Introduction

The Unified Modeling Language (UML) has become a de facto standard in conceptual modeling of information systems. In UML, a conceptual schema is represented by means of a class diagram, with its graphical constraints, together with a set of user-defined constraints, which are usually specified in the Object Constraint Language (OCL). In every application domain the set of instances that can be stored or managed is necessarily finite and, thus, a schema has not only to be consistent, but also finitely satisfiable [13]. It is well-known that reasoning with OCL integrity constraints in their full generality is undecidable since it amounts to full FOL reasoning [4]. Thus, reasoning with UML conceptual schemas in the presence of OCL constraints has been approached in the following alternative ways: teeing termination in all cases [9,6,15]. 2. Allowing general constraints and ensuring termination without guaranteeing completeness of the result [1,17,12]. 3. Ensuring both termination and completeness of finite reasoning by allowing only specific kinds of constraints [13,11,18]. 4. Ensuring terminating and complete reasoning by disallowing OCL constraints and admitting unrestricted models [8,5,10,3,2].

To our knowledge, none of the existing approaches guarantees complete and terminating reasoning on UML schemas coupled with OCL constraints able to capture those in Figure 1. With approaches of the first kind, a result may not be obtained in some particular cases. On the contrary, the second kind of approaches may fail to find existing valid solutions. Approaches of the third kind do not allow arbitrary constraints as the ones in Figure 1. Finally, the last approaches are based on a Description Logic (DL) encoding of a UML schema. These methods do not consider OCL constraints and they usually check unrestricted satisfiability.

The main purpose of this paper is to identify a fragment of OCL, which we call OCL-Lite, that guarantees finite satisfiability while being significantly expressive at the same time. In other words, we propose the specification of arbitrary constraints within the bounds of OCL-Lite in a UML conceptual schema to ensure completeness and decidability of reasoning. Such nice properties are due to the finite model property (FMP) of the language, i.e., it is guaranteed that a satisfiable UML/OCL-Lite schema is always finitely satisfiable. The proposed OCL-Lite is the result of identifying a fragment of OCL that can be encoded into the DL ALCI [7], which has interesting reasoning properties. In particu-lar, ALCI enjoys the FMP, i.e., every satisfiable set of constraints formalized in ALCI admits a finite model. Thus, the FMP is also guaranteed for any fragment of OCL that fits into ALCI.

The contributions of this paper can be summarized as follows:

-The identification of a fragment of OCL that enjoys the FMP. To our knowledge, the reasoning properties of OCL had not been studied before, except that full OCL leads to undecidability. -A mapping from OCL-Lite to the DL ALCI to prove that the proposed fragment has the same reasoning properties as ALCI. To our knowledge, this is the first attempt to encode OCL constraints in DLs. As a side result, a DL reasoner can be used to verify the correctness of a schema. -Thanks to the mapping to ALCI we are able to show both the FMP and that checking satisfiability in UML/OCL-Lite is an ExpTime-complete problem.

OCL-Lite Syntax and Semantics

In this section we present the fragment of OCL that corresponds to OCL-Lite. We start by an overview of basic concepts of UML and OCL.

A UML class diagram represents the static view of the domain basically by means of classes and associations between them, representing, respectively, sets of objects and relations between objects. An association is constrained by a set of participating classes. An association end is a part of an association that defines the participation of a class in the association. The name of the role played by a participant in an association is placed in the association end near the corresponding class. If the role name is omitted, the role played by the participant is the name of its class.

An OCL constraint (or invariant) has the form: context C inv: OCLExpr , where C is the contextual class, i.e., the class to which the constraint belongs, and OCLExpr is an expression that results in a boolean value. An OCL constraint is satisfied by an instantiation of the schema if OCLExpr evaluates to true for each instance of the contextual class. An OCL expression is defined by means of navigation paths, combined with predefined OCL operations to specify conditions on those paths. A navigation path is a sequence of role names defined in the associations of the class diagram. Each role name used in a path indicates the direction of the navigation.

OCL-Lite Syntax

In this section we specify the syntax rules that allow one to construct OCL constraints belonging to the fragment of OCL that we call OCL-Lite. An OCL-Lite constraint has the form: context C inv: OCL-LiteExpr . In the syntax rules, shown in Figure 2, an OCL-Lite expression OCL-LiteExpr is defined recursively. Intuitively, OCL-LiteExpr allows one to construct a boolean OCL-Lite expression, which can correspond to the whole constraint, or can be the condition specified as a parameter in a select operation (see SelectExpr ) or in exists and forall operations (see BooleanOp ). An OCL-LiteExpr can be either a Path to which a SelectExpr is applied, a check of whether an object is of a certain type, or boolean combinations of these OCL-Lite expressions.

The label Path indicates how a navigation path can be constructed as a non-empty sequence of PathItem s. Each PathItem can be either a role name r i specified in the class diagram, or a role name preceded by the operation oclAsType(C) , when we need to access a role name of a particular class C . When OCL-LiteExpr corresponds to the whole constraint, each path starts from a role that is accessible from the contextual class (or a subclass C of the contextual class, in which case oclAsType(C ) must be specified first). Otherwise, when OCL-LiteExpr is inside a select, exists, or forall operation, then, the starting role name will depend on the context where the operation is used. After a Path , one can apply a (possibly empty) sequence of selections on the collection of objects obtained through the path, always followed by a BooleanOp .

The intuitive meaning of the OCL collection operations included in this fragment of OCL is as follows. Let col denote the collection of objects reachable along a path, and let o denote a single object, then:

col ->select(OCL-LiteExpr ): returns the subset of elements of col that satisfy OCL-LiteExpr ; col ->exists(OCL-LiteExpr ): returns true iff there is some element of col that satisfies OCL-LiteExpr ; col ->forall(OCL-LiteExpr ): returns true iff all the elements of col satisfy OCL-LiteExpr ; col ->size(): returns the number of elements of col ; col ->isEmpty(): returns true iff col is empty; col ->notEmpty(): returns true iff col is not empty; o .oclIsTypeOf(C ): returns true iff o is an instance of the class C ; All constraints in Figure 1 are examples of well-formed OCL-Lite expressions.

OCL-Lite Semantics

OCL-Lite operations, except for oclIsTypeOf and oclAsType, can be expressed only in terms of select, isEmpty, and notEmpty. Thus, to specify the seman-

Original expression

Normalized expression a) col ->exists(cond)

col ->select(cond)->notEmpty() b) col ->forall(cond) col ->select(not cond)->isEmpty() c) col ->select(cond1)->select(cond2) col ->select(cond1 and cond2) d) col ->size()>0 col ->notEmpty() e) col ->size()=0 col ->isEmpty() f) not col ->isEmpty() col ->notEmpty() g) not col ->notEmpty() col ->isEmpty()

tics of OCL-Lite expressions, we first rewrite each expression as an equivalent normalized one, which is expressed in terms of these operations only. Table 1 shows the OCL-Lite expressions together with their normal form. These normalizations, together with de Morgan's laws, are iteratively applied until the expression only contains the operations select, isEmpty, and notEmpty, and the boolean operator not only appears before oclIsTypeOf(C ). In the table, col and cond denote, respectively, a collection and a condition, which must be defined according to the syntax rules.

In our running example, the constraints in Figure 1 that have to be normalized are 1, 3, 4, and 5. The resulting expressions we get after applying the rules in Table 1 are: -Constraint 1. We apply rule a) and we get the normalized expression:

context Person inv: organized->select(oclIsTypeOf(CriticalEvent) and sponsor->isEmpty())->notEmpty() -Constraint 3. We first apply rule b) and we get:

context Person inv: audited->select(not sponsor->notEmpty())->isEmpty() We then apply rule g) to obtain the normalized expression: context Person inv: audited->select(sponsor->isEmpty())->isEmpty() -Constraint 4. We apply rule f) and we get:

context CriticalEvent inv: responsible.organized->notEmpty() -Constraint 5. We apply rule a) and we get:

context Sponsor inv: event->select(oclIsTypeOf(CriticalEvent))->notEmpty() or event->select(sibling->isEmpty() or sibling->select(sponsor->isEmpty())->notEmpty())->notEmpty()

It can be seen from Table 1 that the expressions resulting from the normalization conform to a limited set of patterns, basically consisting of an optional select operation followed either by isEmpty or notEmpty. Also, the expression may include the operation oclIsTypeOf.

In the following we consider OCL-Lite expressions in their normal form. For each of them we specify its semantics by means of an interpretation function, f , that maps each OCL-LiteExpr into a FOL formula OCL-LiteExpr f (x) with one free variable. Other approaches specify the semantics of OCL expressions using first-order terms instead of formulas [4]. However, as also argued in [4], using formulas is preferable when dealing with sets, as in our case.

We start by formalizing the semantics of an OCL-Lite constraint

context C inv: OCL-LiteExpr Its interpretation is: ∀x (C(x) → OCL-LiteExpr f (x))

where C is the unary predicate corresponding to class C .

To define the semantics of OCL-Lite expressions, we first introduce some notation to deal with navigation paths. Consider a navigation path p n ...p 1 in an OCL-Lite expression, where each p i is either a role name or oclAsType(C i ).r i . To formalize a (binary) association A i , we introduce a binary predicate, A i , whose first argument represents an instance of dom(A i ) (the domain of A i ) and whose second argument represents an instance of range(A i ) (the range of A i ). To fix a semantics for role names we conform to the UML convention about role names [16], i.e., a role name attached to an association end labeled with a class C is used to navigate from one object to another one belonging to the class C . Thus, in the following, p f i (x, y) = A i (x, y) when p i is a role name attached to the range(A i )-end of A i , and, viceversa, p f i (x, y) = A i (y, x) when p i is a role name attached to the dom(A i )-end of A i . Similarly, p f i (x, y) = C i (x) ∧ A i (x, y), when p i = oclAsType(C i ).r i and r i is a role name attached to the range(A i )-end of A i , while p f i (x, y) = C i (x) ∧ A i (y, x), when p i = oclAsType(C i ).r i and r i is a role name attached to the dom(A i )-end of A i .

1. OCL-LiteExpr = p n ...p 1 ->select(OCL-LiteExpr 0 )->notEmpty()

The semantics of this expression is

OCL-LiteExpr f (x) = ∃xn • • • ∃x1(p f n (x, xn) ∧ • • • ∧ p f 1 (x2, x1) ∧ OCL-LiteExpr f 0 (x1))

A particular case of this expression is when no select operation is applied on the objects obtained from the navigation, which corresponds to the expression OCL-LiteExpr = p n ...p 1 ->notEmpty(). In this case, we have

OCL-LiteExpr f (x) = ∃xn • • • ∃x1 (p f n (x, xn) ∧ • • • ∧ p f 1 (x2, x1))

2. OCL-LiteExpr = p n ...p 1 ->select(OCL-LiteExpr 0 )->isEmpty() The semantics of this expression is

OCL-LiteExpr f (x) = ∀xn • • • ∀x1(¬p f n (x, xn)∨• • •∨¬p f 1 (x2, x1)∨¬OCL-LiteExpr f 0 (x1))

Again, we have a particular case of this kind of expression in the absence of select, namely OCL-LiteExpr = p n ...p 1 ->isEmpty(). In this case, the semantics of the expression is

OCL-LiteExpr f (x) = ∀xn • • • ∀x1 (¬p f n (x, xn) ∨ • • • ∨ ¬p f 1 (x2, x1)) 3. OCL-LiteExpr = [not] oclIsTypeOf(C )

where the brackets denote optionality. The semantics of the expression is

OCL-LiteExpr f (x) = [¬]C(x)

4. OCL-LiteExpr = OCL-LiteExpr 1 and OCL-LiteExpr 2

The semantics of this expression is

OCL-LiteExpr f (x) = OCL-LiteExpr f 1 (x) ∧ OCL-LiteExpr f 2 (x)

5. OCL-LiteExpr = OCL-LiteExpr 1 or OCL-LiteExpr 2

The semantics of this expression is

OCL-LiteExpr f (x) = OCL-LiteExpr f 1 (x) ∨ OCL-LiteExpr f 2 (x) 6. OCL-LiteExpr = OCL-LiteExpr 1 implies OCL-LiteExpr 2

The semantics of this expression is

OCL-LiteExpr f (x) = OCL-LiteExpr f 1 (x) → OCL-LiteExpr f 2 (x)

Definition 1 (Satisfiability of OCL-Lite constraints). Let Γ be a set of OCL-Lite constraints and Γ f the resulting FOL theory. Then, Γ is said to be satisfiable if there exists a first order interpretation I = (∆ I , • I ) that satisfies Γ f . I is called a model of Γ .

Encoding UML/OCL-Lite in ALCI

In this section we show that the proposed fragments of OCL and UML can both be encoded in the DL ALCI. Thus, finite reasoning is guaranteed for every conceptual schema expressed in this language. We first present the fragment of UML we are interested in, and then we provide an encoding for the OCL-Lite fragment, too. We assume the encoding of a fragment of UML class diagrams in ALCI, based on the encoding in ALCQI proposed in [5]. Since ALCQI is an extension of ALCI that does not have the FMP [7] (i.e., a schema specified in ALCQI might be satisfiable only by an infinite number of instances), we focus on a fragment of UML that can be encoded into ALCI. In particular, we consider UML class diagrams where the domain of interest is represented through classes (representing sets of objects), possibly equipped with attributes and associations (representing relations among objects), and types (representing the domains of attributes, i.e., integer, string, etc.). The kind of UML constraints that we consider in this paper are the ones typically used in conceptual modeling, namely hierarchical relations between classes, disjointness and covering between classes, cardinality constraints for participation of entities in relationships, and multiplicity and typing constraints for attributes. To preserve the FMP we restrict both cardinality and multiplicity constraints to be of the form * or 1..* (meaning that either no constraint applies or the class participates at-least once, respectively).

The encoding, starting from a UML class diagram Σ, generates a satisfiability preserving ALCI knowledge base K Σ (see [5] for details on the encoding). Given the UML fragment chosen, a model of the knowledge base K Σ can be viewed as an instantiation of the UML class diagram Σ.

In the following, we provide a mapping to translate OCL-Lite constraints into ALCI. An OCL-Lite constraint, which has the general form context C inv: OCL-LiteExpr is encoded as the following ALCI inclusion assertion:

C OCL-LiteExpr †

where • † is a mapping function that assigns to each OCL-Lite expression its corresponding ALCI encoding. This inclusion assertion, according to the semantics of OCL constraints, states that each instance of C must satisfy OCL-LiteExpr . We now illustrate the encoding of OCL-Lite expressions in ALCI. We consider OCL-Lite expressions in their normal form, as provided in Section 2.2, and define OCL-LiteExpr † by induction on the structure of OCL-LiteExpr .

1. OCL-LiteExpr = p n ...p 1 ->select(OCL-LiteExpr 0 )->notEmpty() We define the ALCI concept OCL-LiteExpr † by induction on the length n of the navigation path. For convenience, we consider as base case n = 0, and in this case we set OCL-LiteExpr † = OCL-LiteExpr † 0 . For the inductive case, let OCL-LiteExpr n = p n ...p 1 ->select(OCL-LiteExpr 0 )->notEmpty(), let p n+1 be an additional path item, and let OCL-

LiteExpr n+1 = p n+1 .OCL-LiteExpr n . Then OCL-LiteExpr † n+1 = p † n+1 .(OCL-LiteExpr † n )

, where p † n+1 (for the various cases of p n+1 , cf. the OCL syntax in Section 2.1) is an abbreviation3 defined as follows (r denotes a role name of an association A , and dom(A ) and range(A ) denote respectively the domain and range of A ):

r † = ∃A if r is attached to range(A ) ∃A − if r is attached to dom(A ) (oclAsType(C ).r ) † = C ∃A if r is attached to range(A ) C ∃A − if r is attached to dom(A )

Note that the ALCI concept corresponding to OCL-LiteExpr has the form

p † n .(p † n−1 .(• • • (p † 1 .(OCL-LiteExpr † 0 )) • • • ))

Intuitively, this concept represents the fact that OCL-LiteExpr evaluates to true, for a given instance o in the domain of p n , if o is related through the path p n ...p 1 to some object o 1 that satisfies the condition specified by OCL-LiteExpr 0 . When there is no select operation, i.e., the OCL expression has the form p n ...p 1 ->notEmpty(), then OCL-LiteExpr † 0 = , and the constraint is encoded as p

† n .(p † n−1 .(• • • (p † 1 . )• • • )).

For example, once it has been normalized in Section 2.2, an expression that follows this pattern is the one in the body of constraint 4. The ALCI assertion that encodes this constraint is:

CriticalEvent ∃ResponsibleFor − .(∃Organizes. )

Note that, the first DL role, ResponsibleFor − , is inverted since the association ResponsibleFor has domain Person and range CriticalEvent, and the role name responsible is attached to Person. Thus, responsible † = ∃ResponsibleFor − . The next role name in the OCL-Lite expression is organized, which is attached to Event, the range of the association Organizes. Thus, organized † = ∃Organizes. Finally, since the OCL operation select does not appear in the constraint, no condition must be imposed on the instances reached at the end of the path. 2. OCL-LiteExpr = p n ...p 1 ->select(OCL-LiteExpr 0 )->isEmpty()

Similarly to the previous case, we define OCL-LiteExpr † by induction on n.

For the base case of n = 0, we set OCL-LiteExpr † = ¬OCL-LiteExpr † 0 . For the inductive case, let:

OCL-LiteExpr n = p n ...p 1 ->select(OCL-LiteExpr 0 )->isEmpty(), let p n+1 be an additional path item, and let OCL-LiteExpr n+1 = p n+1 .OCL-LiteExpr n . Then OCL-LiteExpr † n+1 = ¬p † n .(¬OCL-LiteExpr † n ), Considering that ¬¬C is equivalent to C, the ALCI concept corresponding to OCL-LiteExpr has the form

¬(p † n .(p † n−1 .(• • • (p † 1 .(OCL-LiteExpr † 0 )) • • • )))

Intuitively, this concept represents the fact that OCL-LiteExpr evaluates to true, for a given instance o, if o is not related through the path p n ...p 1 to any object that satisfies the condition specified by OCL-LiteExpr 0 . As in the previous case, if there is no select operation in the OCL expression, i.e., the OCL expression has the form p n ... To further illustrate the mapping, we apply it to some other constraints of our running example. For instance, consider the normalized expression of constraint 1. This constraint is of kind 1, and its subexpressions are respectively of kinds 4, 3, and 2. Applying the corresponding mapping rules we obtain:

Person ∃Organizes.(CriticalEvent ¬∃SponsoredBy. )

As an example of an OCL-Lite expression of kind 6 we have constraint 2. According to the mapping rule, its corresponding ALCI expression is:

Event ¬∃HeldWith. ¬CriticalEvent

Constraint 5 is of kind 5 once normalized. We recursively apply the mapping rules to each part of the disjunction: rules 1 and 3 to the first subexpression, and rules 5, 2, 1 to the second subexpression. The resulting ALCI expression is:

Company ∃SponsoredBy − .CriticalEvent ∃SponsoredBy − .(¬∃HeldWith. ∃HeldWith.¬∃SponsoredBy. )

The following theorem states that the mapping from OCL-Lite to ALCI is correct (we refer to [14] for the proof).

Theorem 1 (Correctness of the OCL-Lite encoding). Let Γ be a set of OCL-Lite constraints and K Γ its ALCI encoding. Then, Γ is satisfiable if and only if K Γ is satisfiable.

Concerning the complexity of reasoning over UML/OCL-Lite schemas we first notice that reasoning just over the UML diagrams as proposed in this paper is an NP-complete problem. Indeed, the UML language we consider here is a sub-language of ER bool which was proved to be NP-complete in [3], and the very same complexity proof applies to the UML language we use.

Theorem 2 (Complexity of UML/OCL-Lite). Checking the satisfiability of UML/OCL-Lite conceptual schemas is an ExpTime-complete problem.

The upper bound follows from the fact that the ALCI encoding is correct, and that reasoning in ALCI is in ExpTime. The lower bound is established by reducing satisfiability of ALC TBoxes, which is known to be ExpTime-complete, to satisfiability of OCL-Lite constraints (see [14] for the proof).