Logic-based languages, such as Datalog and Answer Set Programming, have been recently put forward as a data-centric model to specify and implement network services and protocols. This approach provides the basis for declarative distributed computing, where a distributed system consists of a network of computational nodes, each evolving an internal database and exchanging data with the other nodes. Verifying these systems against temporal dynamic specifications is of crucial importance. In this paper, we attack this problem by considering the case where the network is a fixed connected graph, and nodes can incorporate fresh data from the external environment. As a verification formalism, we consider branching-time, first-order temporal logics. We study the problem from different angles, delineating the decidability frontier and providing tight complexity bounds for the decidable cases.
It has been recently shown that declarative query languages, such as Datalog, could
naturally be used to specify and implement network services and protocols [
There are several variants of concrete languages for specifying DDSs [
In this paper, we provide a stepping stone towards a formal, systematic
characterization of verification of DDSs. As the basis for our investigation, we rely on the D2C
approach in [
In this work, starting from [
In this light, the formal model proposed in this paper can be seen as a distributed
version of data-aware business processes and artifact-centric systems [
To specify interesting properties over DDSs, we use a first-order (FO) variant of
CTL [
We show that, in general, verification is undecidable even for specific convergence
properties and extremely limited, single-node DDSs. To tame this strong negative result,
we leverage the notion of state-boundedness [
The general computational model of DDSs can be described as a network of uniquely
identified nodes, each running an input/output state machine, where outputs of some
machines become inputs of others [
A state in the state machine of a node is represented by a (relational) DB. State transitions occur when the node receives inputs, in the form of DBs, from external components (such as applications running in the node, or humans), and/or from state machines running in other nodes. A state change can also produce an output in the form of a DB that can be delivered to another node. Thus, every node has an input schema I, a state schema S, and a schema T , called transport, of the DBs used to communicate between nodes. Let I, S, and T denote all possible instances of I; S, and T , respectively. The state transition mapping in a node is a subset of S T I S T: given a pair (S ; T ) of state and transport DBs, and an input input DB I , the transition results in new pair (Sn; Tn) of state and transport DBs. In declarative distributed computing, this state transition mapping is defined using some dialect of Datalog. Intuitively, given a Datalog-like program P and an encoding of (S ; T ; I ) as an extensional DB D, (Sn; Tn) is extracted from the fixpoint computation over P [ D.
Since plain Datalog is too poor to express state changes, we adopt D2C, a declarative
programming language introduced in [
H if L1; : : : ; Ln; prev Ln+1; : : : ; Lm; C Like in Datalog, H is the head atom, but in D2C it is possibly annotated with a term of the form @t, where t is a variable or constant from a fixed domain (of, e.g., IP addresses or URLs) used to identify nodes. The Lis are literals (i.e., atoms or negated atoms), again possibly annotated with a term of the form @t. Finally, C is a set of (in)equality constraints over variables and constants.
The predicate names follow the standard correspondence of predicates and DB tables made by Datalog. All variables appearing in H, in C, or in any negated atom inside a rule must also appear in a non-negated atom among the Lis of the same rule3. The name of annotated atoms must correspond to relation names in the transport schema T of the node, and only names that correspond to transport or state tables can appear in H. Informally, a ground instance h if l1; : : : ; ln; prev ln+1; : : : ; lm; c of a rule says that h is in the current state or is an output of the current state if l1; : : : ; ln are true in the current state, ln+1; : : : ; lm were true in the previous state, and c is valid. As in Datalog with negation, we make the usual assumption on the stratification of negated atoms in l1; : : : ; ln w.r.t. h, so that the transition mapping can be computed using the standard Datalog fixpoint evaluation of Datalog.
Example 1. Consider the input predicate echo(m; d), where m is a message and d is a node. Rule say(M)@D if echo(M; D) models that the node sends m to d when the corresponding echo predicate is given as input. M and D are variables, which in this case are bound to constants m and d respectively. We denote variables by upper-case strings. Rule alive(S) if say(M)@S models that the node adds to its state the information that s is alive, whenever the transport tuple say( ) is received from node s (in this case, variable S is bound to s). This example shows that the meaning of an annotation depends on where it appears: if in the head of a rule, it indicates the destination of the transport tuple, if in the body, it points to the source. Thus, rule say(M)@Src if say(M)@Src “echoes” the say tuple back to the source node.
Notably, a D2C state transition mapping P can be reduced to a plain Datalog
program [P] following the technique in [
A DDS relies on an underlying network N of communicating nodes, each running a D2C program. In distributed computing, N is typically represented as a graph (V; A), where V are the computation nodes, and the arcs in A reflect communication ability in the physical network. Directed arcs denote non-symmetric communication.
There is a complex spectrum of different network models, depending on the topology of the graph, the degree of mobility of nodes, and on which extent the network may vary over time. Here we consider an interesting widespread class of networks with (i) fixed network topology; (ii) bidirectional communication channels; (iii) strongly connected nodes; (iv) the number of neighbors that a node can have bounded by a constant ; (v) the ability for every node to communicate with itself. This class of networks can be represented by fixed undirected, connected graphs with bounded degree, where each node has a self-loop. From now on, we always assume that the network is of this shape. To make nodes aware of their own name and that of their neighbors, each node has the following rules: my name(M) if prev my name(M): neighbor(N) if prev neighbor(N): This information is read-only, so no other rule has my name and neighbor in its head. Example 2. The following D2C program creates a rooted spanning tree in a network. parent(P) if join@X; choice(X; P); prev not parent( ): parent(P) if prev parent(P):
join@N if parent(P); neighbor(N); prev not parent( ): The first rule says that when a node receives a join request for the first time, it picks the sender as a parent. choice is used to handle the case where multiple join requests are received simultaneously; in this case, the node non-deterministically selects one of the senders as parent. The second rule is an inertial rule to keep the tree unchanged. The last rule is recursive and propagates the join request to its neighbors. Even though termination is not explicitly detected, in a reliable order-preserving network (cf. Section 2.3) the root can safely start using the tree as soon as it sends the join tuples. 2.3
We now formalize DDSs, adopting homogeneous nodes, i.e., all running the same program and with the same local DB schemas. Still, over time the behavior of different nodes might diverge, depending on: (i) the location in the network, (ii) nondeterministic choices, and (iii) the data obtained from the external world.
A DDS system M is a tuple hN ; I; T ; S; P; D0i, where: – N is the network graph (see Section 2.2); – I, T , and S denote the input, transport, and state schemas of every node in M; – P is the D2C program run by every node in M; – D0 is a local state DB over S, which represents the initial state of each node, without considering instances of my name and neighbor.
As common for dynamic systems over relational data, the execution semantics of a
DDS is given in terms of a relational transition system (RTS), i.e., a transition system
whose states are labeled by DBs [
Building an RTS from a DDS M poses three main challenges, resulting in variants of verification: (i) how to construct a global view of M from the local node DBs; (ii) which communication model M adopts; (iii) how M interacts with the environment. Global View. To obtain a global view of M = hN ; I; T ; S; P; D0i, we group all local DBs into a unique, global DB. To do so, we obtain schemas IG, SG, and TG from the corresponding local ones, by adding in the first position of each relation an extra argument, keeping track of the node to which a relation tuple belongs. This allows us to define the initial global DB D0;M of M, as the global DB over SG where each node stores D0, and the information about its own name and that of its neighbors, according to N = hV; Ai. Specifically D0;M = fp(n; t) j p(t) 2 D0; n 2 V g[fmy name(n; n) j n 2 V g [ fneighbor(n; n0) j (n; n0) 2 Ag. We denote by 0;M the set of values explicitly mentioned in D0;M, i.e., its active domain.
Also the local D2C program P can be turned into a global program PG, by: (i) introducing an additional node variable S in every predicate of P, and (ii) adding atom my name(S; S) to the body of each rule (so as to “bind” S). We denote by [PG] the Datalog program obtained from PG via the procedure in Section 2.1.
Communication Model. A communication model specifies how messages are exchanged by nodes, i.e., how output transport tuples are delivered to the destination. We assume reliable communication, i.e., messages are never lost. In a given computation step, we also assume that for each pair of neighbor nodes s and d, s concretely sends at most one message to d. The actual data payload of such messages consists of all transport tuples produced by s with destination d.
We consider here asynchronous communication, which decouples senders from receivers, as well as message exchanges: each message is delivered independently from the others, without any guarantee about “when” it will be received. However, we assume that all messages sent from a node to another node are delivered in the same relative order. Hence, asynchronous communication can be abstractly captured by equipping every node with one message queue per neighbor. The DDS evolution is then captured by iterating through these steps: (i) nondeterministically pick a non-empty queue, extracting its front message M ; (ii) the destination node performs a computation step triggered by M , possibly considering external input data; (iii) the node state is updated and the produced messages are inserted in the corresponding destination queues. Environment Interaction. In addition to considering closed DDS, which do not receive any external input, we distinguish two modes: (i) autonomous DDS (aDDS): nodes may receive an input DB only at startup, and then the input remains fixed throughout the execution; (ii) interactive DDS (iDDS): nodes may receive a new input DB when they are active and are about to process an incoming message.
The coupling of input and transport DBs is w.l.o.g., since nodes may send dummy messages to themselves just to process a new input.
Asynchronous, Interactive Execution Semantics. We show how to build the RTS for a DDS M = hN ; I; T ; S; P; D0i with network N = hV; Ai. Given a global DB D over TG ] SG, transp(D) and state(D) denote the projections of D over transport and state relations, respectively. As pointed out before, nodes are conceptually equipped with queues for incoming messages, whose relational representation obeys the special (global) schema QG. We abstract away from the concrete relational representation of queues. Given a global queue DB Q over QG and a pair of neighbor nodes s; d 2 V , notation insQ!d Q denotes the portion of Q that refers to the queue used by d to store messages from s.4 Given a global DB D over TG ] SG ] QG, queues(D) denotes the projection of D that maintains only the queue relations. Then, given a global DB D over SG ] TG ] QG, we introduce the following preliminary notions: – The enqueue result of D, written enqueueMsg M(D), is the global queue DB over QG that results from the queues in D by incorporating all the output transport tuples into the corresponding input queues: enqueueMsg M(D) = insD!d:enqueue(ms!d) j
(s; d) 2 A; and ms!d = fp(x) j s p(s; d; x) 2 Dgg – The active nodes in D are those nodes that have at least a non-empty queue in D: activeM(D) = fd j there exists s such that (s; d) 2 A and :(insD!d:isEmpty ()) – Given a node d 2 activeM(D) and a neighbor s of d s.t. :(insD!d:isEmpty ()), the dequeue result of D w.r.t. s and d, written dequeueMsg s!d(D), is a pair hQnew; T i, M where, given hnewins!d; ms!di = insD!d:dequeue():
Qnew is the global queue DB obtained by extracting the front message from queue insD!d, while maintaining all other queues unaltered:
Qnew = (queues(D) n insD!d) [ newins!d T is the global transport DB obtained by transforming the tuples contained inside message ms!d into corresponding input transport tuples for d:
T = fr p(d; s; x) j p(x) 2 ms!dg 4 Recall that every node is connected to itself, hence there is a special queue where each node stores the messages sent to itself.
Let QG be the set of possible DB instances over QG. To formalize the asynchronous execution semantics, we introduce a relation C-STEPM SG TG QG V IG SG TG QG that substantiates the generic state transition mapping introduced in Section 2.1 by adding the current and next queue state, as well as the single node asynchronously triggering the transition. In particular, given two global DBs D, Dnew over SG ] TG ] IG, a node n 2 V , and a global input DB I over IG, we have that hbDor;nno;dIe; Dsnoefwniw2ithC-:SiTnEsDP!Mn:iisfEanmdpotyn(ly) aifnnd a2satacbtlievemModel M for the program [PG] [ (D), and there exists a neigh[D0] [ T [ Ijn such that Dnew = state(M) [ transp(M) [ enqueueMsg M(M [ Qn), where hQn; T i = dequeueMsg s!n(D). Finally, we define the asynchronous transition
M s–ysRtem=oSfGM], TwGri]tteQnGM;int , as0t;hMe RTS h; ; R; ; 0; db; )i, where: – db( 0) = D0;M [ Sn2V inn;!n:enqueue(start()), where start 2 TG is considered as a special, 0-ary transport tuple that is initially inserted in every self-queue of the system, so as to trigger the first computation step of the corresponding node; – and ) are defined by simultaneous induction as the smallest sets s.t. 0 2 and 1. given 2 s.t. db( ) = D and activeM(D) 6= ;, for every global DB Dnew over SG ] TG, every node n 2 V , and every global input DB I over IG, if hD; n; I; Dnewi 2 C-STEPM then new 2 and ) new, with db( new)=D^ ; 2. given 2 s.t. db( ) = D and activeM(D) = ; (i.e., the system is quiescent), we have ) .
Observe that, also in this case, ) is guaranteed to be serial.
Execution Semantics for Autonomous DDSs. In the case of autonomous DDSs, the execution semantics needs to be modified so as to take into account that the input is provided only at the beginning of the computation, and then stays rigid over time. Clearly, each computation may be associated with a different initial input. We can then imagine that the execution semantics is given, in this case, by an infinite set of RTSs, each associated to a different global input DB. Given a DDS M, we write J MautK to denote the set of RTSs obtained by variying the rigid input DB under the autonomous semantics. 3
To specify interesting properties over DDSs, we need a logic that captures: (i) the DDS
dynamics, (ii) queries over the data stored in the node DBs, and (iii) conditions about
the evolution of such data over time. The first requirement calls for temporal logics,
the second for FO logic, and the third for their combination, where FO quantification
interacts with temporal modalities. Several logics have been introduced for that purpose
(see, e.g., [
Example 3. Given the standard abbreviation AG = :E(trueU: ), the formula AG(8n; p:Parent(n; p) ! AG Parent(n; p)) expresses that Parent is rigid: whenever n stores that p is its parent, then it will keep this information forever. This property is satisfied by any DDS using the D2C program of Example 2. tu
Given a DDS M, we assume, without loss of generality, that the finite set 0 over
which is defined coincides with 0;M. Given a closed FO-CTL property ,
verifying whether holds in M gives rise to a different model checking problems, each
one obtained by fixing a certain execution semantics for M. Specifically, for aDDSs
it is interesting to study whether the DDS satisfies a given FO-CTL property
independently from the given input (that is, for every possible input DB provided at the system
startup). This verification problem resembles the classical verification problem for
relational transducers and their distributed variants [
Convergence properties are then defined by mixing two dimensions: (i) number of faulty nodes in a run, with the two extreme cases of global (no faulty node) vs partial (at least one non-faulty node) correctness; (ii) quantification over runs, considering the case in which the DDS sometimes (i.e., for at least one run) vs always (i.e., for all runs) converges. Given a DDS M, this gives rise to four variants of convergence: – M sometimes converges when totally/partially correct if there is a run of M reaching a state where all nodes are quiescent, and all are/at least one is not faulty. – M always converges when totally/partially correct if every run of M in which all nodes stay/at least one node stays non-faulty eventually converges.
All four convergence properties can be formalized in FO-CTL. Moreover, in FOCTL we can model variants of convergence properties that better reflect the conditions under which the DDS is desired to converge. In this way, checking convergence is reduced to FO-CTL model checking, for which well known techniques are available. 4
We investigate the decidability frontier of verification over DDSs. To stress the tightness
of our results, we establish undecidability for convergence properties, and decidability
for full FO-CTL. While input, state, and transport schemas are fixed in advance, the
extension of such relations is not, and could grow unboundedly over time. If no bound
is imposed on the data manipulated by the DDS, verification of convergence properties
(and even propositional reachability) is undecidable even for a single-node DDS [
Building on the notion of state-boundedness [
In our analysis, a key observation is that the notion of uniformity [
In the wide spectrum of declarative distributed computing, we have studied verification
in the important case of reliable communication with order-preserving asynchronous
strategies. We plan to build on our foundational results to implement verification
techniques for DDSs, relying on existing ASP techniques for D2C, and in particular on the
implementation in [
Acknowledgements. This work is supported by the Spanish Ministry of Economy and Competitiveness under grants MDM-2015-0502 and TIN2016-81032-P, and by the REKAP project funded by unibz through the 2017 research budget. 5 Observe that, in the single-node case, partial and global correctness, coincide.