Powerpoint 2006 PRESENTATION The University of Auckland New Zealand Marsden Fund
A PVS Approach to Verifying ORA-SS Data Models
Scott Uk-Jin Lee (1), Gillian Dobbie (1), Jing Sun (1), Lindsay Groves (2)
(1) The University of Auckland
(2) Victoria University of Wellington, New Zealand
Outline
- Introduction
  - Motivation
  - ORA-SS
  - PVS
  - Objectives
- Verification criteria for ORA-SS diagrams
- Formal semantics of ORA-SS diagram concepts
- Formal verification of ORA-SS schema and instance diagrams
- Conclusion and future works
Motivation
Why do we want formal semantics and verification for semistructured data?
- The increase in the usage of semistructured data has led to the development of various database systems for semistructured data
- Database systems for semistructured data must optimize storage and utilize the data effectively while ensuring consistency of the data
- For the reasons above, algorithms and processes that transform data/schemas for semistructured data have been developed
- The developed algorithms or processes require verification to prove that they ensure the consistency of the data after the transformation
Object-Relationship-Attribute model for Semistructured data (ORA-SS)
[Figure: ORA-SS schema diagram of the running example. Object classes: department, home, course, student, tutor, hostel. Relationship types (name, degree, parent constraint, child constraint): sh, 2, 1:1, 1:m; dc, 2, 1:m, 1:1; cst, 3, 1:1, 1:m; ct, 2, 1:m, 1:m; cs, 2, 1:m, 1:8. Attributes: tNo, tName, degree, address, hName, roomNo, deptName, feedback, title, lab, examVenue, lectureTheatre, code, Dept Prefix, grade, sNo, sName, netID (of cs), course No. Legend: Object Class, Relationship Type, Attribute, Reference.]
Prototype Verification System (PVS)
Specification and verification system developed by SRI (Stanford Research Institute)
- Research prototype: evolving and improving continuously
- PVS provides highly expressive and natural specifications
- PVS contains type checkers, built-in theories and theorem provers used for verification
- Many applications have adopted PVS to provide formal verification support for their system properties
Objectives
[Figure: a semistructured data concept has a schema for an application (e.g. XML schema) and an instance for an application (e.g. XML); the instance is verified against the schema.]
1. Describe verification criteria for schema and instance of semistructured data using ORA-SS
2. Formally specify and verify the semantics of ORA-SS using PVS
ORA-SS Verification Criteria
[Figure: the ORA-SS schema diagram of the running example (object classes department, home, course, student, tutor, hostel; relationship types sh, 2, 1:1, 1:m; dc, 2, 1:m, 1:1; cst, 3, 1:1, 1:m; ct, 2, 1:m, 1:m; cs, 1:m, 1:8; attributes as on the ORA-SS slide) shown next to an instance diagram with sample values 3, cs, s1, …, 3 Long Dr., Orakei, 77, s1, …]
ORA-SS Schema Verification Criteria
ORA-SS Schema Verification Criteria:
- In a relationship type, the child object class must be related to either another object class or to a relationship type
- A disjunctive relationship type must have two or more child object classes
- A disjunctive or composite attribute must have two or more sub-attributes
- An object class can reference one object class only, but an object class can be referenced by multiple object classes
ORA-SS Instance Verification Criteria:
- Relationship instances must conform to the specified participation constraints
- The objects in a relationship instance should be instances of the object classes in the relationship type
- Attributes must conform to the specified cardinality constraints
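The instance criteria above can be checked mechanically on a concrete instance diagram. The following is an added Python example, not part of the authors' PVS development: it checks the first two instance criteria for a binary relationship, plus the requirement that different object classes have disjoint instance sets, on constructed sample data modelled on the cs relationship of the running example. The function names, MANY and the sample objects are assumptions of this example, and a participation constraint (min, max) is read as the number of relationship instances each object on that side takes part in.

```python
from typing import Dict, List, Set, Tuple

MANY = float("inf")               # the "m" in a participation constraint such as 1:m
Constraint = Tuple[int, float]    # (min, max) number of relationship instances per object

def obj_instances_disjoint(obj_instance: Dict[str, Set[str]]) -> bool:
    """Distinct object classes must have disjoint sets of instances."""
    classes = list(obj_instance)
    return all(obj_instance[a].isdisjoint(obj_instance[b])
               for i, a in enumerate(classes) for b in classes[i + 1:])

def verify_instances(obj_instance: Dict[str, Set[str]], rel: Tuple[str, str],
                     parent_c: Constraint, child_c: Constraint,
                     pairs: Set[Tuple[str, str]]) -> List[str]:
    """Instance criteria for a binary relationship rel = (parent OC, child OC)."""
    parent_oc, child_oc = rel
    errors: List[str] = []
    # Criterion: the objects in a relationship instance must be instances of
    # the object classes named in the relationship type.
    for p, c in sorted(pairs):
        if p not in obj_instance[parent_oc]:
            errors.append(f"{p} is not an instance of {parent_oc}")
        if c not in obj_instance[child_oc]:
            errors.append(f"{c} is not an instance of {child_oc}")
    # Criterion: every object on each side participates in min..max instances.
    for oc, idx, (lo, hi) in ((parent_oc, 0, parent_c), (child_oc, 1, child_c)):
        for obj in sorted(obj_instance[oc]):
            n = sum(1 for pair in pairs if pair[idx] == obj)
            if not lo <= n <= hi:
                hi_s = "m" if hi == MANY else str(int(hi))
                errors.append(f"{obj} ({oc}) participates in {n} instances, expected {lo}:{hi_s}")
    return errors

# Constructed instance data for the slides' cs relationship (parent course,
# child student) with parent constraint 1:m and child constraint 1:8.
OBJ_INSTANCE = {"course": {f"c{i}" for i in range(1, 10)},
                "student": {"s1", "s2", "s3"}}
CS_PAIRS = ({(f"c{i}", "s1") for i in range(1, 10)}    # s1 takes 9 courses: too many
            | {("c1", "s2"), ("c1", "t9")})             # t9 is not a student object

if __name__ == "__main__":
    for err in verify_instances(OBJ_INSTANCE, ("course", "student"),
                                (1, MANY), (1, 8), CS_PAIRS):
        print(err)
```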
General Structure of Formal Semantics and Verification of Semistructured Data
[Figure: boxes ORA-SS Schema Diagram and ORA-SS Instance Diagram feed, via arrows labelled "represent & verify", into Formal Specification of ORA-SS Schema and Formal Specification of ORA-SS Data; these are linked by arrows labelled "verify" to Formal Specification of ORA-SS Concepts, and the three specifications together make up the Formal Semantics of ORA-SS.]
Formal Semantics of ORA-SS: Basic Type
The basic types used in ORA-SS have been identified.

  OC: TYPE+          % object classes
  O: TYPE+           % objects
  ATT: TYPE+         % attributes
  ATTVALUE: TYPE+    % attribute values

Instance of Object Class
The object instance function takes an object class as its argument and returns the set of objects that are the instances of that object class. The axiom of the function states that any two different object classes have disjoint sets of objects as their instances.

  oc: VAR OC         % variable used in the declaration below
  objInstance(oc): set[O]

  objInstance_Ax: AXIOM
    FORALL (oc1, oc2: OC):
      oc1 /= oc2 IMPLIES disjoint?(objInstance(oc1), objInstance(oc2))
Formal Semantics of ORA-SS: Relationship Type
A relationship type is defined as a list of finite sets of object classes, constrained by the 'no_cycle_oc' function, which disallows repetition of object classes within a relationship. The axiom of the relationship states that object classes can be related to other object classes as well as to other relationships.

  loc: VAR list[finite_set[OC]]    % variable used by no_cycle_oc
  no_cycle_oc(loc): RECURSIVE bool =
    CASES loc OF
      null: TRUE,
      cons(ocs, subloc):
        (FORALL (subocs: finite_set[OC]):
           member(subocs, subloc) => disjoint?(ocs, subocs))
        AND no_cycle_oc(subloc)
    ENDCASES
    MEASURE length(loc)

  Relationship: TYPE =
    {ocsList: list[finite_set[OC]] |
       (ocsList /= null) AND (length(ocsList) > 1) AND no_cycle_oc(ocsList)}

  Relationship_Ax: AXIOM
    FORALL (rel: Relationship):
      (length(rel) > 2) => (EXISTS (subRel: Relationship): subRel = cdr(rel))
PVS Representation of ORA-SS Schema

  cs: Relationship = cons(singleton(student), cons(singleton(course), null))
  csDegree: CONJECTURE Degree(cs) = 3      % conjecture checked by the prover below
  csConstraint_Ax: AXIOM
    parentConstraints(cs) = (1, many) AND childConstraints(cs) = (1, 8)
  …
  examVenueSet: set[ATT] = {a: ATT | a = lectureTheatre OR a = lab}
  examVenueDisj: DisjunctiveAtt = (examVenue, examVenueSet)
  courseObjAtt2: ObjAttribute = (course, examVenue)
  courseObjAtt3: ObjAttribute = (course, title)
  …
  studentObjAtt1: ObjAttribute = (student, sNo)
  studentCandKey1: CandidateKey = (student, sNo)
  studentPrimKey1: PrimaryKey = (student, sNo)
  studentObjAtt2: ObjAttribute = (student, sName)
  studentPrimKey2: PrimaryKey = (student, sName)
  csRelAtt1: RelAttribute = (cs, grade)
  csRelAtt2: RelAttribute = (cs, netID)
  studentCandKey3: CandidateKey = (cs, netID)
  …
  tutorRef_Ax: AXIOM reference(tutor4student) = tutor

[Figure: fragment of the schema diagram with object classes course and student, relationship cs, 3, 1:m, 1:8, the attributes title, lab, examVenue, lectureTheatre, sNo, sName, grade, and the relationship attribute netID of cs.]
Formal Verification of ORA-SS Schema
A relationship having a candidate key is detected by the type checker. The error message indicates that the candidate key 'netID' is an invalid representation. This error is picked up immediately by the PVS type checker, since the defined PVS semantics for candidate keys only allow object classes to have a candidate key.

  Incompatible types for cs
    Found:    orass.Relationship
    Expected: orass.OC

An incorrect degree is detected by the theorem prover. The PVS theorem prover ends in an unprovable state:

  |-------
  2 = 3

This shows that the definition of the cs degree is incorrect unless the clause 2 = 3 can be proved. Thus the represented degree for relationship 'cs' is incorrect, since 2 can never equal 3.

[Figure: the same schema fragment (course, student, cs, 3, 1:m, 1:8, with attributes title, lab, examVenue, lectureTheatre, netID, sName, sNo, grade).]
Formal Verification of ORA-SS Schema
An incorrect primary key is detected by the theorem prover. The PVS theorem prover ends in an unprovable state when the unproved Type Correctness Condition (TCC) generated for the incorrect primary key is checked. This shows that the definition of 'sName' as a 'PrimaryKey' is only true if 'sName' is a candidate key of 'student'. But there is no axiom or specification stating that 'sName' is a candidate key of 'student'. Thus the primary key definition of 'sName' is verified to be incorrect.
[Figure: schema fragment with object class student, relationship cs, and attributes netID, sName, sNo, grade.]
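The three findings above (a candidate key on a relationship, a wrong degree, and a primary key with no candidate key), together with the Relationship type of the formal semantics, replayed as an added Python example; this is not the authors' PVS code. A relationship is a list of frozensets of object class names, mirroring list[finite_set[OC]]; the schema representation, function names and messages are assumptions of this example.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

OC = str
Relationship = List[FrozenSet[OC]]   # list[finite_set[OC]] as in the PVS theory

def no_cycle_oc(loc: Relationship) -> bool:
    """Port of the recursive no_cycle_oc: no object class may appear twice."""
    if not loc:
        return True
    ocs, subloc = loc[0], loc[1:]
    return all(ocs.isdisjoint(subocs) for subocs in subloc) and no_cycle_oc(subloc)

def is_relationship(loc: Relationship) -> bool:
    """The Relationship subtype predicate: non-null, length > 1, no repeats."""
    return len(loc) > 1 and no_cycle_oc(loc)

def degree(rel: Relationship) -> int:
    return len(rel)                  # Degree(rel) of the PVS theory

def verify_schema(object_classes: Set[OC], relationships: Dict[str, Relationship],
                  degree_conjectures: Dict[str, int],
                  candidate_keys: Set[Tuple[str, str]],
                  primary_keys: Set[Tuple[str, str]]) -> List[str]:
    """One message per failed check, mirroring the three PVS findings."""
    errors: List[str] = []
    for name, rel in relationships.items():
        if not is_relationship(rel):
            errors.append(f"{name}: not a well-formed Relationship")
    for name, conjectured in degree_conjectures.items():        # theorem prover
        actual = degree(relationships[name])
        if actual != conjectured:
            errors.append(f"{name}Degree: {actual} = {conjectured} is unprovable")
    for owner, att in sorted(candidate_keys):                    # type checker
        if owner not in object_classes:
            errors.append(f"CandidateKey ({owner}, {att}): found Relationship, expected OC")
    for owner, att in sorted(primary_keys):                      # TCC
        if (owner, att) not in candidate_keys:
            errors.append(f"PrimaryKey ({owner}, {att}): TCC unprovable, no CandidateKey")
    return errors

# Constructed fragment of the slides' schema, including the three deliberate
# errors (degree 3, netID as a candidate key of cs, sName as a primary key).
OBJECT_CLASSES = {"course", "student"}
RELATIONSHIPS = {"cs": [frozenset({"student"}), frozenset({"course"})]}
DEGREE_CONJECTURES = {"cs": 3}
CANDIDATE_KEYS = {("student", "sNo"), ("cs", "netID")}
PRIMARY_KEYS = {("student", "sNo"), ("student", "sName")}
```

Calling verify_schema on the constants yields exactly the three messages the type checker, prover and TCC produce on the slides.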
Conclusion
- Defined criteria for verifying the ORA-SS data model both at the schema and instance levels
- Represented the semantics of semistructured data in the PVS formal language
- Enhanced utilization of the ORA-SS data modeling language
- Provided semi-automated verification for semistructured data with guided proof steps
- Demonstrated that inconsistencies can be recognized both by a type checker and by a theorem prover
Future works
- Derive basic transformation operators that are used to transform ORA-SS schemas
- Provide formal specification and verification of the basic transformation operators
- Provide verification for transformed schemas of semistructured data
- Provide verification for algorithms and processes that transform schemas of semistructured data, such as normalization and views
Thank you!