Datalog As a Lingua Franca for Provenance Querying and Reasoning

Home , Numbers (season 1), Numbers (season 4), Numbers (season 5), Numbers (season 6), Provenance (Numbers)

Datalog as a Lingua Franca for Provenance Querying and Reasoning

Saumen Dey∗ Sven Kohler¨ ∗ Shawn Bowers† Bertram Ludascher¨ ∗

read1 write1 read2 write2 1 Introduction x Pa y Pb z read3 The Open Provenance Model (OPM) [20] provides a was-derived-from small, extensible core for representing and exchanging

provenance information in a technology-neutral manner. Fig. 2: z was-derived-from x. Does tread2 < twrite2 follow? By design, OPM is a least common denominator, leav- ing aside certain aspects, including how to query provenance information. Similarly, OPM comes with a set of from Figure1 that x was used by P before y was gener- inference rules (e.g., for transitively closing some rela- ated by P, i.e., that tread < twrite holds in our notation? tions, or for stating temporal constraints that are implied Again, the somewhat surprising answer is: No! For ex- by provenance assertions), but as pointed out by [15], ample, the use (reading) and generation (writing) of x the temporal semantics of OPM graphs is only partially and y by P are not necessarily the only things that hap- defined in [20], leading to ambiguous or incompletely pened. In particular, there might be another derivation of specified situations. y from x (which gave rise to the was-derived-from edge in the first place), making tread > twrite a real possibility.

read write x P y used gen-by Example 2. Consider the provenance graph in Figure2,

was-derived-from ?? asserting that z was-derived-from x. Does tread2 < twrite2 or tread3 < twrite2 follow? As before, if no further infor- Fig. 1: Do the observables x read→ P and P write→ y imply that mation is available, we cannot infer either proposition: we simply don’t know whether the path x.Pa.y.Pb.z or the y was-derived-from x? Or that tread < twrite holds? path x.Pb.z (or yet another one, not included in the figure) are the reason for the was-derived-from edge in Fig.2. Example 1. Consider the provenance graph in Figure1. The OPM semantics also handles this case correctly and In OPM, it shows a (data) artifact x that was used by does not imply that treadi < twrite j (for any i ≤ j). On the process P, and another artifact y that was-generated-by other hand, OPM also does not provide a means to spec- (short: gen-by) P. In the terminology used in the rest of ify when such inferences would indeed be correct, e.g., the paper, we say that the graph records a “read” and a in the common case where the result of a write is in fact read write directly dependent on an earlier read. “write” observable, denoted x → P and P → y, respectively. Given this information, it may seem natural to as- When employing OPM as a model for provenance sume that (1) y was-derived-from x (the dotted line), and recorded by a scientific workflow system [8], another that (2) the read event (tread) occurred before the write limitation becomes apparent: OPM only deals with event (twrite), i.e., tread < twrite. However, neither (1) nor retroactive provenance (the usual data lineage captured (2) are logical consequences of the provenance in Fig- in a trace graph T), but not with so-called prospective ure1, i.e., we cannot infer that y was-derived-from x! provenance2, i.e., workflow specifications W, which are Indeed, OPM correctly treats was-derived-from as a sep- recipes for future (and past) derivations [18]. These were arate observable, e.g., P might have written y first, then out of scope for OPM and, apparently, are also out of read x afterwards, and so we should not assume (and thus scope for current W3C standardization efforts [21]. not infer) that y was-derived-from x.1 On the other hand, it is easy to see that distinguishing If, on the other hand, the fact that y was-derived-from between traces T and workflows W (and then interpreting x has been (independently) asserted, can we then infer the former as instances of the latter) can provide valuable information and additional functionality for provenance ∗UC Davis, (scdey | svkoehler | ludaesch)@ucdavis.edu applications. †Gonzaga University, [email protected] 1If the computation P is a function or service call, then P indeed 2This “near-oxymoron” captures a practically useful notion: When first consumes all inputs, then produces all outputs. This assumption a scientist is asked to explain how a certain result was obtained, in the is often correct, but a process P is not necessarily limited to such strict absence of runtime traces, he can point to the script/workflow that was behavior and may interleave read/write events in many ways [13, 17]. used to generate the data products; so workflows are provenance, too. firing data Workflow W Y in write y read out constraint constraint B a read write b A in out x X in out in out X A Y B Z

in Fig. 3: Trace T (left) and workflow W (right). homomorphism h read Example 3. Consider the graphs in Figure3: executing read write read write workflow W, might have produced the trace T. In order x a y b z to validate T’s structure, i.e., to check whether T can be an instance of W, we link its nodes and edges to W: e.g., ≤f ≤d Trace T edges x read→ a and a write→ y in T (data x was read and data y was written by process invocation a), have correponding Fig. 4: Workflow W (top) vs Trace T (bottom): Traces edges X →in A and A out→ Y in W, linking data containers are associated to workflows, guaranteeing structural con- X and Y to the process (or: actor) A. Clearly, in order to sistency; workflow-level (firing or data) constraints in- validate T’s structure, we have to have a representation duce temporal constraints ≤f and ≤d on traces. of the workflow structure W in the first place. However, even if T is structurally valid w.r.t. W, other (here: temporal) inconsistencies may arise: The cycle in and in which way, they can be stateful; how they con- T indicates an inconsistent trace,3 but we cannot be sure sume their inputs, produce their outputs; and so on. As (for similar reasons as those in the previous examples). a result, different systems use different models of prove- On the other hand, the cycle in W is usually not a con- nance (MoPs), with different temporal semantics. Thus, cern: it simply means that W has a feedback loop, which instead of “hard-wiring” a fixed temporal semantics to is a rather common workflow pattern (cf. AppendixA). a particular graph-based MoP, we again use logic constraints to obtain a “customizable” temporal semantics. (3) We illustrate this concept by providing firing con- Overview and Contributions. We propose logic rules straints at the workflow level, which induce temporal as a formal foundation for graph-based, temporal models constraints ≤f at the level of traces (cf. Figure4). These of provenance, for querying provenance graphs (traces), temporal-constraint generating rules can be chosen to and for reasoning about traces and their connection to the conform to the temporal axioms in [15], or to accom- workflows that generated them. In particular, we argue modate a different temporal semantics, as implied by the that Datalog provides a “lingua franca” for provenance: MoC of a specific workflow or workflow system. (1) We adopt a semistructured data model, i.e., graphs Due to limited space, we only illustrate some of the ` with labeled edges x → y, as a uniform representation of many ways in which logic rules and Datalog can be har- all provenance information, i.e., traces (a` la OPM) and nessed for provenance querying and reasoning; a detailed associated workflows of which they are instances. This exposition is reserved for a long version of this paper. In allows us to employ regular path queries [3] as a con- the remainder, we give an overview of our approach and venient “macro-language” for concisely expressing gen- provide a few illustrative examples; additional examples eralized reachability queries on traces and workflows. and rules can be found in the appendix. By representing schema-level information (workflows) and instance-level information (traces) together in a single model, structural constraints can be expressed and 2 Unified Provenance Model checked easily using Datalog rules. (2) We propose to use integrity constraints, i.e., rules We would like to accommodate trace-level provenance 4 of the form falseic(Y¯ ) ← denial(X¯ ) as a way to express information, schema-level information (workflow speci- provenance semantics. Workflow systems differ in their fications), and temporal information in a single, uniform models of computation (MoCs) and thus make differ- representation. To this end, we employ an underlying ent assumptions about how workflow components (a.k.a. semistructured data model, which consists of labeled, di- actors, processors, modules, etc.) work, i.e., whether, rected graphs of the form G = (V,E,L), with vertices V, labels L, and labeled edges E ⊆ V ×L×V. In the follow- 3 If read and write observables are temporally or causally linked, a ing, we view workflows W and traces T as subgraphs of strict partial order is implied and a cycle shouldn’t have been observed. 4The rule body denial(X¯ ) specifies the “bad” situations to be G. Similarly, our temporal model will consist of labeled avoided; Y¯ ⊆ X¯ are witnesses of constraint violations. edges (modeling one or more “before” relations).

2 Workflows. A workflow W = (VW ,EW ,LW ) is a la- Temporal Model. We obtain a temporal semantics on beled graph whose nodes VW = C ∪P are data containers top of the graph-based model by using rules to define C and processes P. Processes are computational entities a “before” relation (e.g., ≤f and ≤d in Fig.4) amongst (often consisting of smaller internal steps, a.k.a. invoca- events. During workflow execution, the following events tions or firings) that can send and receive data. Contain- are observed: When a process is executed an invocation ers represent structures, e.g., FIFO queues, that hold data event is recorded, when a data artifact is read by an invo- during the communication between processes. In a work- cation a read event is recorded, and when an invocation flow W, edges EW = Ein ∪ Eout are either input edges writes a data artifact a write event is recorded. In the tem- Ein ⊆C×{in}×P, or output edges Eout ⊆ P×{out}×C, poral model we constrain the order of events: bf(E1,E2) so LW = {in,out}. We also write in(C,P) and out(P,C) to means that E1 happened before E2 and bfs(E1,E2) means in out denote edges C → P and P → C, respectively. The former that E1 happened before or simultaneously with E2. out means process P can read data artifacts from container A data-constraint between out-edges PA → CY and in- in C, while the latter means that process P can write data edges CY → PB of a data container CY at the workflow- artifacts to container C. level, implies an obvious temporal constraint at the trace- level: A write (creation) of data y must come before any Traces. A trace T = (VT ,ET ,LT ) is a labeled graph read of y (also see Figure4): whose nodes VT = D ∪ I are data artifacts D or process bf(write(I,D), read(D,J)) :− write(I,D), read(D,J). invocations I; edges ET = Eread ∪ Ewrite ∪ Edf are read Read, write, and derived-from edges in T capture edges Eread = D × {read} × I, write edges Ewrite = I × dataflow. This information gives rise to a temporal or- {write} × D, or derived-from edges Edf = D × {df} × D, der (“flow-time”) among events. We infer this tempo- so LT = {read,write,df}. The link between traces and workflows is established through homomorphisms: ral order and create the corresponding temporal relations bf and bfs using the rules described here (and in the ap- 0 0 0 0 Definition 1. Let G = (V,E,L) and G = (V ,E ,L ) be pendix). We make (safe) use of Skolem functions, e.g., labeled graphs, and let h = (h1,h2) be a pair of mappings to create unique identifiers, and to reify edges as nodes 0 0 h1 : V → V and h2 : L → L . Then h is a homomorphism of a temporal structure: e.g., the (unspecified) execution 0 from G to G if time of an invocation is represented by a term invoc(I). ` h2(`) 0 Before an invocation reads data, it must have started: (x → y) ∈ E implies (h1(x) → h1(y)) ∈ E . bfs(invoc(I), read(D,I)) :− read(D,I). The functions h and h map nodes and labels from 1 2 Similarly, a data artifact could not have been written G to corresponding ones in G0. The model described after an invocation has been completed: here associates read and write edges in T with in and bfs(write(I,D), invoc(I)) :− write(I,D). out edges in W, so h2 = {read7→in,write7→out}. The mapping h1 is usually given as part of a trace, i.e., when When a data artifact is written by a process invocation testing whether T is valid w.r.t. a workflow W, we do and read by another invocation, the former must not have not have to search for h. Instead, traces needing vali- started after the latter has completed: dation already have corresponding workflow annotations embedded within them: We use mappings cont: D → C bfs(invoc(I), invoc(J)) :− write(I,D), read(D,J). and proc: I → P to associate data items and process invo- When a data artifact is derived from another data arti- cations with data containers and processes, respectively. fact, the latter must have been written before the fomer: The following rules derive false iff trace T with workflow bf(write(J,Y), write(I,X)) :− df(X,Y), write(I,X), write(J,Y). mappings cont and proc are not a homomorphism: in falseHom(read(D,I),in(C,P)) :− A firing-constraint between in-edges CX → PA and out- read(D,I), cont(D,C), proc(I,P), ¬ in(C,P). out edges PA → CY of a process PA is defined via a relation false (write(I,D),out(P,C)) :− Hom fc(C ,P ,C ) write(I,D), cont(D,C), proc(I,P), ¬ out(P,C). X A Y . This constraint ensures that any invocation of process PA that reads data from container CX and that Thus, if false is empty, trace T is structurally-valid Hom writes into container CY has an associated temporal con- w.r.t. workflow W. Additional structural constraints for straint: the invocation output depends on the read input. traces can be easily defined in a similar manner: If a user-defined constraint is provided by fc(X,B,Z) as A write-conflict occurs when a data artifact has mul- shown in Figure4, then the bf(read(x,b),write(b,z)) tempo- tiple incoming write edges; a type-conflict occurs when ral relation at the trace-level can be infered: edges link nodes of the wrong type (e.g., directly linking bf(read(X,I), write(I,Y)) :− invocations, instead of going through data nodes). Rules fc(C1,P,C2), read(X,I), proc(I,P), for checking such constraints are listed in AppendixC. write(I,Y), cont(X,C1), cont(Y,C2).

3 Wall-Clock Time: In addition to temporal dependen- Acknowledgements. Work supported in part by NSF cies inferred from dataflow observables (“flow-time”), award OCI-0722079 and DOE award DE-FC02- a provenance recorder may record events with a wall- 07ER25811. clock timestamp. The observable time(E,T) means that event E was recorded with wall-clock time T. Wall-clock References time and flow-time constraints can combined to infer additional temporal information for a trace: [1]A CAR,U.,BUNEMAN, P., CHENEY,J.,VANDEN BUSSCHE, J.,KWASNIKOWSKA,N., AND VANSUMMEREN, S. A graph bf(E1, E2) :− time(E1, T1), time(E2, T2), T1 < T2. model of data and workflow provenance. In TaPP (2010). bfs(E1, E2) :− time(E1, T1), time(E2, T2), T1 ≤ T2. [2]B UNEMAN, P., KHANNA,S., AND WANG-CHIEW, T. Why and where: A characterization of data provenance. In ICDT (2001). [3]C ALVANESE,D.,DE GIACOMO,G.,LENZERINI,M., AND 3 Conclusions VARDI, M. Reasoning on regular path queries. ACM SIGMOD Record 32, 4 (2003), 83–92. The theory and practice of provenance are not always as [4]C HENEY, J. Causality and the semantics of provenance. Arxiv preprint arXiv:1004.3241 (2010). well aligned as one may wish for.5 The DBLP (databases [5]C HENEY,J.,AHMED,A., AND ACAR, U. Provenance as depen- & programming languages) community, among others, dency analysis. In DBPL (Vienna, Austria, 2007), LNCS 4797, has been advancing our understanding of fundamental pp. 138–152. principles of provenance, and notions such as Why, How, [6]C HENEY,J.,CHITICARIU,L., AND TAN, W. Provenance in and Where provenance [2,6], provenance semirings [11], databases: Why, how, and where. Foundations and Trends in provenance as proof-trees, dependencies, program slic- Databases 1, 4 (2009), 379–474. ing [5], relationships to causal reasoning [19,4], etc. [7]D ANTSIN,E.,EITER, T., GOTTLOB,G., AND VORONKOV,A. Complexity and expressive power of logic programming. ACM are slowly becoming more widely known and under- Computing Surveys 33, 3 (2001), 374–425. stood better. At the same time, the many practical ap- [8]D AVIDSON,S., AND FREIRE, J. Provenance and scientific work- plications of provenance have led practitioners and sys- flows: challenges and opportunities. In SIGMOD (2008). tem developers to move ahead rapidly with “provenance- [9]D IJKSTRA, E. W. Hamming’s exercise in sasl, 1981. EWD-792. enabling” their systems, proposing models, languages, [10]G OTTLOB,G.,GRADEL¨ ,E., AND VEITH, H. Datalog lite: and even W3C standards. As a contribution to further A deductive query language with linear time model checking. grow the connections between theory and practice of TOCL 3, 1 (2002), 42–79. provenance [1], we have proposed to use logic rules, and [11]G REEN, T., KARVOUNARAKIS,G., AND TANNEN, V. Prove- nance semirings. In PODS (2007), pp. 31–40. Datalog in particular for querying provenance, checking [12]H EMMENDINGER, D. The “hamming problem” in prolog. ACM structural constraints (e.g., whether a trace is valid, i.e., SIGPLAN Notices 23, 4 (1988), 81–86. homomorph to its associated workflow), and specifying [13]K AHN, G. The semantics of a simple language for parallel pro- temporal constraints. gramming. IFIP 74 (1974), 471–475. Datalog seems particularly well-suited as a “lingua [14]K OHLER¨ ,S.,LUDASCHER¨ ,B., AND SMARAGDAKIS, Y. franca” and bridge between theory and practice: On the Declarative datalog debugging for mere mortals. submitted, one hand, there is a rich body of research and formal 2012. results about the complexity and expressiveness of Dat- [15]K WASNIKOWSKA,N.,MOREAU,L., AND VANDEN BUSSCHE, J. A formal account of the open provenance model. Tech. Rep. alog and numerous fragments or extensions [7]. Queries 21819, University of Southampton, December 2010. on labeled graphs are well supported, e.g., regular path [16]L AUSEN,G.,LUDASCHER¨ ,B., AND MAY, W. On active deduc- queries have a direct encoding in Datalog, and theoreti- tive databases: The statelog approach. Transactions and Change cal results on query containment and view-based query in Logic Databases (1998), 69–106. processing [3] can be exploited in various ways. Simi- [17]L EE,E., AND PARKS, T. Dataflow process networks. Proceed- larly, Datalog variants such as Statelog [16] or Datalog- ings of the IEEE 83, 5 (1995), 773–801. LITE [10] provide means to naturally express temporal [18]L IM,C.,LU,S.,CHEBOTKO,A., AND FOTOUHI, F. Prospec- tive and retrospective provenance collection in scientific work- queries over provenance graphs. From a practitioner’s flow environments. In Services Computing (SCC) (2010). point of view, Datalog is also attractive: powerful Dat- [19]M ELIOU,A.,GATTERBAUER, W., HALPERN,J.,KOCH,C., alog engines are available for experimentation with rule MOORE,K., AND SUCIU, D. Causality in databases. IEEE sets (e.g., to test and compare different provenance se- Data Eng. Bull 33, 3 (2010), 59–67. mantics, to query and debug programs [14] etc.), and can [20]M OREAU,L.,CLIFFORD,B.,FREIRE,J.,FUTRELLE,J.,GIL, be used to deploy provenance querying and reasoning Y., GROTH, P., KWASNIKOWSKA,N.,MILES,S.,MISSIER, P., MYERS,J., ETAL. The open provenance model core specifica- systems. Datalog prototypes for our approach are under tion (v1.1). Future Generation Computer Systems 27, 6 (2011), development and can be demonstrated at the workshop. 743–756. [21] W3C. Provenance working group. http://www.w3.org/ 5In theory, there is no difference between theory and practice. But 2011/prov/. accessed 4/9/2012. in practice, there is.

4 A Hamming Workﬂow Variants s2:1 1

m1:1 1 To illustrate the earlier definitions of this paper, we use s3:1 1 two variants of a workflow to compute the Hamming 6 i j k numbers H = {2 ·3 ·5 | i, j,k ≥ 0} incrementally, i.e., m2:1 1 s5:1 1 as an ordered sequence 1,2,3,4,5,6,8,9,10,12,15,... Two workflow variants H1 and H3 are shown in Fig.5. Note that the workflow graphs contain the same nodes x2:1 2 s2:2 2 (processes and containers), but are wired slightly differ- m1:2 2 ently (as it turns out, this makes a big difference). The x3:1 3 s3:2 3 data containers Qi are queues (FIFO buffers); Q8 is the m2:2 2 distinguished output, where the Hamming numbers will x5:1 5 s5:2 5 appear in the correct order. M1 and M2 are merge actors, i.e., processes which take two ordered input sequences and merge them into an ordered output sequence. If pre- x2:2 4 s2:3 4 m1:3 3 m2:3 3 sented with the same item in both streams, the output

stream will only contain one copy of the element, so du- x3:2 6 s3:3 6 m1:4 4 m2:4 4 plicates are removed. The actors X2, X3, and X5 multiply their inputs with 2, 3, and 5, respectively. Last not least, x5:2 10 s5:3 10 the sample-delay actors S2, S3, S5 are used “to prime the pump”: initially (i.e., before reading any input), they output the number 1 to get the loop(s) going. Subsequently, x2:3 6 s2:4 6 m1:5 6 m2:5 5 they simply output whatever they received as an input. x3:3 9 s3:4 9 By design, the Hamming workflows H1 and H3 define an infinite output stream, i.e., the processes “run forever”. x5:3 15 s5:4 15

X2 Q1 S2 Q4 Fig. 6: Excerpt of a Hamming workﬂow trace TH containing solid (black) and dashed (red) edges: This trace is homomorph M1 Q7 X3 Q2 S3 Q5 to H1 in Fig. 5(a) but it is not homomorph to H3 in Fig. 5(b) since the dashed (red) edges in TH cannot be mapped to corre- M2 Q8 X5 Q3 S5 Q6 sponding edges in H3.

(a) Hamming workﬂow H1: “one loop” variant H1 of the Hamming workﬂow in Figure 5(a) can be es-

X2 Q1 S2 Q4 tablished. However, when attempting to ﬁnd a homomorphism between the same trace and the 3-loop variant H3 M1 Q7 in Figure 5(b), corresponding in-edges cannot be found X3 Q2 S3 Q5 for the dashed (red) read-edges in Figure6. Note that the M2 Q8 “bad” (missing) edges can be found automatically with X5 Q3 S5 Q6 the Datalog (denial) rules for falseHom in Section2.

(b) Hamming workflow H3: “three loops” variant A.2 User-Defined Provenance Queries Fig. 5: Workflow variants H , H ; output queue is Q . 1 3 8 Our unified provenance model can easily be queried further using Datalog. For example, a user might want to know the lineage of a particular Hamming number (i.e., A.1 Structural Validity which other Hamming numbers “went into it”), or how many duplicates were derived in their particular work- Figure6 shows a (partial) trace TH , i.e., for computing the Hamming numbers n ≤ 15.7 In order to test if a trace flow variant, etc. The dependencies between data items T is structurally-valid w.r.t. a workflow W, we check if can be obtained by focusing on the read/write observ- there is a homomorphism from T to W. Here, a homo- ables of certain processes P: morphism between TH , in Figure6 and the 1-loop variant q(D1,P,D2) :− read(D1,I), write(I,D2), proc(I,P), focus(P).

6a.k.a. regular numbers; see [9, 12] for details Here, focus is a user-deﬁned predicate to limit query 7Fig.7 shows user-deﬁned trace-views for n ≤ 1000. answers to processes of interest, e.g., we may focus on

5 x2+ 512 256 768 384 16 128 640 x2+ x2+ x2+ 192 576 x2+.x3+ 64 320 960 x2+ 288 864 x2+ 8 x2+ x3+ 96 480 32 x2+ 4 160 800 x2+ x2+.x3+

144 432 x2+.x3+ x3+ 24 48 240 720 x2+ 16 2 80 400 x2+.x3+ x5+ 12 216 648 x2+ 256 512 64 128 x3+ 72 360 x2+.x3+ 640 32 160 320 768 x2+ 24 120 600 384 8 x3+ 16 80 96 192 x2+ x2+ 40 200 1000 960 40 48 400 800 324 972 8 108 24 200 240 480 576 540 20 100 120 600 288 36 180 x2+.x3+ 6 x3+ 4 900 1 x2+ 864 12 60 300 12 60 500 144 720 x3+ x5+ 4 2 10 50 250 300 1000 432 20 100 500 486 3 x2+ 1 5 25 125 625 72 360 162 x2+.x3+ 810 54 270 6 30 150 750 x3+ 3 x2+.x3+ 18 15 75 375 180 900 18 90 450 x5+ 36 450 216 6 30 150 750 18 2 x3+ x3+ x2+ 9 90 108 540 10 50 250 243 729 45 648 81 405 x5+ 9 x3+ 225 270 27 324 54 675 27 135 675 972 27 810 135 162 9 45 225 x3+ 486 1 3 81 405 15 75 375 x5+ 10 x2+ 20 5 x2+ 243 729 25 125 625 x2+ x3+

5 (a) (b) x3+

x2+ 15 30

x5+ x2+.x3+

Fig. 7: User-deﬁned provenance for Hamming numbers x5+ up to 1000: (a) for H1 (“Fish”) and (b) for H3 (“Sail”) 25 x2+.x3+.x5+

+ + + X2, X3, and X5. Thus, tuples in the answer relation q Fig. 8: Result of regular path query x2 · x3 · x5 on a subset p of the Hamming graph (for nodes N ≤ 30) in Fig. 7(a). Solid can be viewed as edges d1 → d2, linking data items to each other, with the label p denoting the process (multi- edges have labels R1 · R2 (blue: intermediate results; bold, red: + plication factor) involved. Figure7 shows the resulting final results), while dashed edges have labels R . Base edges graph structure8 for a trace containing the computation x2,x3, and x5 are omitted here. of Hamming numbers up to 1000. Edge labels are represented via colors (here: green, red, and blue are used to as well as R+ (transitive closure), R∗ (reflexive transitive represent labels “x2”, “x3”, and “x5”, respectively). closure), etc. A number of additional operations can be One can clearly see on the in-degree of nodes that in defined, e.g., R? (optional edge), (any label), Rc (com- Fig. 7(a) many Hamming numbers are produced in mul- plement of R), etc. On labeled graphs, also R− (inverse tiple ways, i.e., the custom-provenance graph is a DAG. edge direction) is common. It is easy to see that RPQs In contrast, Hamming numbers in H3 are produced by can be easily expresses in Datalog: e.g., for R · R0, R | R0, one path only without unnecessary duplicates as can be and R+, the rules are (similarly for other expressions): seen in Fig. 7(b), i.e., this graph is a tree. g(X,R1 conc R2,Y) :− conc(R1,R2, R1 conc R2), g(X,R1,Z), g(Z,R2,Y). B Regular Path Queries g(X,R1 or R2,Y) :− or(R1, , R1 or R2), g(X,R1,Y). Our unified provenance model in Section2 is based on g(X,R1 or R2,Y) :− or( ,R2, R1 or R2), a semistructured data model, i.e., all information is rep- g(X,R2,Y). resented using a labeled, directed graph G = (V,E,L). g(X,R plus,Y) :− plus(R, R plus), Edges in this graph can be represented as triples g(x,`,y), g(X,R,Y). where nodes x,y ∈V are connected via an `-labeled edge. g(X,R plus,Y) :− plus(R, R plus), g(X,R,Z), A standard method to query such graphs is using reg- g(Z,R plus,Y). ular path queries (RPQ) [3]. Let Σ = {`1,...,`n} be a set of base labels (here: Σ = L). Regular expressions over Σ The relations conc, or, and plus in the body can be defined, are built in the usual way: if R,R0 are regular expressions, e.g., using Skolem functions as follows: 0 0 then so are R | R (alternation) and R · R (concatenation), conc(R1, R2, R3) :− R3 = f conc(R1,R2). or(R1, R2, R3) :− R3 = f or(R1,R2). 8Nodes are not intended to be readable, but if desired can be plus(R1, R2) :− R2 = f plus(R1). zoomed-into in the PDF version.

6 However, these rules are not safe under the standard C Further Examples bottom-up Datalog evaluation procedure9, so instead we create a finite set of facts, consisting only of the subex- In the remainder, we present some further examples and pressions of a given user query R. For example consider rules, to illustrate our definitions in earlier sections. In the RPQ expression R = (x2+ · x3+) · x5+. The bold, red our integrity constraint rules we employ the following relation in Fig.8 shows the answer to the query: auxilliary view for transitive dependencies: ans(X,R,Y) :− g(X,R,Y), X ≤ 30, Y ≤ 30, derived(R). dep(X,Y) :− read(X,Y). dep(X,Y) :− write(X,Y). where derived is defined as: tcdep(X,Y) :− dep(X,Y). derived(R) :− conc( , ,R). tcdep(X,Y) :− tcdep(X,Z), tcdep(Z,Y). derived(R) :− or( , ,R). derived(R) :− plus( ,R). cycle(X,Y) :−tcdep(X,Y), tcdep(Y,X), ¬ X=Y.

and where the facts in conc and plus are obtained via the subexpressions of the top-level user query: C.1 Structural Integrity Constraints conc((’x2+).(x3+)’, ’x5+’, ’((x2+).(x3+)).x5+’). conc(’x2+’, ’x3+’, ’(x2+).(x3+)’). We compute the processes involved in a write-conﬂict using the following rule: plus(’x2’, ’x2+’). plus(’x3’, ’x3+’). falsewc(X,Y) :− plus(’x5’, ’x5+’). write(X,D), write(Y,D), ¬ X=Y. We compute type-conﬂict using the rule:

Hamming Workflow Revisited. Consider again the falsetc(X,Y) :− Hamming workflow variants in Fig.5 and the resulting dep(X,Y), cont(X,C1), cont(Y,C2). user-defined provenance graphs in Fig.7. It is easy to see falsetc(X,Y) :− dep(X,Y), proc(X,P1), proc(Y,P2). that the “Sail” variant in Fig. 7(b) produces only paths that match the RPQ x2∗ · x3∗ · x5∗, whereas the more re- dundant “Fish” variant in Fig. 7(a) contains paths that C.2 Temporal Integrity Constraints match (x2 | x3 | x5)∗. In this way, RPQs can be used to query and inspect the structure of provenance graphs. An invocation must have started in order to read a data Note that via the construction outlined above, we can artifact: view RPQs as syntactic sugar for Datalog queries and falserbi(D, I) :− freely mix them with other Datalog rules, including tem- bf(read(D,I), invoc(I)). poral queries in the style of Datalog-LITE [10]. A write event must occur while the invocation is still executing:

falseibw(I, D) :− bf(invoc(I), write(I,D)). A dependent data must not be written before the write event of the data artifact on which it is dependent on:

falsedbd(X,Y) :− df(X,Y), bf(write(I,X), write(J,Y)). When two nodes of a read event are in cycle, then data artifact must not be read before the invocation. When two nodes of a write event are in cycle, then invocation must not be completed before the write:

falsecdt(X,Y) :− cycle(X,Y), bf(read(X,Y), invoc(Y)). falsecdt(X,Y) :− cycle(X,Y), bf(invoc(X), write(X,Y)).

9The usual top-down SLD-resolution of Prolog can handle such rules, however would in turn not be safe for the recursive RPQ rules.