely
many distinct results obtained by issuing f(a) are irrelevant.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 25/28
52. a
iSC
Generate-Recall Acyclicity
Example
Consider I0 = {R(a)}, process {true −→ α}, and
action α =
R(x) R(x)
R(x) Q(f(x))
Q(x) Q(x)
• The resulting process layer is not generate-recall acyclic.
• Service call f(a) is continuously issued, leading to possibly generate infinitely
many distinct values, which are recalled in Q.
• It is not possible to find a faithful finite abstraction, because there exist runs
accumulating unboundedly many distinct values inside their states.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 26/28
53. a
iSC
Generate-Recall Acyclicity
Example
Consider I0 = {R(a)}, process {true −→ α, true −→ β}, and
actions α =
R(x) R(x)
R(x) Q(f(x))
and β = {Q(x) Q(x)}
• The resulting process layer is generate-recall acyclic.
• It resembles the previous case, but now effects belong to two distinct actions.
• While α is getting a new value for f(a), Q tuples are lost.
• While β is copying Q tuples, no new value is insterted.
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 27/28
54. a
iSC
Summary of Results on Verification of DCDSs
deterministic services nondeterministic services
µLFO µLA µLP µLFO µLA µLP
unrestricted U ← U ← U unrestricted U ← U ← U
↑ ↑
bounded-run ? D → D bounded-state U ← U D
D: Verification is decidable U: Verification is undecidable
Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 28/28