Data-driven work ows, of which IBM's Business Artifacts are a prime exponent, have been successfully deployed in practice, adopted in industrial standards, and have spawned a rich body of research in academia, focused primarily on static analysis. The present research bridges the gap between the theory and practice of artifact veri cation by studying the implementation of a full- edged and e cient artifact veri er for a variant of the Hierarchical Artifact System (HAS) model presented in [9]. With a family of specialized optimizations to the classic Karp-Miller algorithm, our veri er performs >10x faster than a nontrivial Spin-based baseline on real-world work ows and is scalable to large synthetic work ows.
The past decade has witnessed the evolution of
workow speci cation frameworks from the traditional
processcentric approach towards data-awareness. Process-centric
formalisms focus on control ow while under-specifying the
underlying data and its manipulations by the process tasks,
often abstracting them away completely. In contrast,
dataaware formalisms treat data as rst-class citizens. A notable
exponent of this class is IBM's business artifact model
pioneered in [
In a nutshell, business artifacts (or simply \artifacts")
model key business-relevant entities, which are updated by a
set of services that implement business process tasks,
speci ed declaratively by pre-and-post conditions. A collection
of artifacts and services is called an artifact system. IBM
has developed several variants of artifacts, of which the most
recent is Guard-Stage-Milestone (GSM) [
Artifact systems deployed in industrial settings typically specify complex work ows prone to costly bugs, whence the need for veri cation of critical properties. Over the past few years, the veri cation problem for artifact systems was intensively studied. Rather than relying on general-purpose software veri cation tools su ering from well-known limitations, the focus of the research community has been to Proceedings of the VLDB 2017 PhD Workshop, August 28, 2017. Munich, Germany. Copyright (c) 2017 for this paper by its authors. Copying permitted for private and academic purposes. identify practically relevant classes of artifact systems and properties for which fully automatic veri cation is possible. This is an ambitious goal, since artifacts are in nite-state systems due to the presence of unbounded data. Along this line, decidability and complexity results were shown for different versions of the veri cation problem with various expressiveness of the artifact models, as reviewed in the next section.
The project described in this paper bridges the gap
between the theory and practice of artifact veri cation by
providing the rst implementation of a full- edged and e cient
artifact veri er. The artifact model we use is a variant of
the Hierarchical Artifact System (HAS) model of [
BACKGROUND AND RELATED WORK
[
In our previous work [
The artifact model used in our implementation is a variant
of the HAS model of [
We illustrate the HAS* model with a simpli ed example of order ful llment business process based on a real-world BPMN work ow. The work ow allows customers to place orders and suppliers to process the orders. It has the following database schema:
CUSTOMERS(id; name; address; record) ITEMS(id; item name; price; in stock) CREDIT RECORD(id; status)
In the schema, the id's are key attributes, and record is a foreign key referencing CREDIT RECORD. The CUSTOMERS table contains basic customer information and CREDIT RECORD provides each customer's credit rating. The ITEMS table contains information on all the items. The artifact system has 4 tasks: T1:ProcessOrders, T2:TakeOrder, T3:CheckCredit and T4:ShipItem, which form the hierarchy in Figure 1.
Intuitively, the root task ProcessOrders serves as a global coordinator which manages a pool of orders and the child tasks TakeOrder, CheckCredit and ShipItem implement the 3 processing stages of an order. At each point in a run, ProcessOrders nondeterministically picks an order from its pool, triggers one processing stage, and places it back into the pool upon completion.
T1: ProcessOrders T2: TakeOrder
T3: CheckCredit
T4: ShipItem
Pre: cust id 6= null^item id 6= null^status 6= \Failed" Post: cust id = null ^ item id = null ^ status = \Init" Update: f+ORDERS(cust id; item id; status)g
Pre: cust id = null ^ item id = null // Post: True Update: f ORDERS(cust id; item id; status)g TakeOrder: When this task is called, the customer enters the information of the order (cust id and item id) and the status of the order is initialized to \OrderPlaced". The task contains cust id, record and status as variables and all are return variables to the parent task. There are two services called EnterCustomer and EnterItem, that allow the customer to enter her and the item's information. The CUSTOMERS and ITEMS tables are queried to obtain the customer ID and item ID. These two services can be called multiple times to allow the customer to modify previously entered data. The task's termination condition is cust id 6= null ^ item id 6= null, at which time its variables are returned to its parent task ProcessOrders.
CheckCredit: This task checks the nancial record of a customer and decides whether the supplier will go ahead with the sale. It is called when status = \OrderPlaced". It has artifact variables cust id (input variable), record and status. When the credit record is good, status is set to \Passed", and otherwise to \Failed". After status is set, the task terminates and returns status to the parent task. The task has a single service Check performing the credit check.
Pre: true // Post: 9n9a CUSTOMERS(cust id; n; a; record)^ (CREDIT RECORD(record; \Good") ! status = \Passed")^ (:CREDIT RECORD(record; \Good") ! status = \Failed")
Note that in a service we can also specify a set of propagated variables whose values stay unchanged when the service is applied. In Check, only cust id is a propagated variable and others will be assigned new values.
ShipItem: This task checks whether the desired item is in stock by looking up the item id in the ITEMS table to see whether the in stock attribute equals \Yes". If so, the item ProcessOrders: The task has the artifact variables: cust id, is shipped to the customer (status is set to \Shipped") othitem id, status which store basic information of an order. erwise the order fails (status is set to \Failed"). This task It also has an artifact relation ORDERS(cust id; item id; status) is speci ed similarly to CheckCredit (details omitted). storing the orders to be processed. Properties of HAS* can be speci ed in LTL-FO. In the above work ow, we can specify a temporal property saying \If an order is taken and the ordered item is out of stock, then the item must be restocked before it is shipped." It can be written in LTL-FO as: 8i G(EnterItem ^ item id = i ^ instock = \No") !
(:(ShipItem ^ item id = i) U (Restock ^ item id = i))
Although decidability of veri cation was shown in [
In the representation, each snapshot is summarized by:
(i) the isomorphism type of the artifact variables, describing
symbolically the structure of the portion of the database
reachable from the variables by navigating foreign keys
(ii) for each artifact relation and isomorphism type, the
number of tuples in the relation that share that isomorphism
type
The heart of the proof in [
A direct implementation of the above algorithm is
impractical because the resulting VASS can have exponentially
many states and counters in the input size, and
state-of-theart VASS tools can only handle a small number of
counters (<100) [
State Pruning The classic Karp-Miler algorithm is
wellknown to be ine cient and pruning is a standard way to
improve its performance [
Data Structure Support When the above optimization is applied, a frequent operation during the search is to nd substates and superstates of a given candidate state in the current set of reached symbolic states. This operation becomes the performance bottleneck when there is a large number of reached states. We accelerate the superstate and substate queries with a Trie index and an Inverted-Lists index, respectively.
Static Analysis The veri er statically analyzes and simpli es the input work ow with a preprocessing step. We notice that in real work ows, some contraints in the speci cation can never be violated in a symbolic run, and thus can be removed. For example, for a constraint x = y in the speci cation, where x; y are variables, if x 6= y does not appear anywhere in the speci cation and is not implied by other constraints, then x = y can be safely removed from the speci cation without a ecting the result of the veri cation algorithm. 5.
We evaluated the performance of our veri er using both real-world and synthetic artifact speci cations.
The Real Set As the artifact approach is still new to
the industry, real-world processes available for evaluation
are limited. We therefore built an artifact system
benchmark speci c to business processes, by rewriting the more
widely available process-centric BPMN work ows as HAS*
speci cations. There are numerous sources of BPMN
workows, including the o cial BPMN website [
The Synthetic Set The second benchmark we used for evaluation is a set of randomly generated HAS speci cations. All components of each speci cation, including DB schema, task hierarchy and services, are generated fully at random of a certain size. The ones with empty search space due to unsatis able conditions are removed from the benchmark. Table 1 shows some statistics of the benchmarks.
Dataset Size #Relations #Tasks #Variables #Services
Synthetic 120
Baseline and Setup We compare our veri er with a
simpler implementation built on top of Spin, a widely used
software veri cation tool [
We implemented both veri ers in C++ with Spin version 6.4.6 for the Spin-based veri er. All experiments were performed on a Linux server with a quad-core Intel i7-2600 CPU and 16G memory. For each work ow in each dataset, we ran our veri ers to test a randomly generated liveness property. The time limit of each run was set to 10 minutes. For fair comparison, since the Spin-based veri er (Spin-Opt) cannot handle artifact relations, we ran both the full Karp-Millerbased veri er (KM), and the Karp-Miller-based veri er with artifact relations ignored (KM-NoSet).
Performance Table 2 shows the results on both sets of work ows. The Spin-based veri er achieves acceptable performance on the real set with an average elapsed time of few seconds and only 1 timeout instance. However, it failed on most runs (109/120) in the synthetic set of work ows. On the other hand, both KM and KM-NoSet achieve average running times below 1 second and with no timeout on the real set, and the average running time is in seconds on the synthetic set, with only 3 timeouts. The presence of artifact relations introduced only a negligible amount of overhead in the running time. Compared with the Spin-based verier, the KM-based approach is >10x faster in the average running time and more scalable to large work ows.
KM-NoSet
KM 3.111s .2635s .2926s 1 0 0 67.01s 3.214s 3.355s 109 3 2 5 10 15 20 25 30 35 40 45
Cyclomatic Complexity
Figure 2: Running Time vs. Cyclomatic Complexity Comparing Di erent Optimizations We show next the e ect of our 3 optimization techniques: state pruning (SP), static analysis (SA) and data structure support (DSS), by rerunning the experiment with the optimization turned o , and comparing the di erence. Table 3 shows the average
55.31x 1.80x 1.66x 1.90x 1.24x 180.82x 17.92x 0.92x 1.45x 1.27x