In: J.Göers, A.Heuer, G.Saake (Eds.): Proceedings of the 3rd International Workshop
on Foundations of Models and Languages for Data and Objects (Aigen, Sept. 1991)
Informatik-Bericht 91/3, TU Clausthal 1991, pp.115-130
Monitoring Dynamic Integrity Constraints
on Finite State Sequences and Existence Intervals
Udo W. Lipeck
Institut für Informatik, Universität Hannover, Lange Laube 22, D-W 3000 Hannover 1
[email protected]
Heren Zhou
FB Informatik, Universität Dortmund, Postfach 500 500, D-W 4600 Dortmund 50
[email protected]
Abstract: Correct database behaviour in the course of time can be specified by requiring dynamic integrity constraints. These constraints can be
expressed as temporal logic formulae which, however, usually are interpreted
in infinite state sequences. Since in practice only a partial, finite prefix of
an infinite sequence is known, notions of partial admissibility of finite sequences with respect to constraints have been introduced. Admissibility can
be checked on each state transition by following corresponding paths in transition graphs, which can be constructed for arbitrary temporal formulae.
In this paper we modify temporal logic and transition graphs as introduced
in our former work by giving them an interpretation in the empty state sequence so that the theory can be extended to complete finite sequences. Since
practical dynamic constraints are to refer to database objects only during their
existence intervals, this extension is utilized to handle integrity checks on the
deletion of objects.
1
Introduction
Correct database behaviour can be specified by requiring dynamic integrity constraints
which restrict the admissible evolutions of stored information. The dynamic behaviour of
a system can be characterized by sequences of its states, and dynamic constraints can be
expressed by temporal logic formulae which are interpreted just in such state sequences.
Temporal logic is an extension of classic predicate logic by temporal quantifiers and
operators like always , sometime , next , etc. It has primarily been used for program
verification [MaP81, Wo83, MaW84, ClES86, Kr87], but has also been applied to database
specifications by many authors in the last decade [Se80, CaCF82, EhLG84, Ku84, LiEG85,
CaS87, LiS87, FiS88, Li90, Sa91].
1
Temporal formulae, however, usually are interpreted in infinite state sequences. Since
in practice only a partial, finite prefix of an infinite sequence is known (the prefix up
to the present state), notions of partial admissibility of finite sequences with respect to
constraints have been introduced in [LiS87, Li88]. A finite prefix is called potentially
admissible iff there exists an infinite continuation to an admissible complete, infinite sequence; it is provisionally admissible iff no constraint violation has occurred up to the
present state. Such kinds of admissibility can be monitored in state sequences by following corresponding paths in transition graphs which can be constructed from arbitrary
temporal formulae.
The nodes of transition graphs are labelled by temporal formulae indicating what remains
to be monitored in the future, whereas their edges are labelled by nontemporal formulae
which have to be checked in the respective next state. Such graphs can be derived by
iterated transformation of temporal formulae into disjunctive normalform [LiS87, Li88],
or they can be composed from simpler graphs for subformulae in a bottom-up manner
corresponding to the formula structure [LiF88, Li88]. Both constructions rely on important laws of temporal logic, the so-called temporal recursion rules, to deliver graphs
which are correctly labelled with respect to the constraints. Using these graphs restricts
the analysis of constraints from tests on entire past and (potential) future state sequences
to only local tests on single state transitions.
In this paper we want to extend the theory of temporal logic and transition graphs
as introduced in our former work to include not only partial, but also complete finite
sequences. To this end, we appropriately modify the semantics of temporal formulae and
the notion of correct transition graphs. One approach in this direction has already been
followed in [Sa88, SaL89, Sa91]: To replace the critical operator next which refers to
a (perhaps non-existing) next state, new temporal quantifiers existsnext and allnext
were introduced; they require the validity of a formula in the tail sequence starting from
the next state either together with the existence of the state (existsnext) or on condition
that the state exists ( allnext ). Formulae of that logic can be interpreted in infinite and
in finite (but nonempty) sequences such that necessary laws like temporal recursions still
hold. The construction of transition graphs based on formula normalization [LiS87] could
be adapted to this logic such that final nodes, which have to be reached at the end of a
finite state sequence, can be detected during the construction.
That approach, however, does not support other construction methods for transition
graphs like the bottom-up composition [LiF88], since it lacks a criterion how to detect
final nodes in a graph that is given already and that is known to have correct node
and edge labels. In this paper, we have found a simpler way to modify the semantics
of temporal formulae: since finite sequences eventually have empty tail sequences, we
integrate an appropriate interpretation of formulae in the empty state sequence such
that the temporal recursions still hold for nonempty sequences. Then the final nodes of
transition graphs can simply be detected by checking the validity of their formula labels
in the empty sequence.
As mentioned above, transition graphs with final nodes are needed to monitor constraints
at the end of a sequence. Since ordinary dynamic constraints in practice only refer to
2
database objects during their existence intervals between insertion and deletion, the socalled object life cycles [Sa91], the extension above can be utilized to handle objectwise
integrity checks on deletions. Here we will give a monitor algorithm in the style of [LiS87],
but specialized and hence optimized for such existence-restricted constraints.
The remainder of the paper is structured as follows: In Section 2, we redefine the interpretation of temporal formulae in state sequences including empty and finite sequences.
In Section 3, the notion of strong correctness of transition graphs is introduced that requires a correct choice of the final nodes in addition to usual correctness. It is proved
that a finite state sequence is admissible iff it is accepted by a strongly correct transition
graph such that its last state transition has induced a final node. This results leads to a
general monitor scheme given there, too. Existence-restricted constraints are considered
in Section 4 together with the relevant, specialized monitoring algorithm.
2
Linear Temporal Logic
At first we modify our former approach to the semantics of temporal logic as given in
[LiS87, Li88, Li90] to make it applicable to complete finite state sequences. In particular,
the treatment of the empty sequence has been revised.
Notation 2.1 Temporal formulae are interpreted in infinite or finite state sequences
σ = hσ0 , σ1 , . . .i or σ = hσ0 , . . . σn−1 i, n ≥ 0.
For n = 0, σ is a empty state sequence, to be denoted as λ. I(σ) denotes the index range
of σ, i.e. I(hσ0 , σ1 , . . .i) = IN , and I(hσ0 , . . . σn−1 i) = {0, . . . , n − 1}. A state sequence σ
can be written as σ = h σi | i I(σ) i.
|σ| defines the length of σ, i.e. |hσ0 , σ1 , . . .i| = ∞, and |hσ0 , . . . , σn−1 i| = n. For λ holds
I(λ) = ∅ and |λ| = 0. σ i , i IN , denotes the i-th tail sequence of σ, i.e.
σ i = h σj | j ≥ i ∧ j I(σ) i,
which is empty for i ≥ |σ|.
2
Notation 2.2 If a temporal formula ϕ is valid in σ for a substitution θ of its free variables, this is denoted as [σ, θ] |= ϕ. If ϕ is valid in σ for all substitutions, σ is called
admissible wrt ϕ what is denoted as σ |= ϕ.
2
Syntax and semantics of temporal formulae are given in the following definition. Note
the impact of having defined tail sequences even for sequences of length 1 or 0: for the
empty state sequence, λ, λ0 and λ1 etc. are identical ! Now, validity of a next ϕ formula
can be reduced to validity of the argument formula ϕ in the tail sequence which is defined
in any case.
Definition 2.3 Let ϕ, ϕ1 , ϕ2 , τ, α be temporal formulae and ρ an atomic nontemporal
formula, i.e. true , false , or a expression p(t1 , . . . , tn ) with a predicate p and terms ti .
Let σ be a state sequence, and let θ be a substitution, which maps variables to possible
objects in a given universe of discourse.
3
(0)
Nontemporal atoms:
[σ, θ] |= ρ
(1)
Propositional connectives:
[σ, θ] |= ¬ϕ
[σ, θ] |= ϕ1 ∧ ϕ2
[σ, θ] |= ϕ1 ∨ ϕ2
(2)
Tail operator:
[σ, θ] |= next ϕ
(3)
(3a)
(3b)
(4)
(4a)
(4b)
(4c)
(4d)
(4e)2
iff [σ0 , θ] |= ρ for a nonempty state sequence σ.
For σ = λ, [λ, θ] |= ρ holds for ρ ≡ true only1 .
iff not [σ, θ] |= ϕ
iff [σ, θ] |= ϕ1 and [σ, θ] |= ϕ2
iff [σ, θ] |= ϕ1 or [σ, θ] |= ϕ2
iff [σ 1 , θ] |= ϕ. (!)
Thus for |σ| = 0 or |σ| = 1,
[σ, θ] |= next ϕ holds iff [λ, θ] |= ϕ.
Unbounded temporal quantification:
[σ, θ] |= always ϕ
iff for all i I(σ), [σ i , θ] |= ϕ.
Thus always ϕ is valid in σ = λ.
[σ, θ] |= sometime ϕ
iff there exists an i I(σ), such that [σ i , θ] |= ϕ.
Thus sometime ϕ is not valid in σ = λ.
Bounded temporal quantification:
Let µτ be the index of the first occurrence of τ ,
i.e. µτ = min({j I(σ)| [σ j , θ] |= τ } ∪ {∞}).
[σ, θ] |= always ϕ before τ
iff for all i I(σ): i < µτ ⇒ [σ i , θ] |= ϕ
[σ, θ] |= sometime ϕ before τ iff there exists an i I(σ): i < µτ und [σ i , θ] |= ϕ
iff for all i I(σ): i ≤ µτ ⇒ [σ i , θ] |= ϕ
[σ, θ] |= always ϕ until τ
[σ, θ] |= sometime ϕ until τ iff there exists an i I(σ): i ≤ µτ und [σ i , θ] |= ϕ
[σ, θ] |= from α holds ϕ
2
iff µα = ∞ or [σ µα , θ] |= ϕ
This definition could easily be extended to include object quantifications (∀, ∃) over possible objects (from the universe) and actual objects (from a single state). The interested
reader should consult our former papers. The theory in the following sections works for
temporal formulae which may indeed have arbitrary predicate logic formulae (possibly
including object quantifiers) as basic constituents, but only propositional or temporal
connectives as defined above.
Example 2.4 Here are a few examples of formulae distinguishing certain state sequences.
1)
2)
3)
4)
5)
σ
σ
σ
σ
σ
|=
|=
|=
|=
|=
sometime true
next sometime true
always false
¬ sometime true
sometime true ∧
always next sometime true
iff
iff
iff
iff
|σ| ≥ 1,
|σ| ≥ 2,
|σ| = 0,
|σ| = 0,
i.e.
i.e.
i.e.
i.e.
0 I(σ).
0, 1 I(σ).
σ = λ.
σ = λ.
iff |σ| = ∞, i.e. I(σ) = IN .
As an abbreviation of (3) or (4), we introduce a standard predicate isempty which holds
in the empty sequence only.
2
1
2
≡ stands for syntactic identity.
This quantifier is introduced here for convenience only; actually, it is a special case of (4c) [Li88].
4
The new definition still guarantees the correctness of temporal recursion rules [LiS87]
for nonempty state sequences. These rules split a temporal formula into a present nontemporal part to be checked in the first state and into a future temporal part with the
next -operator to be checked in the tail sequence.
Lemma 2.5 The following equivalences hold for arbitrary temporal formulae ϕ and τ
in state sequences σ, provided σ is nonempty, i.e. ¬ isempty can be taken as a general
premise.
(i)
always ϕ
(ii)
sometime ϕ
(iii)
always ϕ before τ
(iv) sometime ϕ before τ
(v)
always ϕ until τ
(vi)
sometime ϕ until τ
⇐⇒
⇐⇒
⇐⇒
⇐⇒
⇐⇒
⇐⇒
ϕ ∧ next always ϕ
ϕ ∨ next sometime ϕ
τ ∨ (ϕ ∧ next (always ϕ before τ ))
¬τ ∧ (ϕ ∨ next (sometime ϕ before τ ))
(ϕ ∧ τ ) ∨ (ϕ ∧ next (always ϕ until τ ))
ϕ ∨ (¬τ ∧ next (sometime ϕ until τ ))
2
Here, proofs for infinite state sequences that rely on the existence of a first state only
can be literally adapted from [Li88] to nonempty state sequences. For instance, we prove
rule (iii):
[σ, θ] |= τ ∨ (ϕ ∧ next (always ϕ before τ ))
Def
⇐⇒
[σ 0 , θ] |= τ or ([σ 0 , θ] |= ϕ and [σ 1 , θ] |= always ϕ before τ )
Def
⇐⇒ [σ 0 , θ] |= τ or ([σ 0 , θ] |= ϕ and for each i I(σ 1 ), i < µτ1 ⇒ [σ i , θ] |= ϕ)
Def
⇐⇒
[σ 0 , θ] |= τ or (for each i I(σ), i < µτ1 ⇒ [σ i , θ] |= ϕ)
(*)
⇐⇒ for each i I(σ), i < µτ ⇒ [σ i , θ] |= ϕ
Def
⇐⇒
[σ, θ] |= always ϕ before τ
(*): [σ 0 , θ] |= τ means µτ = 0, otherwise µτ1 = µτ .
3
2
Acceptance by Transition Graphs
Temporal formulae are used to express dynamic database integrity constraints. In order to
monitor such constraints at database runtime, i.e. in state sequences, we utilize transition
graphs that can be constructed from temporal formulae at schema definition time and
that reduce analysis of state sequences to state transitions.
Definition 3.1 A transition graph T = hV, E, F, ν, η, v0 i for a temporal formula ϕ consists of
• a directed graph hV, Ei having a finite set V of nodes
and a set E ⊆ V × V of edges,
• a set of final nodes F ⊆ V ,
• a node labelling ν with temporal formulae,
• an edge labelling η with propositional formulae,
each constructed from the basic nontemporal constituents of ϕ,
• and an initial node v0 V with ν(v0 ) = ϕ.
5
2
A transition graph is used to analyze a state sequence by searching for a corresponding
path, whose edge labels successively hold in the states of the sequence. For that, the nodes
which have been reached at each moment must be “marked”. This is done separately for
each relevant object or object combination, or to be formally, for each substitution θ of
the free variables in the constraint in question. We assume θ to be given for the following
definitions and propositions.
Definition 3.2 The marking MT (θ, σ, i) of a transition graph T for an arbitrary (finite
or infinite) state sequence σ = hσ0 , σ1 , . . .i at moment i (i ≥ 0) is inductively defined as
the following sets of nodes:
MT (θ, σ, 0) = {v0 }
(
trans(MT (θ, σ, i), σi ) if i I(σ)
MT (θ, σ, i + 1) =
MT (θ, σ, i)
if i / I(σ), i.e. σ i = λ
0
trans(MT (θ, σ, i), σ) = {v V |∃v MT (θ, σ, i), ∃e = (v, v 0 ) E : [σ, θ] |= η(e)}
2
trans defines a transition rule which formalizes the stepwise processing of a transition
graph. A node v 0 is marked after passing a state σ iff there exists an edge e = (v, v 0 )
such that the edge label η(e) is valid in σ. If no edge satisfies this condition, trans yields
the empty set und the state sequence will not be processed. Please note that markings
MT (θ, σ, i) are even defined for sequences σ of length shorter than i; the last marking
MT (θ, σ, |σ|) simply remains unchanged.
The following notion of acceptance is usually applied to prefixes, i.e. incomplete finite
sequences.
Definition 3.3 A finite state sequence σ = hσ0 , . . . , σn−1 i is accepted by a transition
2
graph T iff there is a node marked at moment n, i.e. MT (θ, σ, n) 6= ∅ holds.
In addition to this requirement, a complete finite sequence must have induced the marking
of a final node. This notion of definitive acceptance is due to [Sa88, Sa91]
Definition 3.4 σ is definitively accepted by T iff the last marking MT (θ, σ, |σ|) contains
at least one final node, i.e. MT (θ, σ, |σ|) ∩ F 6= ∅.
2
These conditions, however, have not yet involved the given constraint which is to be
monitored. We must put additional requirements on the node and edge labels of the
transition graph. Intuitively, we want the nodes to be labelled by temporal formulae
indicating what remains to be monitored in the future (as it is the case for the initial
node), whereas the edges are labelled by nontemporal formulae which have to be checked
in the next state such that the right target nodes get marked.
Definition 3.5 A transition graph T is correct, iff the following equivalence holds in arbitrary nonempty state sequences σ for each node v with outgoing edges ek = (v, vk ), k =
1, . . . , d:
ν(v)
⇐⇒
d
_
(η(ek ) ∧ next ν(vk ))
k=1
2
6
This definition can be reformulated:
Lemma 3.6 The transition graph T is correct iff the following conditions are equivalent
at each node v V for nonempty state sequences σ:
1. [σ, θ] |= ν(v)
2. there exists an k, so daß [σ0 , θ] |= η(ek ) und [σ 1 , θ] |= ν(vk )
3.
[σ 1 , θ] |=
d
_
ν(vk )
k=1
[σ0 ,θ]|=η(ek )
2
I.e.: Each node label must be valid in a nonempty state sequence if and only if there is
at least one outgoing edge whose label is valid in the first state and whose corresponding
target node label is valid in the tail sequence. This tail sequence may, of course, become
empty: if σ 1 = λ, validity in σ depends on λ |= ν(vk ) in the case [σ0 , θ] |= η(ek ).
The following basic theorem [LiS87, Li88] states the basic relationship between the validity of a formula ϕ in a nonempty sequence σ and the acceptance of σ by a correct
transition graph T for ϕ. We have to re-prove it in our new semantical framework to
include finite state sequences σ and still arbitrary moments n IN :
Theorem 3.7 Let ϕ be a temporal formula, T a correct transition graph wrt ϕ, and σ
a nonempty state sequence, i.e. 0 I(σ). For each n IN holds :
[σ, θ] |= ϕ iff T accepts all prefixes of σ up to a length of n and [σ n , θ] |= ϕT (θ, σ, n)
where
_
ϕT (θ, σ, n) =
ν(v)
vMT (θ,σ,n)
2
Proof: The acceptance of prefixes follows from the second assertion. This can be concluded by induction on n. For n = 0, σ n = σ, ϕT (θ, σ, 0) = ν(v0 ) = ϕ, so the theorem
holds. For 0 < n < |σ|, we assume:
(1) [σ, θ] |= ϕ ⇐⇒ [σ n , θ] |= ϕT (θ, σ, n) =
_
ν(v)
vMT (θ,σ,n)
Since T is a correct transition graph, the following holds for each node v MT (θ, σ, n)
with outgoing edges ek = (v, vk ) based on lemma 3.6 :
(2) [σ n , θ] |= ν(v) ⇐⇒ [σ n+1 , θ] |=
_
ν(vk ) = ϕT (θ, σ, n + 1)
[σn ,θ]|=η(ek )
For n ≥ |σ| we have σ n = σ n+1 = . . . = λ and
(3) ϕT (θ, σ, n) = ϕT (θ, σ, n + 1) = . . .
So (1), (2), and (3) together imply for arbitrary n:
[σ n+1 , θ] |= ϕT (θ, σ, n + 1) iff [σ n , θ] |= ϕT (θ, σ, n) iff [σ, θ] |= ϕ
2
7
Corollary 3.8 ϕ is potentially valid in a finite prefix σ of a state sequence (i.e. there
exists a continuation of σ to a state sequence where ϕ is valid) iff T accepts σ and the
formula ϕT (θ, σ, |σ|) is satisfiable.
2
The graph constructions in [LiS87, Li88, LiF88] are known to deliver correct transition
graphs. The above theorem guarantees that they accept at least all potentially admissible
state sequences; the constructions guarantee that they accept at most all provisionally
admissible sequences (where no constraint violation has occurred up to the current state).
To get full validity, the label of one node in the last marking must be valid in the empty
tail sequence. Therefore we require the final nodes to be labelled correspondingly.
Definition 3.9 A transition graph T is strongly correct iff it is correct, and for each node
v F in T with node labelling ν(v) holds
isempty ⇒ ν(v), i.e. λ |= ν(v)
2
Now we can complete the above theorem:
Corollary 3.10 Let a strongly correct transition graph T for a formula ϕ be given.
2
ϕ is valid in a finite state sequence σ iff σ is definitively accepted by T .
Proof: Let σ = hσ0 , . . . , σn−1 i, n ≥ 0. By theorem 3.7, [σ, θ] |= ϕ holds iff
σ n = λ |= ϕT (σ, n) =
_
ν(v)
vMT (θ,σ,n)
If this is the case, then there exists a node v MT (θ, σ, n) with λ |= ν(v). According
to definition 3.9, v should be a final node. The other direction holds since definitive
acceptance (definition 3.4) implies the existence of such a node, too. For σ = λ, the last
marking is MT (θ, σ, 0) = v0 , and σ = λ |= ϕ holds iff v0 is a final node.
2
Corollary 3.11 If F = ∅ in a strongly correct transition graph T wrt a formula ϕ, then
ϕ is unsatisfiable in any finite state sequence.
2
In order to determine the final nodes F in transition graphs during graph construction,
the following test function for node labels can be derived from the semantics of formulae
in the empty state sequence (definition 2.3):
Definition 3.12 Let Φ be the set of temporal formulae and α, ϕ, τ, ρ Φ, ρ being a
nontemporal atom. The finality function L: Φ → {true , false } is recursively defined as
follows:
L(ρ) := ρ ≡ true
L(¬ϕ) := ¬L(ϕ)
L(next ϕ) := L(ϕ)
L(ϕ ∧ τ ) := L(ϕ) ∧ L(τ )
L(ϕ ∨ τ ) := L(ϕ) ∨ L(τ )
8
L(always ϕ) := true
L(sometime ϕ) := false
L(always ϕ before τ ) := true
L(sometime ϕ before τ ) := false
L(always ϕ until τ ) := true
L(sometime ϕ until τ ) := false
L(from α holds ϕ) := true
2
This function is obviously computable. It decides whether a formula is valid in the empty
sequence or not, i.e. whether a node is a final node or not.
Lemma 3.13 For any nontemporal formula ψ holds L(ψ) = true iff λ |= ψ.
Example 3.14 Consider the formula ϕ = always (A ⇒ sometime B) (A, B propositional variables) and a corresponding correct transition graph:
always (A ⇒ sometime B) ¬A ∨ B
Node 1 :
6
Node 2 :
A ∧ ¬B
B
?
always (A ⇒ sometime B) ∧ sometime B ¬B
By the criterion 3.13, we can determine that Node 1 is a final node and Node 2 is a
non-final node based on the following computations.
L(ν(1)) = L(always (A ⇒ sometime B)) = true
L(ν(2)) = L(always (A ⇒ sometime B)) ∧ L(sometime B)
= true ∧ false = false
2
Example 3.15 Here are further examples of strongly correct transition graphs. Final
nodes are circled twice, and there is an implicit loop labelled true at each true -node.
always A A
sometime A ¬A
A
? true 9
always sometime A A
6
¬A
?
A
sometime A ∧ always sometime A ¬A
sometime always A ¬A
6
A
?
¬A
always A ∨ sometime always A A
2
Algorithmically, monitoring dynamic integrity constraints in a nonempty state sequence
works as follows: For each substitution, the monitor follows corresponding correct transition graphs on each state transition to check whether the current prefix is accepted,
i.e. the constraint is partially valid. For an infinite state sequence, only violation of
constraints can be determined, but for a complete finite state sequence, full validity of
constraints can be decided: this is checked at the sequence end by looking for a marked
final node. For refinement in the next section, we repeat the monitoring scheme as it has
been introduced in [LiS87, Li88] except for handling definitive acceptance.
Algorithm 3.16 We assume that a strongly correct transition graph Tϕ with final node
set F has been constructed for each constraint ϕ. Let markingϕ (θ) denote the set
of marked nodes for substitution θ. The following procedure MONITOR has to be
called after each transition from an old database state σold into a state σ, including
the initialization into σ = σ0 (σold undefined) as well as the exit after the last state (σ
undefined).
procedure MONITOR :
/* global variables: σold , σ, markingϕ (θ) */
if σold undefined /* initial preparation */ then
for each constraint ϕ and each substitution θ
do markingϕ (θ) :={initial node v0 of Tϕ };
if σ defined /* initial or normal transition */ then
for each constraint ϕ and each substitution θ
do CHECK ACCEPTANCE(θ, ϕ)
/* The current state sequence up to σ is accepted
and thus ϕ is partially valid there. */
elseif σ undefined /* final transition */ then
for each constraint ϕ and each substitution θ
do CHECK DEFINITIVE ACCEPTANCE(θ, ϕ)
/* ϕ is valid in the complete state sequence. */
endproc
10
procedure CHECK ACCEPTANCE(θ, ϕ)
/* get a new marking by the transition rule */
for each node v markingϕ (θ)
for each outgoing edge e = (v, v 0 ) from v
do if [σ, θ] |= η(e) then mark v 0 ;
markingϕ (θ) :={newly marked nodes}
if markingϕ (θ) = ∅ then ERROR(“not accepted: no edge applicable”)
endproc
procedure CHECK DEFINITIVE ACCEPTANCE(θ, ϕ) :
/* Let F be the set of final nodes of Tϕ . */
if markingϕ (θ) ∩ F = ∅ then ERROR(“no final node reached after final state”)
endproc
2
4
Existence-Restricted Integrity Constraints
Whereas in theory general dynamic integrity constraints have to be checked in state
sequences for all substitutions with arbitrary possible objects, in practice ordinary constraints only affect objects which exist in the database and that only during their time
of existence. We will call such constraints existence-restricted. Since objects may be inserted and deleted during database runtime, their existence intervals, the so-called object
life cycles [Sa91], form subsequences of the complete database state sequence. Since a
deletion means completion of the existence interval, we need the monitoring criterion of
corollary 3.10 for finite state sequences. The section will be concluded by a monitoring
algorithm which specializes the above scheme to existence-restricted integrity constraints.
Since in general several free variables may occur in a constraint formula, we have to
consider object combinations which can serve as substitutions for those variables.
Definition 4.1 Let X = {x1 , . . . , xm } be a set of object variables, S a set of object sorts,
θ an arbitrary substitution of X and σ(s) the set of actual objects of sort s (s S) in the
state σ. We define a standard predicate exists for each sort combination as follows:
[σ, θ] |= exists (X) iff θ(xk ) σ(sk ), for all xk X of sort sk k = 1, ..., m
Additionally, we derive standard predicates inserted and deleted for states σ i within
a state sequence σ, i.e. 0 < i < |σ|:
[σi , θ] |= inserted (X) iff (i = 0 and [σ0 , θ] |= exists (X))
or ([σi−1 , θ] |= ¬ exists (X) and [σi , θ] |= exists (X))
[σi , θ] |= deleted (X) iff (i > 0 and [σi−1 , θ] |= exists (X) and [σi , θ] |= ¬ exists (X))
2
Definition 4.2 Let σ = hσ0 , σ1 , . . .i be an arbitrary state sequence and X, θ as above.
The existence interval σ θ of the substitution θ is defined as the subsequence
11
σ θ = hσθ.0 , σθ.1 , . . . , σθ.l i
where the start and end states σθ.0 and σθ.l are uniquely determined by:
[σθ.0 , θ] |= inserted (X),
[σ(θ.l)+1 , θ] |= deleted (X)
Here we assume that an object (combination) will not be re-inserted after it has been
deleted.
2
When constraints are to refer only to existence intervals of substitutions, admissibility of
state sequences wrt such constraints has to be defined anew. The respective constraints
are declared by a new quantifier:
Definition 4.3 Let ϕ be a formula with free object variables X = {x1 , . . . , xm }. An
existence-restricted integrity constraint ψ is of the form
ψ ≡ during−existence (X) : ϕ.
ϕ is called the constraint body. A state sequence σ is admissible wrt to the constraint ψ
iff ϕ is valid in the existence interval σ θ of each substitution θ for the object variables,
i.e. [σ θ , θ] |= ϕ. Here, only relevant substitutions with defined (and thus nonempty)
existence intervals need to be considered.
2
By the following corollary, existence-restricted constraints need not be resolved into formulae consisting only of basic temporal operators/quantifiers by utilizing the exists
predicate, as it had been necessary in [Li88] to construct transition graphs. We can
rather make direct use of the transition graph for the constraint body when monitoring the complete constraint. This statement follows from the above definition and from
corollary 3.10:
Corollary 4.4 Let T be a strongly correct transition graph for ϕ. σ is admissible
wrt during−existence (X) : ϕ iff σ θ is definitively accepted for each relevant substitution θ.
2
Thus, in order to monitor existence-restricted constraints the transition graphs corresponding to their bodies need only be followed during the existence intervals of inserted
objects, but not on the entire state sequence. This operationalization is made precise by
the following refinement of the algorithm 3.16.
Algorithm 4.5 We assume that a strongly correct transition graph Tϕ with final node
set F has been constructed for each existence-restricted constraint with body ϕ. The
following procedure MONITOR-EX again has to be called after each state transition
σold → σ. The function KIND OF SUBST is used to determine whether a substitution
has been inserted or deleted or whether it remained actual on that transition.
procedure MONITOR-EX :
/* global variables: σold , σ, markingϕ (θ) */
for each constraint ϕ and
for each substitution θ with objects from σold ∪ σ only
12
do case KIND OF SUBST(θ) of
inserted: markingϕ (θ) := {initial node v0 of Tϕ }
/* create marking */
CHECK ACCEPTANCE(θ, ϕ)
actual: CHECK ACCEPTANCE(θ, ϕ)
deleted: CHECK DEFINITIVE ACCEPTANCE(θ, ϕ)
/* and delete marking */
endproc
function KIND OF SUBST(θ) :
if [σ, θ] |= inserted (X) then inserted
elseif [σold , θ] |= exists (X) ∧ [σ, θ] |= exists (X) then actual
elseif [σ, θ] |= deleted (X) then deleted
2
Example 4.6 Here is an example for an existence-restricted integrity constraint; it is
taken from the famous “automobile registration” context [ISO82].
data/object sorts:
object functions:
data/object variables:
constraint:
Bool, Y ear / CAR
destroyed : CAR → Bool
thisyear :→ Y ear
y : Y ear / c : CAR
during−existence (c) : from destroyed(c) holds
(thisyear = y ⇒ sometime thisyear > y + 2)
/* The information about a car has to be stored after it has
been destroyed until the beginning of the third year. */
Let A = destroyed(c)
B = thisyear = y
C = thisyear > y + 2
ϕ = from destroyed(c) holds
(this − year = y ⇒ sometime this − year > y + 2)
Then the following transition graph is strongly correct wrt ϕ:
<1>
from A holds (B ⇒ sometime C) ¬A
A ∧ B ∧ ¬C
A∧C
?
? -
C
true
¬C sometime C
<2>
<3>
To monitor the given constraint, markings and the year of destruction y have to be
maintained for all cars c which belong to the database at some time. Such a marking
need only be generated when a car has been inserted; it is stored until the car object
13
is deleted from the database. Deletions are only allowed in node < 3 > (indicating that
the third year after destruction has been reached) or in node < 1 > (indicating that the
car has not yet been destroyed; it may perhaps be deleted due to a transfer to another
registration authority). Please note that we need not consider arbitrary values of y
(different from the destruction year) for monitoring, since the usage of substitutions for
data variables can be optimized to a certain extent [HüS91].
2
5
Conclusions
In this paper we have presented a natural extension of temporal logic to interpret formulae
not only in infinite, but also in finite sequences. In particular, the definition of the critical
next operator was simplified by considering eventually empty tail sequences and by
giving formulae an appropriate interpretation in the empty sequence. We have proved
that important laws which are relevant for the construction of corresponding transition
graphs remain valid. This is the case also for the basic connection between the validity
of a formula in a state sequence and the acceptance of the state sequence by a transition
graph which is correct wrt to the formula. By utilizing the validity check in the empty
sequence as a test for finality of graph nodes, that connection could be tightened to
definitive acceptance and strong correctness.
Of course, many other basic logical laws also still hold. It might be interesting to adapt
known axiomatizations of temporal logic to our extended and modified semantics.
We have derived algorithmic schemes for monitoring dynamic database integrity constraints, in particular for monitoring existence-restricted constraints which refer to the
(usually finite) existence intervals of objects only. Constraints are expressed by temporal
formulae from which strongly correct transition graphs are constructed. If we additionally assume that the graphs have already been reduced in the sense of [Sa91] (parts not
leading to final nodes are erased), then all remaining node labels must be satisfiable in
finite state sequences, and every constraint violation can be detected even at the earliest
possible moment.
An important practical alternative to universal runtime monitor schemes like those above
lies in the transformation of constraints into transaction specifications already at database
design time. In [Li88, Li90] we have given general transformation rules for dynamic
constraints: the stepwise processing of a transition graph can be coded into the pre/postconditions of transactions if the current markings are maintained by all transactions on
the database. Since this additional information represents situations in object life cycles
(wrt constraints), it can be interpreted by users.
Given existence-restricted constraints and insertion/deletion transactions, such transformation rules can be spezialized so that resulting specifications get more simplified.
Insertions, of course, have to to check the edges starting from the initial node, whereas
deletions may be executed only when the marking is a final node already; the latter
requirement leads to an additional precondition. The development of these new rules
14
for different kinds of transactions, which may involve several insertions and deletions in
combination, is part of our current research. Besides that, our group is implementing
graph constructions based on the theory above as well as transformation rules within an
integrity-centered environment for database design [ICE90].
Acknowledgement
The authors wish to thank Stefan Braß who asked us about the relationship between final nodes
and empty tail sequences. We are especially grateful to Gunter Saake for our former cooperation
and many fruitful discussions on the subject.
References
[CaCF82]
Castilho, J.M.V.de, Casanova, M.A., and Furtado, A.L.: A Temporal Framework for Database Specification. Proc. Int. Conf. on Very Large Databases,
Mexico 1982, 280–291.
[CaS87]
Carmo, J. and Sernadas, A.: A Temporal Framework for a Layered Approach to Systems Specification and Verification. Proc. IFIP Work. Conf.
on Temporal Aspects in Information Systems (C.Rolland et al., eds.), NorthHolland Publ.Co., Amsterdam 1987, 31–46.
[ClES86]
Clarke, E.M., Emerson, E.A., and Sistla, A.P.: Automatic Verification of
Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM
Trans. on Programming Languages and Systems, Vol. 8 (1986), 244–263.
[EhLG84]
Ehrich, H.-D., Lipeck, U.W., and Gogolla, M.: Specification, Semantics, and
Enforcement of Dynamic Database Constraints. Proc. Int. Conf. on Very
Large Databases, Singapore 1984, 301–308.
[FiS88]
Fiadeiro, J. and Sernadas, A.: Specification and Verification of Database
Dynamics. Acta Informatica, Vol. 25 (1988), 625–661.
[HüS91]
Hülsmann, K. and Saake, G.: Theoretical Foundations of Handling Large
Substitution Sets in Temporal Integrity Monitoring. Acta Informatica,
Vol. 28 (1991), 365–407.
[ICE90]
Projektgruppe ICE: Werkzeuge für den integritätszentrierten Entwurf von
Datenbank-Anwendungssystemen (Tools for the Integrity-Centered Design
of Database Application Systems). Internal Report, Fachbereich Informatik,
Universität Dortmund 1990.
[ISO82]
ISO/TC97/SC5/WG3 (J.J.van Griethuysen, ed.): Concepts and Terminology for the Conceptual Schema and the Information Base. 1982.
[Kr87]
Kröger, F.: Temporal Logic of Programs. Springer–Verlag, Berlin 1987.
[Ku84]
Kung, C.H.: A Temporal Framework for Database Specification and Verification. Proc. Int. Conf. on Very Large Databases, Singapore 1984, 91–99.
15
[LiEG85]
Lipeck, U.W., Ehrich, H.-D., and Gogolla,M: Specifying Admissibility of Dynamic Database Behaviour Using Temporal Logic. Proc. IFIP Work. Conf.
on Theoretical and Formal Aspects of Information Systems (A.Sernadas et
al., eds.), North-Holland Publ.Co., Amsterdam 1985, 145–157.
[LiS87]
Lipeck, U.W. and Saake, G.: Monitoring Dynamic Integrity Constraints
Based on Temporal Logic. Information Systems, Vol. 12 (1987), 255–269.
[LiF88]
Lipeck, U.W. and Feng, D.: Construction of Deterministic Transition
Graphs from Dynamic Integrity Constraints. Proc. 14th Int. Workshop on
Graph-Theoretic Concepts in Computer Science (J.v.Leeuwen, ed.), LNCS
344, Springer–Verlag, Berlin 1988, 166–179.
[Li88]
Lipeck, U.W.: Zur dynamischen Integrität von Datenbanken: Grundlagen der Spezifikation und Überwachung (Dynamic Database Integrity:
Foundations of Specification and Monitoring). Informatik-Fachbericht 209,
Springer–Verlag, Berlin 1989 (original version: Habilitation Thesis,
Techn. Univ. Braunschweig 1988).
[Li90]
Lipeck, U.W.: Transformation of Dynamic Integrity Constraints into Transaction Specifications. Theoretical Computer Science, Vol. 76 (1990), 115–142
[MaP81]
Manna, Z. and Pnueli, A.: Verification of Concurrent Programs: The
Temporal Framework. The Correctness Problem in Computer Science
(R.S.Boyer, J.S.Moore, eds.), Academic Press, London 1981, 215–273.
[MaW84]
Manna, Z. and Wolper, P.: Synthesis of Communicating Processes from
Temporal Logic Specifications. ACM Transactions on Programming Languages and Systems, Vol. 6 (1984), 68–93.
[Sa88]
Saake, G.: Spezifikation, Semantik und Überwachung von Objektlebensläufen
in Datenbanken (Specification, Semantics, and Monitoring of Object Life Cycles in Databases). Doctoral Thesis, Informatik, Techn. Univ. Braunschweig
1988.
[SaL89]
Saake, G. and Lipeck, U.W.: Using Finite-Linear Temporal Logic for Specifying Database Dynamics. Proc. 2nd Workshop on Computer Science Logic
(E.Börger et al., eds.), LNCS 385, Springer-Verlag, Berlin 1989, 288–300.
[Sa91]
Saake, G.: Descriptive Specification of Database Object Behaviour. Data &
Knowledge Engineering, Vol. 6 (1991), 47–73.
[Se80]
Sernadas, A.: Temporal Aspects of Logical Procedure Definition. Information Systems, Vol. 5 (1980), 167–187.
[Wo83]
Wolper, P.: Temporal Logic Can Be More Expressive. Information and Control, Vol. 56 (1983), 72–99.
16