automatic verification of database-driven systems: a...
TRANSCRIPT
Automatic Verification of Database-Driven Systems:A New Frontier
Victor Vianu∗
U.C. San DiegoLa Jolla, CA 92093
USA
ABSTRACTWe describe a novel approach to verification of software sys-tems centered around an underlying database. Instead of ap-plying general-purpose techniques with only partial guaran-tees of success, it identifies restricted but reasonably expres-sive classes of applications and properties for which soundand complete verification can be performed in a fully au-tomatic way. This leverages the emergence of high-levelspecification tools for database-centered applications thatnot only allow fast prototyping and improved programmerproductivity but, as a side effect, provide convenient tar-gets for automatic verification. We present theoretical andpractical results on verification of database-driven systems.The results are quite encouraging and suggest that, unlikearbitrary software systems, significant classes of database-driven systems may be amenable to automatic verification.This relies on a novel marriage of database and model check-ing techniques, of relevance to both the database and thecomputer aided verification communities.
1. INTRODUCTIONSoftware systems centered around a database are becom-
ing pervasive in numerous applications. They are encoun-tered in areas as diverse as electronic commerce, e-government,scientific applications, enterprise information systems, andbusiness process support. Such systems are often very com-plex and prone to costly bugs, whence the need for verifica-tion of critical properties.
Classical software verification techniques that can be ap-plied to such systems include model checking and theoremproving. However, both have serious limitations. Indeed,model checking usually requires performing finite-state ab-straction on the data, resulting in serious loss of semanticsfor both the system and properties being verified. Theoremproving is incomplete and requires expert user feedback.
Over the last decade, much work in the verification com-munity has focused on extending classical model checking to
∗Work supported in part by the National Science Founda-tion under award number IIS-0415257.
Permission to copy without fee all or part of this material is granted providedthat the copies are not made or distributed for direct commercial advantage,the ACM copyright notice and the title of the publication and its date appear,and notice is given that copying is by permission of the ACM. To copyotherwise, or to republish, to post on servers or to redistribute to lists,requires a fee and/or special permissions from the publisher, ACM.ICDT 2009, March 23–25, 2009, Saint Petersburg, Russia.Copyright 2009 ACM 978-1-60558-423-2/09/0003 ...$5.00
infinite-state systems, of which database-driven systems area special case (e.g., see [26] for a survey). However, in mostof this work the emphasis is on studying recursive control,with data either ignored or finitely abstracted. More recentwork has been focusing specifically on data as a source of in-finity. This includes augmenting recursive procedures withinteger parameters [18], rewriting systems with data [19, 17],Petri nets with data associated to tokens [53], automata andlogics over infinite alphabets [21, 20, 58, 32, 51, 15, 17], andtemporal logics manipulating data [32, 33]. However, therestricted use of data and the particular properties verifiedhave limited applicability to database-driven systems. Inparticular, model checking LTL properties in the presenceof data quickly becomes undecidable.
Recently, an alternative approach to verification of database-driven systems has been taking shape, at the confluence ofthe database and computer-aided verification areas. It aimsto identify restricted but sufficiently expressive classes ofdatabase-driven applications and properties for which soundand complete verification can be performed in a fully auto-matic way. This approach leverages another trend in database-driven applications: the emergence of high-level specifica-tion tools for database-centered systems. A representative,commercially successful example is WebML [27, 23], whichallows to specify a Web application using an interactive vari-ant of the E-R model augmented with a workflow formal-ism. Non-interactive variants of Web page specificationshave been proposed in Strudel [42], Araneus [54] and Weave[43], which target the automatic generation of Web sitesfrom an underlying database. Such tools automatically gen-erate the code for the Web application from the high-levelspecification. This not only allows fast prototyping and im-proves programmer productivity but, as a side effect, pro-vides new opportunities for automatic verification. Indeed,the high-level specification is a natural target for verifica-tion, as it addresses the most likely source of errors (theapplication’s specification, as opposed to the less likely er-rors in the automatic generator’s implementation).
The theoretical and practical results obtained so far con-cerning the verification of such systems are quite encour-aging. They suggest that, unlike arbitrary software sys-tems, significant classes of database-driven systems may beamenable to automatic verification. This relies on a novelmarriage of database and model checking techniques, andis relevant to both the database and the computer aidedverification communities.
In the rest of the paper, we describe several models andresults on automatic verification of database-driven systems.
1
We begin with a brief review of the classical automata-theoretic approach to model checking, including transitionsystems, linear temporal logic (LTL), and model checkingbased on Buchi automata. We then discuss extensions neededin the framework of database-driven systems, in which finitestates are replaced by database instances, and propositionsby properties of instances expressed in some appropriate lan-guage such as first-order logic (FO). Finally, we specializethis general framework to the more concrete scenario of in-teractive Web services, and describe several theoretical re-sults, as well as the implementation of a prototype verifier.
2. CLASSICAL MODEL CHECKINGWe briefly review here the automata-theoretic approach
to LTL model checking (see e.g. [28, 55]).Classical model checking applies to finite-state transition
systems. While finite-state systems may fully capture thesemantics of some systems to be verified (for example logi-cal circuits), most software systems are in fact infinite-statesystems, of which a finite-state transition system representsa rough abstraction. Properties of the actual system are alsoabstracted, using a finite set of propositions whose truth val-ues describe each of the finite states of the transition system.
More formally, a finite-state transition system T is a tu-ple (S, s0, T, P, σ) where S is a finite set of configurations(sometimes called states), s0 ∈ S the initial configuration,T a transition relation among the configurations such thateach configuration has at least one successor, P a finite set ofpropositional symbols, and σ a mapping associating to eachs ∈ S a truth assignment σ(s) for P . T may be specifiedusing various formalisms such as a non-deterministic finite-state automaton, or a Kripke structure [55]. A run ρ of Tis an infinite sequence of configurations s0, s1, . . . such that(si, si+1) ∈ T for each i ≥ 0. Intuitively, the informationabout configurations in S that is relevant to the propertyto be verified is provided by the corresponding truth assign-ments to P . The obvious extension of σ to a run ρ is denotedby σ(ρ). Thus, σ(ρ) is an infinite sequence of truth assign-ments to P corresponding to the sequence of configurationsin ρ.
Properties of runs are specified by extensions of proposi-tional logic with temporal operators. We recall here Linear-Time Logic (LTL). A minimal set of temporal operators forLTL consists of X (next) and U (until). Consider a runρ = s0, s1, . . . of T and let ρ≥j denote the run sj , sj+1, . . .,for j ≥ 0. Satisfaction of an LTL formula by a run is definedby structural recursion as follows:
• ρ |= p for p ∈ P iff p is true in σ(s0);
• ρ |= Xϕ iff ρ≥1 |= ϕ; and
• ρ |= ϕUψ iff there exists j ≥ 0 such that ρ≥j |= ψ andρ≥i |= ϕ for each i, 0 ≤ i < j.
The above temporal operators can simulate other com-monly used operators, including F (eventually), G (always),and B (before). Indeed, Fϕ ≡ true U ϕ and Gϕ ≡ ¬ F¬ϕ.For B (before), we take the definition ϕBψ ≡ ¬(¬ϕUψ)(if ψ holds at some point, then ϕ must hold in a previousconfiguration). We use the above operators as shorthand inLTL formulas whenever convenient.
Given a transition system T as above and an LTL formulaϕ using propositions in P , the associated model checking
start accept
p1
p2
true
Figure 1: Buchi automaton for ϕ = p1 U p2
problem is to verify whether every run of T satisfies ϕ, orequivalently, that no run of T satisfies ¬ϕ. This can bedone efficiently using a key result of [68], showing that fromeach LTL formula ϕ over P one can construct an automatonBϕ on infinite sequences, called a Buchi automaton, whosealphabet consists of the truth assignments to P , and whichaccepts precisely the runs of T that satisfy ϕ. This reducesthe model checking problem to checking the existence of arun ρ of T such that σ(ρ) is accepted by B¬ϕ.
We briefly recall Buchi automata. A Buchi automaton Ais defined in the same way as a nondeterministic finite stateautomaton, but with a special acceptance condition for infi-nite input sequences: a sequence is accepted iff there exists acomputation of A on the sequence that reaches some accept-ing state f infinitely often. For the purpose of model check-ing, the alphabet consists of truth assignments for somegiven set P of propositional variables. The results of [68]show that for every LTL formula ϕ there exists Buchi au-tomaton Bϕ of size exponential in ϕ that accepts preciselythe infinite sequences of truth assignments that satisfy ϕ.Furthermore, given a state p of Bϕ and a truth assignmentσ, the set of possible next states of Bϕ under input σ can becomputed directly from p and ϕ in polynomial space [63].This allows to generate computations of Bϕ without explic-itly constructing Bϕ.
Example 2.1. Figure 1 shows a Buchi automaton forp1Up2. Notice that the accepted infinite input sequences con-sist of an arbitrary-length prefix of satisfying assignments forp1, followed by a satisfying assignment for p2 and continuedwith an arbitrary infinite suffix.
Suppose we are given a transition system T and an LTLformula ϕ over the set P of propositions of T . The follow-ing outlines a non-deterministic pspace algorithm for check-ing whether there exists a run of T satisfying ¬ϕ: startingfrom the initial configuration s0 of T and q0 of B¬ϕ, non-deterministically extend the current run of T with a newconfiguration s, and transition to a next state of B¬ϕ un-der input σ(s), until an accepting state f of B¬ϕ is reached.At this point, make a non-deterministic choice: (i) remem-ber f and the current configuration s of S, or (ii) continue.If a previously remembered final state f of B¬ϕ and con-figuration s of T coincide with the current state in B¬ϕ
and configuration in T , then stop and answer “yes”. Thisshows that model checking is in non-deterministic pspace,and therefore in pspace. A deterministic model checkingalgorithm in O(|T |2|ϕ|) is exhibited in [29].
3. FROM FINITE-STATE TO DATABASE -DRIVEN TRANSITION SYSTEMS
Adapting classical model checking to database-driven sys-tems requires significant extensions. We informally discuss
2
the needed extensions in general terms, then show how theyspecialize to some specific scenarios.
The most critical extension is that transition systems areno longer finite state. Instead, in a database-driven transi-tion system, it is natural to model configurations as databaseinstances. The particular data model may vary according tothe application (it may be relational, XML, etc). At a min-imum, the transition relation among configurations must berecursively enumerable (but can be expected to be muchmore restricted in realistic situations). Thus, a run of atransition system is now an infinite sequence of databaseinstances reflecting the evolution of the system. In case ofan interactive system, this includes the input received andoutput produced at each step.
To describe properties of such runs, a finite set of propo-sitions is generally no longer adequate. Instead, the propo-sitions used in LTL are replaced by formulas in some richerlogic, tailored to the data model and evaluated on each con-figuration. For example, if the data model is relational, thelogic might be FO. If it is XML, a natural logic might bebased on tree patterns. Each such logic results in a differ-ent flavor of LTL with the same semantics for the temporaloperators. More specifically, suppose L is some logic, thatwe leave unspecified. The LTL extension corresponding toL, denoted LTL(L), is obtained as follows. An LTL(L) for-mula is obtained by taking an LTL formula ϕ using a set Pof propositions, and replacing each proposition p ∈ P by aformula π(p) of L, resulting in π(ϕ) ∈ LTL(L) (see Sections3.2 and 3.3 for examples). We refer to ϕ as a propositionalform of π(ϕ). If each π(p) is a sentence that can be evalu-ated to true or false in each configuration, the semantics ofπ(ϕ) is the obvious: a run of the transition system satisfiesπ(ϕ) iff the sequence of truth assignments for P induced byevaluating each π(p) on each configuration satisfies ϕ. Asbefore, ϕ can be evaluated using the Buchi automaton Bϕ,whose alphabet consists of the truth assignments of P .
One technical twist involves the use of variables in formu-las of the logic. It is extremely useful to be able to refer tothe same data value in different configurations. For exam-ple, when checking that every delivered product has beenpreviously paid, one has to make sure the payment and de-livery events refer to the same product, even if they occurat different times. To this end, assuming that the logic Luses variables to refer to data values, it is useful for theformulas used in LTL(L) to allow some of the variables tobe quantified globally with respect to the entire run, ratherthan locally with respect to each configuration. As naturalin most cases, the quantification can be assumed by defaultto be universal, ranging over the underlying domain.
We note that transition systems (or Kripke structures)whose configurations are relational structures, as well asfirst-order logic extended with modal operators, have previ-ously been studied in the context of first-order modal logics[48, 44] (see also [41]). The emphasis in this work is mostlyon sound and complete axiomatizations of first-order modallogics under various syntactic and semantic assumptions.
3.1 The Web Service ParadigmWhile database-driven systems occur in many kinds of
applications, they are especially prominent in the contextof Web services. We will illustrate the abstract scenarioof database-driven transition systems with two concrete ex-amples of database-driven Web services: one using a rela-
tional model [36, 37], and the other XML-based [5]. Anotherscenario, database-driven business processes, is consideredin [34]. Other work on database-driven Web services in-cludes [8, 9], where the emphasis is on automatic synthesisof compositions rather than verification. Before describingdatabase-driven Web services, we briefly provide some gen-eral pointers to other models for Web services.
The goal of the Web services paradigm is to enable theuse of Web-hosted services with a high degree of flexibilityand reliability. Web services can function in a stand-alonemanner, or, more interestingly, they can be “glued” togetherinto multi-peer compositions that implement complex appli-cations. To describe and reason about Web services, variousstandards and models have been proposed, focusing on dif-ferent levels of abstraction and targeting different aspects ofthe Web service (e.g., see [50] for a tutorial). At one extreme,the Web service is viewed as a black box, with its specifica-tion limited to a description of the sequences of input/outputmessages supported by the interface. At the other extreme,the internal logic of the Web service is available, and speci-fied, for example, using a high-level, workflow-based formal-ism.
The message-based perspective of Web services is cap-tured by the WSDL standard and has been formalized pri-marily using finite-state automata. Interacting Web servicesare modeled by distributed automata with various forms ofmessage passing [25, 49, 10]. This uses classical techniquesdeveloped in the context of process algebras [56] and in theautomata theory and verification communities [1, 59, 52,28].
Higher-level behavioral descriptions of Web services arecentered around the notions of event and activity, subjectto some form of control. This has been captured in theworkflows community by flowcharts, Petri nets [66, 67, 7],and state charts [47, 46, 57]. The semantic Web communityhas favored situation calculus [61], permitting the use oflogic-based reasoning about the effects of Web services andtherefore allowing the use of goal-based planning algorithmsfor automated constructions of compositions.
Other work approaches compositions using logic program-ming and description logics [13, 14, 12, 11]. Finally, anothercategory of related models are high-level workflow modelsgeared towards Web applications (e.g. [22, 30, 71]), andultimately to general workflows (see [70, 45, 46, 31, 16, 69]).
3.2 Relational-Based Web ServicesProceeding to database-driven Web services, we next con-
sider the common scenario of a service that takes input fromexternal users and responds by producing output. The Webservice can access an underlying relational database, as wellas state information updated as the interaction progresses.
As a concrete verification scenario, consider Web sitesspecified by a high-level tool in the spirit of WebML. Thecontents of a Web page is determined dynamically by query-ing the underlying database as well as the state. The outputof the Web site, transitions from one Web page to another,and state updates, are determined by the current input,state, and database, and defined by first-order queries.
Example 3.1. We illustrate a WebML-style specificationof an e-commerce Web site selling computers online. Newcustomers can register a name and password, while return-ing customers can login, search for computers fulfilling cer-tain criteria, add the results to a shopping cart, and finally
3
buy the items in the shopping cart. A demo Web site im-plementing this example, together with its full specification,is provided at http://db.ucsd.edu/WAVE. Figure 2 depicts theWeb pages of the demo in WebML style.
A run of the above Web site starts as follows. Customersbegin at the home page by providing their login name andpassword, and choosing one of the provided buttons (login,register, or cancel). Suppose the choice is to login. Thereaction of the Web site is determined by a query checkingif the name and password provided are found in the databaseof registered users. If the answer is positive, the login issuccessful and the customer proceeds to the Customer page orthe Administration page depending on his status. Otherwise,there is a transition to the Error page. This continues asdescribed by the flowchart in the figure.
A WebML-style specification S such as above generatesan infinite-state transition system TS whose configurationsare relational database instances. The schema of the config-urations has several components: the database of the Webapplication, the state relations, the input tuples, and theoutput relations. Given a configuration of TS , the specifica-tion S defines a set of possible next configurations, depend-ing on the user’s input. In particular, the transition relationof TS is decidable in ptime, and the size of each possiblenext configuration is polynomial in the current one.
We now turn to the specification of temporal properties.Since the underlying model here is relational, an appropriatelogic for describing configurations is FO. Thus, the logic Lis FO over the schema of configurations. For example, sup-pose price is a binary database relation providing the priceof each product, ship is a unary action relation providingshipped products, and pay is a binary input relation provid-ing a payment for a product. To say that every product thatis shipped must have been previously paid for, we use theLTL formula G (p B q), where q is interpreted as the formulaship(x) and p as ∃z(pay(x, z) ∧ price(x, z)) (the FO formu-las replacing propositions to yield an LTL(FO) formula arecalled FO components of the formula). Note that variable xis free in the above formulas, so is quantified universally atthe end. This yields the LTL(FO) formula
∀x (G (∃z(pay(x, z) ∧ price(x, z)) B ship(x)))
We note that variants of LTL(FO) have been introducedin [40, 3, 64]. The use of globally quantified variables is alsosimilar in spirit to the freeze quantifier defined in the contextof LTL extensions with data by Demri and Lazic [32, 33].
3.3 XML-Based Web ServicesAs a second example, we briefly mention an XML-based
model of database-driven Web services, developed at IN-RIA [2]. Active XML (AXML) integrates the XML andWeb service paradigms by allowing Web service calls to beembedded explicitly within XML documents. The Web ser-vice calls return as answers other Active XML documents,that are integrated into the caller document. The calls maybe made to other services participating in a composition, ormay model input from external users. Figure 3 depicts anAXML document that might arise in a mail order processingservice. Its internal nodes are labeled by tags, and its leafsby tags, data values, or embedded function calls (a call to afunction f is denoted by !f). In the example, new orders aregenerated by calls to the function Mailorder. Each mail or-der is a tree with root MailOrder that contains in turn calls
to services Bill, Deliver, and Reject, triggered at appropriatetimes in the processing of the order. The desired sequencingis ensured by guards associated with the function calls.
A mail order evolves as follows:
1. a call to Bill outputs an invoice for the ordered prod-uct and returns as answer a payment, modeled as adocument of the form
Paid
Pname Amount
where the circles stand for data values.
2. if the payment is in the correct amount, the productis delivered (modeled as a call to Deliver, returninga node labeled Delivered); otherwise the payment isrejected.
Suppose that we wish to verify the following property:
Every product for which a correct amount has been paid iseventually delivered.
To formulate the property, we use tree patterns with vari-ables binding to data values (without going into details, letus denote such a language of tree patterns by Tree). Theabove property can be expressed in the language LTL(Tree)as follows. We start out with the LTL formula G(p → Fq).The proposition p is replaced by the tree pattern
Main
Catalog
Product
Pname
X
Price
Z
MailOrder
Paid
Pname
X
Amount
Z
Order-Id
Y
checking that the payment received for product X of orderY is in the right amount Z. The proposition q is replacedby the tree pattern
Main
MailOrder
Pname
X
Order-Id
Y
Delivered
checking that product X of the same order Y is eventuallydelivered. Note that we wish X and Y to be the same in thetree patterns for p and q, so these are globally quantified; incontrast, Z is locally quantified. The resulting LTL(Tree)formula is the one in Figure 4.The verification of LTL(Tree) properties of Active XML sys-tems is studied in [5].
3.4 Model Checking Database-Driven SystemsSuppose we are given the specification S of a database-
driven system such as above. Its semantics is a transitionsystem TS whose configurations are database instances. LetL be a logic for describing these configurations, and considera property ϕ ∈ LTL(L). The model checking problem for Sand ϕ is to verify whether TS |= ϕ. Not surprisingly, thisis undecidable for most familiar logics L, such as FO. The
4
Hone page(HP)
Name
passwd
cancel
Desktop
My order laptop
Product detail page(PP)
Product detail
Add to cart
laptop Search(LSP)
Desktop search
Ram:
Hdd:
Display:
search
login
back
Cart detail
Continue shopping
submit
M
Error Message
homepage
Continue shopping
logout
View cart
Continue shopping
logout
View cart
Continue shopping
back Continue shopping
logoutlogout
back View cartView cart Continue shopping
View cart
Pending Order (POP)
Pending Order
logout
Order status(OSP)
Order status
cancel
back View cart Continue shopping
logout
Cancel confirmation page(CCP)
logout
View cart
Administrate order page (AP)
Order
logout
ship
back Continue contol
Shipment confirmation page(SCP)
Continue control
logout
register
register
Your registration is successful,
Now you are log in
Continue shopping
logout
Buy items in cartEmpty cart
delete
View cart Continue shoppingback
Continue Shopping
Credit Verification
Continue control
New user Page(NP)Error Message page(MP)
Name
Passwd
Re-passwd
clear back
Customer page(CP) logout
Sucessful Registration(RP)
Desktop Search(DSP)
Desktop search
Ram:
Hdd:
View Order page(VOP) logout
Order status
search
Product index page(PIP)logout
Matching products
back View cart
Deletion confirmation page(DCP)
logout
Cart Content(CC) logout
User payment(UPP) logout
Confirmation page(COP)Payment
CC No:
Expire date
Order detail
back View cart Continue shopping
Figure 2: Web pages in the computer shopping site.
5
Main
Catalog
Product
Pname
Canon
Price
120
Product
Pname
Nikon
Price
199
. . .
!Mailorder MailOrder
Order-Id
1234567
Cname
Serge
Pname
Nikon
!Bill !Deliver !Reject
Figure 3: An AXML document
∀X∀Y [G( Main
Catalog
Product
Pname
X
Price
Z
MailOrder
Paid
Pname
X
Amount
Z
Order-Id
Y
→ F( Main
MailOrder
Pname
X
Order-Id
Y
Delivered
))]
Figure 4: An LTL(Tree) formula
challenge then is to come up with restrictions on the sys-tems and properties that yield decidability, while remainingsufficiently expressive to be useful in practice.
Model checking S with respect to ϕ can be viewed as asearch for a counterexample run of TS , i.e. a run violat-ing ϕ. The immediate difficulty, compared to the classicalapproach, stems from the fact that TS is an infinite-statesystem. Consequently, the terminating procedure outlinedfor the finite-state case fails for two reasons. First, there areinfinitely many possible initial configurations for the runs.Second, runs need not have repeating configurations, so vi-olation of ϕ does not guarantee the existence of a periodiccounterexample run, with a finite representation. To obtaindecidability in this context, several approaches are possible.A first one is a variant of the “small model property” tech-nique used in logic to prove decidability of satisfiability forsome class of sentences. The idea is the following. Supposeone can show, for a given class of specifications and prop-erties, that the existence of a run of a system S violatingproperty ϕ can be checked by considering only finite pre-fixes of runs, whose size (length and configuration size) issmaller than a bound computable from S and ϕ. The abil-ity to consider only finite prefixes may be a consequence ofa periodicity-style property or of a restriction ensuring thatthe system terminates after a bounded number of transitions(extended artificially to an infinite run).
The small run property immediately yields an effectivemodel checking procedure that consists of explicitly explor-ing the finite space of “small” runs. For example, this isdone in [5] to show decidability of model checking for aclass of AXML systems and LTL(Tree) properties. How-ever, explicitly materializing runs can result in high com-plexity for model checking (co-2nexptime-complete in thecase of AXML [5]). A more efficient alternative consists ofusing symbolic representations of runs. This can be effec-tive if the size of the symbolic representation is smaller thanthat of the actual runs it represents. This approach is usedin [36, 37, 39] to obtain a pspace model checking procedurefor a class of relational-based systems, and is described inthe next section.
4. A FORMAL MODEL OF DATABASE-DRIVEN REACTIVE SYSTEMS
We present next a formal model called Extended AbstractState Machine Transducer, in brief ASM+ , that capturesin a simple way the essential features of relational database-driven reactive systems. The model is an extension of theAbstract State Machine (ASM) transducer previously stud-ied by Spielmann [64]. Similarly to the earlier relationaltransducers of Abiteboul et. al. [6], ASM+ transducersmodel database-driven reactive systems that respond to in-put events by producing some output, and maintain stateinformation in designated relations. The control of the de-vice is specified using first-order queries. The main moti-vation for ASM+ transducers is that they are sufficientlypowerful to simulate complex Web service specifications inthe style of WebML. Thus, they are a convenient vehicle fordeveloping the theoretical foundation for the verification ofsuch systems. As we shall see, they also provide the basisfor the implementation of a verifier.
4.1 ASM+ TransducersWe now formalize the ASM+ model. We assume a fixed
and infinite set of elements dom∞, equipped with a total,dense1 order ≤. A relational schema is a finite set of rela-tion symbols with associated arities. Relation symbols witharity zero are also called propositions. An instance of a re-lational schema consists of a mapping associating to eachrelation symbol of positive arity a finite relation of the samearity over dom∞, and to each propositional symbol a truthvalue. The active domain adom(I) of an instance I is thefinite subset of elements of dom∞ occurring in I, possiblyaugmented with a specified finite set of constants dependenton the context.
We assume familiarity with first-order logic (FO) over re-lational schemas. In addition to relations of the schema,FO formulas may use the interpreted relations = and ≤over dom∞, as well as a finite set of constants, consistingof elements of dom∞. As customary in relational calculus,
1The density assumption is used in the decidability results.It remains open whether they still hold for discrete orders.
6
constants are always interpreted as themselves (this differsfrom constants in classical logic). Unless otherwise speci-fied, FO formulas are evaluated with respect to the infinitedomain dom∞. However, in order to keep results finite,we will choose to evaluate some FO formulas on an instancewith respect to its active domain (this is referred to as activedomain semantics, e.g. see [4]).
Definition 4.1. An ASM+ transducer A is a tuple
〈D,S, I,O,R〉,
where:
• D, S, I, O are relational schemas called database,state, input, and output schemas. We denote by PrevI
the relational vocabulary {prevI | I ∈ I}, where prevI
has the same arity as I (intuitively, prevI refers to theinput I at the previous step in the run).
• R is a set containing the following:
– For each input relation R ∈ I of arity k > 0, apre-condition ϕR(x) where ϕR(x) is an FO for-mula over schema D ∪ S ∪ PrevI, with k freevariables x.
– For each state relation S ∈ S, the following staterules:
∗ an insertion rule S(x) ← ϕ+
S (x),
∗ a deletion rule ¬S(x) ← ϕ−S (x),
where the arity of S is k, x is a k-tuple of distinct
variables, and ϕ+/−S (x) are FO formulas over schema
D ∪ S ∪ PrevI ∪ I, with free variables x.
– For each output relation O ∈ O, an output rule,O(x) ← ϕO(x), where the arity of O is k, x is ak-tuple of distinct variables, and ϕO(x) is an FOformula over schema D∪S∪PrevI ∪ I, with freevariables x.
Intuitively, the state relations designate the portion of thedatabase that can be modified throughout the run of thetransducer. Distinguishing these from the database relationsthat stay unchanged in a run is useful in formulating therestrictions needed for decidability. The previous inputs areintroduced for the same reason. They are redundant in thegeneral model, since they could be simulated using states.However, they become useful, once again, when formulatingrestrictions for decidability.
We next define the notion of “run” of an ASM+ trans-ducer. Essentially, a run specifies the fixed database anda sequence of consecutive configurations, consisting of thecurrent states, inputs, previous inputs, and outputs . Thus,a run over database instance D is an infinite sequence
{〈Si, Ii, Pi, Oi〉}i≥0,
where Si is an instance of S, Ii is an instance of I, Pi isan instance of PrevI, and Oi is an instance of O. We call〈Si, Ii, Pi, Oi〉 a configuration of the run. We next defineruns formally.
Definition 4.2. Let A = 〈D,S, I,O,R〉 be an ASM+
transducer and D a database instance over schema D. A runof A for database D is an infinite sequence of configurations{〈Si, Ii, Pi, Oi〉}i≥0 where for each i ≥ 0:
• Si, Ii, Pi, Oi are instances of S, I, PrevI, and O, re-spectively;
• S0, O0, P0 are empty;
• for each relation R in I of arity k > 0, Ii(R) consistsof at most one tuple v that satisfies the pre-conditionϕR evaluated on D, Si, and Pi, with domain dom∞ ;
• for each proposition R in I, Ii(R) is a truth value;
• for each relation R in I, Pi+1(prevR) = Ii(R).
• for each relation S in S, Si+1(S) is the result of eval-uating
(ϕ+
S (x) ∧ ¬ϕ−S (x))∨
(S(x) ∧ ¬ϕ−S (x) ∧ ¬ϕ+
S (x))
on D, Si, Ii, and Pi, with active domain semantics.
• for each relation O ∈ O, Oi+1(A) is the result of eval-uating ϕO on D, Si, Ii, and Pi, again with active do-main semantics.
Note that the state and outputs specified at step i + 1in the run are those triggered at step i. Note also that alldatabase, state, and output relations in a run are finite, be-cause formulas in the corresponding rules are evaluated withactive domain semantics. However, there may be infinitelymany inputs satisfying the input pre-conditions, since theseare evaluated with respect to dom∞. Consequently, inputsmay introduce infinitely many new values in the course of arun. Finally, observe that inputs are allowed to be empty.This matches practical situations in which some inputs areoptional. For instance, in an e-commerce application such asthat in Example 3.1, a user may be shown several drop-downmenus, but a choice in just one of the menus may be suffi-cient to cause a transition to a new page. As it turns out,this semantics also has subtle consequences for verification.
4.2 Verification of LTL(FO) propertiesIn order to specify properties of ASM+ transducers, we
use the language LTL(FO). More specifically, for an ASM+
transducer A = 〈D,S, I,O,R〉, the FO components ofLTL(FO) formulas are over relational vocabulary
〈D,S, I,PrevI,O〉.
Satisfaction of LTL(FO) formulas by A is defined as de-scribed in the more general setup of Section 3.
It is easily seen that it is undecidable if an ASM+ trans-ducer satisfies an LTL(FO) formula, as a direct consequenceof Trakhtenbrot’s theorem (undecidability of finite satisfia-bility of FO sentences [65]). To obtain decidability, we mustrestrict both the transducers and the LTL(FO) sentences.To this end, we adapt a restriction proposed in [64] for ASMtransducers, called “input boundedness”. The core idea ofinput boundedness is that quantifications used in formulas ofthe specification and property are guarded by input atoms.For example, the LTL(FO) formula
∀x (G (∃z(pay(x, z) ∧ price(x, z)) B ship(x)))
is input bounded, since the quantification ∃z is guardedby pay(x, z) and pay is an input relation. This restrictionmatches naturally the intuition that the system modeled
7
by the transducer is input driven. The actual restriction isquite technical, but provides an appealing package. First,it turns out to be tight, in the sense that even small relax-ations lead to undecidability. Second, as argued in [36, 37],it remains sufficiently rich to express a significant class ofpractically relevant applications and properties. As a typ-ical example, the e-commerce Web application in Example3.1 can be modeled under this restriction, and many relevantnatural properties can be expressed. Third, the complexityof verification is pspace (for fixed-arity schemas), which isabout as low as one can hope for, given that model check-ing is already pspace-complete in the finite-state case [62].Moreover, the proof technique developed to show decidabil-ity in pspace provides the basis for the implementation ofan actual verifier.
Of course, the model and input-bounded restrictions alsohas many limitations. For example, the model includesno numerical domain with arithmetic operations. To dealwith such limitations, one can use a form of abstraction,at the cost of losing completeness. For example, one canmodel arithmetic operations as “black box” relations, ig-noring their semantics. This preserves soundness of verifica-tion (a system certified as correct is indeed so) but may yieldfalse negatives (a generated counterexample may violate thesemantics of the arithmetic operations).
We next discuss in more detail the input bounded restric-tion and the proof of decidability of verification. The input-bounded restriction is formulated as follows. Let
A = 〈D,S, I,O,R〉
be an ASM+ transducer. The set of input-bounded FO for-mulas over the schema D ∪ S ∪ I ∪ O ∪ PrevI is obtainedby replacing in the definition of FO the quantification for-mation rule by the following:
• if ϕ is a formula, α is a current or previous input atomusing a relational symbol from I∪PrevI, x ⊆ free(α),and x ∩ free(β) = ∅ for every state or output atom βin ϕ, then ∃x(α ∧ ϕ) and ∀x(α → ϕ) are formulas.
An ASM+ transducer is input-bounded if all formulas instate and output rules are input bounded, and all input pre-conditions are ∃∗FO formulas in which all state atoms areground, i.e. use only constants and no variables (note thatthe input pre-conditions do not have to obey the restrictedquantification formation rule above). An LTL(FO) sentenceover the schema of A is input-bounded if all of its FO com-ponents are input-bounded.
The input-bounded restriction explains some of the choicesmade in the definition of ASM+ transducers. Note how stateand database relations are subject to different treatmentunder the restriction. For example, state atoms can onlyappear ground in input pre-conditions, whereas databaseatoms are unrestricted. This explains the distinction madein the definition of ASM+ between fixed database relationsand updatable state relations. The ground state atom re-quirement also explains the need for explicit access to previ-ous inputs. While these could be inserted in states, they can-not be accessed by ground state atoms. Thus, the availabil-ity of previous inputs increases the power of input-boundedASM+ transducers. The additional expressiveness turns outto be very useful in modeling practical applications. Forinstance, in Example 3.1, this allows generating a list ofmatching products in response to previous input from the
user specifying desired characteristics.We next outline the proof that verification of input-bounded
ASM+ transducers can be done in pspace assuming a fixedbound on the arity of relations, and in expspace other-wise. Consider an ASM+ transducer A = 〈D,S, I,O,R〉.For simplicity of exposition, we assume that I consists ofonly one input relation (this easily extends to multiple in-put relations). In particular, a configuration of A is a tuple〈S, I, P, O〉 where S is an instance of S, O is an instance ofO, and I and P are instances of the unique input relationin I, each consisting of at most one tuple.
Consider an input-bounded ASM+ transducer A andLTL(FO) formula ϕ0 = ∀xψ0(x). Let ψ = ¬ψ0 and ϕ =¬ϕ0 = ∃xψ(x). Let c be a tuple of constants of the samearity as x. Verifying that all runs of a transducer A satisfyϕ0 is equivalent to checking that no run satisfies ψ(x ← c)(the formula obtained by substituting c for x in ψ(x)) forany choice of constants c. Let us denote ψ(x ← c) by ψc.Note that the FO components of ψc have no free variables (asvariables previously free have been replaced by the constantsin c). We need to check whether there exists some run of Asatisfying ψc.
As discussed in Section 3.4, the core difficulty of verifyingthe above is that A is an infinite-state system (as it has in-finitely many configurations), rather than a finite-state sys-tem as in classical model checking. Thus, exhaustive explo-ration of all possible runs of A is impossible. The solutionlies in avoiding explicit exploration of the state space. In-stead of materializing a full initial database and exploringthe possible runs on it, we generate symbolic representa-tions of equivalence classes of actual runs, called pseudoruns,in which every configuration retains just the informationneeded to check satisfaction of ψc. Moreover, this informa-tion is sufficient to obtain the same information about thenext configuration (so it is a “closed” representation systemwith respect to transitions of A). This makes crucial use ofthe input-bounded restriction.
We next outline in more detail the pseudorun technique.Let A, ϕ, c, and ψc be as above. Let D be a database in-stance of D, and let ρ = {〈Si, Ii, Pi, Oi〉}i≥0 be a run ofA on D. Let C be the set of all constants used in R andψc (this includes c). We henceforth include C in the ac-tive domain of all instances considered below. We say thattwo instances H and H ′ over the same database schemaare C-isomorphic iff there exists an isomorphism from Hto H ′ that is the identity on C and preserves ≤. The C-isomorphism type of H consists of all instances H ′ that areC-isomorphic to H. The critical observation is that, due toinput-boundedness, the truth value of each FO componentof ψc in a configuration ρi = 〈Si, Ii, Pi, Oi〉 is completely de-termined by the restriction2 of Si and Oi to C, together withthe C-isomorphism type of the subinstance of 〈Ii, Pi, D,≤〉restricted to adom(Ii ∪Pi). Since Ii and Pi contain at mostone tuple each, the number of such C-isomorphism types isfinite. Our pseudoruns, defined shortly, will essentially rep-resent such C-isomorphism types. This will allow us to limitourselves to inspecting a transition system whose configura-tions are the finitely many C-isomorphism types as aboveand essentially reduces verification back to a classical modelchecking problem and, with some care, yields a pspace ver-
2The restriction of a database instance K to a set T ofdomain elements is the instance consisting of the tuples inK using only elements in T .
8
ification algorithm.We next develop a symbolic representation for local runs,
leading to our notion of pseudorun. For a configurationρi = 〈Si, Ii, Pi, Oi〉, let us denote
ρ↓i = 〈Si|C, Ii, Pi, Oi|C, Di,≤i〉,
where Di and ≤i are the restrictions of D and ≤ to adom(Ii∪
Pi). We refer to ρ↓i as the local configuration corresponding
to ρi, and to {ρ↓i }i≥0 as the local run of {ρi}i≥0. The idea
is to represent local configurations using a fixed, finite setof symbols. Intuitively, symbols must be “reused” in sucha representation, so the same symbol occurring in differentsymbolic configurations may correspond to different domainelements in a real local run.
Let k = 2·arity(R), where R is the unique input relation.Let Vk = C ∪{v1, . . . , vk}, where v1, . . . , vk are distinct newsymbols. Intuitively, the v1, . . . , vk are used to represent in-put values that are not in C. Thus, v1, . . . , vk function asvariables: they may represent different values in differentconfigurations; in contrast, the elements in C have a fixedinterpretation (as themselves). We can clearly represent the
C-isomorphism type of ρ↓i by an instance whose domain is
Vk. To do so, it is enough to fix some injective mapping fi
from adom(ρ↓i ) to Vk that fixes C, and consider the instance
τi = fi(ρ↓i ) over Vk. By definition, τi is C-isomorphic to
ρ↓i . A pseudorun of A is an extension of this representa-
tion to an entire local run of A. The extension takes intoaccount the connection between consecutive local configu-rations, induced by the fact that Ii = Pi+1 for each i ≥ 0.Specifically, fi and fi+1 must agree on the elements in Ii.Thus, τ = {τi}i≥0 is a symbolic representation of the local
run ρ↓ = {ρ↓i }i≥0, using only elements in Vk, and τ |= ψc
iff ρ↓ |= ψc. We are on the right track, but this is not quitesufficient. Indeed, the symbolic runs would not be useful ifone would need local runs to generate them. Fortunately,there is a way around this. Symbolic runs using elementsin Vk can be generated independently, by directly apply-ing the transition rules of A. These are called pseudoruns.However, not all pseudoruns correspond to local runs on afinite database – some require an infinite database. To filterout the latter undesired pseudoruns, an additional criterionmust be used, consisting of a certain periodicity property(rather technical and omitted here). The most subtle partof the proof, complicated by the presence of the order onthe domain3 is showing that this criterion works: there ex-ists a local run satisfying ψc iff there exists a “periodic”pseudorun satisfying ψc. The verification algorithm thennon-deterministically searches for a “periodic” pseudorunsatisfying ψc. This can be done in pspace because configu-rations of pseudoruns are of size polynomial in A, states ofthe Buchi automaton corresponding to ψc are of size polyno-mial in ψc, and non-deterministic transitions in both A andthe Buchi automaton can be computed in pspace. Finally,the “periodicity” property ensures that acceptance can bechecked using a finite prefix of the pseudorun (recall also thediscussion in Section 3.4). This leads to the desired pspace
verification algorithm.
3A first proof without order is provided in [37], while the ex-tension to an ordered domain is shown in [34], in the frame-work of data-driven business processes.
Theorem 4.3. It is decidable, given an input-boundedASM+ transducer A and an input-bounded LTL(FO) for-mula ϕ, whether every run of A satisfies ϕ. Furthermore,the complexity of the decision problem is pspace-completefor fixed arity schemas, and expspace otherwise.
As mentioned earlier, the input-boundedness restrictionson transducers and properties are quite tight. We mentiona few small relaxations of the restrictions or of the modelthat lead to undecidability:
• relaxing the input-bounded quantification rule by al-lowing state projections;
• allowing non-ground state atoms in input pre-conditions(this holds even with just a single unary state);
• allowing previous input relations prevR to hold all pre-vious inputs to R rather than just the most recent one;
• requiring non-empty inputs at each transition;
• quantifying global variables in LTL(FO) formulas ex-istentially rather than universally;
• extending LTL(FO) by allowing path quantifiers (onealternation is sufficient).
The proofs are by reduction from the Post CorrespondenceProblem [60] or from implication for functional and inclusiondependencies (e.g., see [4]), both known to be undecidable.
Verification also becomes undecidable in the presence ofdatabase constraints such as functional dependencies (evenfor binary relations with just one key attribute). As in thecase of arithmetic operations, partial verification can stillbe carried out in this case, but completeness is lost. Thus,a counterexample run produced by the algorithm could bea false negative, because the database it uses violates thefunctional dependencies.
4.3 The WAVE VerifierWhile the pspace upper bound obtained for verification
in the input-bounded case is encouraging from a theoreticalviewpoint, it does not provide any indication of its practi-cal feasibility. Fortunately, it turns out that the pseudoruntechnique described above also provides a good basis for theefficient implementation of a verifier. Indeed, this techniquelies at the core of the wave verifier, targeted at data-drivenWeb services of the WebML flavor [39, 35].
The verifier, as well as its target specification framework,are both implemented from scratch. Thus, we first devel-oped a tool for high-level, efficient specification of data-driven Web services, in the spirit of WebML. Next, we im-plemented wave taking as input a specification of a Webservice using our tool, and an LTL(FO) property to be ver-ified. The starting point for the implementation is the pseu-dorun technique. Indeed, the verifier basically carries outa search for counterexample pseudoruns. However, verifica-tion becomes practical only in conjunction with an array ofadditional heuristics and optimization techniques, yieldingcritical improvements. Chief among these is dataflow analy-sis, allowing to dramatically prune the search for counterex-ample pseudoruns.
The verifier was evaluated on a set of practically signifi-cant Web application specifications, mimicking the core fea-tures of sites such as Dell, Expedia, and Barnes and Noble.
9
The experimental results are quite exciting: we obtainedsurprisingly good verification times (on the order of sec-onds), suggesting that automatic verification is practicallyfeasible for significant classes of properties and Web services.The implementation and experimental results are describedin [35]. A demo of the WAVE prototype is presented in [38]and is also available at http://db.ucsd.edu/wave.
4.4 Compositions of ASM+ TransducersThe verification results discussed so far apply to single
ASM+ transducers in isolation. These results were extendedin [39] to the more challenging but practically interestingcase of compositions of ASM+ transducers, modeling com-positions of database-driven Web services. Asynchronouscommunication between transducers adds another dimen-sion that has to be taken into account. We briefly describethe model and results of [39].
In an ASM+ composition, the transducers communicatewith each other by sending and receiving messages via one-way channels modeled as message queues. Each queue isassociated with a unique sender who places messages intothe queue, and a unique receiver who consumes messagesfrom it in FIFO order (thus, it is assumed messages arrivein the same order they were sent). The messages can be flator nested. Flat messages consist of single tuples, e.g. theage and social security number of a given customer. Nestedmessages consist of a set of tuples, e.g. the set of bookswritten by an author.
As in the stand-alone case, each transducer can receiveexternal inputs and produce outputs (sets of tuples). In acomposition, each peer additionally consumes messages fromits input queues, and generates output messages. A configu-ration of the composition consists of the configurations of allparticipating peers (the database, their local state relations,inputs, current output relations, and the message queues).A run of the composition is a sequence of consecutive config-urations. We only consider serialized runs, in which at everystep precisely one transducer performs a transition. Prop-erties of runs to be verified are specified in an extension ofLTL(FO) where the FO components may additionally referto the messages currently read and received.
In order to obtain decidability of verification, we needto extend the input-boundedness restriction. Naturally, weneed to also require input-boundedness of the queries defin-ing output messages. Additional restrictions must be placedon the message channels: they may be lossy, but are re-quired to be bounded. With these restrictions, verificationis again shown to be pspace-complete (for fixed-arity rela-tions, and expspace otherwise). The proof is by reductionto the single transducer case. In particular, flat messages aresimulated in the single transducer by new input relations,and nested messages by additional state relations. The non-deterministic choice of which ASM+ moves in each transi-tion of the composition is also simulated with an additionalinput.
As in the case of single transducers, verification becomesundecidable if some of the restrictions are relaxed. Notsuprisingly, verification is undecidable with unbounded queues(this already happens for finite-state systems [24]). More in-terestingly, lossiness of channels is essential: verification be-comes undecidable under the assumption that channels areperfect, i.e. messages are never lost (the proof is by reduc-tion of the Post Correspondence Problem). Another subtle
distinction involves how messages are observed. With lossychannels, there are two possibilities. Under the observer-at-sender semantics, messages are observed when sent. Underthe observer-at-recipient semantics, they are observed whenreceived. The semantics used in our model is the latter. Itturns out that verification becomes undecidable if observer-at-sender semantics is used instead.
The above model of compositions assumes that all speci-fications of participating peers are available to the verifier.However, compositions may also involve autonomous par-ties unwilling to disclose the internal implementation de-tails. In this case, the only information available is typicallya specification of their input-output behavior. This leads toan investigation of modular verification. It consists in ver-ifying that a subset of fully specified transducers behavescorrectly, subject to input-output properties of the othertransducers. Similar decidability results are obtained in [39]for verification, subject to an appropriate extension of theinput-boundedness restriction.
5. CONCLUSIONSDatabase-driven systems are increasingly prevalent, par-
ticularly in the context of Web services. They provide thebackbone of complex applications for which verification iscritically important. A fortunate development facilitatingthis task is the emergence of high-level specification toolscentered around database queries, that provide a naturaltarget for verification. The results we described suggest thatverification may indeed be feasible for significant classes ofdatabase-driven systems so specified. The theoretical re-sults, as well as the implementation of an actual verifierexhibiting suprisingly good performance, are made possi-ble by a novel coupling of techniques from database theoryand model checking. The encouraging results suggest thatthis approach is quite promising, and may be just the start-ing point of a fruitful marriage between the database andcomputer-aided verification areas.
Verification is just one of the static analysis problems thatarise in the context of database-driven systems. In the spe-cific context of Web services, synthesis of compositions, aswell as orchestration of services, are important issues thatare very challenging even for finite-state systems and remainlargely unexplored in the presence of data. Another inter-esting class of problems concerns abstraction, used either asa tool in verification or as a means to provide different high-level views of a system, aimed at different classes of users.These are important directions for future research.
Acknowledgement I wish to thank Serge Abiteboul, AlinDeutsch, Luc Segoufin and Moshe Vardi for providing veryuseful comments and suggestions on a draft of this paper.
6. REFERENCES[1] M. Abadi, L. Lamport, and P. Wolper. Realizable and
unrealizable specifications of reactive systems. InProc. ICALP Conference, 1989.
[2] S. Abiteboul, O. Benjelloun, and T. Milo. The ActiveXML project: an overview. VLDB Journal,17(5):1019–1040, 2008.
[3] S. Abiteboul, L. Herr, and J. V. den Bussche.Temporal versus first-order logic to query temporal
10
databases. In Proc. ACM Symp. on Principles ofDatabase Systems (PODS), pages 49–57, 1996.
[4] S. Abiteboul, R. Hull, and V. Vianu. Foundations ofDatabases. Addison-Wesley, 1995.
[5] S. Abiteboul, L. Segoufin, and V. Vianu. Staticanalysis of Active XML systems. In Proc. ACM Symp.on Principles of Database Systems (PODS), pages221–230, 2008.
[6] S. Abiteboul, V. Vianu, B. Fordham, and Y. Yesha.Relational transducers for electronic commerce.Journal of Computer and System Sciences (JCSS),61(2):236–269, 2000. Extended abstract in PODS 98.
[7] N. Adam, V. Atluri, and W. Huang. Modeling andanalysis of workflows using Petri nets. Journal ofIntelligent Information Systems, 10(2):131–158, 1998.
[8] D. Berardi, D. Calvanese, G. Giacomo, R. Hull, andM. Mecella. Automatic composition oftransisiton-based semantic web services withmessaging. In Proc. Int’l. Conf. on Very LargeDatabases (VLDB), 2005.
[9] D. Berardi, D. Calvanese, G. D. Giacomo, R. Hull,M. Lenzerini, and M. Mecella. Modeling data &processes for service specifications in Colombo. InEMOI-INTEROP, 2005.
[10] D. Berardi, D. Calvanese, G. D. Giacomo,M. Lenzerini, and M. Mecella. Automatic compositionof e-services that export their behavior. In Proc. Int’l.Conf on Service-Oriented Computing (ICSOC), pages43–58, 2003.
[11] D. Berardi, D. Calvanese, G. D. Giacomo,M. Lenzerini, and M. Mecella. E-service compositionby description logics based reasoning. In DescriptionLogics, 2003.
[12] D. Berardi, D. Calvanese, G. D. Giacomo,M. Lenzerini, and M. Mecella. A tool for automaticcomposition of services based on logics of programs. InTechnologies for E-Services, 5th InternationalWorkshop (TES), pages 80–94, 2004.
[13] D. Berardi, D. Calvanese, G. D. Giacomo,M. Lenzerini, and M. Mecella. Automatic servicecomposition based on behavioral descriptions. Int. J.Cooperative Inf. Syst., 14(4):333–376, 2005.
[14] D. Berardi, G. D. Giacomo, M. Lenzerini, M. Mecella,and D. Calvanese. Synthesis of underspecifiedcomposite e-services based on automated reasoning. InProc. Int’l. Conf on Service-Oriented Computing(ICSOC), pages 105–114, 2004.
[15] M. Bojanczyk, A. Muscholl, T. Schwentick,L. Segoufin, and C. David. Two-variable logic onwords with data. In Proc. IEEE Conf. on Logic inComputer Science (LICS), pages 7–16, 2006.
[16] A. J. Bonner and M. Kifer. An overview of transactionlogic. Theor. Comput. Sci., 133(2):205–265, 1994.
[17] A. Bouajjani, P. Habermehl, Y. Jurski, andM. Sighireanu. Rewriting systems with data. InFundamentals of Computation Theory, 16thInternational Symposium (FCT), volume 4639 ofLecture Notes in Computer Science, pages 1–22.Springer, 2007.
[18] A. Bouajjani, P. Habermehl, and R. Mayr. Automaticverification of recursive procedures with one integerparameter. Theoretical Computer Science, 295:85–106,
2003.
[19] A. Bouajjani, Y. Jurski, and M. Sighireanu. A genericframework for reasoning about dynamic networks ofinfinite-state processes. In TACAS’07, volume 4424 ofLecture Notes in Computer Science, pages 690–705.Springer, 2007.
[20] P. Bouyer. A logical characterization of datalanguages. Information Processing Letters,84(2):75–85, 2002.
[21] P. Bouyer, A. Petit, and D. Therien. An algebraicapproach to data languages and timed languages.Information and Computation, 182(2):137–162, 2003.
[22] BPML.org. Business process modeling language.http://www.bpmi.org.
[23] M. Brambilla, S. Ceri, S. Comai, P. Fraternali, andI. Manolescu. Specification and design ofworkflow-driven hypertexts. Journal of WebEngineering, 1(1), 2002.
[24] D. Brand and P. Zafiropulo. On communicatingfinite-state machines. J. of the ACM, 30(2):323–342,1983.
[25] T. Bultan, X. Fu, R. Hull, and J. Su. Conversationspecification: a new approach to design and analysisof e-service composition. In World Wide WebConference, pages 403–410, 2003.
[26] O. Burkart, D. Caucal, F. Moller, and B. Steffen.Verification of infinite structures. In Handbook ofProcess Algebra, pages 545–623. Elsevier Science, 2001.
[27] S. Ceri, P. Fraternali, A. Bongio, M. Brambilla,S. Comai, and M. Matera. Designing data-intensiveWeb applications. Morgan-Kaufmann, 2002.
[28] E. M. Clarke, O. Grumberg, and D. A. Peled. ModelChecking. MIT Press, 2000.
[29] C. Courcoubetis, M. Vardi, P. Wolper, andM. Yannakakis. Memory-efficient algorithms for theverification of temporal properties. Formal methods insystem design, 1:275–288, 1992.
[30] DAML-S Coalition (A. Ankolekar et al).DAML-S:Web service description for the semantic Web. In TheSemantic Web - ISWC, pages 348–363, 2002.
[31] H. Davulcu, M. Kifer, C. R. Ramakrishnan, and I. V.Ramakrishnan. Logic based modeling and analysis ofworkflows. In Proc. ACM Symp. on Principles ofDatabase Systems (PODS), pages 25–33, 1998.
[32] S. Demri and R. Lazic. LTL with the Freeze Quantifierand Register Automata. In Proc. IEEE Conf. on Logicin Computer Science (LICS), pages 17–26, 2006.
[33] S. Demri, R. Lazic, and A. Sangnier. Model checkingfreeze LTL over one-counter automata. In Proc. 11thInt’l. Conf. on Foundations of Software Science andComputation Structures (FoSSaCS’08), pages490–504, 2008.
[34] A. Deutsch, R. Hull, F. Patrizi, and V. Vianu.Automatic verification of data-centric businessprocesses. This proceedings.
[35] A. Deutsch, M. Marcus, L. Sui, V. Vianu, andD. Zhou. A verifier for interactive, data-driven webapplications. In Proc. ACM SIGMOD Int’l. Conf. onManagement of Data (SIGMOD), pages 539–550,2005.
[36] A. Deutsch, L. Sui, and V. Vianu. Specification and
11
verification of data-driven web services. In Proc. ACMSymp. on Principles of Database Systems (PODS),pages 71–82, 2004.
[37] A. Deutsch, L. Sui, and V. Vianu. Specification andverification of data-driven web services. Journal ofComputer and System Sciences (JCSS),73(3):442–474, 2007.
[38] A. Deutsch, L. Sui, V. Vianu, and D. Zhou. A systemfor specification and verification of interactive,data-driven Web applications. In Proc. ACMSIGMOD Int’l. Conf. on Management of Data(SIGMOD), pages 772–774, 2006.
[39] A. Deutsch, L. Sui, V. Vianu, and D. Zhou.Verification of communicating data-driven Webservices. In Proc. ACM Symp. on Principles ofDatabase Systems (PODS), pages 90–99, 2006.
[40] E. A. Emerson. Temporal and modal logic. In J. V.Leeuwen, editor, Handbook of Theoretical ComputerScience, Volume B: Formal Models and Sematics,pages 995–1072. North-Holland Pub. Co./MIT Press,1990.
[41] R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi.Reasoning about knowledge. MIT Press, 1996.
[42] M. F. Fernandez, D. Florescu, A. Y. Levy, andD. Suciu. Declarative specification of web sites withStrudel. VLDB Journal, 9(1):38–55, 2000.
[43] D. Florescu, K. Yagoub, P. Valduriez, and V. Issarny.WEAVE: A data-intensive web site managementsystem(software demonstration). In Proc. of the Conf.on Extending Database Technology (EDBT), 2000.
[44] J. Garson. Quantification in modal logic. InD. Gabbay and F. Guenthner, editors, Handbook ofPhilosophical Logic, pages 249–307. Reidel, 1977.
[45] D. Georgakopoulos, M. F. Hornick, and A. P. Sheth.An overview of workflow management: From processmodeling to workflow automation infrastructure.Distributed and Parallel Databases, 3(2):119–153,1995.
[46] D. Harel. On the formal semantics of statecharts. InProc. IEEE Conf. on Logic in Computer Science(LICS), pages 54–64, 1987.
[47] D. Harel. Statecharts: A visual formulation forcomplex systems. Sci. Comput. Program,8(3):231–274, 1987.
[48] G. Hughes and M. Cresswell. An introduction to modallogic. Methuen, 1968.
[49] R. Hull, M. Benedikt, V. Christophides, and J. Su.E-services: a look behind the curtain. In Proc. ACMSymp. on Principles of Database Systems (PODS),pages 1–14, 2003.
[50] R. Hull and J. Su. Tools for design of composite webservices. In Proc. ACM SIGMOD Int’l. Conf. onManagement of Data (SIGMOD), pages 958–961,2004.
[51] M. Jurdzinski and R. Lazic. Alternation-free modalmu-calculus for data trees. In Proc. IEEE Conf. onLogic in Computer Science (LICS), pages 131–140,2007.
[52] O. Kupferman and M. Vardi. Synthesizing distributedsystems. In Proc. IEEE Conf. on Logic in ComputerScience (LICS), 2001.
[53] R. Lazic, T. Newcomb, J. Ouaknine, A. Roscoe, andJ. Worrell. Nets with tokens which carry data. InICATPN’07, volume 4546 of Lecture Notes inComputer Science, pages 301–320. Springer, 2007.
[54] G. Mecca, P. Merialdo, and P. Atzeni. Araneus in theera of XML. IEEE Data Engineering Bulletin,22(3):19–26, 1999.
[55] S. Merz. Model checking: a tutorial overview. InModeling and verification of parallel processes.Springer-Verlag New York, 2001.
[56] R. Milner. Communicating and mobile systems: the πcalculus. Cambridge University Press, 1999.
[57] W. Mok and D. Paper. Using harel’s statecharts tomodel business workflows. J. of DatabaseManagement, 13(3):17–34, 2002.
[58] F. Neven, T. Schwentick, and V. Vianu. Finite StateMachines for Strings Over Infinite Alphabets. ACMTransactions on Computational Logic, 5(3):403–435,2004.
[59] A. Pnueli and R. Rosner. Distributed reactive systemsare hard to synthesize. In Proc. IEEE Symp. onFoundations of Computer Science (FOCS), 1990.
[60] E. L. Post. Recursive unsolvability of a problem ofThue. J. of Symbolic Logic, 12:1–11, 1947.
[61] R. Reiter. Knowledge in action:logical foundations forspecifying and implementing dynamical systems. MITPress, 2001.
[62] A. Sistla and E. Clarke. The complexity ofpropositional linear temporal logic. J. of the ACM,32:733–749, 1985.
[63] A. P. Sistla, M. Y. Vardi, and P. Wolper. Thecomplementation problem for Buchi automata withapplications to temporal logic. Theoretical ComputerScience, 49:217–237, 1987.
[64] M. Spielmann. Verification of relational transducersfor electronic commerce. Journal of Computer andSystem Sciences (JCSS), 66(1):40–65, 2003. Extendedabstract in PODS 2000.
[65] B. Trankhtenbrot. The impossibility of an algorithmfor the decision problem for finite models. DokladyAcademii Nauk SSSR, 70:569–572, 1950.
[66] W. M. P. van der Aalst. The application of petri netsto workflow management. Journal of Circuits,Systems, and Computers, 8(1):21–66, 1998.
[67] W. M. P. van der Aalst and A. H. M. ter Hofstede.Workflow patterns: On the expressive power of(petri-net-based) workflow languages. In Proc. of theFourth International Workshop on Practical Use ofColoured Petri Nets and the CPN Tools, Aarhus,Denmark, August 28-30, 2002 / Kurt Jensen (Ed.),pages 1–20. Technical Report DAIMI PB-560, Aug.2002. InternalNote: Submitted by: hr available online:http://www.daimi.aau.dk/CPnets/workshop02/cpn/papers/.
[68] M. Y. Vardi and P. Wolper. An automata-theoreticapproach to automatic program verification. In Proc.IEEE Conf. on Logic in Computer Science (LICS),pages 332–344, 1986.
[69] D. Wodtke and G. Weikum. A formal foundation fordistributed workflow execution based on state charts.In Proc. of Intl. Conf. on Database Theory (ICDT),pages 231–246, 1997.
12
[70] Workflow management coalition, 2001.http://www.wfmc.org.
[71] Web Services Flow Language(WSFL 1.0), 2001.http://www-3.ibm.com/ software/ solutions/webservices/pdf/WSFL.pdf.
13