Simplified Integrity Checking for an Expressive Class of Denial Constraints

Abstract

Data integrity is crucial for ensuring data correctness and quality and is maintained through integrity constraints that must be continuously checked, especially in data-intensive systems like OLTP. While DBMSs handle very simple cases of constraints (such as primary key and foreign key constraints) well, more complex constraints often require ad hoc solutions. Research since the 1980s has focused on automatic and simplified integrity constraint checking, leveraging the assumption that databases are consistent before updates. This paper presents program transformation operators to generate simplified integrity constraints, focusing on complex constraints expressed in denial form. In particular, we target a class of integrity constraints, called extended denials, which are more general than tuple-generating dependencies and equality-generating dependencies. One of the main contributions of this study consists in the automatic treatment of such a general class of constraints, encompassing the all the most useful and common cases of constraints adopted in practice. Another contribution is the applicability of the proposed technique with a “preventive” approach; unlike all other methods for integrity maintenance, we check whether an update will violate the constraints before executing it, so we never have to undo any work, with potentially huge savings in terms of execution overhead. These techniques can be readily applied to standard database practices and can be directly translated into SQL.

1. Introduction

Data integrity is a ubiquitous concern that is at the basis of crucial objectives such as data correctness and data quality. Typically, a specification of the correct states of a database is given through integrity constraints, which can be thought of as formulas that need to be kept satisfied throughout the life of the database. In any data-intensive scenario, such as an OLTP system, data are updated all the time and, therefore, integrity constraints need to be checked continuously. While DBMSs are able to optimally handle common constraints such as key and foreign key constraints, the standard practice is to resort to ad hoc solutions (for instance, at the application level or through manually designed triggers) when the integrity constraints to be maintained are more complex. Automatic integrity constraint checking—and simplified integrity constraint checking in particular—is a topic that has spurred numerous research attempts since the 1980s [1,2,3,4,5,6,7,8,9,10,11,12,13] with the objective of mechanically producing the best possible set of conditions to check against a database in the face of updates. The main idea, common to the majority of the approaches, is to exploit the assumption that a database is consistent (i.e., satisfies the integrity constraints) before an update; with this, the formula to be checked, corresponding to the original integrity constraints, may be simplified so as to avoid checks of subformulas that are already guaranteed to hold thanks to the consistency assumption.

For instance, consider the relation $b(I,T)$, indicating that there is a book with an ISBN I and a title T. The fact that the ISBN univocally identifies a book can be expressed as the integrity constraint $T_1=T_2\leftarrow b(I,T_1)\wedge b(I,T_2)$ (with all variables implicitly universally quantified). Now, assume that the tuple $b(i,t)$ is added to the database. Under the consistency assumption, one just needs to check that there is no other book with the same ISBN i and a different title than t (we are using set semantics, so having more than one occurrence of $b(i,t)$ is harmless), which could be expressed by the simplified formula $T=t\leftarrow b(i,T)$. Without the consistency assumption, instead, we would have had to check for satisfaction of the original constraint for all the books already present in the database. The difference between the simplified formula and the original one bears heavy implications from the point of view of the complexity of the corresponding check, which, in turn, may depend on the way in which the data are physically organized in the database. In the absence of indices, the simplified formula requires a linear scan of all the books; the original formula, instead, requires checking that, for every book present in the database, there is no other book with the same ISBN and a different title, which entails a quadratic (i.e., much higher) cost in the size of the table. With indices (say, a hash-based index on the ISBN), the original check would simply require a linear scan of the books, as an ISBN-based lookup would then take constant time; however, with the same index, the simplified formula would no longer require a linear scan, because a single (constant-time, thus much faster) lookup of the hash-based index would suffice.

Overall, simplified integrity checking aims to maintain satisfaction of the integrity constraints (specified at database schema design time) after each update to the data without overburdening the system with checks that would be too long to carry out. So, “simplification” in this sense means to obtain tests that are simpler to verify than the original constraints, while achieving the same verification effects. As rooted in the defining properties of databases, integrity constraints are one of the building blocks of relational technology and their maintenance is one of the core aspects of DBMSs, which have to guarantee integrity constraint satisfaction at all times.

In this paper, we discuss the use of program transformation operators to the generation of simplified integrity constraints. We implement these operators in terms of rewrite rules based on resolution, subsumption, and replacement of specific patterns. In particular, one of the main contributions of this study is the broad applicability of these operators to a large class of integrity constraints that encompasses all the most common dependencies that are used in standard database design practice, including tuple-generating dependencies (TGDs) and equality-generating dependencies (EGDs), which we express in denial form with negated existential quantifiers, possibly nested.

Another important contribution is the “preventive” perspective of the proposed technique. Traditional methods for simplified integrity checking work as follows: first, a pending update is executed on the database; then, the simplified check is tested against the updated database; and, if the test fails, the update needs to be retracted (typically, with a rollback of the enclosing transaction). Unlike all such methods, we advocate an approach that checks constraint violation before the execution of the pending update. This means that, if we detect that the update will harm consistency, we will not even execute it, thereby saving a significant amount of unneeded work consisting of the execution and subsequent retraction of an update.

The techniques described here can be immediately applied to standard database practice, since our logical notation can be easily translated into SQL. In particular, denials correspond to queries whose result must be empty and their maintenance could be enforced through native database constructs such as triggers [13], whose importance is gaining momentum even outside the scope of relational databases [14].

Our results build on the operators informally presented in [15]. To the best of our knowledge, there is no other approach to date that has considered such an expressive class of constraints for the problem of simplified integrity constraint checking.

Outline. After reviewing related work in Section 2, we introduce some preliminary technical notions in Section 3 in order to set the notation and terminology commonly adopted in relational and deductive databases. We formally introduce the main operators used in the integrity constraint simplification process in Section 4. The core of this proposal is presented in Section 5, where we extend the scope of our operators to a very expressive class of integrity constraints that we call extended denials, for which we offer a comparison with other methods discussed in the pertinent literature along with practical considerations showing how to integrate the procedure into practical systems. Finally, we discuss the extent of our results and provide some concluding remarks in Section 6.

2. Related Work

The idea of simplifying integrity constraints has been long recognized, dating back to at least [1,2], as discussed in the previous section. We continued this line of research in [15,16]. In particular, in [15], we considered an expressive language, ${\mathcal{L}}_{\mathsf{H}}$, for formulating schemata and constraints, for which we could provide a sound and terminating simplification procedure. An important distinction between our work and other simplification techniques is the “preventive” approach that we adopt; we check whether an update is legal before executing it, so that no work needs to be undone if an illegal update is detected. All other approaches in the literature adopt a “corrective” approach instead, i.e., the update is always executed, then the updated databases is checked for integrity violations, and, if needed, the update is undone. Evidently, a preventive approach allows one to avoid a lot of unneeded work in case of illegal updates (their execution and the subsequent retraction).

The simplification problem is also tightly connected to query containment (QC) [17], i.e., the problem of establishing whether, given two queries $q_1$ and $q_2$, the answer to $q_1$ is always a subset of the answer to $q_2$ for all database instances. Indeed, “perfect” simplifications may be generated if and only if QC is decidable. Unfortunately, QC is already undecidable for datalog databases without negation [18,19].

The kind of integrity constraints considered here are the so-called static integrity constraints, in that they refer to properties that must be met by the data in each database state. Dynamic constraints, instead, are used to impose restrictions on the way the database states can evolve over time, be it on successive states or on arbitrary sets of states. Dynamic constraints have been considered, e.g., in [20,21].

Another important distinction can be made between hard (or strong) constraints and soft (or deontic) constraints. The former ones are used to model necessary requirements of the world that the database represents, like the constraints studied here. Deontic constraints govern what is obligatory but not necessary of the world, so violations of deontic constraints correspond to violations of obligations that have to be reported to the user or administrator of the database rather than inconsistencies proper. The wording “soft constraint” sometimes refers to a condition that should preferably be satisfied, but may also be violated. Deontic constraints have been considered, e.g., in [22] and soft constraints in [23]. Soft constraints are akin to preferences, covered by an abundant literature [24,25,26,27,28,29,30].

Other kinds of constraints, of a more structural nature, are the so-called access constraints, or access patterns, whose interaction with integrity constraints proper has also been studied [31].

Often, integrity constraints are characterized as dependencies. Many common dependencies are used in database practice. Among those involving a single relation, we mention functional dependencies [32] (including key dependencies) and multi-valued dependencies [33,34]. For the inter-relation case, the most common ones are inclusion dependencies (i.e., referential constraints). All of these can straightforwardly be represented as extended denials. In particular, many authors acknowledge tuple-generating dependencies (TGDs) and equality-generating dependencies (EGDs) to be the most important types of dependencies in a database, since they encompass most others [35] and are also commonly used for schema mappings in data exchange [36]. The dependencies can be expressed by our extended denials, as we will show in Section 5. So our framework captures the most representative cases of constraints used in the literature.

More detailed classifications of integrity constraints for deductive databases have been attempted by several authors, e.g., [37,38,39].

Once illegal updates are detected, it must be decided how to restore a consistent database state. We targeted a preventive approach that avoids illegal updates completely. Other approaches, instead, prefer to restore consistency via corrective actions after an illegal update—typically a rollback—but several works compute a repair that changes, adds, or deletes tuples of the database in order to satisfy the integrity constraints again. The generation of repairs is a nontrivial issue; see, e.g., [40,41,42,43,44] for surveys on the topic.

In some scenarios, a temporary violation of integrity constraints may be accepted provided that consistency is quickly repaired; if, by nature of the database application, the data are particularly unreliable, inconsistencies may be even considered unavoidable. Approaches that cope with the presence of inconsistencies have been studied and gave rise to inconsistency-tolerant integrity checking [45,46,47]. Besides being checked and tolerated, inconsistency can also be measured, and numerous indicators have been studied to address this problem [48,49,50,51,52].

An orthogonal research avenue is that of allowing inconsistencies to occur in databases but to filter the data during query processing so as to provide a consistent query answer [40], i.e., the set of tuples that answer a query in all possible repairs (without, of course, actually having to compute all the repairs). This, however, has repercussions on the complexity of query answering.

Integrity checking has been applied to a number of different contexts, including data integration [53], the presence of aggregates [54,55], the interaction with transaction management [56], the use of symbolic constraints [57], approximate constraints [58], big data [59], and data clouds [60].

We also observe that integrity checking is also commonly included as a typical part of complex data preparation pipelines for subsequent processing based, e.g., on machine learning or clustering algorithms [61,62,63,64] on data collected from various sources, such as RFID [65,66], pattern mining [67], crowdsourcing applications [68,69,70], and streaming data [71].

More recent works in integrity checking have covered a wide spectrum of application contexts, including a blockchain-based data integrity checking [72], possibly to detect insider attacks in DBMSs [73], privacy-preserving integrity checking for the cloud [74], and inconsistency management through repairs for databases under universal constraints [75], a form of integrity constraints that also captures TGDs and EGDs. However, the adopted perspective is that of tolerating and repairing inconsistencies rather than preventing their onset, as is done here.

3. Relational and Deductive Databases

In this chapter, we present the basic notation related to deductive databases, and use the syntax of the datalog language as a basis to formulate the main concepts. We refer to standard texts in logic, logic programming, and databases such as [37,38,76] for further discussion. As a notational convention, we use lowercase letters to denote predicates (p, q, …) and constants (a, b, …) and uppercase letters (X, Y, …) to denote variables. A term is either a variable or a constant; conventionally, terms are also denoted by lowercase letters (t, s, …) and sequences of terms are indicated by vector notation, e.g., $\overrightarrow{t}$. The language also includes standard connectives (∧, ∨, ¬, ←), quantifiers, and punctuation.

In quantified formulas such as $(\forall XF)$ and $(\exists XF)$, X is said to be bound; a variable not bound is said to be free. A formula with no free variables is said to be closed. Free variables are indicated in boldface ($\mathbf{a}$, $\mathbf{b}$, …) and referred to as parameters; the other variables, unless otherwise stated, are assumed to be universally quantified.

Formulas of the form $p(t_1,\dots ,t_n)$ are called atoms. An atom preceded by a ¬ symbol is a negated atom; a literal is either an atom or a negated atom.

Predicates are divided into three pairwise disjoint sets: intensional, extensional, and built-in predicates. Intensional and extensional predicates are collectively called database predicates; atoms and literals are classified similarly according to their predicate symbol. There is one built-in binary predicate for term equality (=), written using infix notation; $t_1\ne t_2$ is a shorthand for $\neg (t_1=t_2)$ for any two terms $t_1$, $t_2$.

A substitution $\{\overrightarrow{X}/\overrightarrow{t}\}$ is a mapping from the variables in $\overrightarrow{X}$ to the terms in $\overrightarrow{t}$; its application is the expression arising when each occurrence of a variable in $\overrightarrow{X}$ is simultaneously replaced by the corresponding term in $\overrightarrow{t}$. A formula or term which contains no variables is called ground. A substitution $\{\overrightarrow{X}/\overrightarrow{Y}\}$ is called a renaming if $\overrightarrow{Y}$ is a permutation of $\overrightarrow{X}$. Formulas F, G are variants of one another if $F=G\rho$ for some renaming $\rho$. A substitution $\sigma$ is said to be more general than $\theta$ if there exists a substitution $\eta$ such that $\theta =\sigma \eta$. A unifier of $t_1,\dots ,t_n$ is a substitution $\sigma$ such that $t_1\sigma =\dots =t_n\sigma$; $\sigma$ is a most general unifier (mgu) of $t_1,\dots ,t_n$ if it is more general than any other unifier thereof.

A clause is a disjunction of literals $L_1\vee \dots \vee L_n$. In the context of deductive databases, clauses are expressed in implicational form, $A\leftarrow L_1\wedge \dots \wedge L_n$, where A is an atom and $L_1,\dots ,L_n$ are literals; A is called the head and $L_1\wedge \dots \wedge L_n$ the body of the clause. The head is optional and, when it is omitted, the clause is called a denial. A rule is a clause whose head is intensional, and a fact is a clause whose head is extensional and ground and whose body is empty (understood as $\mathit{true}$). Two clauses are standardized apart if they have no bound variable in common. As customary, we also assume clauses to be range-restricted, i.e., each variable must occur in a positive database literal in the body.

Deductive databases are characterized by three components: facts, rules, and integrity constraints. An integrity constraint can, in general, be any (closed) formula. In the context of deductive databases, however, it is customary to express integrity constraints in some canonical form; we adopt here the denial form, which gives a clear indication of what must not occur in the database.

Definition 1 

(Schema, database). A database schema S is a pair $\langle \mathit{IDB},\mathit{IC}\rangle$, where $\mathit{IDB}$ (the intensional database) is a finite set of range-restricted rules, and $\mathit{IC}$ (the constraint theory) is a finite set of denials. A database D on S is a pair $\langle \mathit{IDB},\mathit{EDB}\rangle$, where $\mathit{EDB}$ (the extensional database) is a finite set of facts; D is said to be based on $\mathit{IDB}$.

If the $\mathit{IDB}$ is understood, the database is identified with $\mathit{EDB}$ and the schema with $\mathit{IC}$.

For the semantics of a deductive database, we refer to standard texts, such as [77]. There are database classes for which the existence of a unique intended minimal model is guaranteed. One such class is that of stratified databases, i.e., those in which no predicate depends negatively on itself. This can be checked syntactically by building a graph with a node for each predicate and an arc between p and q each time p is in the body and q in the head of the same clause; the arc is labeled with a “−” if p occurs negated. The database is stratified if the graph has no cycle including arcs labeled with a “−”.

Stratified databases admit a unique “intended” minimal model, called the standard model [78,79]. Other minimal models are known, e.g., the perfect model for locally stratified deductive databases [80], the stable model semantics [81], and the well-founded model semantics [82]. We adopt the semantics of stratified databases and write $D\vDash \varphi$, where D is a database and $\varphi$ a closed formula, to indicate that $\varphi$ holds in D’s standard model.

We now introduce a notation for querying and updating a database. A query is an expression of the form $\Leftarrow A$, where A is an atom whose predicate is intensional. When no ambiguity arises, a given query may be indicated directly by means of its defining formula (instead of the predicate name).

Definition 2 

(Update). An update for an extensional predicate p in a database D is an expression of the form $p(\overrightarrow{X})\Leftarrow p^{\prime }(\overrightarrow{X})$ where $\Leftarrow p^{\prime }(\overrightarrow{X})$ is a query for D. For an update U, the updated database $D^U$ has the same EDB as D but in which, for every extensional predicate p updated as $p(\overrightarrow{X})\Leftarrow p^{\prime }(\overrightarrow{X})$ in U, the subset $\{p(\overrightarrow{t})\mid D\vDash p(\overrightarrow{t})\}$ of $\mathit{EDB}$ is replaced by the set $\{p(\overrightarrow{t})\mid D\vDash p^{\prime }(\overrightarrow{t})\}$.

Example 1. 

Consider ${\mathit{IDB}}_1=\{p^{\prime }(X)\leftarrow p(X),p^{\prime }(X)\leftarrow X=a\}.$ The following update $U_1$ describes the addition of fact $p(a)$: $\{p(X)\Leftarrow p^{\prime }(X)\}.$ For convenience, wherever possible, defining formulas instead of queries will be written in the body of predicate updates. Update $U_1$ will, e.g., be indicated as follows: $\{p(X)\Leftarrow p(X)\vee X=a\}.$

The constraint verification problem may be formulated as follows. Given a database D, a constraint theory $\Gamma$ such that $D\vDash \Gamma$, and an update U, does $D^U\vDash \Gamma$ hold too?

Since checking directly whether $D^U\vDash \Gamma$ holds may be too expensive, we aim to obtain a constraint theory ${\Gamma }^U$, called a pre-test, such that $D^U\vDash \Gamma$ if $D\vDash {\Gamma }^U$ and ${\Gamma }^U$ is easier to evaluate than $\Gamma$.

4. A Simplification Procedure for Obtaining a Pre-Test

We report here the main steps of the simplification procedure described in [15], whose operators will be used as building blocks in the next section to handle an expressive class of integrity constraints.

The procedure consists of two main steps, $\mathsf{After}$ and $\mathsf{Optimize}$, which, together, are the main components of the simplification procedure $\mathsf{Simp}$, as sketchily described in Figure 1. The former receives a schema S and an update U, and builds a schema $S^{\prime }$ that, while applying to the current state, represents the given integrity constraints in the state after the update U. The latter eliminates redundancies from $\mathsf{After}$’s output $S^{\prime }$ and exploits the consistency assumption, i.e., that the integrity constraints in S hold in the state before update U, so as to emit a simplified schema $S^{*}$.

We observe that these operators work at the program level instead of the data level, so they will target program specifications (in datalog) rather than datasets. In the experiments and examples discussed here and in Section 5, we shall indeed tests our operators against specifications of integrity constraints (most of which are taken from the cited literature).

For easier reference,

Table 1. Operators used for the simplification procedure, as defined in Section 4.

Notation	Explanation
$S^{\prime }={\mathsf{After}}^U(S)$	Schema $S^{\prime }$ is a WP of schema S wrt update U (Definition 7)
${\mathcal{L}}_{\mathsf{S}}$	A class of schemata that can be unfolded as a set of denials (Definition 6)
$\Gamma ={\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}(S)$	For a schema $S=\langle IDB,IC\rangle \in {\mathcal{L}}_{\mathsf{S}}$, $\Gamma$ is the unfolding of $IC$ wrt $IDB$ (Definition 8)
$\Gamma ={\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}^U(S)$	The set of denials $\Gamma$ is a WP of schema $S\in {\mathcal{L}}_{\mathsf{S}}$ wrt update U, and is defined as $\Gamma ={\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}({\mathsf{After}}^U(S))$
${\varphi }_1⊑{\varphi }_2$	Denial ${\varphi }_1$ subsumes denial ${\varphi }_2$ (Definition 9)
${\varphi }_1⊏{\varphi }_2$	Denial ${\varphi }_1$ strictly subsumes denial ${\varphi }_2$ (Definition 9)
${\varphi }^{-}$	Reduction: same as denial $\varphi$ but without redundancies (Definition 10)
${\varphi }^{+}$, ${\Phi }^{+}$	Expansion: same as denial $\varphi$ (or set of denials $\Phi$) with constants and repeated variables replaced by new variables and equalities; see [8]
$\Gamma {⊢}_R\varphi$	Denial $\varphi$ is derived from the set of denials $\Gamma$. In particular, there is a resolution derivation of a denial $\psi$ from ${\Gamma }^{+}$ such that ${\psi }^{-}⊑\varphi$ (Definition 11)
${\Gamma }^{\prime }={\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{S}}}^{∆}(\Gamma )$	${\Gamma }^{\prime }$ is the result of applying denial elimination and literal elimination from the set of denials $\Gamma \in {\mathcal{L}}_{\mathsf{S}}$ as long as possible by trusting the set of denials $∆\in {\mathcal{L}}_{\mathsf{S}}$ (Definition 12)
$\Phi ={\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{S}}}^U(S)$	The set of denials $\Phi$ is a CWP of schema $S\in {\mathcal{L}}_{\mathsf{S}}$ wrt update U computed through ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{S}}}$ and ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}$ (Definition 13)

summarizes the main operators and symbols defined in this section, along with a synthetic explanation of how they work.

A mere condition for checking integrity without actually executing the update is given by the notion of weakest precondition [6,83,84].

Definition 3 

(Weakest precondition). Let $S=\langle \mathit{IDB},\Gamma \rangle$ be a schema and U an update. A schema $S^{\prime }=\langle {\mathit{IDB}}^{\prime },{\Gamma }^{\prime }\rangle$ is a weakest precondition (WP) of S with respect to U whenever $D\vDash {\Gamma }^{\prime }\iff D^U\vDash \Gamma$ for any database D based on $\mathit{IDB}\cup {\mathit{IDB}}^{\prime }$.

To employ the consistency assumption, we extend the class of checks of interest as follows.

Definition 4 

(Conditional weakest precondition). Let $S=\langle \mathit{IDB},\Gamma \rangle$ be a schema and U an update. Schema $S^{\prime }=\langle {\mathit{IDB}}^{\prime },{\Gamma }^{\prime }\rangle$ is a conditional weakest precondition (CWP) of S wrt U whenever $D\vDash {\Gamma }^{\prime }\iff D^U\vDash \Gamma$ for any database D such that $D\vDash \Gamma$.

A WP is also a CWP but the reverse does not necessarily hold.

Example 2. 

Consider the update and IDB from Example 1 and let ${\Gamma }_1$ be the constraint theory $\{\leftarrow p(X)\wedge q(X)\}$ stating that p and q are mutually exclusive. Then, $\{\leftarrow q(a)\}$ is a CWP (but not a WP) of ${\Gamma }_1$ with respect to $U_1$.

4.1. The Core Language ${\mathcal{L}}_{\mathsf{S}}$

We now formally characterize a language, that we call ${\mathcal{L}}_{\mathsf{S}}$, on which a core simplification procedure can be applied. We introduce a few technical notions that are needed in order to precisely identify the class of predicates, integrity constraints, and updates that are part of ${\mathcal{L}}_{\mathsf{S}}$, which is a non-recursive, function-free language equipped with negation.

Definition 5 

(Starred dependency graph). Let $S=\langle \mathit{IDB},\Gamma \rangle$ be a schema in which the $\mathit{IDB}$ consists of a set of disjunctive (range-restricted) predicate definitions and Γ is a set of range-restricted denials. Let $\mathcal{G}$ be a graph that has a node $N^p$ for each predicate p in S plus another node named ⊥, and no other node; if p’s defining formula has variables not occurring in the head, then $N^p$ is marked with a “*”. For any two predicates p and $p^{\prime }$ in S, $\mathcal{G}$ has an arc from $N^p$ to $N^{p^{\prime }}$ for each occurrence of p in an $\mathit{IDB}$ rule in which $p^{\prime }$ occurs in the head; similarly, there is an arc from $N^p$ to ⊥ for each occurrence of p in the body of a denial in Γ. In both cases, the arc is labelled with a “−” (and said to be negative) if p occurs negatively. $\mathcal{G}$ is the starred dependency graph for S.

Example 3. 

Let $S_1=\langle {\mathit{IDB}}_1,{\Gamma }_1\rangle$ and $S_2=\langle {\mathit{IDB}}_2,{\Gamma }_2\rangle$ be schemata with

$$\begin{array}{ccc}\hfill {\mathit{IDB}}_1& =\{\hfill & s_1(X)\leftarrow r_1(X,Y)\},\hfill \\ \hfill {\Gamma }_1& =\{\hfill & \leftarrow p_1(X)\wedge \neg s_1(X)\},\hfill \\ \hfill {\mathit{IDB}}_2& =\{\hfill & s_2(X)\leftarrow r_2(X,Y),\hfill \\ & & q_2(X)\leftarrow \neg s_2(X)\wedge t_2(X)\},\hfill \\ \hfill {\Gamma }_2& =\{\hfill & \leftarrow p_2(X)\wedge \neg q_2(X)\}.\hfill \end{array}$$

The starred dependency graphs of $S_1$ and $S_2$ are shown in Figure 2.

Definition 6 

(${\mathcal{L}}_{\mathsf{S}}$). A schema S is in ${\mathcal{L}}_{\mathsf{S}}$ if its starred dependency graph $\mathcal{G}$ is acyclic and, in every path in $\mathcal{G}$ from a starred node to ⊥, the number of arcs labelled with “−” is even. An update $\{p_1({\overrightarrow{X}}_1)\Leftarrow q_1({\overrightarrow{X}}_1),\dots ,p_m({\overrightarrow{X}}_m)\Leftarrow q_m({\overrightarrow{X}}_m)\}$ is in ${\mathcal{L}}_{\mathsf{S}}$ if the graph obtained from $\mathcal{G}$ by adding an arc from $N^{q_i}$ to $N^{p_i}$, $1\le i\le m$ meets the above condition.

Acyclicity corresponds to absence of recursion. The second condition requires that the unfolding of the intensional predicates in the constraint theory does not introduce any negated existentially quantified variable. In particular, starred nodes correspond to literals with existentially quantified variable (called non-distinguished). In order to avoid negated existential quantifiers, the number of “−” signs must be even, as an even number of negations means no negation. This requirement will be removed in the next section.

Example 4. 

Consider $S_1$ and $S_2$ from Example 3. Clearly, $S_1$ is not in ${\mathcal{L}}_{\mathsf{S}}$, as in its starred dependency graph ${\mathcal{G}}_1$ in Figure 2, there is a path from $s_1^{*}$ to ⊥ containing one “−” arc, while $S_2$ is in ${\mathcal{L}}_{\mathsf{S}}$, as in ${\mathcal{G}}_2$, the only path from $s_2^{*}$ to ⊥ contains two “−” arcs.

The plan is now to refine the sketch shown in Figure 1 so as to specialize the application of the $\mathsf{After}$ and $\mathsf{Optimize}$ operators for the ${\mathcal{L}}_{\mathsf{S}}$ language. This will require the introduction of further operators and procedures, which are sketchily described in Figure 3. In particular, the overall procedure receives a schema S and an update U and first transforms the schema in ato new schema $S^{\prime }$, whose integrity constraints hold in the state before the update if and only if the original constraints in S hold in the updated state. Then, the intensional database in $S^{\prime }$ is completely eliminated (through “unfolding”), because its definitions are going to be embedded in the integrity constraints themselves, thereby producing a set of integrity constraints $\Gamma$. Finally, the $\mathsf{Optimize}$ operator tries to remove all redundancies from $\Gamma$ by eliminating literals as well as whole denials as much as possible. This is done by exploiting the consistency assumption, i.e., the fact that the original integrity constraints in S hold before the update; to do this, $\mathsf{Optimize}$ receives as input the integrity constraints in S after embedding the definitions of its intensional database in the constraints (again, through unfolding), which are represented by the set $∆$ in the sketch. The overall output is the set of integrity constraints ${\Gamma }^{*}$ from which the redundancies are removed.

Generating Weakest Preconditions in ${\mathcal{L}}_{\mathsf{S}}$

The following syntactic transformation, $\mathsf{After}$, generates a WP.

Definition 7 

($\mathsf{After}$). Let $S=\langle \mathit{IDB},\Gamma \rangle$ be a schema and U an update $p(\overrightarrow{X})\Leftarrow p^U(\overrightarrow{X})$.

• Let us indicate with ${\Gamma }^U$ a copy of Γ in which any atom $p(\overrightarrow{t})$ is simultaneously replaced by the expression $p^U(\overrightarrow{t})$ and every intensional predicate q is simultaneously replaced by a new intensional predicate $q^U$ defined in ${\mathit{IDB}}^U$ below.
• Similarly, let us indicate with ${\mathit{IDB}}^U$ a copy of $\mathit{IDB}$ in which the same replacements are simultaneously made, and let ${\mathit{IDB}}^{*}$ be the biggest subset of $\mathit{IDB}\cup {\mathit{IDB}}^U$ including only definitions of predicates on which ${\Gamma }^U$ depends.

We define ${\mathsf{After}}^U(S)=\langle {\mathit{IDB}}^{*},{\Gamma }^U\rangle$.

Example 5. 

Consider the updates and $\mathit{IDB}$ definitions of Example 1. Let schema $S_1$ be $\langle {\mathit{IDB}}_1,{\Gamma }_1\rangle$, where ${\Gamma }_1=\{\leftarrow p(X)\wedge q(X)\}$ states that p and q are mutually exclusive. We have ${\mathsf{After}}^{U_1}(S_1)=\langle {\mathit{IDB}}_1,{\Gamma }_1^{U_1}\rangle$, where ${\Gamma }_1^{U_1}=\{\leftarrow p^{\prime }(X)\wedge q(X)\}.$ We replace $p^{\prime }(X)$ by its defining formula and thus omit the intensional database:

$$\begin{array}{ccccc}{\mathsf{After}}^{U_1}({\Gamma }_1)=\Sigma =& \{& \leftarrow \hfill & p(X)\wedge q(X),\hfill & \\ & & \leftarrow \hfill & X=a\wedge q(X)\hfill & \}.\hfill \end{array}$$

Clearly, ${\mathsf{After}}^U(S)$ is a WP of S with respect to U, and, trivially, a CWP.

For ${\mathcal{L}}_{\mathsf{S}}$, we use unfolding [85] to replace every intensional predicate by its definition until only extensional predicates appear. To this end, we use the ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}$ operator below.

Definition 8 

(Unfolding). Let $S=\langle \mathit{IDB},\Gamma \rangle$ be a database schema in ${\mathcal{L}}_{\mathsf{S}}$. Then, ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}(S)$ is the schema $\langle \varnothing ,{\Gamma }^{\prime }\rangle$, where ${\Gamma }^{\prime }$ is the set of denials obtained by iterating the two following steps as long as possible:

• replace, in Γ, each atom $p(\overrightarrow{t})$ by $F^p\{\overrightarrow{X}/\overrightarrow{t}\}$, where $F^p$ is p’s defining formula and $\overrightarrow{X}$ its head variables. If no replacement was made, then stop;
• transform the result into a set of denials according to the following patterns:
  • $\leftarrow A\wedge (B_1\vee B_2)$ is replaced by $\leftarrow A\wedge B_1$ and $\leftarrow A\wedge B_2$;
  • $\leftarrow A\wedge \neg (B_1\vee B_2)$ is replaced by $\leftarrow A\wedge \neg B_1\wedge \neg B_2$;
  • $\leftarrow A\wedge \neg (B_1\wedge B_2)$ is replaced by $\leftarrow A\wedge \neg B_1$ and $\leftarrow A\wedge \neg B_2$.

Due to the implicit outermost universal quantification of the variables, non-distinguished variables in a predicate definition are existentially quantified to the right-hand side of the arrow, as shown in Example 6 below. For this reason, with no indication of the quantifiers, the replacements in Definition 8 preserve equivalence if no predicate containing non-distinguished variables occurs negated in the resulting expression.

Example 6. 

Consider $S_1$ from Example 3, which, as shown, is not in ${\mathcal{L}}_{\mathsf{S}}$. With the explicit indication of the quantifiers, we have ${\mathit{IDB}}_1\equiv \{\forall X(s_1(X)\leftarrow \exists Y{r}_1(X,Y))\}.$ The replacement, in ${\Gamma }_1$, of $s_1(X)$ by its definition in ${\mathit{IDB}}_1$ would determine the formula ${\Gamma }_1^{\prime }=\{\forall X,Y(\leftarrow p_1(X)\wedge \neg r_1(X,Y))\}.$ However, this replacement is not equivalence-preserving, because a predicate ($r_1$) containing a non-distinguished variable occurs negated: ${\Gamma }_1\equiv \{\forall X(\leftarrow p_1(X)\wedge \neg \exists Y{r}_1(X,Y))\}\not\equiv {\Gamma }_1^{\prime }.$

We shall cover the cases in which $\neg \exists$ may occur in denials in Section 5.

The language ${\mathcal{L}}_{\mathsf{S}}$ is closed under unfolding and ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}$ preserves equivalence. We then refine $\mathsf{After}$ for ${\mathcal{L}}_{\mathsf{S}}$ as ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}^U(S)={\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}({\mathsf{After}}^U(S))$.

Example 7. 

Consider again a database containing information about books, where the binary predicate b contains the ISBN (first argument) and the title (second argument). We expect, for this database, updates of the form $U=\{b(X,Y)\Leftarrow b^U(X,Y)\}$, where $b^U$ is a query defined by the predicate definition $b^U(X,Y)\leftarrow b(X,Y)$$\vee (X=\mathbf{i}\wedge Y=\mathbf{t})$, i.e., U is the addition of the tuple $\langle \mathbf{i},\mathbf{t}\rangle$ to b. The following integrity constraint is given:

$$\varphi =\leftarrow b(X,Y)\wedge b(X,Z)\wedge Y\ne Z$$

meaning that no ISBN can be associated with two different titles. First, each occurrence of b is replaced by $b^U$, obtaining

$$\leftarrow b^U(X,Y)\wedge b^U(X,Z)\wedge Y\ne Z.$$

Then, ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}$ is applied to this integrity constraint. The first step of Definition 8 generates the following:

$$\{\leftarrow (b(X,Y)\vee (X=\mathbf{i}\wedge Y=\mathbf{t}))\wedge (b(X,Z)\vee (X=\mathbf{i}\wedge Z=\mathbf{t}))\wedge Y\ne Z\}.$$

The second step translates it to clausal form:

$$\begin{array}{cc}\hfill {\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}^U(\{\varphi \})=\{& \leftarrow b(X,Y)\wedge b(X,Z)\wedge Y\ne Z,\hfill \\ & \leftarrow b(X,Y)\wedge X=\mathbf{i}\wedge Z=\mathbf{t}\wedge Y\ne Z,\hfill \\ & \leftarrow X=\mathbf{i}\wedge Y=\mathbf{t}\wedge b(X,Z)\wedge Y\ne Z,\hfill \\ & \leftarrow X=\mathbf{i}\wedge Y=\mathbf{t}\wedge X=\mathbf{i}\wedge Z=\mathbf{t}\wedge Y\ne Z\hfill & \}.\hfill \end{array}$$

4.2. Simplification in ${\mathcal{L}}_{\mathsf{S}}$

The result returned by ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}$ may contain redundant parts (e.g., $a=a$) and does not exploit the consistency assumption. For this purpose, we define a transformation ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{S}}}$ that optimizes a given constraint theory using a set of trusted hypotheses. We describe here an implementation in terms of sound and terminating rewrite rules. Among the tools we use are subsumption, reduction, and resolution.

Definition 9 

(Subsumption). Given two denials ${\varphi }_1$ and ${\varphi }_2$, ${\varphi }_1$ subsumes ${\varphi }_2$ (via σ), written ${\varphi }_1⊑{\varphi }_2$, if there is a substitution σ such that each literal in ${\varphi }_1\sigma$ occurs in ${\varphi }_2$. The subsumption is strict, written ${\varphi }_1⊏{\varphi }_2$, if ${\varphi }_1$ is not a variant of ${\varphi }_2$.

The subsumption algorithm (see, e.g., [86]), besides checking subsumption, also returns the substitution $\sigma$. As is well known, the subsuming denial implies the subsumed one.

Example 8. 

$\leftarrow p(X,Y)\wedge q(Y)$ subsumes $\leftarrow p(X,b)\wedge X\ne a\wedge q(b)$ via $\{Y/b\}$.

Reduction [87] characterizes the elimination of redundancies within a single denial.

Definition 10 

(Reduction). For a denial ϕ, the reduction ${\varphi }^{-}$ of ϕ is the result of applying the following rules on ϕ as long as possible, where L is a literal, $c_1,c_2$ are distinct constants, X is a bound variable, t is a term, A is an atom, C, D (possibly empty) are conjunctions of literals, and $vars$ indicates the set of bound variables occurring in its argument.

$$\begin{array}{ccc}\hfill \leftarrow L\wedge C& \Rightarrow & \leftarrow Cif L is of the form t=t or c_1\ne c_2\hfill \\ \hfill \leftarrow L\wedge C& \Rightarrow & \mathit{true}if L is of the form t\ne t or c_1=c_2\hfill \\ \hfill \leftarrow X=t\wedge C& \Rightarrow & \leftarrow C\{X/t\}\hfill \\ \hfill \leftarrow A\wedge \neg A\wedge C& \Rightarrow & \mathit{true}\hfill \\ \hfill \leftarrow C\wedge D& \Rightarrow & \leftarrow Dif(\leftarrow C)⊑(\leftarrow D) with a substitution \sigma s.t.\hfill \\ & & \mathrm{dom}(\sigma )\cap \mathrm{vars}(D)=\varnothing \hfill \end{array}$$

Clearly, ${\varphi }^{-}\equiv \varphi$. The last rewrite rule is called subsumption factoring [88] and includes the elimination of duplicate literals from a denial as a special case. An additional rule for handling parameters may be considered in the reduction process:

$$\leftarrow \mathbf{a}=c_1\wedge C\Rightarrow \leftarrow \mathbf{a}=c_1\wedge C\{\mathbf{a}/c_1\}$$

(1)

This may replace parameters with constants and possibly allow further reduction. For example, the denial $\leftarrow \mathbf{a}=c\wedge b=\mathbf{a}$ would be transformed into $\leftarrow \mathbf{a}=c\wedge b=c$, and, thus, into $\mathit{true}$, since b and c are different constants.

We now briefly recall the definition of resolvent and derivation for the well-known principle of resolution [89,90] and cast it to the context of deductive databases.

Definition 11. 

Let ${\varphi }_1^{\prime }=\leftarrow L_1\wedge \dots \wedge L_m,{\varphi }_2^{\prime }=\leftarrow M_1\wedge \dots \wedge M_n$ be two standardized apart variants of denials ${\varphi }_1,{\varphi }_2$. If θ is a mgu of $\{L_i,\neg M_j\}$, then the clause

$$\leftarrow (L_1\wedge \dots \wedge L_{i-1}\wedge L_{i+1}\wedge \dots L_m\wedge M_1\wedge \dots \wedge M_{j-1}\wedge M_{j+1}\wedge \dots \wedge M_n)\theta$$

is a binary resolvent of ${\varphi }_1$ and ${\varphi }_2$ and $L_i,M_j$ are said to be the literals resolved upon.

The resolution principle is a sound inference rule, in that a resolvent is a logical consequence of its parent clauses, and preserves range restriction [91].

We also refer to the notion of expansion [8]: the expansion of a clause consists of replacing every constant or parameter in a database predicate (or variable already appearing elsewhere in database predicates) by a new variable and adding the equality between the new variable and the replaced item. We indicate the expansion of a (set of) denial(s) with a “+” superscript.

Example 9. 

Let $\varphi =\leftarrow p(X,a,X)$. Then, ${\varphi }^{+}=\leftarrow p(X,Y,Z)\wedge Y=a\wedge Z=X$.

For a constraint theory $\Gamma$ in ${\mathcal{L}}_{\mathsf{S}}$ and a denial $\varphi$ in ${\mathcal{L}}_{\mathsf{S}}$, the notation $\Gamma {⊢}_R\varphi$ indicates that there is a resolution derivation of a denial $\psi$ from ${\Gamma }^{+}$ and ${\psi }^{-}⊑\varphi$. The ${⊢}_R$ procedure is sound; additionally, it is guaranteed to terminate on any input provided that, in each resolution step, the resolvent has at most as many literals as those in the largest denial in ${\Gamma }^{+}$ (i.e., by forcing an upper bound on the size of the clauses).

We can now provide a possible implementation of an optimization operator that eliminates redundant literals and denials from a given constraint theory $\Gamma$ assuming that another theory $∆$ holds. Informally, ${⊢}_R$, subsumption and reduction are used to approximate entailment. In the following, $A\bigsqcup B$ indicates the union of disjoint sets.

Definition 12. 

Given two constraint theories ∆ and Γ in ${\mathcal{L}}_{\mathsf{S}}$, ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{S}}}^{∆}(\Gamma )$ is the result of applying the following rewrite rules on Γ as long as possible. In the following, ϕ, ψ are denials in ${\mathcal{L}}_{\mathsf{S}}$, ${\Gamma }^{\prime }$ is a constraint theory in ${\mathcal{L}}_{\mathsf{S}}$.

$$\begin{array}{ccc}\hfill \{\varphi \}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & {\Gamma }^{\prime }if{\varphi }^{-}=\mathit{true}\hfill \\ \hfill \{\varphi \}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & {\Gamma }^{\prime }if({\Gamma }^{\prime }\cup ∆){⊢}_R\varphi \hfill \\ \hfill \{\varphi \}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & \{{\varphi }^{-}\}\cup {\Gamma }^{\prime }if\varphi \ne {\varphi }^{-}\ne \mathit{true}\hfill \\ \hfill \{\varphi \}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & \{{\psi }^{-}\}\cup {\Gamma }^{\prime } if (\{\varphi \}\bigsqcup {\Gamma }^{\prime }\cup ∆){⊢}_R\psi and {\psi }^{-}⊏\varphi \hfill \end{array}$$

The first two rules attempt the elimination of a whole denial, whereas the last two try to remove literals from a denial. We can now fully define simplification for ${\mathcal{L}}_{\mathsf{S}}$:

Definition 13. 

Let $S=\langle \mathit{IDB},\Gamma \rangle \in {\mathcal{L}}_{\mathsf{S}}$ and U be an update in ${\mathcal{L}}_{\mathsf{S}}$ with respect to S. Let ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}(S)=\langle \varnothing ,{\Gamma }^{\prime }\rangle$. We define ${\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{S}}}^U(S)={\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{S}}}^{{\Gamma }^{\prime }}({\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}^U(S)).$

Clearly, ${\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{S}}}^U(S)$ is a CWP of S with respect to U.

Example 10. 

Consider again Example 7. The reduction of each denial in ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{S}}}^U(\{\varphi \})$ generates the following set.

$$\begin{array}{ccc}\hfill \{& \leftarrow \hfill & b(X,Y)\wedge b(X,Z)\wedge Y\ne Z,\hfill \\ & \leftarrow \hfill & b(\mathbf{i},Y)\wedge Y\ne \mathbf{t},\hfill \\ & \leftarrow \hfill & b(\mathbf{i},Z)\wedge \mathbf{t}\ne Z\hfill & \}.\hfill \end{array}$$

Then, the third denial is removed, as it is subsumed by the second one; the first constraint is subsumed by ϕ and, thus, removed, so ${\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{S}}}^U(\{\varphi \})=\{\leftarrow b(\mathbf{i},Y)\wedge Y\ne \mathbf{t}\}.$ This result indicates that, for the database to be consistent after update U, a book with ISBN $\mathbf{i}$ must not be already associated with a title Y different from $\mathbf{t}$.

5. Denials with Negated Existential Quantifiers

In the definition of ${\mathcal{L}}_{\mathsf{S}}$, we limited the level of interaction between negation and existential quantification in the constraint theories. We now relax this limitation and extend the syntax of denials so as to allow the presence of negated existential quantifiers. The simplification procedure can be adapted to such cases, provided that its components are adjusted so as to handle conjuncts starting with a negated existential quantifier.

In this section, we address the problem of simplification of integrity constraints in hierarchical databases, in which all clauses are range-restricted and the schemata are non-recursive, but there is no other restriction on the occurrence of negation. We refer to the language of such schemata as ${\mathcal{L}}_{\mathsf{H}}$.

Definition 14 

(${\mathcal{L}}_{\mathsf{H}}$). Let S be a schema. S is in ${\mathcal{L}}_{\mathsf{H}}$ if its starred dependency graph is acyclic.

Similarly to the previous section, we summarize the notation and operators used in this section in tabular form (see

Table 2. Operators used for the simplification procedure, as defined in Section 5.

Notation	Explanation
${\mathcal{L}}_{\mathsf{H}}$	A class of schemata that can be unfolded as a set of extended denials (Definition 14)
$\Gamma ={\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)$	For a schema $S=\langle IDB,IC\rangle \in {\mathcal{L}}_{\mathsf{H}}$, $\Gamma$ is the unfolding of $IC$ wrt $IDB$ (Definition 16)
$\Gamma ={\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)$	The set of extended denials $\Gamma$ is a WP of schema $S\in {\mathcal{L}}_{\mathsf{H}}$ wrt update U (Definition 17)
${\varphi }_1\widehat{⊑}{\varphi }_2$	Extended denial ${\varphi }_1$ extended-subsumes extended denial ${\varphi }_2$ (Definition 19)
${\varphi }^{-}$	Reduction: same as extended denial $\varphi$ but without redundancies (Definition 20)
${\Gamma }^{\prime }={\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{H}}}^{∆}(\Gamma )$	${\Gamma }^{\prime }$ is the result of applying (possibly nested) extended denial elimination and general literal elimination from constraint theory $\Gamma \in {\mathcal{L}}_{\mathsf{H}}$ as long as possible by trusting constraint theory $∆\in {\mathcal{L}}_{\mathsf{H}}$ (Definition 21)
$\Phi ={\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)$	The set of extended denials $\Phi$ is a CWP of schema $S\in {\mathcal{L}}_{\mathsf{H}}$ wrt update U computed through ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{H}}}$ and ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}$ (Definition 22)

), which add to those summarized in Table 1. A diagram showing the main blocks composing the simplification procedure in ${\mathcal{L}}_{\mathsf{H}}$ would look exactly like the one shown in Figure 3, after taking care of replacing each occurrence of ${\mathcal{L}}_{\mathsf{S}}$ with ${\mathcal{L}}_{\mathsf{H}}$.

Unfolding predicates in integrity constraints with respect to their definitions cannot be done in the same way as ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}$. For this purpose, we extend the syntax of denials so as to allow negated existential quantifiers to occur in literals.

Definition 15 

(Extended denials). A negated existential expression or NEE is an expression of the form $\neg \exists \overrightarrow{X}B$, where B is called the body of the NEE, $\overrightarrow{X}$ are some (possibly all) of the variables occurring in B, and B has the form $L_1\wedge \dots \wedge L_n$, where each $L_i$ is a general literal, i.e., either a literal or an NEE.

A formula of the form $\forall \overrightarrow{X}(\leftarrow B)$, where B is the body of an NEE and $\overrightarrow{X}$ are some (possibly all) of the free variables in B, is called an extended denial. When there is no ambiguity on the variables in $\overrightarrow{X}$, extended denials are simply written $\leftarrow B$.

Example 11. 

The formula $\leftarrow parent(X)\wedge \neg \exists Ychild\_of(X,Y)$ is an extended denial. It reads as follows: there is inconsistency if there is a parent X that does not have a child. Note that this is different from the (non-range-restricted) denial $\leftarrow parent(X)\wedge \neg child\_of(X,Y)$, which states that if X is a parent then all individuals must be his/her children.

We observe that variables under a negated existential quantifier conform with the intuition behind safeness, so we could conclude that the first formula in Example 11 is safe, whereas the second one is not.

The framework we have defined so far is very expressive, since it captures the most common and useful kinds of dependencies, such as TGDs and EGDs. A TGD is a formula of the form $\forall \overrightarrow{X}(\varphi (\overrightarrow{X})\to \exists \overrightarrow{Y}\psi (\overrightarrow{X},\overrightarrow{Y}))$, where $\varphi (\overrightarrow{X})$ is a conjunction of atomic formulas, all with variables among the variables in $\overrightarrow{X}$; every variable in $\overrightarrow{X}$ appears in $\varphi (\overrightarrow{X})$ (but not necessarily in $\psi$), and $\psi (\overrightarrow{X},\overrightarrow{Y})$ is a conjunction of atoms, all with variables among $\overrightarrow{X}$ and $\overrightarrow{Y}$. Clearly, such a TGD can be expressed with our notation as the extended denial $\leftarrow \varphi (\overrightarrow{X})\wedge \neg \exists \overrightarrow{Y}\psi (\overrightarrow{X},\overrightarrow{Y})$. EGDs are formulas of the form $\forall \overrightarrow{X}(\varphi (\overrightarrow{X})\to X_1=X_2)$, where $X_1$ and $X_2$ are variables in $\overrightarrow{X}$. Clearly, this is expressed as a denial $\leftarrow \varphi (\overrightarrow{X})\wedge X_1\ne X_2$.

We can now apply unfolding in ${\mathcal{L}}_{\mathsf{H}}$ to obtain extended denials. In doing so, attention needs to be paid when replacing negated intensional predicates by their definition, since they may contain non-distinguished variables, meaning that existential quantifiers have to be explicitly indicated. As was the case for ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{S}}}$, the replacements may result in disjunctions and negated conjunctions. Therefore, additional steps are needed to restore the extended denial form.

Definition 16. 

Let $S=\langle \mathit{IDB},\Gamma \rangle$ be a database schema in ${\mathcal{L}}_{\mathsf{H}}$. We define ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)$ as the set of extended denials obtained by iterating the two following steps as long as possible:

• replace, in Γ, each occurrence of a literal of the form $\neg p(\overrightarrow{t})$ by $\neg \exists \overrightarrow{Y}{F}^p\{\overrightarrow{X}/\overrightarrow{t}\}$ and of a literal of the form $p(\overrightarrow{t})$ by $F^p\{\overrightarrow{X}/\overrightarrow{t}\}$, where $F^p$ is p’s defining formula, $\overrightarrow{X}$ its head variables and $\overrightarrow{Y}$ its non-distinguished variables. If no replacement was made, stop;
• transform the resulting formula into a set of extended denials according to the following patterns; $\Phi (Arg)$ is an expression indicating the body of an NEE in which $Arg$ occurs; $\overrightarrow{X}$ and $\overrightarrow{Y}$ are disjoint sequences of variables:
  • $\leftarrow A\wedge (B\vee C)$ is replaced by $\leftarrow A\wedge B$ and $\leftarrow A\wedge C$;
  • $\leftarrow A\wedge \neg (B\vee C)$ is replaced by $\leftarrow A\wedge \neg B\wedge \neg C$;
  • $\leftarrow A\wedge \neg (B\wedge C)$ is replaced by $\leftarrow A\wedge \neg B$ and $\leftarrow A\wedge \neg C$;
  • $\leftarrow A\wedge \neg \exists \overrightarrow{X}\Phi (\neg \exists \overrightarrow{Y}[B\wedge (C\vee D)])$ is replaced by
    $\leftarrow A\wedge \neg \exists \overrightarrow{X}\Phi (\neg \exists \overrightarrow{Y}[B\wedge C]\wedge \neg \exists \overrightarrow{Y}[B\wedge D])$.

Without loss of generality, we can assume that, for any NEE $N=\neg \exists \overrightarrow{X}B$ occurring in an extended denial $\varphi$, the variables $\overrightarrow{X}$ do not occur outside N in $\varphi$. This can simply be obtained by renaming the variables appropriately and we refer to such an extended denial as standardized. The level of an NEE in an extended denial is the number of NEEs that contain it plus 1. The level of a variable X in a standardized extended denial is the level of the NEE starting with $\neg \exists \overrightarrow{X}$, where X is one of the variables in $\overrightarrow{X}$, or 0 if there is no such NEE. The level of an extended denial is the maximum level of its NEEs, or 0 if there is no NEE. In Example 11, the extended denial has level 1, X has level 0, and Y has level 1.

With a slight abuse of notation, we write in the following $S\equiv \Psi$ (or $\Psi \equiv S$), where $S=\langle \mathit{IDB},\mathit{IC}\rangle$ is a schema and $\Psi$ is a set of extended denials, to indicate that, for every database D based on $\mathit{IDB}$, $D\vDash \mathit{IC}$ if $D\vDash \Psi$. We can now claim the correctness of ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}$. We state the following proposition without a proof, since all steps in Definition 16 are trivially equivalence-preserving.

Proposition 1. 

Let $S\in {\mathcal{L}}_{\mathsf{H}}$. Then ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)\equiv S$.

Since the variables under a negated existential quantifier conform with the intuition behind safeness, the unfolding of a schema in which all the clauses are range-restricted yields a set of extended denials that still are safe in this sense. We also note that the language of extended denials is very expressive. In [92], it was shown that any closed formula of the form $\forall \overrightarrow{X}(\leftarrow B)$, where B is a first-order formula and $\overrightarrow{X}$ are its open variables, can be equivalently expressed by a set of Prolog rules plus the denial $\leftarrow q(\overrightarrow{X})$, where q is a fresh predicate symbol. The construction is such that, if B is function-free, then the resulting rule set is also function-free (no skolemization is needed), i.e., it is that of a schema in ${\mathcal{L}}_{\mathsf{H}}$. The unfolding of the obtained schema is therefore an equivalent set of extended denials.

A simplification procedure can now be constructed for extended denials in a way similar to what was achieved in ${\mathcal{L}}_{\mathsf{S}}$.

Definition 17. 

Let S be a schema in ${\mathcal{L}}_{\mathsf{H}}$ and U an update. We define

$${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)={\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}({\mathsf{After}}^U(S)).$$

The optimization step needs to take into account the nesting of NEEs in extended denials. Besides the elimination of disjunctions within NEEs, which is performed by ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}$, we can also eliminate, from an NEE, equalities and non-equalities referring to variables of lower level with respect to the NEE.

Definition 18. 

Let $A,B,C$ be (possibly empty) conjunctions of general literals, $\overrightarrow{Y},\overrightarrow{Z}$ disjoint (sequences of) variables, W a variable of level lower than the level of $\overrightarrow{Z}$, and $\Phi (Arg)$ an expression indicating an NEE in which $Arg$ occurs. The following rewrite rules are, respectively, the equality elimination and non-equality elimination rules.

$$\begin{array}{c}\leftarrow A\wedge \Phi (\neg \exists \overrightarrow{Y}[B\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)])\Rightarrow \hfill \\ \leftarrow A\wedge \Phi (\neg \exists \overrightarrow{Y}[B\wedge W=c\wedge \neg \exists \overrightarrow{Z}(C)]\wedge \neg \exists \overrightarrow{Y}[B\wedge W\ne c])\hfill \end{array}$$

$$\begin{array}{c}\leftarrow A\wedge \Phi (\neg \exists \overrightarrow{Y}[B\wedge \neg \exists \overrightarrow{Z}(C\wedge W\ne c)])\Rightarrow \hfill \\ \leftarrow A\wedge \Phi (\neg \exists \overrightarrow{Y}[B\wedge W\ne c\wedge \neg \exists \overrightarrow{Z}(C)]\wedge \neg \exists \overrightarrow{Y}[B\wedge W=c])\hfill \end{array}$$

The above (non-)equality elimination rewrite rules are equivalence-preserving, as stated below.

Proposition 2. 

Let ψ be an extended denial and ${\psi }^{\prime }$ (resp. ${\psi }^{″}$) be the extended denial obtained after an application of the equality (resp. non-equality) elimination rule. Then $\psi \equiv {\psi }^{\prime }$ and $\psi \equiv {\psi }^{″}$.

Proof. 

Using the notation of Definition 18, we have the following:

$$\begin{array}{cc}& \neg \exists \overrightarrow{Y}[B\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)]\hfill \\ \hfill \equiv & \neg \exists \overrightarrow{Y}[B\wedge (W=c\vee W\ne c)\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)]\hfill \\ \hfill \equiv & \neg \exists \overrightarrow{Y}[B\wedge W=c\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)]\wedge \hfill \\ & \neg \exists \overrightarrow{Y}[B\wedge W\ne c\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)]\hfill \\ \hfill \equiv & \neg \exists \overrightarrow{Y}[B\wedge W=c\wedge \neg \exists \overrightarrow{Z}(C)]\wedge \neg \exists \overrightarrow{Y}[B\wedge W\ne c]\hfill \end{array}$$

In the first step, we added the tautological conjunct $(W=c\vee W\ne c)$. In the second step, we used de Morgan’s laws in order to eliminate the disjunction (as in the definition of ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}$). The formula $W=c\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)$ can be rewritten as $W=c\wedge \neg (\exists \overrightarrow{Z}C\wedge W=c)$, and then as $W=c\wedge (\neg \exists \overrightarrow{Z}(C)\vee W\ne c)$, which, with a resolution step, results in the first NEE in the last extended denial. Similarly, $W\ne c\wedge \neg \exists \overrightarrow{Z}(C\wedge W=c)$ can be rewritten as $W\ne c\wedge (\neg \exists \overrightarrow{Z}(C)\vee W\ne c)$, which results (by absorption) in the second NEE in the last extended denial.

The proof is similar for non-equality elimination. □

In cases where only levels 0 and 1 are involved, the rules look simpler. For example, equality elimination can be conveniently formulated as follows.

$$\begin{array}{cc}\hfill \leftarrow B\wedge \neg \exists \overrightarrow{X}[C\wedge W=c]& \Rightarrow \begin{array}{cc}\hfill \{& \leftarrow B\{W/c\}\wedge \neg \exists \overrightarrow{X}C\{W/c\}\hfill \\ \hfill & \leftarrow B\wedge W\ne c\hfill & \}.\hfill \end{array}\end{array}$$

(2)

Although (non-)equality elimination does not necessarily shorten the input formula (in fact, it can also lengthen it), it always reduces the number of literals in higher-level NEEs. Therefore, convergence to termination can still be guaranteed if this rewrite rule is applied during optimization. Repeated application of such rules “pushes” outwards the involved (non-)equalities until they reach an NEE whose level is the same as the level of the variable in the (non-)equality. Then, in case of an equality, the usual equality elimination step of reduction can be applied.

Example 12. 

The following rewrites show the propagation of a variable of level 0 (X) from level 2 to level 0 via two equality eliminations and one non-equality elimination.

$$\begin{array}{ccccc}& & & \leftarrow \hfill & p(X)\wedge \neg \exists Y\{q(X,Y)\wedge \neg \exists Z[r(X,Y,Z)\wedge X=a]\}\hfill \\ \\ & \equiv & & \leftarrow \hfill & p(X)\wedge \neg \exists Y\{q(X,Y)\wedge X=a\wedge \neg \exists Z[r(X,Y,Z)]\}\hfill \\ & & & & \wedge \neg \exists Y[q(X,Y)\wedge X\ne a]\hfill \\ \\ & \equiv & \{\hfill & \leftarrow \hfill & p(a)\wedge \neg \exists Y[q(a,Y)\wedge \neg \exists Zr(a,Y,Z)]\wedge \neg \exists Y[q(a,Y)\wedge a\ne a],\hfill \\ & & & \leftarrow \hfill & p(X)\wedge X\ne a\wedge \neg \exists Y[X\ne a\wedge q(X,Y)]\hfill & \}\hfill \\ \\ & \equiv & \{\hfill & \leftarrow \hfill & p(a)\wedge \neg \exists Y[q(a,Y)\wedge \neg \exists Zr(a,Y,Z)]\wedge \neg \exists Y[q(a,Y)\wedge a\ne a],\hfill \\ & & & \leftarrow \hfill & p(X)\wedge X\ne a\wedge \neg \exists Yq(X,Y),\hfill \\ & & & \leftarrow \hfill & p(a)\wedge X\ne a\wedge X=a\hfill & \}\hfill \\ \\ & \equiv & \{\hfill & \leftarrow \hfill & p(a)\wedge \neg \exists Y[q(a,Y)\wedge \neg \exists Zr(a,Y,Z)],\hfill \\ & & & \leftarrow \hfill & p(X)\wedge X\ne a\wedge \neg \exists Yq(X,Y)\hfill & \}\hfill \end{array}$$

In the first step, we applied equality elimination to $X=a$ at level 2. In the second step, we applied the rewrite rule (2) for equality elimination to $X=a$ at level 1. Then, we applied non-equality elimination to $X\ne a$ at level 1 in the second denial. In the last step, we removed, by standard application of reduction, the last extended denial and the last NEE in the first extended denial, which are clearly tautological.

We observe that the body of an NEE is structurally similar to the body of an extended denial. The only difference is that, in the former, there are variables that are quantified at a lower level. According to this observation, such (free) variables in the body of an NEE are to be treated as parameters during the different optimization steps, since, as was indicated on page 5, parameters are free variables.

Reduction (Definition 10) can then take place in NEE bodies exactly as in ordinary denials, with the proviso above of treating free variables as parameters.

The definition of resolution (Definition 11) can be adapted for extended denials by applying it to general literals instead of literals.

Subsumption (Definition 9) can also be applied to extended denials without changing the definition. However, we can slightly modify the notion of subsumption to explore the different levels of NEEs in an extended denial. This is captured by the following definition.

Definition 19. 

Let $\varphi =\leftarrow A\wedge B$ and $\psi =\leftarrow C\wedge D$ be two extended denials, where A and C are (possibly empty) conjunctions of literals and B and D are (possibly empty) conjunctions of NEEs. Then ϕ extended-subsumes ψ, written $\varphi \widehat{⊑}\psi$, if both conditions (1) and (2) below hold.

(1)

$\leftarrow A$ subsumes $\leftarrow C$ with substitution σ.

(2)

For every NEE $\neg \exists {\overrightarrow{X}}_{N}N$ in B, there is an NEE $\neg \exists {\overrightarrow{X}}_{M}M$ in D such that $\leftarrow N\sigma$ is extended-subsumed by $\leftarrow M$.

Example 13. 

The extended denial $\leftarrow p(X)\wedge \neg \exists Y,Z[q(X,Y)\wedge r(Y,Z)]$ extended-subsumes the extended denial $\leftarrow p(a)\wedge \neg \exists T[q(a,T)]\wedge \neg \exists W[s(T)]$, since $\leftarrow p(X)$ subsumes $\leftarrow p(a)$ with substitution $\{X/a\}$ and, in turn, $\leftarrow q(a,T)$ subsumes $\leftarrow q(a,Y)\wedge r(Y,Z)$.

This definition encompasses ordinary subsumption, in that it coincides with it if B and D are empty. Furthermore, it captures the desired property that if $\varphi$ extended-subsumes $\psi$, then $\varphi \vDash \psi$; the reverse, as in subsumption, does not necessarily hold.

Proposition 3. 

Let ϕ and ψ be extended denials. If $\varphi \widehat{⊑}\psi$, then $\varphi \vDash \psi$.

Proof. 

Let $\varphi ,\psi ,A,B,C,D$ be as in Definition 19. If B and D are empty, the claim holds, since $\varphi$ and $\psi$ are ordinary denials. The claim also holds if D is not empty, since $\leftarrow C$ entails $\leftarrow C\wedge D$. We now show the general claim with an inductive proof on the level of extended denials.

The base case (level 0) is already proven.

Inductive step. Suppose now that $\varphi$ is of level $n+1$ and that the claim holds for extended denials of level n or less. Assume as a first case that B is empty. Then, $\varphi$ entails $\psi$, since $\varphi$ entails $\leftarrow C$ ($\leftarrow A$ subsumes $\leftarrow C$ by hypothesis). Assume for the moment that $B=\neg \exists {\overrightarrow{X}}_{N}N$ is an NEE of level 1 in $\varphi$ and that D contains an NEE (of level 1) $\neg \exists {\overrightarrow{X}}_{M}M$, such that ${\varphi }^{\prime }=\leftarrow N\sigma$ is extended-subsumed by ${\psi }^{\prime }=\leftarrow M$, as assumed in the hypotheses. However, ${\varphi }^{\prime }$ and ${\psi }^{\prime }$ are extended denials of level n and, therefore, if ${\psi }^{\prime }$ subsumes ${\varphi }^{\prime }$, then ${\psi }^{\prime }$ entails ${\varphi }^{\prime }$ by inductive hypothesis. Clearly, since $\leftarrow A$ entails $\leftarrow C\wedge D$ (by hypothesis) and $\leftarrow M$ entails $\leftarrow N\sigma$ (as a consequence of the inductive hypothesis), then $\leftarrow A\wedge B$ entails $\leftarrow C\wedge D$, which is our claim. If B contains more than one NEE of level 1, the argument is iterated by adding one NEE at a time. □

The inductive proof also shows how to check extended subsumption with a finite number of subsumption tests. This implies that extended subsumption is decidable, since subsumption is. Now that a correct extended subsumption is introduced, it can be used instead of subsumption in the subsumption factoring rule of reduction (Definition 10). In the following, when referring to an NEE $N=\neg \exists \overrightarrow{X}B$, we can also write it as a denial $\leftarrow B$, with the understanding that the free variables in N are considered parameters.

Definition 20. 

For an extended denial ϕ, the reduction ${\varphi }^{-}$ of ϕ is the result of applying on ϕ equality and non-equality elimination as long as possible, and then the rules of Definition 10 (reduction) on ϕ and its NEEs as long as possible, where “literal” is replaced by “general literal”, “subsumes” by “extended-subsumes”, and “denial” by “extended denial”.

Without reintroducing similar definitions, we assume that the same word replacements are made for the notion of ${⊢}_R$. The underlying notions of substitution and unification also apply to extended denials and general literals; however, after substitution with a constant or parameter, the existential quantifier of a variable is removed. For example, the extended denials $\varphi =\leftarrow p(X,b)\wedge \neg \exists Z[q(Z,X)]$ and $\psi =\leftarrow p(a,Y)\wedge \neg q(c,a)$ unify with substitution $\{X/a,Y/b,Z/c\}$. By virtue of the similarity between denial bodies and NEE bodies, we extend the notion of optimization as follows.

Definition 21. 

Given two sets of extended denials ∆ and Γ, ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{H}}}^{∆}(\Gamma )$ is the result of applying the following rewrite rules and the rules of Definition 12 (${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{S}}}$) on Γ as long as possible. In the following, ϕ and ψ are NEEs, ${\Gamma }^{\prime }$ is a set of extended denials, and $\Phi (Arg)$ is an expression indicating the body of an extended denial in which $Arg$ occurs.

$$\begin{array}{ccc}\hfill \{\leftarrow \Phi (\varphi )\}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & \{\leftarrow \Phi (\mathit{true})\}\cup {\Gamma }^{\prime }if{\varphi }^{-}=\mathit{true}\hfill \\ \hfill \{\leftarrow \Phi (\varphi )\}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & \{\leftarrow \Phi (\mathit{true})\}\cup {\Gamma }^{\prime }if({\Gamma }^{\prime }\cup ∆){⊢}_R\varphi \hfill \\ \hfill \{\leftarrow \Phi (\varphi )\}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & \{\leftarrow \Phi ({\varphi }^{-})\}\cup {\Gamma }^{\prime }if\varphi \ne {\varphi }^{-}\ne \mathit{true}\hfill \\ \hfill \{\leftarrow \Phi (\varphi )\}\bigsqcup {\Gamma }^{\prime }& \Rightarrow & \{\leftarrow \Phi ({\varphi }^{-})\}\cup {\Gamma }^{\prime }if((\{\varphi \}\cup \{\leftarrow \Phi (\varphi )\})\bigsqcup {\Gamma }^{\prime }\cup ∆){⊢}_R\psi \hfill \\ & & and {\psi }^{-} strictly extended\text{-}subsumes \varphi \hfill \end{array}$$

Finally, the simplification procedure for ${\mathcal{L}}_{\mathsf{H}}$ is composed in terms of ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}$ and ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{H}}}$.

Definition 22. 

Consider a schema $S=\langle \mathit{IDB},\Gamma \rangle \in {\mathcal{L}}_{\mathsf{H}}$ and an update U. Let ${\Gamma }^{\prime }=$${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)$. We define

$${\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)={\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{H}}}^{{\Gamma }^{\prime }}({\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)).$$

Similarly to ${\mathcal{L}}_{\mathsf{S}}$, soundness of the optimization steps and the fact that $\mathsf{After}$ returns a WP entail the following.

Proposition 4. 

Let $S\in {\mathcal{L}}_{\mathsf{H}}$ and U be an update. Then, ${\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)$ is a CWP of S with respect to U.

Practical Applications

We now discuss the most complex non-recursive examples that we found in the literature for testing the effectiveness of the proposed simplification procedure.

Example 14. 

This example is taken from [10]. Consider a schema $S=\langle \mathit{IDB},\Gamma \rangle$ with three extensional predicates a, b, c, two intensional predicates p, q, a constraint theory Γ, and a set of trusted hypotheses ∆.

$$\begin{array}{cc}\hfill \mathit{IDB}=\{& p(X,Y)\leftarrow a(X,Z)\wedge b(Z,Y),\hfill \\ & q(X,Y)\leftarrow p(X,Z)\wedge c(Z,Y)\hfill & \}\hfill \\ \hfill \Gamma =\{& \leftarrow p(X,X)\wedge \neg q(1,X)\}\hfill \\ \hfill ∆=\{& \leftarrow a(1,5)\}\hfill \end{array}$$

This schema S is not in ${\mathcal{L}}_{\mathsf{S}}$ and the unfolding of S is as follows.

$${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)=\{\leftarrow a(X,Y)\wedge b(Y,X)\wedge \neg \exists W,Z(a(1,W)\wedge b(W,Z)\wedge c(Z,X))\}.$$

We want to verify that the update $U=\{b(X,Y)\Leftarrow b(X,Y)\wedge X\ne 5\}$ (the deletion of all b-tuples in which the first argument is 5) does not affect consistency. ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)$ results in the following extended denial:

$$\leftarrow a(X,Y)\wedge b(Y,X)\wedge Y\ne 5\wedge \neg \exists W,Z(a(1,W)\wedge b(W,Z)\wedge W\ne 5\wedge c(Z,X)).$$

As previously described, during the optimization process, the last conjunct can be processed as a separate denial $\varphi =\leftarrow a(1,W)\wedge b(W,Z)\wedge W\ne 5\wedge c(Z,\mathbf{X})$, where $\mathbf{X}$ is a free variable that can be treated as a parameter (and thus indicated in bold). With a resolution step with ∆, the literal $W\ne 5$ is proved to be redundant and can thus be removed from ϕ. The obtained formula is then subsumed by ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)$ and therefore ${\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)=\varnothing$, i.e., the update cannot violate the integrity constraint, which is the same result that was found in [10].

In order to simplify the notation for tuple additions and deletions, we write $p(\overrightarrow{\mathbf{a}})$ as a shorthand for the database update $p(\overrightarrow{X})\Leftarrow p(\overrightarrow{X})\vee \overrightarrow{X}=\overrightarrow{\mathbf{a}}$ and $\neg p(\overrightarrow{\mathbf{a}})$ for $p(\overrightarrow{X})\Leftarrow p(\overrightarrow{X})\wedge \overrightarrow{X}\ne \overrightarrow{\mathbf{a}}$.

Example 15. 

The following schema S is the relevant part of an example described in [11] on page 24.

$$\begin{array}{cccc}\hfill S=\langle \{& \hfill married\_to(X,Y)& \leftarrow & parent(X,Z)\wedge parent(Y,Z)\wedge \hfill \\ & & & man(X)\wedge woman(Y),\hfill \\ & \hfill married\_man(X)& \leftarrow & married\_to(X,Y),\hfill \\ & \hfill married\_woman(X)& \leftarrow & married\_to(Y,X),\hfill \\ & \hfill unmarried(X)& \leftarrow & man(X)\wedge \neg married\_man(X),\hfill \\ & \hfill unmarried(X)& \leftarrow & woman(X)\wedge \neg married\_woman(X)\hfill & \},\hfill \\ \hfill \{& & \leftarrow & man(X)\wedge woman(X),\hfill \\ & & \leftarrow & parent(X,Y)\wedge unmarried(X)\hfill & \}\rangle \hfill \end{array}$$

If we reformulate the example using the shorthand notation, the database is updated with $U=\{man(\mathbf{a})\}$, where $\mathbf{a}$ is a parameter. The unfolding given by ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)$ is as follows, where m, w, p respectively, abbreviate $man$, $woman$, $parent$, which are the only extensional predicates.

$$\begin{array}{cc}\hfill \{& \leftarrow m(X)\wedge w(X),\hfill \\ & \leftarrow p(X,Y)\wedge m(X)\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge m(X)\wedge w(T)],\hfill \\ & \leftarrow p(X,Y)\wedge w(X)\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge w(X)\wedge m(T)]\hfill & \}\hfill \end{array}$$

We start the simplification process by applying ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}$ to S wrt U.

$$\begin{array}{ccc}\hfill {\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)\equiv \{& \leftarrow \hfill & (m(X)\vee X=\mathbf{a})\wedge w(X),\hfill \\ & \leftarrow \hfill & p(X,Y)\wedge (m(X)\vee X=\mathbf{a})\wedge \hfill \\ & & \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge (m(X)\vee X=\mathbf{a})\wedge w(T)],\hfill \\ & \leftarrow \hfill & p(X,Y)\wedge w(X)\wedge \hfill \\ & & \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge w(X)\wedge (m(T)\vee T=\mathbf{a})]\hfill & \}\hfill \end{array}$$

After eliminating the disjunctions at level 0, ${\mathsf{After}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)$ is as follows:

$$\begin{array}{cc}\hfill \{\leftarrow & m(X)\wedge w(X),\hfill \\ \hfill \leftarrow & X=\mathbf{a}\wedge w(X),\hfill \\ \hfill \leftarrow & p(X,Y)\wedge m(X)\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge (m(X)\vee X=\mathbf{a})\wedge w(T)],\hfill \\ \hfill \leftarrow & p(X,Y)\wedge X=\mathbf{a}\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge (m(X)\vee X=\mathbf{a})\wedge w(T)],\hfill \\ \hfill \leftarrow & p(X,Y)\wedge w(X)\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge w(X)\wedge (m(T)\vee T=\mathbf{a})]\hfill & \}\hfill \end{array}$$

Now, we can eliminate the disjunctions at level 1 and obtain the following set.

$$\begin{array}{cc}\hfill \{\leftarrow & m(X)\wedge w(X),\hfill \\ \hfill \leftarrow & X=\mathbf{a}\wedge w(X),\hfill \\ \hfill \leftarrow & p(X,Y)\wedge m(X)\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge m(X)\wedge w(T)]\wedge \hfill \\ & \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge X=\mathbf{a}\wedge w(T)],\hfill \\ \hfill \leftarrow & p(X,Y)\wedge X=\mathbf{a}\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge m(X)\wedge w(T)]\wedge \hfill \\ & \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge X=\mathbf{a}\wedge w(T)],\hfill \\ \hfill \leftarrow & p(X,Y)\wedge w(X)\wedge \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge w(X)\wedge m(T)]\wedge \hfill \\ & \neg \exists (T,Z)[p(X,Z)\wedge p(T,Z)\wedge w(X)\wedge T=\mathbf{a}]\hfill & \}\hfill \end{array}$$

We can now proceed with the optimization of this set of extended denials by using the ${\mathsf{Optimize}}_{{\mathcal{L}}_{\mathsf{H}}}$ transformation. Clearly, the first, the third, and the fifth extended denial are extended-subsumed by the first, the second, and the third extended denial, respectively, in ${\mathsf{Unfold}}_{{\mathcal{L}}_{\mathsf{H}}}(S)$ and are thus eliminated. The second denial reduces to $\leftarrow w(\mathbf{a})$. In the fourth denial, the equality $X=\mathbf{a}$ at level 0 is eliminated, thus substituting X with $\mathbf{a}$ in the whole extended denial. We obtain the following.

$$\begin{array}{cc}\hfill \{\leftarrow & w(\mathbf{a}),\hfill \\ \hfill \leftarrow & p(\mathbf{a},Y)\wedge \neg \exists (T,Z)[p(\mathbf{a},Z)\wedge p(T,Z)\wedge m(\mathbf{a})\wedge w(T)]\wedge \hfill \\ & \neg \exists (T,Z)[p(\mathbf{a},Z)\wedge p(T,Z)\wedge \mathbf{a}=\mathbf{a}\wedge w(T)]\hfill & \}\hfill \end{array}$$

For the last extended denial, first we can eliminate the trivially succeeding equality $\mathbf{a}=\mathbf{a}$ from the body of the second NEE. Then, we can consider that

$$\leftarrow \neg \exists (T,Z)[p(\mathbf{a},Z)\wedge p(T,Z)\wedge m(\mathbf{a})\wedge w(T)]$$

extended-subsumes

$$\leftarrow p(\mathbf{a},Y)\wedge \neg \exists (T,Z)[p(\mathbf{a},Z)\wedge p(T,Z)\wedge w(T)]$$

so we can eliminate by subsumption factoring the subsuming part and leave the subsumed one. The simplification procedure for ${\mathcal{L}}_{\mathsf{H}}$ applied to S and U returns the following result.

$$\begin{array}{cc}\hfill {\mathsf{Simp}}_{{\mathcal{L}}_{\mathsf{H}}}^U(S)=\{& \leftarrow w(\mathbf{a}),\hfill \\ & \leftarrow p(\mathbf{a},Y)\wedge \neg \exists (T,Z)[p(\mathbf{a},Z)\wedge p(T,Z)\wedge w(T)]\hfill & \}\hfill \end{array}$$

This coincides with the result given in [11], rewritten with our notation, with the only difference being that they do not assume disjointness of $\mathit{IDB}$ and $\mathit{EDB}$, so, in the latter extended denial, they have the extra conjunct $\neg \exists V[married\_to(\mathbf{a},V)]$.

We conclude this section by discussing the potential for practical integration of the proposed technique into concrete systems. As is well known, integrity constraints represent properties of the data that should always be kept satisfied. As such, they are typically defined at database design time. However, when the nature of the constraints is more complex than the mere primary or foreign key constraints natively supported by relational databases, their maintenance is almost always delegated to the applications using the DBMS or, more rarely, to manually defined triggers residing in the database along the lines indicated in [13].

We observe that the reactive behavior of triggers is suitable for implementing integrity constraint maintenance policies, since they are able to respond with corrective reactions to potentially offending actions (such as the execution of updates that violate the constraints). Additionally, triggers are expressive enough so as to be able to include in their behavior any SQL query, possibly embedded in a procedural language, so that complex properties of the data are easily captured. Besides being expressive from the point of view of the language, triggers also offer suitable execution modes that would allow one to implement integrity maintenance both according to the usual “corrective” policy (first, the illegal update is executed, then the trigger reacts and checks the constraints, and finally, the update is undone) and to the “preventive” policy that we advocate here (first, check if the update is potentially illegal and, if so, do nothing). The corrective policy corresponds to the ‘AFTER’ execution mode of triggers, while the prevention policy can be obtained through ‘BEFORE’ triggers, available in all the main DBMSs.

The main drawback regarding trigger-based integrity constraint maintenance is that the DBMSs have no built-in way to automatically derive triggers that would implement a simplified integrity check for any upcoming update, which means that the database or application designers need to manually define proper triggers. Our $\mathsf{Simp}$ operator, instead, could be used on top of triggers, at database schema design time, to automatically produce, for each relation r in the database, the simplified checks to be executed in the face of updates to r. Such simplified checks can then be translated into SQL queries installed within triggers responding to updates to r. The translation from the datalog form to SQL is a straightforward process that poses no particular technical challenge.

The use of triggers is but one of the ways in which the $\mathsf{Simp}$ operator could greatly extend the capabilities of a DBMS to automatize the checking process so as to fully support in DBMSs much more expressive kinds of integrity constraints than primary and foreign key constraints. Yet, there is more than augmenting the expressiveness of the constraints: our simplification procedure also allows for expressing complex parametric update patterns that go beyond the single addition/deletion/update of a record from the database. In particular, we have shown how to deal with complex transactional patterns that may be executed in an all-or-nothing fashion and whose effect on the satisfaction of the integrity constraints might even be complex to compute by hand, while $\mathsf{Simp}$ would make this part completely transparent. In particular, we envision a catalog of pre-designed update patterns (much in the same way as standard prepared statements in DBMSs) that users and applications can seamlessly use without having to pay any attention to integrity constraint maintenance, which could be completely taken care of by the system.

We also observe that the interest in integrity constraint maintenance and detection of constraint violations is very high even outside of classical relational database. In particular, the advent of different data models has, if anything, fortified the attention to these topics. A notable example is that of the so-called graph databases, whose representation of nodes and arcs typically comes with additional properties and labels that can be queried through very recently standardized languages such as GQL [93]. While the model of graph databases is different from the relational one, their structure is also very conveniently represented through datalog-like formalisms. This representation has allowed several new research efforts to target the incremental maintenance of complex data properties of graph data [94]. On top of this, triggers are also gaining momentum within the graph database community and are now part of the overall movement towards a standardization process [14], which, together with the availability of standard techniques for translating datalog notation to graph query languages, provides an even stronger basis for the widespread diffusion of well-founded techniques for integrity checking and maintenance even outside relational DBMSs.

As regards the experimental evaluation of our framework, we refrain from trying to quantitatively assess the effectiveness of the proposed simplification procedure against synthetically generated datasets, as such an analysis would lead to potentially very unreliable results, due to several reasons:

• The proposed operators work at the schema (program) level, not at the data level, so the synthetic generation would need to concern schemas (and update patterns) instead of datasets.
• Although a few efforts exist to generate schemas, such as [95], there is no proper benchmark that comes with the generation of integrity constraints or update patterns and, even more importantly, with a ground truth indicating the ideal kind of simplification that one should aim to obtain.
• Although data-independent measures of the quality of a simplification could be defined, there is no univocally correct way of doing this, as was shown in [15]. The “easy way” is to just count the remaining literals in the simplified formula, with no guarantee, however, that the obtained formula is indeed easier to check. To this end, the (non-)equality elimination steps shown in Definition 18 naturally follow in this direction by consistently reducing the number of literals in higher-level NEEs.
• Database schema design activities require expertise and finesse that would be annihilated by a synthetic generation, leading to results of questionable utility.
• Datasets would of course come into play when checking the (simplified) integrity constraints against data proper, and a comparison with other techniques at that level could certainly provide favorable time measurements each time an illegal update is encountered, since its execution and retraction would be completely avoided with our preventive approach. However, even ignoring all the previous considerations on the lack of suitable synthetically generated tests, the number and incidence of illegal updates in such tests could be increased at will, thereby unfairly magnifying the advantages of our technique as well.
• In light of all the above considerations, we have preferred to focus on the few examples existing in the literature of simplification procedures that work on constraints outside the (simpler) ${\mathcal{L}}_{\mathsf{S}}$ language and show that, even in those ad hoc built cases, our general procedure produces similar or identical simplified checks (with the additional advantage of guaranteeing the possibility of a preventive approach).

6. Conclusions

We applied program transformation operators to the generation of simplified integrity constraints, targeting an expressive class termed extended denials, which includes negated existential quantifiers. We believe that this is an important class, as it encompasses very common dependencies such as tuple-generating dependencies and equality-generating dependencies.

An immediate application of our operators is an automated process that, upon requests from an application, communicates with the database and transparently carries out the required simplified integrity checking operations. The would imply benefits in terms of efficiency and could leverage a compiled approach, since simplifications can be generated at design time for the most common update patterns.

Although we used a logical notation, standard ways of translating integrity constraints into SQL exist. Further investigation is needed in order to handle additional language concepts of SQL like null values. In [13], Decker showed how to implement integrity constraint checking by translating first-order logic specifications into SQL triggers. The result of our transformations can be combined with similar translation techniques and thus integrated in an active database system, according to the idea of embedding integrity control in triggers. In this way, the advantages of declarativity are combined with the efficiency of execution.

Other possible enhancements of the proposed framework may be developed using statistical measures on the data, such as estimated relation sizes and cost measurements for performing join and union operations. Work in this area is closely related to methods for dynamic query processing, e.g., [96,97].

The proposed procedure is guaranteed to terminate, as we approximated entailment with rewrite rules based on resolution, subsumption, and replacement of specific patterns. While [15] discusses a few cases in which, besides termination, the procedure guarantees also completeness, it would be interesting to pinpoint more specifically what is left out in more expressive cases. A careful evaluation of the effectiveness of a simplification procedure for integrity checking is still an open problem: besides the lack, even in theory, of a univocal definition of “perfect” simplification, there is no benchmark specifically designed for this task and, even though some attempts exist at synthetically generating complex database schemata (as in [95]), these are not matched with update patterns and integrity constraints and, therefore, do not offer any ground truth to compare with. Additionally, the very interest and practical relevance of a synthetic schema generation, which is the typical result of a careful design by database experts, would be debatable at the very least.

Another line of research regards the combination of extended denials with other expressive scenarios, also individually described in [15], such as the addition of aggregates and arithmetic built-ins. While all these extensions could be trivially handled by a rule set comprising all rewrite rules defined for each specific scenario (such rules are mutually exclusive), it should be interesting to study whether further improvements can be obtained by exploiting the interaction between these rules. This is a limitation of our study which could be addressed by future work.