ANR-07-SESUR-003

Using Constraints to Verify Properties of Rule

Programs

Bruno Berstel, University of Freiburg & IBM

Michel Leconte, IBM

CSTVA’10 – April 10th, 2010

ANR-07-SESUR-003

ANR-07-SESUR-003

What are Business Rules?

ANR-07-SESUR-003

What are business rules?

Rule upgrade-to-platinumif

the category of the customer is Gold andthe value of the shopping cart is more than $1500

thenchange the category of the customer to Platinum

ANR-07-SESUR-003

Agenda

• What are Business Rules?• Verification

– rules as transition constraints– properties as constraint problems

• Impact on CP Solver– slow propagation– how to cope with it

• Conclusion

ANR-07-SESUR-003

Example rules

Rule gold-discountwhen category = Gold & value ≥ 2000then discount := discount + 10

Rule platinum-discountwhen category = Platinum & value ≥ 1000then discount := discount + 15

Rule upgradewhen category = Gold & age ≥ 60then category := Platinum

Verification

ANR-07-SESUR-003

Conflict (example)Verification

cat = Goldage = 65

value = 2500discount = 0

cat = Goldage = 65

value = 2500discount = 10

cat = Platinumage = 65

value = 2500discount = 25

cat = Platinumage = 65

value = 2500discount = 0

cat = Platinumage = 65

value = 2500discount = 15

gold-discount

≠

upgrade

upgrade +

platinum-

discount

platinum-discount

cat = Goldage ≥ 60

cat := Plat

cat = Goldvalue ≥ 2000disc += 10

cat = Platvalue ≥ 1000disc += 15

cat = Goldage ≥ 60

value ≥ 1000cat := Platdisc += 15

ANR-07-SESUR-003

Conflict (general principle)Verification

initialstate

finalstate #1

finalstate #2

execution #1

= ?

execution #2

ANR-07-SESUR-003

• Compute the transition constraints for all executions– e.g. ρ(upgrade ∘ platinum-discount) is

c =Gold ∧ a ≥60 ∧ v ≥1000 ∧ c’ =Plat ∧ d’ = d +15 ∧ a’ =a ∧ v’ =v

– interested in maximal executions only– bound length of traces to cope with infinite

executions– many unfeasible executions: ρ ⊨ ⊥

• Look for conflicting executions– s ⇝ s’1 s ⇝ s’2 s’1 ≇ s’2

– init ∧ ρ1 ∧ ρ2 ∧ ∨ ξ’1 ≠ ξ’2

• Is one of these constraint problems satisfiable?– Yes: we found a witness!– No: there is no conflict in the rule program.– Don’t know

Conflict (general principle)Verification

ξ∈Var

ANR-07-SESUR-003Conflict (example with constraints)

Verification

category ↦ cage ↦ a

value ↦ vdiscount ↦ d

category ↦ c’2

age ↦ a’2

value ↦ v’2

discount ↦ d’2

category ↦ c’1

age ↦ a’1

value ↦ v’1

discount ↦ d’1

=?

gold-discount ∘ upgrade ∘ platinum-discount

upgrade ∘ platinum-discount

c =Gold ∧ a ≥60 ∧ v  ≥1000 ∧ c’1 =Plat ∧ d’1 = d +15 ∧ a’1 =a ∧ v’1 

=v

c =Gold ∧ a ≥60 ∧ v  ≥2000 ∧ c’2 =Plat ∧ d’2 = d +25 ∧ a’2 =a ∧ v’2 

=v

v  ≥ 1000v  ≥ 2000

d’1 = d  + 15d’2 = d  + 25

d’1 ≠ d’2

ANR-07-SESUR-003

Challenging the CP Solverwith the conjunction of

• Large Domains– variables are ranging over machine-

representable values– typically 232 or 264 values for integers

• Slow Propagation– when the time of domain reduction is

proportional to the size of the domain– e.g. d’ = d  + 15

d’ = d  + 25

ANR-07-SESUR-003Slow convergence of propagation

d’ = d  + 15d’ = d  + 25

d, d’ ∈ [-231, 231-1]d’ = d + 15

d’ ∈ [-231 + 15, 231-1]

d’ = d + 25d ∈ [-231, 231-1 - 25]

d’ = d + 15d’ ∈ [-231 + 15, 231-1 - 10]

d’ = d + 25d ∈ [-231, 231-1 - 35]

d’ = d + 15d’ ∈ [-231 + 15, 231-1 - 20]

etc.

It takes approx. 859 000 000 steps to reduce the domains to the empty set.

✘

ANR-07-SESUR-003Slow propagation ⇏ unsatisfiability

x > uxx ∈ [-231, 231-1]u ∈ {0, 1}

x ≥ y + 1y = uxx, y ∈ [-231, 231-1]u ∈ {0, 1}

x ≥ y + 1

y = ux

231 steps of interval reduction

u = 1

+ 231 steps of interval reduction to empty domains

x ∈ [1, 231-1]y ∈ [0, 231-1]u ∈ {0, 1}

ANR-07-SESUR-003Slow propagation ⇏ unsatisfiability

x > uxx ∈ [-231, 231-1]u ∈ {0, 1}

x ≥ y + 1y = uxx, y ∈ [-231, 231-1]u ∈ {0, 1}

x ≥ y + 1

y = ux

231 steps of interval reduction

u = 0

x ≥ 1

solution found in 231+1 steps (best case)

x ∈ [1, 231-1]y ∈ [0, 231-1]u ∈ {0, 1}

ANR-07-SESUR-003Fighting against slow propagation

• From specialized procedures– linear normalization (x = x +1)– cycle detection (x < y ∧ y < x)– congruence domains (2x+2y = 1)

– …

• To pragmatic techniques– Let the user specify domains (age in [0,

100])– Stop the propagation before fix point

ANR-07-SESUR-003

Conclusion

• Using constraints for rule program verification– to translate rules into transition constraints– to express properties– to find answers using a CP Solver

• It scales because– problems are small in practice– techniques are put in place to fight against

slow propagation