safety checking for domain relational calculus queries
play

Safety Checking for Domain Relational Calculus Queries Using Alloy - PowerPoint PPT Presentation

M asters Project Safety Checking for Domain Relational Calculus Queries Using Alloy Analyzer Abhabongse Plane Janthong Department of Computer Science, University of California, Santa Barbara CREATED AND EDITABLE USING IPE (


  1. Database queries Query: the process of fetching the stored data from the database. Example 1. All students and their year of birth who were born strictly before 1995. Example of SQL query : SELECT Name, BirthYear FROM PersonalData WHERE BirthYear < 1995 PersonalData For example, PersonalData ( ‘ Alice ’ , 1994 ) is true, Example of Domain Relational Calculus ( drc ) query : whereas PersonalData ( ‘ Bob ’ , 1993 ) is false. Name BirthYear PersonalData Qery Result ‘ Alice ’ 1994 Q before 1995 = { name , year ∣ PersonalData ( name , year ) ∧ ( year < 1995 )} ‘ Bob ’ 1995 Name BirthYear Name BirthYear ‘ Carol ’ 1994 ‘ Alice ’ ‘ Alice ’ 1994 1994 ‘ David ’ 1993 � Use set comprehension notation, in first-order logic. ‘ Bob ’ ‘ Carol ’ 1995 1994 ‘ Carol ’ ‘ David ’ 1994 1993 � Identifiers always represent scalar values. ‘ David ’ 1993 � Table names: predicate to indicate whether a specified tuple exists in such table. 4 I SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  2. Database queries Query: the process of fetching the stored data from the database. Example 1. All students and their year of birth who were born strictly before 1995. Example of SQL query : SELECT Name, BirthYear FROM PersonalData WHERE BirthYear < 1995 Example of Domain Relational Calculus ( drc ) query : PersonalData Qery Result Q before 1995 = { name , year ∣ PersonalData ( name , year ) ∧ ( year < 1995 )} Name BirthYear Name BirthYear ‘ Alice ’ ‘ Alice ’ 1994 1994 � Use set comprehension notation, in first-order logic. ‘ Bob ’ ‘ Carol ’ 1995 1994 ‘ Carol ’ ‘ David ’ 1994 1993 � Identifiers always represent scalar values. * ‘ David ’ There are other variant of Relational Calculus, 1993 namely Tuple Relational Calculus . � Table names: predicate to indicate whether a specified tuple exists in such table. Other types of queries include Datalog, etc. 4 J SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  3. More examples of drc queries Example 2. All friends of Bob. Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} 5 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  4. More examples of drc queries Example 2. All friends of Bob. Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} Example 3. All pairs of students who share a common friend. Q friend of friend = { x , y ∣ ( x < y ) ∧ ∃ z [( Friendship ( x , z ) ∨ Friendship ( z , x )) ∧ ( Friendship ( y , z ) ∨ Friendship ( z , y ))]} 5 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  5. More examples of drc queries Example 2. All friends of Bob. Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} Example 3. All pairs of students who share a common friend. Q friend of friend = { x , y ∣ ( x < y ) ∧ ∃ z [( Friendship ( x , z ) ∨ Friendship ( z , x )) ∧ ( Friendship ( y , z ) ∨ Friendship ( z , y ))]} * Notice that identifiers do not have explicit domain in the query. Is this okay? 5 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  6. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? 6 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  7. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always 6 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  8. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } 6 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  9. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } Mathematically speaking, we cannot determine the result if the domain is not established . 6 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  10. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } Mathematically speaking, we cannot determine the result if the domain is not established . � If the domain of year is a set of integers , then ( ‘ Alice ’ , -80 ) is part of the result. 6 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  11. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } Mathematically speaking, we cannot determine the result if the domain is not established . � If the domain of year is a set of integers , then ( ‘ Alice ’ , -80 ) is part of the result. � If the domain of year is a set of positive integers , then ( ‘ Alice ’ , -80 ) is not part of the result. c ounterexample 6 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  12. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } Mathematically speaking, we cannot determine the result if the domain is not established . � If the domain of year is a set of integers , then ( ‘ Alice ’ , -80 ) is part of the result. � If the domain of year is a set of positive integers , then ( ‘ Alice ’ , -80 ) is not part of the result. c ounterexample 6 G SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  13. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } Mathematically speaking, we cannot determine the result if the domain is not established . Other way to look at this: it queries for data that might not be bounded by the database . � If the domain of year is a set of integers , then ( ‘ Alice ’ , -80 ) is part of the result. � If the domain of year is a set of positive integers , then ( ‘ Alice ’ , -80 ) is not part of the result. c ounterexample 6 H SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  14. Domain in drc queries Is it fine that identifiers in drc query do not have explicit domain ? not always Example 1. All students and their year of birth who were born strictly before 1995. Q ∗ before 1995 = { name , year ∣ year < 1995 } Mathematically speaking, we cannot determine the result if the domain is not established . Other way to look at this: it queries for data that might not be bounded by the database . � If the domain of year is a set of integers , then ( ‘ Alice ’ , -80 ) is part of the result. � If the domain of year is a set of positive integers , then ( ‘ Alice ’ , -80 ) is not part of the result. Or even: the result is infinite , which implies that the result depends on the domain. c ounterexample 6 I SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  15. Domain-independency (safety) A drc query is domain-independent if the result of the query depends on only the data in the database and not on the domain set . 7 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  16. Domain-independency (safety) A drc query is domain-independent if the result of the query depends on only the data in the database and not on the domain set . Q before 1995 = { name , year ∣ PersonalData ( name , year ) ∧ ( year < 1995 )} Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} Q friend of friend = { x , y ∣ ( x < y ) ∧ ∃ z [( Friendship ( x , z ) ∨ Friendship ( z , x )) ∧ ( Friendship ( y , z ) ∨ Friendship ( z , y ))]} Q ∗ before 1995 = { name , year ∣ year < 1995 } 7 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  17. Domain-independency (safety) A drc query is domain-independent if the result of the query depends on only the data in the database and not on the domain set . ⎧ ⎪ ⎪ Q before 1995 = { name , year ∣ PersonalData ( name , year ) ∧ ( year < 1995 )} ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} ⎪ ⎨ safe ⎪ ⎪ ⎪ Q friend of friend = { x , y ∣ ( x < y ) ∧ ∃ z [( Friendship ( x , z ) ∨ Friendship ( z , x )) ⎪ ⎪ ⎪ ⎪ ∧ ( Friendship ( y , z ) ∨ Friendship ( z , y ))]} ⎪ ⎪ ⎩ Q ∗ before 1995 = { name , year ∣ year < 1995 } 7 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  18. Domain-independency (safety) A drc query is domain-independent if the result of the query depends on only the data in the database and not on the domain set . ⎧ ⎪ ⎪ Q before 1995 = { name , year ∣ PersonalData ( name , year ) ∧ ( year < 1995 )} ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} ⎪ ⎨ safe ⎪ ⎪ ⎪ Q friend of friend = { x , y ∣ ( x < y ) ∧ ∃ z [( Friendship ( x , z ) ∨ Friendship ( z , x )) ⎪ ⎪ ⎪ ⎪ ∧ ( Friendship ( y , z ) ∨ Friendship ( z , y ))]} ⎪ ⎪ ⎩ Q ∗ unsafe before 1995 = { name , year ∣ year < 1995 } 7 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  19. Domain-independency (safety) A drc query is domain-independent if the result of the query depends on only the data in the database and not on the domain set . ⎧ ⎪ ⎪ Q before 1995 = { name , year ∣ PersonalData ( name , year ) ∧ ( year < 1995 )} ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ Q Bob’s friend = { name ∣ Friendship ( name , ‘ Bob ’ ) ∨ Friendship ( ‘ Bob ’ , name )} ⎪ ⎨ safe ⎪ ⎪ ⎪ Q friend of friend = { x , y ∣ ( x < y ) ∧ ∃ z [( Friendship ( x , z ) ∨ Friendship ( z , x )) ⎪ ⎪ ⎪ ⎪ ∧ ( Friendship ( y , z ) ∨ Friendship ( z , y ))]} ⎪ ⎪ ⎩ Q ∗ unsafe before 1995 = { name , year ∣ year < 1995 } ...and more ... 7 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  20. More example of drc unsafe query We have the database table Example 4. People who do not follow Alice. Follows ( fan , idol ) representing the fact that fan is following idol on a social network. 8 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  21. More example of drc unsafe query We have the database table Example 4. People who do not follow Alice. Follows ( fan , idol ) representing the fact that fan is following idol on a social network. Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 8 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  22. More example of drc unsafe query We have the database table Example 4. People who do not follow Alice. Follows ( fan , idol ) representing the fact that fan is following idol on a social network. Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Suppose that D 1 , D 2 are distinct domain sets such that D 2 = D 1 ∪ { c } where Follows ( c , ‘ Alice ’ ) is false . Then, 8 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  23. More example of drc unsafe query We have the database table Example 4. People who do not follow Alice. Follows ( fan , idol ) representing the fact that fan is following idol on a social network. Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Suppose that D 1 , D 2 are distinct domain sets such that D 2 = D 1 ∪ { c } where Follows ( c , ‘ Alice ’ ) is false . Then, � Result of the query under D 1 does not contain ( c ) . 8 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  24. More example of drc unsafe query We have the database table Example 4. People who do not follow Alice. Follows ( fan , idol ) representing the fact that fan is following idol on a social network. Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Suppose that D 1 , D 2 are distinct domain sets such that D 2 = D 1 ∪ { c } where Follows ( c , ‘ Alice ’ ) is false . Then, � Result of the query under D 1 does not contain ( c ) . � Result of the query under D 2 contains ( c ) . 8 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  25. More example of drc unsafe query We have the database table Example 4. People who do not follow Alice. Follows ( fan , idol ) representing the fact that fan is following idol on a social network. Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} unsafe Suppose that D 1 , D 2 are distinct domain sets such that D 2 = D 1 ∪ { c } where Follows ( c , ‘ Alice ’ ) is false . Then, c ounterexample � Result of the query under D 1 does not contain ( c ) . � Result of the query under D 2 contains ( c ) . 8 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  26. Even more examples of drc unsafe queries Example 5. Set of pairs of people such that the first person follows Alice or the second person follows Bob. Q weird pairing = { x , y ∣ Follows ( x , ‘ Alice ’ ) ∨ Follows ( y , ‘ Bob ’ )} 9 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  27. Even more examples of drc unsafe queries Example 5. Set of pairs of people such that the first person follows Alice or the second person follows Bob. Q weird pairing = { x , y ∣ Follows ( x , ‘ Alice ’ ) ∨ Follows ( y , ‘ Bob ’ )} As long as there is a person y following Bob, then ( x , y ) would be in the result for ev ery x in the domain. c ounterexample 9 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  28. Even more examples of drc unsafe queries Example 5. Set of pairs of people such that the first person follows Alice or the second person follows Bob. Q weird pairing = { x , y ∣ Follows ( x , ‘ Alice ’ ) ∨ Follows ( y , ‘ Bob ’ )} unsafe As long as there is a person y following Bob, then ( x , y ) would be in the result for ev ery x in the domain. Example 6. People who follows everyone. c ounterexample Q follows all = { x ∣ ∀ y [ Follows ( x , y )]} 9 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  29. Even more examples of drc unsafe queries Example 5. Set of pairs of people such that the first person follows Alice or the second person follows Bob. Q weird pairing = { x , y ∣ Follows ( x , ‘ Alice ’ ) ∨ Follows ( y , ‘ Bob ’ )} unsafe As long as there is a person y following Bob, then ( x , y ) would be in the result for ev ery x in the domain. Example 6. People who follows everyone. c ounterexample Q follows all = { x ∣ ∀ y [ Follows ( x , y )]} If the result is not empty under some particular domain, then adding an alien to the domain will make counterexample the result empty. 9 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  30. Even more examples of drc unsafe queries Example 5. Set of pairs of people such that the first person follows Alice or the second person follows Bob. Q weird pairing = { x , y ∣ Follows ( x , ‘ Alice ’ ) ∨ Follows ( y , ‘ Bob ’ )} unsafe As long as there is a person y following Bob, then ( x , y ) would be in the result for ev ery x in the domain. Example 6. People who follows everyone. c ounterexample Q follows all = { x ∣ ∀ y [ Follows ( x , y )]} unsafe If the result is not empty under some particular domain, then adding an alien to the domain will make The result of query in Example 6 is guaranteed to be bounded even if the domain was infinite, but counterexample the result empty. regardless of that, it is still domain-dependent (unsafe) . 9 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  31. 2 main problem Formulation of main verification problem and introducing the main verification tool. 10 SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  32. Main problem Suppose that we have a database schema and a drc query of the form Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� boolean expression 11 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  33. Main problem Suppose that we have a database schema and a drc query of the form We will get into the structure of Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� the boolean expression P later. boolean expression 11 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  34. Main problem Suppose that we have a database schema and a drc query of the form We will get into the structure of Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� the boolean expression P later. boolean expression To verify that query Q is safe , we check that 11 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  35. Main problem Suppose that we have a database schema and a drc query of the form We will get into the structure of Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� the boolean expression P later. boolean expression To verify that query Q is safe , we check that � for ev ery pair of domain sets D 1 and D 2 , and � for every database instance under the schema (which is also valid under both domains D 1 and D 2 ) 11 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  36. Main problem Suppose that we have a database schema and a drc query of the form We will get into the structure of Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� the boolean expression P later. boolean expression To verify that query Q is safe , we check that � for ev ery pair of domain sets D 1 and D 2 , and � for every database instance under the schema (which is also valid under both domains D 1 and D 2 ) Then, the result of the query under the assumption of domain D 1 (denoted Q [ D 1 ] ) is equal to that under the assumption of domain D 2 (denoted Q [ D 2 ] ) . 11 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  37. Main problem Suppose that we have a database schema and a drc query of the form We will get into the structure of Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� the boolean expression P later. boolean expression To verify that query Q is safe , we check that � for ev ery pair of domain sets D 1 and D 2 , and � for every database instance under the schema (which is also valid under both domains D 1 and D 2 ) Then, the result of the query under the assumption of domain D 1 (denoted Q [ D 1 ] ) is equal to that under the assumption of domain D 2 (denoted Q [ D 2 ] ) . i.e., the result is always the same, Q [ D 1 ] = Q [ D 2 ] , for any pairs of domains D 1 and D 2 . 11 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  38. Main problem Suppose that we have a database schema and a drc query of the form We will get into the structure of Q = { x 1 , x 2 , . . . , x m ∣ P ( x 1 , x 2 , . . . , x m ) } ���������������������������������������������������������������������������������������������������� the boolean expression P later. boolean expression To verify that query Q is safe , we check that � for ev ery pair of domain sets D 1 and D 2 , and � for every database instance under the schema (which is also valid under both domains D 1 and D 2 ) Then, the result of the query under the assumption of domain D 1 (denoted Q [ D 1 ] ) is equal to that under the assumption of domain D 2 (denoted Q [ D 2 ] ) . i.e., the result is always the same, Q [ D 1 ] = Q [ D 2 ] , for any pairs of domains D 1 and D 2 . We can model all of this in Alloy. 11 G SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  39. What is Alloy Analyzer? Alloy Analyzer is a tool for modeling objects with specifications regarding their related structure , and formally verifying whether some properties hold for such objects based on some other pre-assumed properties. 12 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  40. What is Alloy Analyzer? Alloy Analyzer is a tool for modeling objects with specifications regarding their related structure , and formally verifying whether some properties hold for such objects based on some other pre-assumed properties. Model signature definitions 12 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  41. What is Alloy Analyzer? Alloy Analyzer is a tool for modeling objects with specifications regarding their related structure , and formally verifying whether some properties hold for such objects based on some other pre-assumed properties. Model signature definitions Assumed facts or properties 12 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  42. What is Alloy Analyzer? Alloy Analyzer is a tool for modeling objects with specifications regarding their related structure , and formally verifying whether some properties hold for such objects based on some other pre-assumed properties. ? Model signature definitions Target asserted property Assumed facts or properties 12 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  43. What is Alloy Analyzer? Alloy Analyzer is a tool for modeling objects with specifications regarding their related structure , and formally verifying whether some properties hold for such objects based on some other pre-assumed properties. ? Model signature definitions Target asserted property Assumed facts or properties Actually, Alloy Analyzer will attempt to find a counterexample to the asserted property. * If Alloy does not find a counterexample, it does not mean that the asserted property is true. 12 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  44. What is Alloy Analyzer? Alloy Analyzer is a tool for modeling objects with specifications regarding their related structure , and formally verifying whether some properties hold for such objects based on some other pre-assumed properties. ? Model signature definitions Target asserted property Assumed facts or properties Actually, Alloy Analyzer will attempt to find a counterexample to the asserted property. The tool was developed by Daniel Jackson and his team at * If Alloy does not find a counterexample, the Massachusetts Institute of it does not mean that the asserted property Technology ( mit ). is true. http://alloy.mit.edu/ 12 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  45. Task summary Coming up next ... For a given database tables R 1 , . . . , R k and a given drc query Q , 13 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  46. Task summary Coming up next ... For a given database tables R 1 , . . . , R k and a given drc query Q , � we provide a method to translate the tables into Alloy model signature 13 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  47. Task summary Coming up next ... For a given database tables R 1 , . . . , R k and a given drc query Q , � we provide a method to translate the tables into Alloy model signature � and the query into an Alloy function . 13 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  48. Task summary Coming up next ... For a given database tables R 1 , . . . , R k and a given drc query Q , � we provide a method to translate the tables into Alloy model signature � and the query into an Alloy function . We also provide additional components to set-up the verification task in Alloy to determine whether the given query is safe or not. 13 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  49. Task summary Coming up next ... For a given database tables R 1 , . . . , R k and a given drc query Q , � we provide a method to translate the tables into Alloy model signature � and the query into an Alloy function . We also provide additional components to set-up the verification task in Alloy to determine whether the given query is safe or not. Additional components include � model signatures for domain sets , scalar values , and optional query result � and safety assertion statement for the query. 13 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  50. Task summary Coming up next ... For a given database tables R 1 , . . . , R k and a given drc query Q , � we provide a method to translate the tables into Alloy model signature 2 � and the query into an Alloy function . 3 We also provide additional components to set-up the verification task in Alloy to determine whether the given query is safe or not. Additional components include 5 1 � model signatures for domain sets , scalar values , and optional query result � and safety assertion statement for the query. 4 13 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  51. 3.1 translation to alloy model Example 4. People who do not follow Alice. Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} We demonstrate how to translate database schema and drc queries into Alloy syntax with an example. 14 SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  52. Example 4. People who do not follow Alice. Domain sets and scalar values 1 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 15 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  53. Example 4. People who do not follow Alice. Domain sets and scalar values 1 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 1 sig Superparticle {} { 2 Superparticle = Universe . Element 3 } 4 abstract sig Universe { Element : some Superparticle } 5 one sig UniverseAlpha , UniverseBeta extends Universe {} 6 7 8 some sig Particle in Superparticle {} { 9 Particle = UniverseAlpha . Element & UniverseBeta . Element 10 } This definition is always static for all verification tasks . We need to be able to consider different domain sets in order to ultimately determine if a query is domain-dependent . 15 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  54. Example 4. People who do not follow Alice. Domain sets and scalar values 1 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} a set of all possible scalar values across all 1 sig Superparticle {} { domains 2 Superparticle = Universe . Element 3 } 4 a collection of e xactly two domain sets abstract sig Universe { Element : some Superparticle } 5 1 st domain one sig UniverseAlpha , UniverseBeta extends Universe {} 6 2 nd domain 7 8 some sig Particle in Superparticle {} { 9 Particle = UniverseAlpha . Element & UniverseBeta . Element a set of scalar values allowed in the actual 10 } database instances This definition is always static for all verification tasks . We need to be able to consider different domain sets in order to ultimately determine if a query is domain-dependent . 15 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  55. Example 4. People who do not follow Alice. Domain sets and scalar values 1 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} fact: each Superparticle must belong to at 1 sig Superparticle {} { least one universe 2 Superparticle = Universe . Element 3 } 4 the field of Universe representing the abstract sig Universe { Element : some Superparticle } 5 subset of Superparticle one sig UniverseAlpha , UniverseBeta extends Universe {} 6 7 8 some sig Particle in Superparticle {} { fact: Particle is the intersection of both 9 Particle = UniverseAlpha . Element & UniverseBeta . Element universes 10 } This definition is always static for all verification tasks . We need to be able to consider different domain sets in order to ultimately determine if a query is domain-dependent . 15 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  56. Example 4. People who do not follow Alice. Database instances 2 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 16 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  57. Example 4. People who do not follow Alice. Database instances 2 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 11 one sig Table { 12 Follows : Particle -> Particle 13 } Each database table is declared as a field of the main signature Table , and the multiplicity must reflect the number of columns in the table. 16 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  58. Example 4. People who do not follow Alice. Database instances 2 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 11 one sig Table { definition of the table Follows 12 Follows : Particle -> Particle with 2 columns 13 } Each database table is declared as a field of the main signature Table , and the multiplicity must reflect the number of columns in the table. 16 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  59. Example 4. People who do not follow Alice. Database instances 2 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 11 one sig Table { 12 Follows : Particle -> Particle , hypothetical! 13 User : set Particle /* assume we have another table */ 14 } Each database table is declared as a field of the main signature Table , and the multiplicity must reflect the number of columns in the table. � If there is more than 1 table in the schema, then the field signature of each table must be separated by comma. 16 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  60. Example 4. People who do not follow Alice. Database instances 2 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 11 one sig Table { 12 Follows : Particle -> Particle , hypothetical! 13 User : set Particle /* assume we have another table */ 14 } Each database table is declared as a field of the main signature Table , and the multiplicity must reflect the number of columns in the table. � If there is more than 1 table in the schema, then the field signature of each table must be separated by comma. � If the table has exactly 1 column , then the field signature is set Particle . Otherwise, it is the keyword Particle repeated with the number of times equal to the number of columns, separated by -> . 16 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  61. Example 4. People who do not follow Alice. Database instances 2 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 11 one sig Table { 12 Follows : Particle -> Particle 13 } Each database table is declared as a field of the main signature Table , and the multiplicity must reflect the number of columns in the table. � If there is more than 1 table in the schema, then the field signature of each table must be separated by comma. � If the table has exactly 1 column , then the field signature is set Particle . Otherwise, it is the keyword Particle repeated with the number of times equal to the number of columns, separated by -> . 16 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  62. Example 4. People who do not follow Alice. Query function 3 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 17 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  63. Example 4. People who do not follow Alice. Query function 3 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 14 one sig Constant { 15 Alice : Particle 16 } the input to the query function in Alloy is 17 the domain set fun query[u : Universe] : set Superparticle { 18 { x : u . Element | not (x -> Constant . Alice in Table . Follows) } 19 20 } 17 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  64. Example 4. People who do not follow Alice. Query function 3 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} * Non-highlighted codes are always static for all verification tasks . 14 one sig Constant { 15 Alice : Particle definition of constant appeared in query 16 } 17 output signature (same format as table’s fun query[u : Universe] : set Superparticle { field signature) 18 { x : u . Element | not (x -> Constant . Alice in Table . Follows) } 19 boolean expression 20 } all identifiers separated by commas The translation of b oolean expression is mostly straightforward. 17 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  65. Example 4. People who do not follow Alice. Query function 3 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 14 one sig Constant { 15 Alice : Particle 16 } 17 fun query[u : Universe] : set Superparticle { 18 { x : u . Element | not (x -> Constant . Alice in Table . Follows) } 19 20 } The translation of b oolean expression is mostly straightforward. � For a conjunction ( ∧ ), a disjunction ( ∨ ), a negation ( ¬ ), a conditional ( ⇒ ), a bi-conditional ( ⇔ ), or a universal ( ∀ ) or existential ( ∃ ) quantification of other boolean expressions ; the translation propagates down the expression tree. 17 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  66. Example 4. People who do not follow Alice. Query function 3 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 14 one sig Constant { 15 Alice : Particle 16 } 17 fun query[u : Universe] : set Superparticle { 18 { x : u . Element | not (x -> Constant . Alice in Table . Follows) } 19 20 } The translation of b oolean expression is mostly straightforward. � For a conjunction ( ∧ ), a disjunction ( ∨ ), a negation ( ¬ ), a conditional ( ⇒ ), a bi-conditional ( ⇔ ), or a universal ( ∀ ) or existential ( ∃ ) quantification of other boolean expressions ; the translation propagates down the expression tree. � For a boolean predicate in terms of table name ; the tuple is constructed using arrow products ( -> ), and the set member operation ( in ) checks if the tuple belongs to the specified table. 17 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  67. Query function � Translating boolean expression 3 TranslateBooleanExp ( P ) : 1 if P is a table-name predicate T ( x 1 , x 2 , . . . , x m ) : 2 return "${ x 1 } → ${ x 2 } → . . . → ${ x m } in Table.${ T }" 3 else if P is the equality predicate x 1 = x 2 : 4 return "(${ x 1 } = ${ x 2 })" 5 else if P has the form ¬ Q : 6 return "(not ${TranslateBooleanExp( Q )})" 7 else if P has the form Q ∨ R : 8 return "(${TranslateBooleanExp( Q )} or ${TranslateBooleanExp( R )})" 9 else if P has the form Q ∧ R : 10 return "(${TranslateBooleanExp( Q )} and ${TranslateBooleanExp( R )})" 11 else if P has the form Q ⇒ R : 12 return "(${TranslateBooleanExp( Q )} implies ${TranslateBooleanExp( R )})" 13 else if P has the form Q ⇔ R : 14 return "(${TranslateBooleanExp( Q )} iff ${TranslateBooleanExp( R )})" 15 else if P has the form ∃ y [ Q ] : 16 return "(some ${ y }: u.Element | ${TranslateBooleanExp( Q )})" 17 else if P has the form ∀ y [ Q ] : 18 return "(all ${ y }: u.Element | ${TranslateBooleanExp( Q )})" 19 18 SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  68. Example 4. People who do not follow Alice. Safety verification for query 4 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 19 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  69. Example 4. People who do not follow Alice. Safety verification for query 4 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 21 assert queryIsSafe { 22 all u , u’ : Universe | query[u] = query[u’] 23 } 24 check queryIsSafe for 4 This definition is always static for all verification tasks . 19 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  70. Example 4. People who do not follow Alice. Safety verification for query 4 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 21 assert queryIsSafe { 22 all u , u’ : Universe | query[u] = query[u’] 23 } 24 check queryIsSafe for 4 upper limit of number of objects This definition is always static for all verification tasks . � Except for the upper limit of the number of object of each model to be constructed by Alloy Analyzer while looking for counterexample. 19 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  71. Example 4. People who do not follow Alice. Safety verification for query 4 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 21 assert queryIsSafe { 22 all u , u’ : Universe | query[u] = query[u’] 23 } 24 check queryIsSafe for 4 This definition is always static for all verification tasks . � Except for the upper limit of the number of object of each model to be constructed by Alloy Analyzer while looking for counterexample. All of the Alloy codes up to this point is sufficient for the verification. � Unless the visualization of the counterexample is wanted. 19 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  72. Example 4. People who do not follow Alice. Optional results placeholder 5 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 20 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  73. Example 4. People who do not follow Alice. Optional results placeholder 5 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 25 abstract sig Result { 26 Output : set Superparticle 27 } 28 one sig ResultAlpha , ResultBeta extends Result {} { ResultAlpha . @Output = query[UniverseAlpha] 29 ResultBeta . @Output = query[UniverseBeta] 30 31 } This definition is always static for all verification tasks . 20 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  74. Example 4. People who do not follow Alice. Optional results placeholder 5 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 25 abstract sig Result { 26 Output : set Superparticle output signature of the result 27 } 28 one sig ResultAlpha , ResultBeta extends Result {} { ResultAlpha . @Output = query[UniverseAlpha] 29 ResultBeta . @Output = query[UniverseBeta] 30 31 } This definition is always static for all verification tasks . � Except for the signature fo the Output field of the query Result object, which will be exactly the same as the output signature of the Alloy function query . 3 20 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  75. Example 4. People who do not follow Alice. Optional results placeholder 5 Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 25 abstract sig Result { 26 Output : set Superparticle 27 } 28 one sig ResultAlpha , ResultBeta extends Result {} { fact: the output for each case of a domain ResultAlpha . @Output = query[UniverseAlpha] 29 set is binded to the result of the query ResultBeta . @Output = query[UniverseBeta] 30 under that domain 31 } This definition is always static for all verification tasks . � Except for the signature fo the Output field of the query Result object, which will be exactly the same as the output signature of the Alloy function query . 3 The output is binded to the query result when the domain is applied. 20 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  76. Example 4. People who do not follow Alice. Summarized Alloy code � Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} 1 /* Scalar values */ 24 /* Lists all people who are not following Alice */ sig Superparticle {} { fun query[u : Universe] : set Superparticle { 2 25 3 Superparticle = Universe . Element 26 { x : u . Element | not (x -> Constant . Alice in Table . Follows) } 4 } 27 } 5 28 6 /* Domains */ 29 /* Safety assertion */ 7 abstract sig Universe { Element : some Superparticle } 30 assert queryIsSafe { 8 one sig UniverseAlpha , UniverseBeta extends Universe {} 31 all u , u’ : Universe | query[u] = query[u’] 9 32 } 10 /* Common domain */ 33 11 some sig Particle in Superparticle {} { 34 /* Results placeholder */ 12 Particle = UniverseAlpha . Element & UniverseBeta . Element 35 abstract sig Result { 13 } 36 Output : set Superparticle 14 37 } 15 /* Database Instance */ 38 one sig ResultAlpha , ResultBeta extends Result {} { one sig Table { ResultAlpha . @Output = query[UniverseAlpha] 16 39 17 Follows : Particle -> Particle 40 ResultBeta . @Output = query[UniverseBeta] 18 } 41 } 19 42 20 /* Constant Values */ 43 /* Invoke the verification on the assertion */ 21 one sig Constant { 44 check queryIsSafe for 4 Alice : Particle 22 23 } 21 SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  77. Example 4. People who do not follow Alice. Verification outcome | Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Once the code is run, Alloy Analyzer finds a counterexample . 22 A SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  78. Example 4. People who do not follow Alice. Verification outcome | Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Once the code is run, Alloy Analyzer finds a counterexample . ResultAlpha UniverseAlpha UniverseBeta ResultBeta Output Element Element Element Superparticle0 Element Superparticle1 Element Follows Superparticle2 Follows (Alice) 22 B SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  79. Example 4. People who do not follow Alice. Verification outcome | Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Once the code is run, Alloy Analyzer finds a counterexample . ResultAlpha UniverseAlpha UniverseBeta ResultBeta Output Element Element Element Superparticle0 Element Superparticle1 Element Follows Particles Superparticle2 Follows (Alice) 22 C SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  80. Example 4. People who do not follow Alice. Verification outcome | Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Once the code is run, Alloy Analyzer finds a counterexample . ResultAlpha UniverseAlpha UniverseBeta ResultBeta Output Element Element Element Superparticle0 Element Superparticle1 Element Follows Superparticle2 Follows (Alice) 22 D SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  81. Example 4. People who do not follow Alice. Verification outcome | Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Once the code is run, Alloy Analyzer finds a counterexample . ResultAlpha UniverseAlpha UniverseAlpha has 3 elements: Superparticle0 , Superparticle1 , and Output Element Element Superparticle2 (a.k.a Alice ). Superparticle0 is the only person not Superparticle0 Element Superparticle1 following Alice so it is the only person in the output. Follows Superparticle2 Follows (Alice) 22 E SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

  82. Example 4. People who do not follow Alice. Verification outcome | Q not following Alice = { x ∣ ¬ Follows ( x , ‘ Alice ’ )} Once the code is run, Alloy Analyzer finds a counterexample . UniverseBeta has only 2 elements: UniverseBeta ResultBeta Superparticle1 and Element Superparticle2 (or Alice ). Both are following Alice so the Superparticle1 Element result is empty . Follows Superparticle2 Follows (Alice) 22 F SAFETY CHECKING FOR DRC QUERIES USING ALLOY ANALYZER | ABHABONGSE JANTHONG

Recommend


More recommend