
Model Checking Unbounded Artifact-Centric Systems

Alessio Lomuscio and Jakub Michaliszyn
Department of Computing, Imperial College London, UK

Abstract

Artifact-centric systems are a recent paradigm for representing and implementing business processes. We present further results on the verification problem of artifact-centric systems specified by means of FO-CTL specifications. While the general problem is known to be undecidable, results in the literature prove decidability for artifact systems with infinite domains under boundedness and conditions such as uniformity. We here follow a different approach and investigate the general case with infinite domains. We show decidability of the model checking problem for the class of artifact-centric systems whose database schemas consist of a single unary relation, and we show that the problem is undecidable if artifact systems are defined by using one binary relation or two unary relations.

1 Introduction

Artifact-centric systems (ACS) have been put forward as a framework for reasoning about and implementing data-aware business processes (Alonso et al. 2004; Hull 2008; Hull et al. 2011). Artifacts are constructs consisting of data and lifecycles. The data component is given by means of a relational database, i.e., a set of finite relations with fixed schema. The lifecycles describe how the artifacts may interact and evolve over time.

ACS can be programmed via the Guard-Stage-Milestone (GSM) language (Hull et al. 2011). The iHub (Heath III et al. 2013) is a production and execution suite for ACS implemented in GSM. Both GSM and the iHub are designed to help stakeholders encode business interactions intuitively and efficiently.

A problem that naturally arises is whether ACS are correct against specifications. GSMC, a model checking tool for GSM systems, has recently been put forward (Gonzalez, Griesmayer, and Lomuscio 2012) to assess this problem. While GSMC has shown considerable promise, verifying GSM programs via model checking remains highly problematic. Classical techniques based on model checking (Clarke, Grumberg, and Peled 1999) are typically insufficient as they normally tackle finite-state systems. Yet artifacts exhibit infinitely many different possible configurations. It is therefore important to establish at a fundamental level under what conditions an artifact system can actually be verified.

The verification problem for ACS specified by quantified temporal specifications is known to be undecidable (Deutsch et al. 2009; Hariri et al. 2011; Belardinelli, Lomuscio, and Patrizi 2011) and considerable research has gone into the exploration of decidable fragments.

Contribution. In this paper we explore novel boundaries in the decidability conditions for the model checking problem of ACS against quantified, temporal specifications. While much of the recent work has focused on the identification of relational properties on the generated models for complete and decidable abstraction procedures, an alternative avenue of investigation consists in considering classes of specifications for the artifacts' transitions. To this end, we here define the logic CARL which we use to model the artifacts' lifecycles. By using CARL to model the artifacts' evolutions, we can express Boolean combinations of the basic relational properties: "check that the relation is empty", "add one arbitrary element to the relation", "remove one arbitrary element", and "leave the relation unchanged". We show that model checking ACS described via CARL against reachability specifications is undecidable, thereby providing further insights on the difficulty of verifying data-aware systems.

We then focus on restricting the database schema appearing in the ACS. We show that the model checking problem remains undecidable if the schema contains either one relation of arity greater than one, or at least two arbitrary relations. Our undecidability proofs involve the encoding of two-counter machines (Minsky 1967).

Finally, we show that the model checking problem is decidable if we consider only artifacts whose schema consists of a single unary relation and sentence-atomic temporal specifications. We prove this result in three steps. Firstly, we study the expressive power of first-order logic over unary relations using Ehrenfeucht-Fraïssé games. Then, we show how to transform an ACS and a specification into an infinite Kripke structure and a CTL specification. Finally, we prove that the resulting infinite Kripke structure can be encoded as a pushdown system. We then define a CTL* specification that the pushdown system satisfies if and only if the ACS satisfies the original FO-CTL specification. Since the former problem is decidable (Bozzelli 2007), we conclude that the latter is decidable as well.

Copyright © 2014, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

Related Work. Previous research on verifying artifact-centric systems has focused on abstraction techniques where semantical conditions such as "uniformity" and "weak acyclicity" are shown to guarantee decidability under the assumption that systems are bounded, i.e., either the states or the runs do not contain more than a given number of predicates (Belardinelli, Lomuscio, and Patrizi 2012b; Hariri et al. 2013). Differently from these approaches, the investigation here presented makes no assumption on the boundedness of the artifact systems to be studied.

Model checking artifact-centric systems against a quantified version of LTL was studied in (Deutsch et al. 2009). It was shown that the problem is generally undecidable, but becomes decidable if one considers guarded artifact systems and guarded specifications, a form of quantification where no variables appear free in a temporal context. A PSPACE model checking algorithm for fixed-arity schemas is also shown in (Deutsch et al. 2009). While the results presented are positive, compared to the classes of artifacts studied here, the expressivity of the fragment studied is limited.

More recently (Hariri et al. 2013) presented results on the model checking problem against specifications given in the first-order extension of the µ-calculus. The problem is undecidable in this setting; however, it is shown that by adding additional restrictions, including forbidding fresh, unbounded data along a run, the problem is decidable. Also in that line, and differently from this paper, systems are assumed to be bounded and sufficient conditions based on acyclicity for boundedness are established.

While all results above focus on complete procedures, in recent work (Belardinelli and Lomuscio 2013) partial model checking procedures against the universal fragment of FO-CTL have been explored. Differently from (Belardinelli, Lomuscio, and Patrizi 2012b) these are given for bounded but possibly non-uniform artifact-centric systems. Conversely, the results established in this paper concern unbounded, but uniform systems.

Scheme of the paper. In Section 2 we provide the background on ACS and relevant concepts, and we define the model checking problem. We observe that the problem is generally undecidable. In Section 3 we investigate the implications of restricting the database schemas and the expressive power of the language used to model the artifacts' lifecycles. We show that under various restrictions the problem remains undecidable. In Section 4 we characterise a scenario in which the model checking problem is decidable and explore its complexity. Taken together, the results in the two sections show that the conditions we identify can be interpreted as being maximal for decidability. We conclude in Section 5.

2 Verifying Artifact Systems

... and a set of artifact transitions, which account for the artifact data models and the artifact lifecycles, respectively.

Definition 1 (Database schema). A database schema is a set $\mathcal{D} = \{P_1/a_1, \ldots, P_n/a_n\}$ of relation (or predicate) symbols $P_i$, each associated with its arity $a_i \in \mathbb{N}$.

Definition 2 (Database interpretation). Given a database schema $\mathcal{D}$, a $\mathcal{D}$-interpretation (or $\mathcal{D}$-instance) over a countable interpretation domain $U$ is a mapping $D$ associating each relation symbol $P_i$ with a finite $a_i$-ary relation over $U$, i.e., $D(P_i) \subseteq U^{a_i}$.

The set of all $\mathcal{D}$-interpretations over a given domain $U$ is denoted by $\mathcal{I}_{\mathcal{D}}(U)$. The active domain of $D$, $adom(D)$, is the set of all $U$-elements occurring in some tuple of some predicate interpretation $D(P_i)$.

2.1 Artifact systems

To model transitions between states of the underlying databases, we use unprimed and primed relational symbols from $\mathcal{D}$, which refer to relations in the current and the successor state, respectively. Intuitively, given two states (i.e., two $\mathcal{D}$-interpretations) $D$ and $D'$, the operator $\oplus$ constructs a new "joint" interpretation $D \oplus D'$, interpreting unprimed relational symbols in $D$, and primed ones in $D'$.

As we study artifact systems whose transitions are described by various logics, below we introduce the notion of an artifact system over a logic $\mathcal{L}_{\mathcal{D}}$.

Definition 3 ($\mathcal{L}_{\mathcal{D}}$-artifact system). An $\mathcal{L}_{\mathcal{D}}$-artifact system is a tuple $S = \langle \mathcal{D}, U, D_0, T \rangle$, where:
• $\mathcal{D} = \{P_1/a_1, \ldots, P_n/a_n\}$ is a database schema;
• $U$ is a countable interpretation domain;
• $D_0$ is an initial database instance;
• $T$ is a finite set of sentences of the logic $\mathcal{L}_{\mathcal{D}}$, called artifact transitions.

In the definition above we assume that the sentences of the logic $\mathcal{L}_{\mathcal{D}}$ state properties of $D \oplus D'$, i.e., the notion "$D \oplus D' \models \Phi$" is defined for every sentence $\Phi$ of $\mathcal{L}_{\mathcal{D}}$.

The semantics of an artifact system is given in terms of its possible executions, captured by a Kripke structure, whose states are instances of the database schema and whose transitions correspond to executions of artifact transitions.

Definition 4 (Kripke structures). A Kripke structure is a tuple $K = \langle \Sigma, D_0, \tau, \pi \rangle$, where $\Sigma$ is the set of states; $D_0 \in \Sigma$ is the initial state; $\tau \subseteq \Sigma \times \Sigma$ is the transition relation; $\pi$ is the labelling function.

For convenience, we assume a single initial state, but all the results presented below also hold if we allow any finite number of initial states.
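The following is an added example, not code from the paper, making Definitions 1 to 4 concrete for the schema the paper proves decidable: a single unary relation $P/1$ over a countable domain $U = \mathbb{N}$. Interpretations are maps from symbols to finite sets of tuples, the $\oplus$ operator builds the joint interpretation with primed symbols, and artifact transitions are Python predicates over $D \oplus D'$ built from the four basic relational properties the paper lists for CARL. The transition set $T$, the initial instance $D_0$, the labelling function $\pi$ (a fixed list of named sentences), and the use of one canonical fresh element to stand in for all of $U \setminus adom(D)$ are assumptions of this example. Unfolding the Kripke structure shows why classical finite-state model checking is insufficient here: the reachable set $\Sigma$ keeps growing with the depth of the unfolding.

```python
"""Definitions 1-4 for a single unary relation (added example, not the paper's code)."""
from collections import deque
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Rel = FrozenSet[Tuple[int, ...]]
Interp = Dict[str, Rel]               # Definition 2: symbol -> finite relation over U
State = Tuple[Tuple[str, Rel], ...]   # hashable form of an Interp, used as a Kripke state

SCHEMA: Dict[str, int] = {"P": 1}     # Definition 1 (constructed): one unary relation P/1


def freeze(d: Interp) -> State:
    return tuple(sorted(d.items()))


def adom(d: Interp) -> Set[int]:
    """Active domain: every element of U that occurs in some tuple of some relation."""
    return {x for rel in d.values() for t in rel for x in t}


def joint(d: Interp, d_next: Interp) -> Interp:
    """The (+) operator: unprimed symbols are read from D, primed symbols from D'."""
    j = dict(d)
    j.update({p + "'": rel for p, rel in d_next.items()})
    return j


# The four basic relational properties for P, as sentences over D (+) D'.
def is_empty(j: Interp) -> bool:
    return not j["P"]


def adds_one(j: Interp) -> bool:
    return j["P"] <= j["P'"] and len(j["P'"] - j["P"]) == 1


def removes_one(j: Interp) -> bool:
    return j["P'"] <= j["P"] and len(j["P"] - j["P'"]) == 1


def unchanged(j: Interp) -> bool:
    return j["P"] == j["P'"]


# Definition 3, T (constructed): Boolean combinations of the basic properties.
TRANSITIONS: List[Callable[[Interp], bool]] = [
    adds_one,                                        # grow P by one arbitrary element
    lambda j: (not is_empty(j)) and removes_one(j),  # shrink P, but only if non-empty
    lambda j: is_empty(j) and unchanged(j),          # idle step allowed only when empty
]


def candidates(d: Interp) -> List[Interp]:
    """Interpretations differing from d in one relation by at most one tuple.
    Assumption: one canonical fresh element (smallest natural number outside
    adom(d)) represents every element of U not yet in the active domain."""
    dom = adom(d)
    fresh = next(i for i in range(len(dom) + 1) if i not in dom)
    pool = sorted(dom | {fresh})
    out = [dict(d)]
    for p, arity in SCHEMA.items():
        for t in d[p]:
            out.append({**d, p: d[p] - {t}})
        for t in product(pool, repeat=arity):
            if t not in d[p]:
                out.append({**d, p: d[p] | {t}})
    return out


def successors(d: Interp) -> List[Interp]:
    """(D, D') is in tau iff some artifact transition phi in T holds on D (+) D'."""
    return [c for c in candidates(d) if any(phi(joint(d, c)) for phi in TRANSITIONS)]


def unfold(d0: Interp, depth: int) -> Tuple[Set[State], Set[Tuple[State, State]]]:
    """Breadth-first prefix (Sigma, tau) of the Kripke structure K up to `depth` steps."""
    states, tau = {freeze(d0)}, set()
    frontier = deque([(d0, 0)])
    while frontier:
        d, k = frontier.popleft()
        if k == depth:
            continue
        for nxt in successors(d):
            s = freeze(nxt)
            tau.add((freeze(d), s))
            if s not in states:
                states.add(s)
                frontier.append((nxt, k + 1))
    return states, tau


# Labelling pi (assumed): a state carries the names of the FO sentences true in it.
ATOMS: Dict[str, Callable[[Interp], bool]] = {
    "empty": lambda d: not d["P"],
    "at_least_two": lambda d: len(d["P"]) >= 2,
}


def label(d: Interp) -> FrozenSet[str]:
    return frozenset(name for name, phi in ATOMS.items() if phi(d))


def max_size(states: Set[State]) -> int:
    """Largest |P| among the given states; grows with the unfolding depth."""
    return max(len(dict(s)["P"]) for s in states)


if __name__ == "__main__":
    d0: Interp = {"P": frozenset()}   # D0 (constructed): P initially empty
    for depth in (1, 3, 6):
        sigma, tau = unfold(d0, depth)
        print(f"depth={depth}: |Sigma|={len(sigma)} |tau|={len(tau)} max|P|={max_size(sigma)}")
```

Because `adds_one` can always pick a fresh element, every unfolding depth $k$ reaches a state with $|P| = k$, so no finite prefix captures $\Sigma$; the paper's decidability result for this schema rests on the observation that first-order sentences over a unary relation cannot distinguish which elements are in $P$, only how many, which is what its Ehrenfeucht-Fraïssé and pushdown-system encoding exploit.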