Borders of Decidability in Verification of Data-Centric Dynamic Systems

Borders of Decidability in Verification ofData-Centric Dynamic Systems

Babak Bagheri Hariri, Diego Calvanese, Marco Montali1,Alin Deutsch2, Giuseppe De Giacomo3

KRDB Research Centre for Knowledge and DataFree University of Bozen - Bolzano

Knowledge Representation and Reasoning (KRR)Meraka Institute - CSIR, Pretoria, South Africa

March, 2013

Babak Bagheri Hariri Borders of Decidability in Verification of DCDSs March, 2013 1 / 34

Why Formal Verification?Errors in computerized systems can be costly.

Pentium chip (1994) Toyota Prius(2010) Ariane 5 (1996)Bug found in FPU. Intel of-fers to replace faulty chips.Estimated loss: 475m $

Software “glitch” found inanti-lock braking system.185,000 cars recalled.

Exploded 37secs afterlaunch. Cause: uncaughtoverflow exception.

Why verify?“Testing can only show the presence of errors,not their absence.” [Edsger W. Dijkstra]


Model Checking

System Specification

Design/Develop

Finite State Model

Temporal Properties¬EF fail

Model Checkere.g. NuSMV, Spin Verified

The finite state requirement is severe and restrictiveSpecially for settings that capture data and dynamics simultaneously,(e.g. Artifact-Centric Business Process Systems).


Model Checking

System Specification

Design/Develop

Finite State Model

Temporal Properties¬EF fail

Model Checkere.g. NuSMV, Spin Verified

The finite state requirement is severe and restrictiveSpecially for settings that capture data and dynamics simultaneously,(e.g. Artifact-Centric Business Process Systems).


A Concrete Example!


A much more Crucial Example!






Traditional Process Modeling• Structural modeling of the domain of interest:

conceptual models, domain ontologies, database schemasI UML, ORM, ER, . . .

• Behavioral modeling of the domain of interest:activities, services, business processes

I BPMN, EPC, UML, BPEL, SOA-related technologies, . . .

Lack of a coherent holistic view:• Two models are loosely connected;• The full combined behavior is never captured.


Traditional Process Modeling• Structural modeling of the domain of interest:

conceptual models, domain ontologies, database schemasI UML, ORM, ER, . . .

• Behavioral modeling of the domain of interest:activities, services, business processes

I BPMN, EPC, UML, BPEL, SOA-related technologies, . . .

Lack of a coherent holistic view:• Two models are loosely connected;• The full combined behavior is never captured.


Business Artifacts to the Rescue

• The artifact-centric approach emerged as a foundational proposal formerging data and processes together.

I Data must be modeled taking into account that they will bemanipulated by processes.

I Processes must be modeled by considering that they are meant tomanipulate data.

• Initial proposals by IBM (Nigam, Caswell 2003), and continued byRick Hull, Jianwen Su, Victor Vianu, ....

• ACSI Project for artifact-centric service interoperation.

a i S C








a i S C








a i S C


What is an Artifact?Consists of:

• information model - relevant data maintained by the artifact• lifecycle model - (implicit) description of the allowed information

model evolutions through the execution of a process.

Information model Lifecycle Artifact


Concrete Models for Artifacts

Some concrete information models:• Relational database (with nested records).• (Description Logic) knowledge base.

Some concrete lifecycle models:• Finite-state machines. State = phase; events trigger transitions.

I Implemented in the Siena IBM prototype.• Proclets (interacting Petri nets).

I Emphasise many-to-many relationships between artifacts.• Guard-Stage-Milestone lifecycles, based on declarative (even,

condition, action)-like rules.I Implemented in the Barcelona IBM prototype.


Data-Centric Dynamic Systems (DCDS)• Abstract model behind different variants of artifact-centric business

process systems;• semantically equivalent to the most expressive models for business

process systems (e.g., GSM).

Data Process Data+Process

• Data Layer: Relational databases / ontologiesI Data schemaI Data instance: state of the DCDS

• Process Layer:I Atomic actionsI Conditions for application of actionsI Service calls: communication with external environment

F Deterministic services

: e.g., historical exchange rate of POD/RAND

F Nondeterministic services

: e.g., current exchange rate of POD/RAND

Allow one also to take into account user-input.


Data-Centric Dynamic Systems (DCDS)Data Layer

Schema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance

Cust(ann)peer(mark, john)Gold(john)

Cust(ann)peer(mark, john)Gold(john)owes(mark,@25 )

Process Layer

Condition Action Rules

peer(x , y) ∧ Gold(y)7−→ GetLoan(x)

Service Calls

UInput(x)

Actions

GetLoan(x) :

Cust(z) {Cust(z)},Loan(z) {Loan(z)},

InDebt(z) {InDebt(z)},Gold(z) {Gold(z)}










Schema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance



Process Layer



Service Calls

UInput(x)

ActionsGetLoan(x) :

∃y.peer(x , y) {owes(x ,UInput(x))},Cust(z) {Cust(z)},Loan(z) {Loan(z)},











Schema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance



Process Layer



Service Calls

UInput(x)

ActionsGetLoan(x) :












Schema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance



Process LayerCondition Action Rules


Service Calls

UInput(x)

ActionsGetLoan(x) :












Schema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance



Process LayerCondition Action Rules


Service Calls

UInput(x)

ActionsGetLoan(x) :











Data-Centric Dynamic Systems (DCDS)












F Deterministic services: e.g., historical exchange rate of POD/RANDF Nondeterministic services: e.g., current exchange rate of POD/RAND















Semantics via Transition Systems{

P(x) P(x) ∧Q(f (x), g(x))Q(a, a) ∧ P(x) R(x),

I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→

a

g(a)7→

a

P(a) R(a) Q(

a

,

a

)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→

a

g(a)7→

a

P(a) R(a) Q(

a

,

a

)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→

a

g(a)7→

a

P(a) R(a) Q(

a

,

a

)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→

a

P(a) R(a) Q(a,

a

)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .




I = {P(a),Q(a, a)}

P(a) Q(a,a)

f(a)7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a)7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

. . .


Borders of Decidability in Model Checking of DCDSsMotivation: verification of artifact-centric business process systems indesign phase.

Artifacts (DCDSs) pose two challenging problems:1 properties to be verified need to query over the

artifact information model:

I µL is not expressive enough to compare overtime objects created by the process.

I Verification of µLFO is undecidable, even forvery restricted DCDSs!

I We need to look at fragments of µLFO.

2 Verification of DCDSs is undecidable even forpropositional reachability properties.

I We also need to look restrictions on DCDSsthemselves.

HML

PDLLTL CTL

µL

µLFO




artifact information model:

I µL is not expressive enough to compare overtime objects created by the process.

I Verification of µLFO is undecidable, even forvery restricted DCDSs!

I We need to look at fragments of µLFO.



HML

PDLLTL CTL

µL

µLFO




artifact information model:I µL is not expressive enough to compare over

time objects created by the process.I Verification of µLFO is undecidable, even for

very restricted DCDSs!I We need to look at fragments of µLFO.



HML

PDLLTL CTL

µL

µLFO









HML

PDLLTL CTL

µL

µLFO









HML

PDLLTL CTL

µL

µLFO


Verification Formalisms:

We introduce:µLP and µLA as extensions of µL with (restricted)first order quantification.

µLA: FO quantification over current active domain.

LTLFO : ∀x. Customer(x) =⇒ F Gold(x)µLA : ∀x. Customer(x) =⇒ µZ .Gold(x) ∨ [−]Z

µLP : FO quantification only holds over persistingindividuals.

LTLFO : ∀x. Gold(x) =⇒ G Gold(x)µLP : ∀x. Gold(x) =⇒ νZ .Gold(x) ∧ [−]Z

HML

PDLLTL CTL

µL

µLFO

µLA

µLP








HML

PDLLTL CTL

µL

µLFO

µLA

µLP








HML

PDLLTL CTL

µL

µLFO

µLA

µLP


Restrictions on DCDSs

Run-bounded DCDS: runs cannot accumulate more than a fixed boundof different values.

• Still infinite-state due to infinite branching.• A semantic condition, whose checking is undecidable.

I We introduce enough syntactic condition: Weak-acyclicity.

• Very restrictive for DCDSs with nondeterministic services.

State-bounded DCDS: states cannot contain more than a fixed bound ofdifferent values.

• Relaxation of run-boundedness.• Infinite runs are possible.• A semantic condition, whose checking is undecidable.

I We introduce enough syntactic condition: GR-acyclicity.





I We introduce enough syntactic condition: Weak-acyclicity.• Very restrictive for DCDSs with nondeterministic services.








I We introduce enough syntactic condition: Weak-acyclicity.• Very restrictive for DCDSs with nondeterministic services.





Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted State-bounded Run-bounded Finite-state

µLFO

U U N D

µLA

U U D D

µLP

U D D D

µL

U D D D

D: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted

State-bounded Run-bounded Finite-state

µLFO U

U N D

µLA U

U D D

µLP U

D D D

µL U

D D D

D: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted

State-bounded Run-bounded

Finite-stateµLFO U

U N

DµLA U

U D

DµLP U

D D

DµL U

D D

DD: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted

State-bounded Run-bounded

Finite-stateµLFO U

U N

DµLA U

U D

DµLP U

D D

DµL U

D D

DD: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted

State-bounded

Run-bounded Finite-stateµLFO U

U

N DµLA U

U

D DµLP U

D

D DµL U

D

D DD: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted

State-bounded

Run-bounded Finite-stateµLFO U

U

N DµLA U

U

D DµLP U

D

D DµL U

D

D DD: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs

Unrestricted State-bounded Run-bounded Finite-stateµLFO U U N DµLA U U D DµLP U D D D

µL U D D DD: Verification is decidable;U: Verification is undecidable;N: There is no finite representation.


Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

Ss

GR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs




Results on DCDSsU

nres

tric

ted

DCD

Ss(T

urin

gco

mpl

ete)

Stat

e-bo

unde

dD

CDSs

Run-

boun

ded

DCD

Ss

Fini

te-s

tate

DCD

SsGR+-acyclic DCDSs

GR-acyclic DCDSs

Weak-acyclic DCDSs

Finite-range DCDSs




Towards the Decidability ResultsSources of infinity in DCDSs:

• Infinite branching;• Infinite runs.

P(a) P(a)

P(b)

. . .

. . .

. . .

. . .

To prove decidability of model checking for a given restriction andverification formalism:

• we use bisimulation as a tool;• show the restricted DCDSs have a finite-state bisimilar transition

system.


BisimulationStates sA and sB of transition systems A and B are bisimilar :

1 If sA and sB are isomorphic;2 If there exists a state sA1 of A such that sA ⇒A sA1 , then there exists

a state sB1 of B such that sB ⇒B sB1 , and sA1 and sB1 are bisimilar;3 the other direction!

A and B are bisimilar, if their initial states are bisimilar.






A B

sA sB



1 If sA and sB are isomorphic;

2 If there exists a state sA1 of A such that sA ⇒A sA1 , then there existsa state sB1 of B such that sB ⇒B sB1 , and sA1 and sB1 are bisimilar;

3 the other direction!


A B

sA sB



1 If sA and sB are isomorphic;2 If there exists a state sA1 of A such that sA ⇒A sA1 ,

then there existsa state sB1 of B such that sB ⇒B sB1 , and sA1 and sB1 are bisimilar;



A B

sA sB

sA1




a state sB1 of B such that sB ⇒B sB1 ,

and sA1 and sB1 are bisimilar;3 the other direction!


A B

sA sB

sA1 sB1




a state sB1 of B such that sB ⇒B sB1 , and sA1 and sB1 are bisimilar;



A B

sA sB

sA1 sB1






A B

sA sB

sA1 sB1

sB2sA2






A B

sA sB

sA1 sB1

sB2sA2






µL invariance property of bisimulation:Bisimilar transition systems satisfy the same set of µL properties.


Verification Formalisms (continue)

History PreservingBisimulation Invariant Languages

Persistence PreservingBisimulation Invariant Languages

Bisimulation Invariant Languages

L

CTL

µL

LPµLP

LAµLA

µLFOP

ropositionalTem

poralLogicsFirst

Order

TemporalLogics






L

CTL

µL

LPµLP

LAµLA

µLFOP

ropositionalTem

poralLogicsFirst

Order

TemporalLogics






L

CTL

µL

LPµLP

LAµLA

µLFOP

ropositionalTem

poralLogicsFirst

Order

TemporalLogics


Decidability Results for Run-bounded Systems:TheoremVerification of µLA over run-bounded DCDSs is decidable and can bereduced to model checking of propositional µ-calculus over a finitetransition system.

Idea: use isomorphic types instead ofactual values.

Remember: runs are bounded!

...

...

...

...

. . .

a-bisimilar

non a-bisimilar





...

...

...

...

. . .

a-bisimilar

non a-bisimilar





...

...

...

...

. . .

a-bisimilar

non a-bisimilar


History Preserving Bisimulation{P(x) P(x) ∧ Q(f (x), g(x))Q(a, a) ∧ P(x) R(x),

I0 = {P(a), Q(a, a)}

P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)

Two transition systems are historypreserving bisimilar.

Consequently, satisfy the same setof µLA properties.


History Preserving Bisimulation

P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)





P(a) Q(a,a)

f(a) 7→b g(a)7→b

P(a) R(a) Q(b,b)

f(a) 7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→c

P(a) R(a) Q(c,c)

f(a) 7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→c

P(a) Q(c,c)

. . .

P(a) Q(a,a)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a) 7→a g(a)7→a

P(a) R(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a)7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a)7→a g(a)7→b

P(a) Q(a,b)

f(a)7→b g(a)7→a

P(a) Q(b,a)

f(a)7→b g(a)7→b

P(a) Q(b,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)

Two transition systems are historypreserving bisimilar.Consequently, satisfy the same setof µLA properties.


Undecidability Results for State-bounded Systems

TheoremVerification of µLA over state-bounded DCDSs is undecidable.

Idea: the logic can arbitrarily quantify over the infinitely many valuesencountered during a single run, and start comparing them.

Technical proof: satisfiability of LTL with freeze quantifiers can be encodedas a model checking problem of µLA formulae over state-bounded DCDSs.


Decidability Results for State-bounded SystemsTheoremVerification of µLP over state-bounded DCDSs is decidable and can bereduced to model checking of propositional µ-calculus over a finitetransition system.

Steps:1 Prune infinite branching (isomorphic types).

2 Finite abstraction along the runs:I µLP looses track of previous values that do

not exist anymore.I New values can be replaced with old,

non-persisting ones.I This eventually leads to recycle the old values

without generating new ones.

......

......

......

......

. . .

p-bisimilar

non p-bisimilar



Steps:1 Prune infinite branching (isomorphic types).2 Finite abstraction along the runs:

I µLP looses track of previous values that donot exist anymore.

I New values can be replaced with old,non-persisting ones.

I This eventually leads to recycle the old valueswithout generating new ones.

......

......

......

......

. . .

p-bisimilar

non p-bisimilar







......

......

......

......

. . .

p-bisimilar

non p-bisimilar







......

...

...

...

. . .

p-bisimilar

non p-bisimilar


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P(a)

R(a)

f (a) 7→ b

P(b)

f (a) 7→ b

R(b)

f (a) 7→ bf (b) 7→ c

P(c)

f (a) 7→ bf (b) 7→ c

R(c)

. . .

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

P(a)

f (a) 7→ b

P(a),R(b)

f (a) 7→ bf (b) 7→ c

P(a),R(b), S(c)


Weak-acyclicity

I0 = {P(a)}

α :{

P(x) R(x),R(x) P(f (x))

P R*

I0 = {P(a)}

α :

P(x) P(x),P(x) R(f (x))R(x) S(f (x))

PR

S

* *


Model checking of DCDSsSystem Specification

Design/Develop

Data-Centric System

FO Temporal Properties

Construct faithfulfinite-state abstraction

Finite-state abstraction

Construct faithful propositionaltemporal properties

Propositional Properties

Model Checking Verifiedaccepted

rejected

(Classic) Finite-state model checker


Knowledge and Action Bases (KAB)

Ontology

T

A

Process KAB

T

A

• To better capture the semantics of the domain of interestat conceptual level

• To take into account the incomplete information

Data Layer: Description logic KB• Data schema: (DL-Lite-A)TBox• Data instance: (DL-Lite-A) ABox

µLFO µLA µLP µLunrestricted U ← U ← U ← U D: decidable

weak-acyclicity ? D → D → D U: undecidable


Separation Principle and Semantic Layer

The evolution of the artifact system occurs at the artifact layer.• Processes are defined over the database schemas of the artifacts.

The semantic layer can be added on top of the artifact layer to:• Understand the artifact system in terms of concepts and relationships

relevant for the domain of interest.I Unified view of the whole system.I Interconnection of different artifacts that share information, though

with different representation.I Specification of queries as well as static and dynamic constraint at the

conceptual level.• Verify and monitor whether the artifact system satisfies dynamic

constraints specified over the semantic layer.


Semantically-governed Artifact-Centric ModelsSemantic layer: I-HUB’s conceptual schema (TBox) composed of semanticconstraints that define the “data boundaries” of the artifact system.

TBox


Semantically-governed Artifact-Centric ModelsReal data are concretely maintained at the artifact layer.Snapshot: database instances of artifacts.

Da

Db

Dc

Artifact System Snapshot

TBox


Semantically-governed Artifact-Centric ModelsEach snapshot is conceptualized in the ontology, in terms of an ABox.Mappings define how to obtain the virtual ABox from the data sources.

Da

Db

Dc


Mappings

Semantic Layer Snapshot

TBox

ABox1


Semantically-governed A3MThe system evolves using actions executed over the artifact layer.Semantic layer used to understand the evolution at the conceptual level.

Da

Db

Dc


D'a

D'b

D'c


Actionexecution

Mappings Mappings


TBox

ABox1

TBox


ABox2


Semantically-governed A3MSemantic governance: semantic layer used to regulate the actions’execution at the artifact layer.

Da

Db

Dc


D'a

D'b

D'c


Actionexecution

Mappings Mappings


TBox

ABox1

TBox


ABox2


Next steps• Relaxation of syntactic restrictions for state-boundedness.• Investigating the connection to other infinite-state formalisms.

I Petri nets;I LTL with freeze quantifier;I Well-structured transition systems.

• Investigate the connection to more classic notations in BPM.I BPMNs;I Petri Nets.

• Investigating the fragments with lower complexities.• Develop a fully-fledged model checker for DCDSs.


PublicationsJournal Articles

• Babak Bagheri Hariri, Diego Calvanese, Marco Montali, Giuseppe De Giacomo, Riccardo De Masellis, and Paolo Felli.“Description logic Knowledge and Action Bases”. Journal of Artificial Intelligence Research (JAIR), 2012. To appear.

Conference Papers• Babak Bagheri Hariri, Diego Calvanese, Marco Montali, Giuseppe De Giacomo, and Alin Deutsch. “Verification of

relational data-centric dynamic systems with external services”. In Proc. of the 32nd ACM SIGACT SIGMOD SIGARTSymp. on Principles of Database Systems (PODS 2013), 2013. To appear

• Babak Bagheri Hariri, Diego Calvanese, Marco Montali, Giuseppe De Giacomo, Riccardo De Masellis, and Paolo Felli.“Verification of description logic Knowledge and Action Bases”. In Proc. of the 20th European Conf. on ArtificialIntelligence (ECAI 2012), volume 242 of Frontiers in Artificial Intelligence and Applications, pages 103-108, 2012.

• Babak Bagheri Hariri, Diego Calvanese, Giuseppe De Giacomo, Riccardo De Masellis, and Paolo Felli. “Foundations ofrelational artifacts verification”. In Proc. of the 9th Int. Conference on Business Process Management (BPM 2011),volume 6896 of Lecture Notes in Computer Science, pages 379-395. Springer, 2011.

Workshop Papers• Babak Bagheri Hariri, Diego Calvanese, Giuseppe De Giacomo, and Riccardo De Masellis. ‘’Verification of

conjunctive-query based semantic artifacts”. In Proc. of the 24th Int. Workshop on Description Logics (DL 2011),volume 745 of CEUR Electronic Workshop Proceedings, pages 48-58, 2011.

Technical Reports• D. Calvanese, G. De Giacomo, B. Bagheri Hariri, R. De Masellis, D. Lembo, M. Montali,. “Techniques and Tools for

KAB to Manage Action Linkage with Artifact Layer”. ACSI Project Deliverable D2.4.1, 2012.• Babak Bagheri Hariri, Diego Calvanese, Giuseppe De Giacomo, Alin Deutsch, and Marco Montali. “Verification of

relational data-centric dynamic systems with external services”. CoRR Technical Report, March 2012.


Thanks!

Questions, Comments, Suggestions ?

a i S C


Education

Borders of Decidability in Verification of Data-Centric Dynamic Systems