Verification of Data-Aware Processes
Boundaries of Decidability: Positive Results
Diego Calvanese, Marco Montali
Research Centre for Knowledge and Data (KRDB), Free University of Bozen-Bolzano, Italy
29th European Summer School in Logic, Language, and Information (ESSLLI 2017), Toulouse, France, 17–28 July 2017
Bisimulations Weaker Bisimulations Towards Decidability Infinite Branching Infinite Runs Decidability Results
Outline
1. Genericity and Bisimulations
2. Weaker Forms of Bisimulation
3. Towards Decidability of Verification
4. Dealing with Infinite Branching
5. Dealing with Infinite Runs
6. Decidability Results
Calvanese, Montali (FUB) Verification of Data-Aware Processes ESSLLI 2017 – 24–28/07/2017 (1/39)
Understanding and comparing DCDSs
Before moving into verification, we need to understand how to characterize the (branching) behavior induced by a DCDS. How can we compare the behaviors induced by two DCDSs? How does behavioral equivalence relate to the satisfaction of verification formulae? In the propositional case, the main tool for answering such questions is that of bisimulation.
A crash course on bisimulation
Bisimulation between propositional transition systems. Consider two propositional transition systems $A = \langle S_A, s_{A0}, prop_A, \Rightarrow_A \rangle$ and $B = \langle S_B, s_{B0}, prop_B, \Rightarrow_B \rangle$. Two states $s_A \in S_A$ and $s_B \in S_B$ are bisimilar if:
1. $s_A$ and $s_B$ are isomorphic (local condition);
2. if there exists a state $s_{A1}$ of $A$ such that $s_A \Rightarrow_A s_{A1}$, then there exists a state $s_{B1}$ of $B$ such that $s_B \Rightarrow_B s_{B1}$, and $s_{A1}$ and $s_{B1}$ are bisimilar (forth condition);
3. the other direction (back condition).
$A$ and $B$ are bisimilar if their initial states are bisimilar.
[Figure: the two transition systems $A$ and $B$, with states $s_A, s_{A1}, s_{A2}$ and $s_B, s_{B1}, s_{B2}$ matched pairwise.]
Two fundamental theorems
Consider two propositional transition systems $A$ and $B$.
Theorem. If $A$ and $B$ are bisimilar, then they satisfy exactly the same $\mu\mathcal{L}$ properties.
Intuitively, $\mu\mathcal{L}$ is not able to distinguish bisimilar transition systems.
Theorem. If $A$ and $B$ satisfy exactly the same $\mu\mathcal{L}$ properties, then they are bisimilar.
Intuitively, $\mu\mathcal{L}$ is the maximal logic that captures bisimulation.
Correspondence theorems for DCDSs
Can we lift these fundamental correspondence theorems to the case of DCDSs? In the general case, we are doomed, since relational transition systems are simply too rich. We proceed as follows:
1. We single out key properties of the RTSs induced by DCDSs.
2. We introduce suitable notions of bisimulation for the FO temporal logics introduced before.
3. We reconstruct the correspondence theorems.
Two key properties of DCDSs
We have already seen the two properties of DCDSs to exploit:
- Markovian, i.e., the next state depends only on the current state and the input.
- Based on generic queries, which do not distinguish structures that are identical modulo uniform renaming of (new) data objects.
DCDSs are generic, which implies that, modulo isomorphisms on the results of service calls, successor states are "indistinguishable" from each other.
Bisimulation between RTSs
Consider $\Upsilon_1, \Upsilon_2$ over disjoint data domains $\Delta_1, \Delta_2$, with states $S_1, S_2$. A bisimulation between $\Upsilon_1$ and $\Upsilon_2$ is a binary relation connecting pairs of states under a global bijection. In particular, $\approx \subseteq S_1 \times S_2$ is a bisimulation between $\Upsilon_1$ and $\Upsilon_2$ if there exists a bijection $h : \Delta_1 \mapsto \Delta_2$ such that $s_1 \approx s_2$ implies that:
1. $h$ induces an isomorphism between $db_1(s_1)$ and $db_2(s_2)$;
2. for each $s'_1$, if $s_1 \Rightarrow_1 s'_1$ then there is an $s'_2$ with $s_2 \Rightarrow_2 s'_2$ such that $s'_1 \approx s'_2$;
3. the other direction.
$\Upsilon_1 \approx \Upsilon_2$ if $s_{01} \approx s_{02}$.
The classical result on indistinguishability of bisimilar TSs by $\mu\mathcal{L}$ formulas extends to $\mu\mathcal{L}_{FO}$.
Theorem. If $\Upsilon_1 \approx \Upsilon_2$, then for every $\mu\mathcal{L}_{FO}$ closed formula $\Phi$, we have that $\Upsilon_1 \models \Phi$ if and only if $\Upsilon_2 \models \Phi$.
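As an added example (not from the slides), the two definitions above implemented directly: the greatest-fixpoint computation of a bisimulation between two finite transition systems (local, forth and back conditions, as for the propositional case), and the RTS version in which the local condition is that one global bijection h between the data domains maps db1(s1) onto db2(s2), found by enumerating all bijections between the (finite) domains. The transition systems, domains and facts are constructed inputs.

```python
from itertools import permutations

# A transition system is a dict: "domain", "states", "init", "succ" (state ->
# successor list) and "db" (state -> frozenset of (predicate, arg, ...) facts).

def rename(db, h):
    """Apply the domain bijection h to every constant of a database instance."""
    return frozenset((f[0],) + tuple(h[c] for c in f[1:]) for f in db)

def bisimulation(ts1, ts2, local):
    """Greatest fixpoint: start from all pairs satisfying the local condition,
    then drop pairs violating the forth or back condition until stable."""
    rel = {(s1, s2) for s1 in ts1["states"] for s2 in ts2["states"] if local(s1, s2)}
    while True:
        bad = {(s1, s2) for s1, s2 in rel if not (
            all(any((t1, t2) in rel for t2 in ts2["succ"][s2]) for t1 in ts1["succ"][s1]) and  # forth
            all(any((t1, t2) in rel for t1 in ts1["succ"][s1]) for t2 in ts2["succ"][s2]))}   # back
        if not bad:
            return rel
        rel -= bad

def bisimilar_under_bijection(ts1, ts2):
    """RTS bisimulation: find a global bijection h between the data domains under
    which the initial states are bisimilar (local condition: h maps db1(s1) onto
    db2(s2)). Returns a witnessing h, or None if no bijection works."""
    d1, d2 = sorted(ts1["domain"]), sorted(ts2["domain"])
    if len(d1) != len(d2):
        return None
    for image in permutations(d2):
        h = dict(zip(d1, image))
        local = lambda s1, s2: rename(ts1["db"][s1], h) == ts2["db"][s2]
        if (ts1["init"], ts2["init"]) in bisimulation(ts1, ts2, local):
            return h
    return None

def make_ts(domain, init, db, succ):
    return {"domain": set(domain), "states": list(db), "init": init,
            "db": {s: frozenset(f) for s, f in db.items()},
            "succ": {s: succ.get(s, []) for s in db}}

# Constructed inputs: the same behaviour over the disjoint domains {a,b} and {c,d}.
RTS1 = make_ts("ab", "s0", {"s0": {("P", "a")}, "s1": {("P", "a"), ("Q", "a", "b")}},
               {"s0": ["s1"], "s1": ["s1"]})
RTS2 = make_ts("cd", "t0", {"t0": {("P", "d")}, "t1": {("P", "d"), ("Q", "d", "c")}},
               {"t0": ["t1"], "t1": ["t1"]})
# Same instances modulo renaming, but an extra deadlocking branch out of u0:
# the back condition fails, so no bijection makes the initial states bisimilar.
RTS3 = make_ts("cd", "u0", {"u0": {("P", "d")}, "u1": {("P", "d"), ("Q", "d", "c")},
                            "u2": {("P", "d"), ("Q", "d", "c")}},
               {"u0": ["u1", "u2"], "u1": ["u1"]})
```

`bisimilar_under_bijection(RTS1, RTS2)` returns the witnessing bijection a->d, b->c, while for RTS3 it returns None because the deadlocking branch out of u0 has no counterpart in RTS1.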
Weakening the bisimulations
The notion of bisimulation as just defined is suitable for $\mu\mathcal{L}_{FO}$ (and LTL-FO), but is too strong for our purposes.
Note: $\mu\mathcal{L}_{FO}$ allows for quantifying over the whole domain. This is captured by the global bijection in the definition of bisimulation.
In $\mu\mathcal{L}_A$, instead, we can quantify only over the active domain of the current state, and the evolution of its elements over time. The bijection should consider the history so far plus the new objects.
In $\mu\mathcal{L}_P$, we can quantify only over the objects that persist. The bijection should consider the elements that persist in the state.
We suitably adjust the definition of bisimulation to reflect these restrictions.
History-preserving bisimulation
Consider $\Upsilon_1, \Upsilon_2$ over disjoint data domains $\Delta_1, \Delta_2$, with states $S_1, S_2$. Let $H$ be the set of all partial bijections between $\Delta_1$ and $\Delta_2$. A history-preserving bisimulation between $\Upsilon_1$ and $\Upsilon_2$ is a ternary relation $\approx_A \subseteq S_1 \times H \times S_2$, connecting pairs of states under a bijection that tracks the history. In particular, $\langle s_1, h, s_2 \rangle \in \approx_A$, denoted $s_1 \approx^h_A s_2$, implies that:
1. $h \in H$ induces an isomorphism between $db_1(s_1)$ and $db_2(s_2)$;
2. for each $s'_1$, if $s_1 \Rightarrow_1 s'_1$ then there is an $s'_2$ with $s_2 \Rightarrow_2 s'_2$ and a bijection $h'$ that extends $h$, such that $s'_1 \approx^{h'}_A s'_2$;
3. the other direction.
$\Upsilon_1 \approx_A \Upsilon_2$ if there exists a partial bijection $h_0$ such that $s_{01} \approx^{h_0}_A s_{02}$.
Theorem. If $\Upsilon_1 \approx_A \Upsilon_2$, then for every $\mu\mathcal{L}_A$ closed formula $\Phi$, we have that $\Upsilon_1 \models \Phi$ if and only if $\Upsilon_2 \models \Phi$.
History-preserving bisimulation (example)
[Figure: two transition systems generated from the DCDS with initial instance $I_0 = \{P(a), Q(a,a)\}$ and two condition-action rules: condition $P(x)$ with effect $\mathrm{del}\{R(x)\}, \mathrm{add}\{Q(f(x), g(x))\}$, and condition $Q(a,a) \wedge P(x)$ with effect $\mathrm{del}\{Q(a,a)\}, \mathrm{add}\{R(x)\}$, where $f$ and $g$ are service calls. Each branch is labelled by the service-call results (e.g., $f(a) \mapsto a, g(a) \mapsto a$; $f(a) \mapsto b, g(a) \mapsto b$; $f(a) \mapsto a, g(a) \mapsto b$; $f(a) \mapsto b, g(a) \mapsto c$; ...), and corresponding states of the two systems (e.g., $P(a)\,R(a)\,Q(b,b)$ and $P(a)\,Q(b,b)$) are related by the partial bijections $h, h'_1, h'_2, h'_3, h''_2, h''_3$ (e.g., $h(a) = a$, $h'_2(b) = b$, $h'_3(c) = b$).]
The two transition systems are history-preserving bisimilar. Hence, they satisfy the same set of $\mu\mathcal{L}_A$ / LTL-FO$_A$ properties.