sign in sign up
<<
Home , Artifact (UML)

Model Checking Unbounded Artifact-Centric Systems

Alessio Lomuscio and Jakub Michaliszyn Department of Computing, Imperial College London, UK

Abstract important to establish at a fundamental level under what conditions an artifact-system can actually be verified. Artifact-centric systems are a recent paradigm for represent- The verification problem for ACS specified by quantified ing and implementing business processes. We present further results on the verification problem of artifact-centric systems temporal specifications is known to be undecidable (Deutsch specified by means of FO-CTL specifications. While the gen- et al. 2009; Hariri et al. 2011; Belardinelli, Lomuscio, and eral problem is known to be undecidable, results in the lit- Patrizi 2011) and considerable research has gone into the erature prove decidability for artifact systems with infinite exploration of decidable fragments. domains under boundedness and conditions such as unifor- Contribution. In this paper we explore novel boundaries mity. We here follow a different approach and investigate the in the decidability conditions for the model checking prob- general case with infinite domains. We show decidability of lem of ACS against quantified, temporal specifications. While the model checking problem for the class of artifact-centric much of the recent work has focused on the identification of systems whose schemas consist of a single unary relational properties on the generated models for complete relation, and we show that that the problem is undecidable if artifact systems are defined by using one binary relation or and decidable abstraction procedures, an alternative avenue of two unary relations. investigation consists in considering classes of specifications for the artifacts’ transitions. To this end, we here define the logic CARL which we use to model the artifacts’ lifecycles. 1 Introduction By using CARL to model the artifacts’ evolutions, we can ex- Artifact-centric systems (ACS) have been put forward as press Boolean combinations of the basic relational properties: a framework for reasoning about and implementing data- “check that the relation is empty, “add one arbitrary element aware business processes (Alonso et al. 2004; Hull 2008; to the relation”, “remove one arbitrary element”, and “leave Hull et al. 2011). Artifacts are constructs consisting of data the relation unchanged”. We show that model checking ACS and lifecycles. The data is given by means of described via CARL against reachability specifications is un- a relational database, i.e., a set of finite relations with fixed decidable thereby providing further insights on the difficulty schema. The lifecycles describe how the artifacts may interact of verifying data-aware systems. and evolve over time. We then focus on restricting the database schema appear- ACS can be programmed via the Guard-Stage-Milestone ing in the ACS. We show that the model checking problem (GSM) language (Hull et al. 2011). The iHub (Heath III remains undecidable if the schema contain either one rela- et al. 2013) is a production and execution suite for ACS tion of arity greater than one, or at least two arbitrary re- implemented in GSM. Both GSM and the iHub are designed lations. Our undecidability proofs involve the encoding of to help stakeholders encode business interactions intuitively two-counter machines (Minsky 1967). and efficiently. Finally, we show that the model checking problem is decid- A problem that naturally arises is whether ACS are cor- able if we consider only artifacts whose schema consists of a rect against specifications. GSMC, a model checking tool single unary relation and sentence-atomic temporal specifi- for GSM systems, has recently been put forward (Gonzalez, cations. We prove this result in three steps. Firstly, we study Griesmayer, and Lomuscio 2012) to assess this problem. the expressive power of first-order logic over unary relations While GSMC has shown considerable promise, verifying using Ehrenfeucht-Fraisse games. Then, we show how to GSM programs via model checking remains highly problem- transform an ACS and a specification into an infinite Kripke atic. Classical techniques based on model checking (Clarke, structure and a CTL specification. Finally, we prove that the resulting infinite Kripke structure can be encoded as a push- Grumberg, and Peled 1999) are typically insufficient as they ∗ normally tackle finite-state systems. Yet artifacts exhibit in- down system. We then define a CTL specification that the finitely many different possible configurations. It is therefore pushdown system satisfies if and only if the ACS satisfies the original FO-CTL specification. Since the former problem Copyright c 2014, Association for the Advancement of Artificial is decidable (Bozzelli 2007), we conclude that the latter is Intelligence (www.aaai.org). All rights reserved. decidable as well. Related Work. Previous research on verifying artifact- and a set of artifact transitions, which account for the artifact centric systems has focused on abstraction techniques where data models and the artifact lifecycles, respectively. semantical conditions such as “uniformity” and “weak Definition 1 (Database schema). A database schema is a set acyclicity” are shown to guarantee decidability under the D = {P1/a1,...,Pn/an} of relation (or predicate) symbols assumption that systems are bounded, i.e., either the states P , each associated with its arity a ∈ . or the runs do not contain more than a given number i i N of predicates (Belardinelli, Lomuscio, and Patrizi 2012b; Definition 2 (Database interpretation). Given a database Hariri et al. 2013). Differently from these approaches, the schema D, a D-interpretation (or D-instance) over an count- investigation here presented makes no assumption on the able interpretation domain U is a mapping D associating boundedness of the artifact-systems to be studied. each relation symbol Pi with a finite ai-ary relation over U, ai Model checking artifact-centric systems against a quan- i.e., D(Pi) ⊆ U . tified version of LTL was studied in (Deutsch et al. 2009). The set of all D-interpretations over a given domain U is It was shown that the problem is generally undecidable, but denoted by ID(U). The active domain of D, adom(D), is becomes decidable if one considers guarded artifact systems the set of all U-elements occurring in some tuple of some and guarded specifications, a form of quantification where predicate interpretation D(Pi). no variables appear free in a temporal context. A PSPACE model checking algorithm for fixed-arity schemas is also 2.1 Artifact systems shown in (Deutsch et al. 2009). While the results presented are positive, compared to the classes of artifacts studied here, To model transitions between states of the underlying the expressivity of the fragment studied is limited. , we use unprimed and primed relational symbols from D, that refer to relations in the current and the successor More recently (Hariri et al. 2013) presented results on state, respectively. Intuitively, given two states (i.e., two D- the model checking problem against specifications given interpretations) D and D0, the operator ⊕ constructs a new in the first-order extension of the µ-calculus. The problem “joint” interpretation D⊕D0, interpreting unprimed relational is undecidable in this setting; however, it is shown that by symbols in D, and primed in D0. adding additional restrictions, including forbidding fresh, unbounded data along a run, the problem is decidable. Also in As we study artifacts systems whose transitions are de- that line, and differently from this paper, systems are assumed scribed by various logics, below we introduce the notion of to be bounded and sufficient conditions based on acyclicity an artifact system over a logic LD. for boundedness are established. Definition 3 (LD-artifact system). An LD-artifact system is While all results above focus on complete procedures, in a tuple S = hD, U, D0, Ti, where: recent work (Belardinelli and Lomuscio 2013) partial model •D = {P /a ,...,P /a } is a database schema; checking procedures against the universal fragment of FO- 1 1 n n CTL have been explored. Differently from (Belardinelli, Lo- • U is a countable interpretation domain; muscio, and Patrizi 2012b) these are given for bounded but • D0 is an initial database instance; possibly non-uniform artifact-centric systems. Conversely, • T is a finite set of sentences of the logic LD, called artifact the results established in this paper concern unbounded, but transitions. uniform systems. In the definition above we assume that the sentences of Scheme of the paper. In Section 2 we provide the back- the logic L state properties of D ⊕ D0, i.e., the notion ground on ACS and relevant concepts, and we define the D “D ⊕ D0 |= Φ” is defined for every sentence Φ of L . model checking problem. We observe that the problem is LD D generally undecidable. In Section 3 we investigate the impli- The semantics of an artifact system is given in terms of its cations of restricting the database schemas and the expressive possible executions, captured by a Kripke structure, whose power of the language used to model the artifacts’ lifecycles. states are instances of the database schema and whose transi- We show that under various restrictions the problem remains tions correspond to executions of artifact transitions. undecidable. In Section 4 we characterise a scenario in which Definition 4 (Kripke structures). A Kripke structure is a tuple the model checking problem is decidable and explore its com- K = hΣ,D0, τ, πi, where Σ is the set of states; D0 ∈ Σ is plexity. Taken together the results in the two sections show the initial state; τ ⊆ Σ × Σ is the transition relation; π is the that the conditions we identify can be interpreted as being labelling function. maximal for decidability. We conclude in Section 5. For convenience, we assume a single initial state, but all the results presented below also hold if we allow any finite 2 Verifying Artifact Systems number of initial states. When the labelling function is irrel- evant, we will drop it and represent a Kripke structure as a Artifacts are operational models of business process (Cohn triple K = hΣ,D , τi. and Hull 2009). Each artifact is composed by two parts: a 0 data model, which captures a fragment of the structure of Note that in the definition above we include states not D τ the information relevant to the process, and a lifecycle model, reachable from 0 by . This is not the case below. which is a specification of their evolution. In this paper we Definition 5 (Model of an artifact system). Given an artifact follow the formalisation proposed in (Hariri et al. 2011) and system S = hD, U, D0, Ti over LD, the model of S is the define artifact systems by means of a (relational) database Kripke structure KS = hΣ,D0, τi, where: ∗ • Σ ⊆ ID(U) is the set of states reachable from D0 using over N, an N-assignment σ, and a FO-formula Φ ∈ FOD,C τ; over D, we inductively define whether D ⊕ D0 satisfies Φ 0 • D0 ∈ Σ is the initial state; under σ, written (D ⊕ D , σ) |= Φ, as follows: • τ is the transition relation such that τ(D,D0) for some (D ⊕ D0, σ) |= t = t iff σ(t) = σ(t) 0 artifact transition Φ ∈ T, D ⊕ D |=LD Φ. 0 (D ⊕ D , σ) |= Pi(~t) iff hσ(t1), . . . , σ(t`)i ∈ D(Pi) We denote the unique model of an artifact system S by (D ⊕ D0, σ) |= P 0(~t) iff hσ(t ), . . . , σ(t )i ∈ D0(P ) KS . i 1 ` i Following (Belardinelli, Lomuscio, and Patrizi 2011), we (D ⊕ D0, σ) |= ¬Φ iff (D ⊕ D0, σ) 6|= Φ define runs on a Kripke structure. (D ⊕ D0, σ) |= Φ ∨ Ψ iff (D ⊕ D0, σ) |= Φ Definition 6 (K-runs). Given an artifact system S and its or (D ⊕ D0, σ) |= Ψ model K = hΣ,D0, τi, a K-run r from a K-state D ∈ Σ is an infinite sequence of K-states r = D0 → D1 → · · · such (D ⊕ D0, σ) |= ∀xΦ iff for every u ∈ adom(D) 0 i i+1 that D = D and τ(D ,D ), for i ≥ 0. For every run r (D ⊕ D0, σx) |= Φ and i ≥ 0, we define r(i) as Di. u A formula Φ is true in D ⊕ D0, written D ⊕ D0 |= Φ, iff Note that, unlike much of the literature on the subject, we 0 (D ⊕ D , σ) |= Φ for all N-assignments σ. do not require the runs to be bounded. Also note that we consider only infinite, countable inter- Notice that two constants map the same element iff they pretation domains. To make the notation lighter, we assume are the same constant. without loss of generality that the interpretation domain is We focus on the problem of verifying an artifact system always the set of naturals . against a temporal specification of interest. We adjust the N notion of sentence-atomic FO-CTL (Belardinelli, Lomuscio, and Patrizi 2011) to the case of logic FO* . 2.2 Model checking artifact systems D,N sa In the following we use the logic FOV to define the tran- Definition 9 (FO CTL formulae). Given an artifact system D,C S = hD, ,D , i, the language of sentence-atomic FO- sitions of artifact-centric systems. The logic FOV is the N 0 T D,C CTL (denoted by FO sa CTL) formulae over S is inductively fragment of first-order logic in which formulae are built by us- defined as follows: ing predicates from D ⊕ D0, constants from C, and variables from V . ϕ ::= ΦP | ¬ϕ | ϕ ∨ ϕ | AXϕ | AϕUϕ | EϕUϕ Definition 7 FOV . Given a database schema D = where Φ is an FO* sentence where no primed terms nor (Logic D,C ) P D,N V primed predicates appear. {P1/a1,...,Pn/an}, the language of the logic FOD,C is defined by the following BNF: Note from above that while we use the FO* logic as D,N the building block for artifacts’ descriptions we do not use 0 ~ 0 ~ Φ ::= t = t | Pi(t) | Pi (t) | ¬Φ | Φ ∨ Φ | ∀xΦ, primed variables in the specifications. The notions of free and bound variables can be extended where t, t ∈ C ∪ V and ~t is an a -tuple of elements from i in the obvious way to FO sa CTL. We use the standard ab- C ∪ V . breviations EXϕ ≡ ¬AX¬ϕ, AF ϕ ≡ A>Uϕ, AGϕ ≡ We use parentheses as standard when required. ¬E>U¬ϕ, EF ϕ ≡ E>Uϕ, and EGϕ ≡ ¬A>U¬ϕ. sa Let * = {x, y, z, x1,... } be a countable set of variables For a system S, the semantics of FO CTL formulae is and 2 = {x, y}. We consider the following logics: FO* , K D,N provided in terms of its model S . * 2 sa FOD,∅, and FOD,∅. We denote formulae in these logics with Definition 10 (Satisfaction for FO CTL). Consider a sys- sa Greek upper case letters Φ, Ψ, while specifications against tem S and its model KS , a formula ϕ of FO CTL and a which systems are checked will be denoted by Greek lower KS -state D ∈ Σ, the satisfaction relation |= is inductively case letters ϕ, ψ. defined as follows: We use the standard abbreviations ∃, >, ⊥, ∧, ⇒, and 6=. (K ,D) |= Φ iff D |= Φ Free and bound variables are defined as standard. A sentence S P P is a formula with no free variables. (KS ,D) |= ¬ϕ iff (KS ,D) 6|= ϕ A U-assignment is a total function σ : V 7→ U. For (KS ,D) |= ϕ ∨ ψ iff (KS ,D) |= ϕ or (KS ,D) |= ψ technical convenience, we assume that every U-assignment σ (KS ,D) |= AXϕ iff for all KS -runs r s.t. r(0) = D, is extended to C and is the identity on it, i.e., ∀c ∈ C, σ(c) = x (KS , r(1)) |= ϕ c. Given an assignment σ, we denote by σu the U-assignment x x (KS ,D) |= AϕUψ iff for all KS -runs r s.t. r(0) = D, s.t. σu(x) = u and σu(x) = σ(x), for every x ∈ V s.t. x 6= x. ∃k ≥ 0 s.t. (KS , r(k)) |= ψ and We adjust the standard active-domain semantics used in ∀j s.t. 0 ≤ j < k, (KS , r(j)) |= ϕ the artifact systems literature (Belardinelli, Lomuscio, and (K ,D) |= EϕUψ iff for some K -run r, r(0) = D, Patrizi 2011; 2012a) to the setting here defined. S S ∃k ≥ 0 s.t. (K , r(k)) |= ψ, and Definition 8 (Active-Domain Semantics for FO-formulae). S Given a database schema D, two D-interpretations D,D0 ∀j s.t. 0 ≤ j < k, (KS , r(j)) |= ϕ A formula ϕ is true in KS , written KS |= ϕ, iff (KS ,D0) |= These properties are very basic and natural, but are sufficient ϕ. We say that S satisfies ϕ, written S |= ϕ, iff KS |= ϕ. to express interesting properties for artifact systems. However, Observe that satisfaction of FO* is defined on joins as we see below, even the properties above already induce D,N undecidability of the model checking problem. D ⊕ D0 as it deals with primed and unprimed predicates. Here we write D |= ΦP because we only need to interpret Definition 13 (Logic CARLD,C ). Given a database schema only the unprimed predicates. D = {P1/1,...,Pn/1}, the language of the logic In the rest of this paper we focus on the following problem. CARLD,C is inductively defined by the following BNF: 0 Definition 11 (Model checking problem). Given a logic LD, Φ ::= ¬Φ | Φ ∨ Φ | Pi(c) | Pi (c) | EMPTY(Pi) | an L -artifact system S and a FO sa CTL specification ϕ, D EQUAL(P ) | INSERT(P ) | DELETE(P ) the model checking problem involves establishing whether i i i KS |= ϕ. where c is an element of the set of constants C.

Observe that the input can be given in finite terms, as the Recall that Pi(c) refers to the relation Pi before the transi- 0 description of an LD-artifact system is finite; so the problem tion, and Pi (c) refers to the relation after the transition. For is well-defined. This problem can be shown to be undecidable convenience the formal semantics of CARLD,C is given by in the general case. translating it into FO2 . D,N * Theorem 12. Model checking an arbitrary FOD, -artifact Definition 14 (Semantics of CARLD, ). We define a trans- sa N N system against a FO CTL specification is undecidable. lation of T to FO2 as follows. D,N Proof idea. The proof in (Belardinelli, Lomuscio, and Patrizi T(¬Φ) = ¬T(Φ) 2011) can be adapted to this case. T(Φ1 ∨ Φ2) = T(Φ1) ∨ T(Φ2) In the following we will explore the decidability for re- T(Pi(c)) = Pi(c) strictions of the problem above. 0 0 T(Pi (c)) = Pi (c) 3 Model Checking CARLD,N–Artifact T(EMPTY(Pi)) = ∀x.¬Pi(x) 0 Systems T(EQUAL(Pi)) = ∀x.Pi (x) ⇔ Pi(x) One possibility to obtain decidability is to consider a weak 0 T(INSERT(Pi)) = ∃x.¬Pi(x) ∧ Pi (x) form of quantification when writing artifacts’ descriptions. 0 For example we could consider the two variable fragment ∧ ∀y.y 6= x ⇒ (Pi(y) ⇔ Pi (y)) 0 of first-order logic (Grädel, Kolaitis, and Vardi 1997) or the T(DELETE(Pi)) = ∃x.Pi(x) ∧ ¬Pi (x) guarded fragment (Grädel 1999). ∧ ∀y.y 6= x ⇒ (P (y) ⇔ P 0(y)) In this paper we follow a different approach and address i i the question of whether one can choose a reasonable logic Then, the semantics of CARLD,N is defined using the se- * 0 LD in the artifacts’ descriptions so that model checking LD- mantics of FO by considering (D ⊕ D , σ) |= Φ iff (D ⊕ D,N artifact systems is decidable. D0, σ) |= T(Φ). First, we identify some essential properties of the artifact systems. Then, we define the logic capable of expressing only 3.2 Undecidability of model checking Boolean combinations of such properties. Finally, we show CARLD, -artifacts systems that in most cases model checking artifact systems defined N A key result of this section is the following theorem. using this logic is undecidable. In the proofs that follow, we often use the FO sa CTL spec- Theorem 15. For any database schema D that contains two ification EG >. This is intended to show that the negative unary relation symbols, model checking CARLD,N-artifact results we present cannot be overcome by adopting a weaker systems against FO sa CTL is undecidable. specification language. The proof uses two-counter finite automata (Minsky ma- chines) defined as follows. 3.1 The logic CARL D,N Definition 16. A two-counter automaton is a tuple A = The logic CARLD, describes properties of unary relations N hQ, q0, qf ,Ri, where Q = {q0, q1, . . . , qf }, q0 is an initial only. CARLD, expresses Boolean combinations of the fol- N state, qf is a final state, and R : Q × {>, ⊥} × {>, ⊥} × lowing properties of an unary relation P : Q × {−1, 0, 1} × {−1, 0, 1} is the transition relation. • P contains a constant c; A configuration for a two-counter automata is a triple • P is empty; (qi, n, m) where qi ∈ Q and n, m ∈ N. Let Empty(x) 0 be equal > if x = 0 and ⊥ otherwise. We define a rela- • One element is added to P , i.e., P = P ∪ {x} for some R tion → such that for two configuration β1 = (qi, n, m), x 6∈ P ; 0 0 R 0 β2 = (qj, n , m ) we have β1 → β2 iff we have • One element is removed from P , i.e., P = P ∪ {x} for 0 0 0 (qi, Empty(n), Empty(m), qj, n − n, m − m) ∈ R.A some x 6∈ P ; run is a possibly infinite sequence of configurations such that 0 R • P does not change, i.e., P = P . for all consecutive configurations β1, β2 we have β1 → β2. A run is accepting if it contains a configuration containing A configuration β = (qi, n, m) will be encoded as q . β β β f a database interpretation D = (P1 ,P2 ) such that The following lemma follows from (Minsky 1967). β exactly({(q, ?, ?)},P1), exactly(∅,P2), |P1 | = n + 1 and Lemma 17. The problem whether there exists an infinite run β A |P2 | = m. So, the initial interpretation of S will be s.t. of a given two-counter automaton is undecidable. P1 = {(q0, ?, ?)} and P2 = ∅. We can now we prove Theorem 15. The update of a configuration is performed in several steps by using the rules described below. We will denote transi- Proof. For a given two-counter automaton A = tions informally; e.g., “add n to P1” stands for ¬P1(n) ∧ 0 hQ, q0, qf ,Ri, we show how to define a CARLD,N- P1(n) ∧ INSERT(P1), etc. The rules below should be de- A sa 0 artifact systems S and an FO CTL formula ϕ such that fined for all appropriate q, q ∈ Q, e1, e2 ∈ {⊥, >} and A S |= ϕ iff A has an infinite run. Firstly, we construct a ∆1, ∆2 ∈ {−1, 0, 1}. system with tree relations, and then we show how one of the We use the following example to illustrate the encoding. 0 R 0 relations can be removed. Let ν = (q1, 0, 1), ν = (q2, 1, 1), be such ν → ν and assume that |Q| = 5, i.e. Z contains only numbers less than A A A A Three relations. Let S = hD , N,D0 , T i, where 90. Assume that ν is encoded as P = {(q , ?, ?)},P = A A 1 1 2 D = {P1/1,P2/1,P3/1}, D0 be such that P1 and P2 {95}. are empty and P3 is a singleton relation containing 0. Our A aim is to define the set T so that each database interpre- 1. If P1((q, ?, ?)), then if EMPTY(P2), add (q, ?, >) to P2, D D D A tation D = {P1 ,P2 ,P3 } in the model KSA of S satis- otherwise add (q, ?, ⊥) to P2. In both cases, remove D fies |P3 ∩ {0, . . . , f}| = 1 and represents a configuration (q, ?, ?) from P1. D D D (qi, |P1 |, |P2 |) where qi ∈ P3 . In other words, the size of In the example, P1 and P2 change as follows: P1 = D D P1 /P2 represents the value of the first/second counter and {},P2 = {95, (q1, ?, >)}. P D contains the state. 3 2. If EMPTY(P1) and P2((q, ?, e2)), add (q, >, e2) to P1, Let empty>(R) = EMPTY(R) and empty⊥(R) = otherwise add (q, ⊥, e2) to P1. In both cases, remove ¬EMPTY(R). Let modify−1(R) = DELETE(R), (q, ?, ⊥) from P2. modify0(R) = EQUAL(R), and modify+1(R) = In the example, P1 and P2 change as follows: P1 = INSERT(R). {(q, >, ⊥)},P2 = {95}. For each tuple t = (qi, φ1, φ2, qj, ∆1, ∆2) ∈ R, we define 0 an artifact transition αt as: 3. If P1((q, e1, e2)) and (q, e1, e1, q , ∆1, ∆2) ∈ R, then add 0 (q , ∆1, ∆2) to P1. 0 P3(i) ∧ emptyφ1 (P1) ∧ emptyφ2 (P2) ∧ P3(j) In the example, P1 and P2 change as follows: P1 = 0 ^ {(q, >, ⊥), (q , +1, 0)},P2 = {95}. ∧ ¬P3(k) ∧ modify∆1 (P1) ∧ modify∆2 (P2) 0 k6=j,k≤f 4. If P1((q , ∆1, ∆2)) and P1((q, e1, e2)), remove (q, e1, e2) from P1 and modify P2 according to ∆2, i.e., if ∆2 = −1 A Finally, let T be the set of all αt. It can be observed that then remove one element and so forth. paths in KSA represent the computations of A. Therefore, In the example, P1 and P2 change as follows: P1 = 0 there is an infinite path in KSA if and only if there is an infi- {(q , +1, 0)},P2 = {95}. nite run in of A. The existence of an infinite path corresponds 0 0 0 5. If P1((q , ∆1, ∆2)) and P2 does not contain (q, e1, e2) to the truth of the formula EG>. 0 0 0 0 for any e1, e2, and ¬P2((q , ∆1, ∆2)), add (q , ∆1, ∆2) Two relations. We show that we do not need a relation to to P2. store the states. The configuration description of a configura- In the example, P1 and P2 change as follows: P1 = 0 0 tion (q, n1, n2) of A is a triple (q, v1, v2) for vi ∈ {>, ⊥, ?} {(q , +1, 0)},P2 = {95, (q , +1, 0)}. s.t. if v = > then n = 0, and if v = ⊥ then n > 0. i i i i 6. If P and P contain (q0, ∆ , ∆ ), remove (q0, ∆ , ∆ ) The transition description is a triple (q, ∆ , ∆ ) for ∆ ∈ 1 2 1 2 1 2 1 2 i from P and add (q0, ?, ?) to P . In the example, {−1, 0, 1} 1 2 that is intended to represent the artifact transition P and P change as follows: P = {},P = ∆ 1 2 1 2 “change the value of the i-th counter by i and change the {95, (q0, +1, 0), (q0, ?, ?)}. state to q”. 0 0 Let Zc = {0, 1,..., 9|Q| − 1} and Za = 7. If P2((q , ∆1, ∆2)) and ¬P1((q , ∆1, ∆2)), then modify 0 {9|Q|,..., 18|Q| − 1}. We choose an arbitrary bijection P1 according to ∆1 and remove (q , ∆1, ∆2) from P2. function encodec : Q × {⊥, >, ?} × {⊥, >, ?} → Zc In the example, P1 and P2 change as follows: P1 = 0 to encode the configuration descriptions as numbers and {1543},P2 = {95, (q , ?, ?)}. encodea : Q × {−1, 0, +1} × {−1, 0, +1} → Za to en- 0 0 8. If P2((q , ?, ?)), remove (q , ?, ?) from P2 and add it to code transition descriptions. Below we identify descriptions P . with their encodings. 1 In the example, P1 and P2 change as follows: P1 = To simplify the proof, we describe the set informally. 0 T {1543, (q , ?, ?)},P2 = {95}. For X ⊆ Za ∪ Zc, let exactly(X,R) be a formula stating 0 0 0 that R ∩ (Za ∪ Zc) = X. For R ∈ {P1,P1,P2,P2}, such a Clearly, P1 = {1543, (q , ?, ?)},P2 = {95} describes the 0 formula can be easily expressed in CARLD,N. configuration (q , 1, 1). Note that the rules above are formalised by means of con- modify the set of artifact transitions from the proof in case of junctions. For example, and instance of the rule 1 is for- three unary relations in the following manner: malised as P1((q, ?, ?)) ∧ EMPTY(P2) ∧ ¬P2((q, ?, >)) ∧ 0 0 • Replace P (t) by P (i, t) and P 0(t) by P 0(i, t) . P2((q, ?, >))∧¬P1((q, ?, ?))∧ INSERT(P2)∧ DELETE(P1). i 1 i 1 In this case, the conjunct DELETE(P1) assures that (q, ?, ?) • Replace EMPTY(Pi) by ∀x¬P1(i, x). is the only element deleted from P1, while INSERT(P2) and 0 • Replace EQUAL(Pi) by ∀x.P1(i, x) ⇔ P1(i, x). ¬P2((q, ?, >)) guarantee that (q, ?, >) is the only element 0 • Replace INSERT(Pi) by ∃x.¬P1(i, x)∧P1(i, x)∧∀y.y 6= added to P2. 0 x ⇒ (P1(i, x) ⇔ P1(i, x)). Paths in K A are such that each 8-th state represents the S 0 configuration of A, and the subpath containing every 8-th • Replace DELETE(Pi) by ∃x.¬P1(i, x)∧P1(i, x)∧∀y.y 6= x ⇒ (P (i, x) ⇔ P 0(i, x)). state of paths of KSA represents computations. So there exists 1 1 an infinite path in KSA if and only if there is an infinite run It can be checked that paths in K A represent the computa- of A. S tions of A. So an infinite path exists iff there exists an infinite 3.3 Undecidability of model checking computation of A. CARL -artifacts systems D,∅ 4 Model Checking FO* –Artifact Systems In the proof of Theorem 15 we use arbitrary many constants. D,N However, this is not the source of undecidability. with a Single Unary Relation While the results of the previous section are negative, in Theorem 18. Model checking CARLD,∅-artifact systems against FO sa CTL is undecidable. the following we identify a fragment for which the model checking problem is decidable. Proof. For a given two-counter automaton A, we show how Theorem 22. Model checking FO* -artifact systems sa D,N to define CARLD,∅-artifact systems SA and an FO CTL whose database consists of a single unary relation symbol formula ϕ such that S |= ϕ iff A has an infinite run. The against FO sa CTL is decidable. proof is similar to the proof of Theorem 15 in case of three relations, except that now we use additional relations to rep- The above identifies a restriction on the database schema, resent the state of A. but allows the most general logic here considered to define A A A A the transitions of the systems. It is instructive to see that More precisely, we define S as hD , N,D0 , T i, where D = {P1/1,...,P|Q|+2/1}, D0 is such that all Pi are empty restricting our attention to unary relations still enables us to except for P3 which is a singleton relation containing 0. define interesting classes of systems. For each tuple t = (qi, φ1, φ2, qj, ∆1, ∆2) ∈ R, we Example 23. An infinite state counter machine can help or- define an artifact transition αt as: ganising queues. The task of the machine is to print numbered ¬EMPTY(Pi+2) ∧ emptyφ1 (P1) ∧ emptyφ2 (P2) ∧ tickets, display the ticket number on a screen, and remove 0 V 0 ¬EMPTY(Pj+2) ∧ k6=j EMPTY(Pk+2) ∧ the number from memory. The machine has three states: ON modify∆1 (P1) ∧ modify∆2 (P2) where it prints tickets and displays numbers, CLOSING It can be shown that KSA represent the computations of where it displays numbers but will not print tickets, and OFF A. where it remains idle. The machine can be described as an artifact system with a 3.4 Further results database consisting of a single unary relation. We can use the Since there is a translation from CARL to FO2 , we constants 0, 1 and 2 to represent the states ON, CLOSING D,N D,N obtain the following. and OFF , and all other natural numbers to represent tickets. sa 2 An example of a property that may be expressed in FO CTL Corollary 19. Model checking FOD, -artifact systems sa N is whether it is always possible to remove all numbers from against FO CTL whose database schema contains two the machine’s memory. It follows from Theorem 22 that check- unary symbols is undecidable. ing this specification is decidable. 2 Corollary 20. Model checking FOD,∅-artifact systems sa The rest of this section is organised as follows. Firstly, we against FO CTL is undecidable. * investigate the expressive power of the logic FO 0 . In D⊕D ,N It can also be shown that including a single binary relation the following subsection we define the logic Card and we * leads to undecidability. This result can be extended to any show that any set of artifact transitions defined in FO 0 D⊕D ,N relations of arity greater that two. can be replaced by an equivalent set of formulae from the Theorem 21. Model checking FO2 -artifact systems logic Card. Then, in Subsection 4.2 we show how to trans- D,N 0 whose database contains a single binary relation against form an artifact system S into an infinite Kripke structure K sa and an FO sa CTL property ϕ into a CTL property ϕ0 such FO CTL is undecidable. 0 0 that KS |= ϕ iff K |= ϕ . In Subsection 4.3 we define a push- Proof. We use the constants 1, 2, 3 to simulate three rela- down system P and a CTL∗ formula ϕ00 such that K0 |= ϕ0 tions. iff P |= ϕ00. We conclude in Subsection 4.4 by giving the A A A A As before we define S as hD , N,D0 , T i. This time, algorithm solving the decidability of Theorem 22. we take D = {P1/2} and D0 is such that P1 = {(3, 0)}. We In the following we assume D = {P/1}. 4.1 The logic Card Let A and B be two structures such that A ∼C B and A grounded literal over D is one of the following formulae: cntn(A) = cntn(B). On these structures, duplicator has a P (c), ¬P (c), P 0(c), ¬P 0(c), where c stands for any constant. winning strategy and therefore Ψ cannot distinguish them. We construct a Card-transition Ψ 0 such that A Definition 24. A formula is called a Card-transition if it is A,A ,r,s,t,u satisfies Ψ 0 iff cnt (A) = (r, s, t, u) and A ∼ B. of the form Υ ∧ V ∃ xΦ where Υ is a conjunction A,A ,r,s,t,u n C i∈I γibi i Let r0 = r + |A ∩ (C \ A0)|, s0 = s + |(C \ A) ∩ A0|, of grounded literals, γi ∈ {≥, ≤}, bi are natural numbers t0 = t + |A ∩ A0| and u0 = u + |(C \ A) ∩ (C \ A0)|. Let (including 0), and Φi are a boolean combinations of P (x) Ψ 0 be the conjunction of the following formulae: and P 0(x). A,A ,r,s,t,u The formulae of the C are disjunctions of C V V logic ard ard- 1. c∈A P (c) ∧ c∈C\A ¬P (c) transitions. V 0 V 0 2. c∈A0 P (c) ∧ c∈C\A0 ¬P (c) Intuitively, ∃≤bxΦ(x) represents the fact that there are at 0 3. ∃ 0 x(P (x) ∧ P (x)) most b distinct elements satisfying Φ; conversely ∃≥bxΦ(x) ≥r 0 signifies that there are at least b distinct elements satisfying 4. only if r < n + 1: ∃≤r0 x(P (x) ∧ P (x)) 0 Φ. The formal semantics of the logic Card is defined by the 5. ∃≥s0 x(P (x) ∧ ¬P (x)) * translation into FO that simply replaces each ∃ Φ(x) 0 D, ≥b 6. only if s < n + 1: ∃ 0 x(P (x) ∧ ¬P (x)) V N V ≤s with ∃x1, . . . , xb. i6=j xi 6= xj ∧ i Φ(xi) and ∃≤bΦ(x) 0 V W 7. ∃≥t0 x(¬P (x) ∧ P (x)) with ∀x1, . . . , xb+1. i6=j xi 6= xj ⇒ i ¬Φ(xi). 0 8. only if t < n + 1: ∃≤t0 x(¬P (x) ∧ P (x)) * As we prove below, the logics Card and FOD, have the 0 N 9. ∃≥u0 x(¬P (x) ∧ ¬P (x)) same expressive power. 0 10. only if u < n + 1: ∃≤u0 x(¬P (x) ∧ ¬P (x)) Example 25. Consider the formula ∀y(y 6= c1 ⇒ (P (y) ⇔ 0 P (y))). This is equivalent to the disjunction of the following The formula ΨA,A0,r,s,t,u is indeed a Card-transition. formulae: Let XΨ be the set of all the formulae of the form 0 0 0 • P (c1) ∧ P (c1) ∧ ∃≤0x(P (x) ⇔ ¬P (x)) ΨA,A ,r,s,t,u such that there is a structure that satisfies 0 0 0 Ψ ∧ ΨA,A0,r,s,t,u, and let Ψ be the disjunction of all the •¬ P (c1) ∧ ¬P (c1) ∧ ∃≤0x(P (x) ⇔ ¬P (x)) 0 0 formulae in XΨ . We show that any structure A satisfies Ψ if • P (c1) ∧ ¬P (c1) ∧ ∃=1x(P (x) ∧ ¬P (x)) 0 0 and only if it satisfies Ψ . ∧ ∃≤0x(¬P (x) ∧ P (x)) A 0 0 Assume that A satisfies Ψ. Let A = {c ∈ C | P (c)}, •¬ P (c1) ∧ P (c1) ∧ ∃≤0x(P (x) ∧ ¬P (x)) 0 0A 0 A = {c ∈ C | P (c)} and (r, s, t, u) = cntn(A). Obvi- ∧ ∃=1x(¬P (x) ∧ P (x)) ously, A satisfies ΨA,A0,r,s,t,u ∧ Ψ, therefore ΨA,A0,r,s,t,u is 0 where ∃=1Φ stands for ∃≤1Φ ∧ ∃≥1Φ. in XΨ and A satisfies Ψ . 0 * Assume that A satisfies Ψ . It follows that A satisfies Lemma 26. Let Ψ be a FOD⊕D0, sentence. Then, there is 0 N Ψ 0 for some A, A , r, s, t, u such that there is a a Card formula Ψ 0 equivalent to Ψ such that the size of Ψ 0 is A,A ,r,s,t,u structure B satisfying Ψ 0 ∧ Ψ. So A ∼ B and exponential in the size of Ψ. A,A ,r,s,t,u C cntn(A) = cntn(B), and therefore, by the Ehrenfeucht- * Proof. The logic FO 0 is a fragment of first-order Fraisse argument presented above, A satisfies Ψ. D⊕D ,N logic, so we can use standard tools. The result follows by Therefore we have constructed a Card formula Ψ 0 that applying Ehrenfeucht-Fraisse games to the case of unary re- is equivalent to Ψ. A quick check shows that the number of * 2|C| 4 lations. Indeed, for any property Ψ of FO 0 there is a elements in X is bounded by 2 ·n , which is exponential D⊕D ,N Ψ number n ≤ |Ψ| such that if duplicator wins an n rounds in size of Ψ. Note that if we consider formulae with a fixed game on the two structures, then both structures satisfy Ψ or number of constants, then the resulting formula is polynomial none of them does. in size of Φ. Let C be the set of constants from Ψ. Given two structures The above proof is constructive and can be mechanised. A, B we write A ∼C B if for all constants c ∈ C we have A B 0A 0B As remarked, the construction gives a Card formula which is P (c) iff P (c) and P (c) iff P (c). * exponential in the size of the original FO 0 formula. Let cnt(Φ(x)) be the number of elements not from C D⊕D ,N satisfying Φ(x) and cntn(Φ(X)) be equal to min(n + Note that for any set of artifact transitions T and formulae Ψ Ψ 0 ∪ {Ψ,Ψ 0} ∪ {Ψ ∨ Ψ 0} 1, cnt(Φ(x))). For each model A, we define cntn(A) as a , , the sets T and T are equivalent; tuple (r, s, t, u) where i.e., they prescribe the same transitions. Therefore, in the rest 0 of this section we assume without loss of generality that all r = cntn(PA(x) ∧ PA(x)) the artifact transitions are Card-transitions. 0 s = cntn(PA(x) ∧ ¬PA(x)) 0 4.2 Infinite Kripke structures t = cntn(¬PA(x) ∧ PA(x)) 0 Let S = hD, N,D0, Ti be a Card-artifact system and let u = cntn(¬PA(x) ∧ ¬PA(x)) sa KS = hΣ,D0, τi be the model of S. Let ϕ be an FO CTL That is, if cntn(A) = (1, n + 1, 3, 4), then A contains 1 formula and Ca be the set of all constants appearing in T and 0 0 world not from C satisfying PA(x) ∧ PA(x), more than n ϕ. We define a Kripke structure K and a CTL specification 0 0 0 0 worlds not from C satisfying PA(x) ∧ ¬PA(x) and so on. ϕ such that KS |= ϕ iff K |= ϕ . Recall that the states of KS , the model of S, are in fact The remaining cases are similar and omitted. instances of P . The aim of this section is to define a Kripke Finite representation. For convenience above we as- structure K whose states represent the instances of P in the 0 following way: an instance D = {P } is represented by a pair sumed that the labelling π has an infinite codomain. How- ever, ϕ0 uses only finitely many propositional variables. In abs(D) = (P ∩ Ca, |P |), where P ∩ Ca is the set of relevant 0 constants that are in P and |P | is the number of elements in the rest of this section we assume that the codomain of π is Ca ∪ {e0, . . . , el}, where l is the greatest index such that el P . 0 Let us consider K0 = hΣ0, s0 , τ 0, π0i where: appears in ϕ . 0 While the relation τ 0 is infinite, we can give a finite de- 0 • Σ = {abs(s) | s ∈ Σ} is the set of abstractions of all scription for it. To do this, let b be the smallest natural number states in Σ, greater than all the numbers that appear in Card-transitions 0 • s0 = abs(D0), of S. Let boundb(n) = max(−b, min(n, b)) be a function 0 0 that returns −b if n < −b, b is n > b and n otherwise. • π : Σ → Ca ∪ {e0, e1,... } is a labelling such that 0 0 Let T be a set of tuples such that (A, nb,A , nb, ∆) ∈ T if π((A, n)) = A ∪ {e0, e1, . . . , en}, 0 0 and only if for some n, n such that nb = boundb(n), nb = • τ 0 = {(abs(D), abs(D0)) | τ(D,D0)} 0 0 0 0 0 . boundb(n ), ∆ = boundb(n − n) and τ ((A, n, ), (A , n )). sa 0 We define a translation TCTL from FO CTL formulae This representation is sufficient since τ is defined into CTL formulae. Let Ψ be a FO* sentence and Ψ 0 be an by Card-transitions that do not distinguish sets larger D,N equivalent sentence that is a disjunction of Card-transitions. than b. In other words, given a set T , we can con- We translate Ψ 0 into a CTL formula Ψ 00 by replacing every struct τ 0 as follows: τ 0((A, n, ), (A0, n0)) if and only if 0 0 0 P (ci) with ci, ∃≥kxP (x) with ek, ∃≤kxP (x) with ¬ek+1, (A, boundb(nb),A , boundb(nb), boundb(n − n)) ∈ T . 0 0 0 ∃≥kx¬P (x) with > (recall that P is always finite), and Clearly, for any (A, nb,A , nb, ∆) ∈ T we have A, A ⊆ 00 0 ∃≤kx¬P (x) with ⊥. Finally, we replace Ψ with Ψ . Ca, n, n ∈ {0, . . . , b} and ∆ ∈ {−b, . . . , b}, so T is finite. We define TCTL(ψ) as the result of applying the above translation to all the FO* sentences in ψ, and we define 4.3 Pushdown systems D,N ϕ0 = T (ϕ). Definition 28. A pushdown system is a tuple P = CTL P P P P P P P The following lemma follows from the fact that the logic (Σ , q0 ,Γ , ⊥ , τ , π ), where Σ is a set of states con- P P Card cannot distinguish between elements other than con- taining q0 , Γ is a set of stack symbols containing the P P P P P stants. So when checking for satisfaction there is no need to stack bottom symbol ⊥ , ∆ ⊆ (Σ × Γ ) × (Σ × P P ∗ P keep the precise information about the content of P . (Γ \ {⊥ }) ) is a finite set of transition rules, and π : ΣP × Γ P → V ar is a labelling function for some fixed set Lemma 27. For an artifact system S, its model KS , an sa 0 0 of propositional variables V ar. FO CTL specification ϕ, let K and ϕ be the infinite A configuration of a pushdown system is a pair (s, α), Kripke structure and the CTL specification defined as above. P P ∗ P Then, K |= ϕ iff K0 |= ϕ0. where s ∈ Σ and α ∈ Γ starts from ⊥ and does not S contain ⊥P at any other position. We define the transition 0 0 Proof (sketch). We show by induction that for every subfor- relation →P as follows: (s, αγ) →P (s , αα ), where γ ∈ P 0 P ∗ 0 0 P mula ψ of ϕ and every D ∈ Σ, we have KS ,D |= ψ iff Γ and α, α ∈ Γ , iff (s, γ, s , α ) ∈ τ . 0 K , abs(D) |= TCTL(ψ). Runs are defined as usual (Hopcroft and Ullman 1979). Consider the case when ψ = AXψ1 and let D 0 It is known that model checking pushdown systems against be any state of Σ. Firstly, assume that K , abs(D) |= CTL∗ is decidable (Bozzelli 2007). TCTL(ψ). Let D1,...,Dn be all successors of D (i.e. 0 In what follows, given a Kripke model we define a push- τ(D,Di) for all i). By the definition of τ , for each 0 down system whose configurations represent states (A, n) i we have τ (abs(D), abs(Di)). Since abs(D) satisfies of the Kripke structure by using the system states to en- TCTL(AXψ1), abs(Di) satisfies ψ1 and, by inductive as- code A and the stack to store n. In doing so we will ensure sumption, Di satisfies ψ1. Therefore, D satisfies ψ. 0 0 that the content of the stack is always a prefix of the word Assume that KS ,D |= ψ. Let (A , n ) be a successor of 012 ... (b − 1)bω. This will allow us to check easily the exact abs(D) = (A, n). This means that there are two states E, 0 0 0 0 value of n if n < b. Since we can remove only one element E such that abs(E) = (A, n), abs(E ) = (A , n ), and from the stack at a time, we will use a number of auxiliary 0 E E0 τ(E,E ). Let nc = |P ∩ P \ Ca| be the number of configurations to simulate a change of state of Kripke struc- common elements in the relation P of E and E0 except for ture. 0 D0 0 constants from Ca. Let D be such that P is a sum of A , Formally, let B = {−b, . . . , b}, B+ = {0, . . . , b} and 0 0 any nc elements of D and n − nc − |A | elements that are PC = {A | A ⊆ Ca}. Below we define a pushdown system D 00 00 ∗ not in P or Ca. Then, for any Card-transition Φ defined P = (PC ∪ PC × B × B, ∅,B+, 0, τ , π ) and a CTL 0 00 00 0 0 by using the constants from Ca we have E,E |= Φ iff formula ϕ s.t. P |= ϕ iff K |= ϕ . D,D0 |= Φ. We represent a configuration of P of the form (q, α) as 0 0 Therefore, we have τ(D,D ); so D satisfies ψ1 and, (q, |α|−1). Since (q, 0) is represented by (q, 0), no ambiguity by the induction hypothesis, abs(D0) = (A0, n0) satisfies arises. 0 0 TCTL(ψ1). Since (A , n ) was an arbitrary successor of A configuration of the form (A, n) represents the state 0 0 abs(D), we conclude that K , abs(D) |= TCTL(ψ). (A, n) of K . A configurations of the form ((A, n, k), m) for |n| < b is an auxiliary configuration that represents an inter- 4.4 Model checking mediate state such that min(b, n + m) = k and that the state In view of the translation defined above we can now give the precedes the state (A, n + m) that will appear in n + 1 steps. algorithm that establishes Theorem 22. Similarly, a configuration of the form ((A, b, k), m) repre- sents the situation where the value stored in the stack can be * Algorithm Input: FOD, -artifact system S built on a increased by any number greater than or equal to b. Finally, a sa N configuration of the form ((A, −b, k), m) encodes the situa- unary relation, FO CTL formula ϕ. tion where the value stored in the stack can be decreased by Output:TRUE or FALSE. any number greater than or equal to b. 1. Transform the set of artifact transitions to the set of Card- Let add_one(m) = m.(min(m + 1, b)) where “.” stands transitions as described in Subsection 4.1. 00 for concatenation. Formally, τ contains the following rules. 2. Generate a finite representation of the Kripke structure K0 • ((A, b, k), m, (A, b, k), add_one(m)) for all possible and a CTL formula ϕ0 as described in Subsection 4.2. A, k, m. 3. Generate a pushdown system P and a CTL∗ formula ϕ00 • ((A, n, k), m, (A, n − 1, k), add_one(m)) for all n > 0 as defined in Subsection 4.3. and all possible A, k, m. 4. Return the result of model checking P against ϕ00. • ((A, n, k), m, (A, n + 1, k), ∅) for all n < 0 and all possi- ble A, k, m. The Algorithm above gives the proof of Theorem 22. No- tice that in the last step we employ the algorithm for model • ((A, −b, k), m, (A, −b, k), ∅) for all possible A, k, m. checking the whole of CTL∗; so it can also be applied against 0 0 0 0 ∗ • (A, nb, (A , n, nb), nb) for all (A, nb,A , nb, n) ∈ T . sentence atomic FO-CTL . • ((A, 0, n0 ), n0 , A, n0 ) and all possible A, n0 . An upper bound for the model checking problem of b b b b Theorem 22 can be established by observing that model Example 29. Assume that τ 0((∅, 4), ({7}, 3)) and checking pushdown systems against CTL∗ is 2EXPTIME- b = 2. The corresponding computation of P complete (Bozzelli 2007) and it is applied to a pushdown is (∅, 01222) → (({7}, −1, 2), 01222) → P P system exponential in the size of the input. (({7}, 0, 2), 0122) →P ({7}, 0122). For τ 0(({7}, 3), (∅, 6)), the corresponding compu- Corollary 31. The problem of model checking artifact sys- tation is: ({7}, 0122) →P ((∅, 2, 2), 0122) →P tems whose database consists of a single unary relation ∗ ((∅, 2, 2), 01222) →P ((∅, 1, 2), 012222) →P against sentence-atomic FO-CTL is in 3EXPTIME. ((∅, 0, 2), 0122222) →P (∅, 0122222). Finally, we define π00 as π00((A, n, k), m) = ∅ and 5 Conclusions 00 π (A, m) = A ∪ {e0, . . . , em}. Artifact-centric systems have been put been forward as a new Note that not all runs of P correspond to runs of K0. For paradigm in data-aware services and they are increasingly be- example, for b = 2 the run ing used as a user-oriented architecture upon which services (∅, 0) →P ((∅, 2, 2), 0) →P ((∅, 2, 2), 01) →P can be deployed. The issue of verification of artifact-centric ((∅, 2, 2), 012) →P ... continuously increases the stack and systems remains of paramount importance both at theoretical will never reach a state of the form (A, m). To avoid such and at practical level. runs, we add a fairness constraint by considering only the A number of classes of artifact-centric systems have been paths satisfying e0 infinitely often. proposed for which the verification problem is decidable. As To transform ϕ0 to a CTL∗ formula ϕ00, we define a func- discussed in the related work part of the introduction, a key tion T∗ by induction as follows. requirement made of all these system is boundedness of the T∗(p) = p, where p is a propositional variable systems’ executions. While it has been shown this can be ∗ ∗ imposed on the system at program level (Belardinelli, Lo- T (¬ψ) = ¬T (ψ) muscio, and Patrizi 2011), there remain classes of scenarios ∗ ∗ ∗ T (ψ1 ∨ ψ2) = T (ψ1) ∨ T (ψ2) whereby no bound can in principle be set either on the states ∗ ∗ T (AXψ) = A(GF e0 ⇒ ¬e0U(e0 ∧ T (ψ))) or the runs of the system. ∗ ∗ To explore the implications of this we have here addressed T (Aψ1Uψ2) = A(GF e0 ⇒ (e0 ⇒ T (ψ1))U ∗ the verification of unbounded artifact-centric systems against (e0 ∧ T (ψ2))) sentence-atomic FO-CTL specifications. Our results show ∗ ∗ T (Eψ1Uψ2) = E(GF e0 ∧ (e0 ⇒ T (ψ1))U that not only the problem is undecidable in general, but ∗ (e0 ∧ T (ψ2))) that it remains so even when admitting only the simple artifact-centric descriptions built on the logics CARL Consider ϕ00 = T∗(ϕ0). We have the following. D,N and CARL . 0 D,∅ Lemma 30. For an infinite Kripke structure K and a CTL While this points to a bleak picture for the verification 0 00 specification ϕ , let P and ϕ be the pushdown system and of unbounded systems in general terms, we were able to ∗ 0 0 the CTL specification defined as above. Then, K |= ϕ iff identify a class of unbounded systems for which verification 00 P |= ϕ . against sentence-atomic FO-CTL is decidable. This class is in The proof of the above lemma follows from the construc- a way “maximal” with respect to the relations in the database tion of P and ϕ00. schema. References Heath III, F. T.; Boaz, D.; Gupta, M.; Vaculín, R.; Sun, Y.; Alonso, G.; Casati, F.; Kuno, H. A.; and Machiraju, V. 2004. Hull, R.; and Limonad, L. 2013. Barcelona: A design and Web Services - Concepts, Architectures and Applications. runtime environment for declarative artifact-centric BPM. In Data-Centric Systems and Applications. Springer. Proceedings of the 11th International Conference on Service- Oriented Computing (ICSOC13), volume 8274 of Lecture Belardinelli, F., and Lomuscio, A. 2013. Decidability of Notes in Computer Science, 705–709. Springer. model checking non-uniform artifact-centric quantified in- terpreted systems. In Proceedings of the 23rd International Hopcroft, J. E., and Ullman, J. D. 1979. Introduction to Joint Conference on Artificail Intelligence (IJCAI’13), 725– Automata Theory, Languages, and Computation. Adison- 731. AAAI Press. Wesley Publishing Company. Belardinelli, F.; Lomuscio, A.; and Patrizi, F. 2011. Verifica- Hull, R.; Damaggio, E.; De Masellis, R.; Fournier, F.; Gupta, tion of Deployed Artifact Systems via Data Abstraction. In M.; Heath, III, F. T.; Hobson, S.; Linehan, M.; Maradugu, Proceedings of the 9th International Conference on Service- S.; Nigam, A.; Sukaviriya, P. N.; and Vaculin, R. 2011. Oriented Computing (ICSOC’11), volume 7200 of Lecture Business Artifacts with Guard-Stage-Milestone Lifecycles: Notes in Computer Science, 142–156. Springer. Managing Artifact Interactions with Conditions and Events. Belardinelli, F.; Lomuscio, A.; and Patrizi, F. 2012a. An In Proceedings of the 5th ACM International Conference on abstraction technique for the verification of artifact-centric Distributed Event-Based Systems (DEBS’11), 51–62. ACM. systems. In Proceedings of the 13th International Confer- Hull, R. 2008. Artifact-Centric Business Process Models: ence Principles of Knowledge Representation and Reasoning Brief Survey of Research Results and Challenges. In Pro- (KR12), 319–328. AAAI Press. ceedings of the 2008 Confederated International Conferences Belardinelli, F.; Lomuscio, A.; and Patrizi, F. 2012b. Veri- CoopIS, DOA, GADA, IS, and ODBASE, volume 5332 of Lec- fication of gsm-based artifact-centric systems through finite ture Notes in Computer Science, 1152–1163. Springer. abstraction. In Proceedings of the 10th International Confer- Minsky, M. 1967. Computation: finite and infinite machines. ence on Service Oriented Computing (ISCOC’12), volume Prentice-Hall. 7636 of Lecture Notes in Computer Science, 17–31. Springer. Bozzelli, L. 2007. Complexity results on branching-time pushdown model checking. Theoretical computer science 379(1):286–297. Clarke, E. M.; Grumberg, O.; and Peled, D. A. 1999. Model Checking. Cambridge, Massachusetts: The MIT Press. Cohn, D., and Hull, R. 2009. Business Artifacts: A Data- Centric Approach to Modeling Business Operations and Pro- cesses. IEEE Data Engineering Bulletin 32(3):3–9. Deutsch, A.; Hull, R.; Patrizi, F.; and Vianu, V. 2009. Auto- matic verification of data-centric business processes. In Pro- ceedings of the 12th International Conference on Database Theory (ICDT’09), volume 361 of ACM International Con- ference Proceeding Series, 252–267. ACM. Gonzalez, P.; Griesmayer, A.; and Lomuscio, A. 2012. Veri- fying GSM-based business artifacts. In Proceedings of the 19th International Conference on Web Services (ICWS’12), 25–32. IEEE Press. Grädel, E.; Kolaitis, P. G.; and Vardi, M. Y. 1997. On the decision problem for two-variable first-order logic. Bulletin of Symbolic Logic 3(1):53–69. Grädel, E. 1999. On the restraining power of guards. Journal of Symbolic Logic 64(4):1719–1742. Hariri, B. B.; Calvanese, D.; Giacomo, G. D.; Masellis, R. D.; and Felli, P. 2011. Foundations of relational artifacts verifi- cation. In Proceedings of the 9th Int. Conference on Business Process Management (BPM’11), volume 6896 of Lecture Notes in Computer Science, 379–395. Springer. Hariri, B. B.; Calvanese, D.; Montali, M.; Giacomo, G. D.; and Deutsch, A. 2013. Verification of relational data-centric dynamic systems with external services. In Proceedings of the 32nd Symposium on Principles of Database Systems (PODS’13), 163–174. ACM.