UNIX files. the embedded approach by Stonebraker tary. for transactions, a observed. Both static may be specified on. Integrity constraints constraint base uhich.
- AN
AIM
INTEGRITY
MONITOR
A.
B.
Cremers
lnformatik
Abstract:
Entirely
of
a
batch
and
an
interactive
OUS
semantic
For
certain
whereas,
and
and
are consists
of
particular
may
a
separate
integrity UNIX
approach
by
prevention
requests, a
constraint
rate
on
base
The
AIM
Stonebraker
are
largely
tary.
The
design
goal
interface
nism.
others
UNIX
file resp. In
is
are
of
McLeod
[4
extend
the
a
be
into
to
be
checked
examined
periodically
with
is
as
an integrity
The
two
every
stored
relevant
in
base
a
separate
constraint
the
integrity
1I
AIM
subsystem
may
DUEL
concerned
as and
be
for
an
model
briefly
AIM
by
a
be
specified
of
INGRES.
Besides
well
as
AIM
of
a
DUEL
component
terms
for
has
been
component
by the
successfully
of
AIM
the
update
will
system
The of
AIM,
6.
and
by
G.
running
present
Version
incorpo-
data-independent
implemented
computer
be
Domann
under
paper
the
describes
operational
the
September
INGRES
is
betueen
be
for
identi-
key
[7],
Version
detected
periodic
data way
the
and
output
The
actions
integrity
the of
the
of constraint
constraint
this
component
along
with
the
be
performed.
not of
the
(quite
all
validated the
so of
values,
their as a
keys
to
enable
constraint.
decision
as
to
is
on
the
based
kind
of
instances given
objects
and uith
way
the
relevant uniquely
data
together violation
on a
of
tuples
appropriate
Typical value
of
the
are
update
which data
operation
conditions
numeric
is
the
domain,
name, name, name,
requires
e.g.:
based or
foreign
of Primary
a
database key
in
"number:"
distance) floor,
room,
name,
salary,
dept,
price,
city,
fan
taxclass) name,
a
example relations.
attribute
citytnuaber,
data(number,
standard)
follouing
dept(nuMber,
AIM
167
of data
after REPLACE)
is
Old
upon
to and
relation
tions,
violating
retrieval
refers.
otherwise,
supplier(number,
many
an
recover
date,
are In
in
have
pers -
The
instanteneous
checker.
to
item(nuwber,
negation
constraint.
DELETE,
constraint
inserted
employee(nuMbcr,
of
(APPEND,
conditions.
each
violation by
is the
INGRES.
validated
identification it
postoperative,
is are
efficient
integrity
saved
mean
request
For
newly
be
consisting
implemented
The
as
Consider
syntax;
control
constraints
which
alone,
the
integrity
update
specified
to
by
an
to
system
on
constraints
of
contains
to
integrity
relevant
every
objects
every
this
mode
constraints
database
relevant
checked.
constraint
of
of
computed.
uell
objects
is
the
whose qualification query stated in predicate
coaponent:
triggered
provide
defined.
implementation
of
and
the
done
identify to
the
of
is
This
which
distinguishes
Action
version
UNIX,
all
Unless
control.
cases
effect
ought
syntax
predicate,
parser
predicates
constraint
of
required
a
checker:
integrity a
the
information constraint.
procedures each
given
the
simple part
definition
the
DUEL
a
a DUEL a
incorporates of
for
submitting of
the
as
as
qualification in
contains
constraint set
objects of
is,
named
Hammer
characterized
developed The
to
translation
Integrity by
have
is
categorizing
Translation: the
We
constraint
fying
yet
coapound
checking
constraints
11/60
normal
that
(relations)
constraints.
integrity
updates.
not
resetting
for
system.
constraints,
component.
language:
integrity
language
been PDP
and
the
for
integrity
under
mecha-
follows:
Descriptive
the
2. Scope and format
INGRES
control
partitioned
category
serves
interactive
terms
are
to
Each
which
to semantic
are
that
that
request.
batch
AIM nontrivial
conditions
uadate
and
a
constraints
Integrity
and
for
with
categories:
does
6.1/10.
I. Introduction USCP
of
operating
1982
however,
A subsequent routines
has
design
AIM,
interactive
violating
transactions.)
of
DEC
the
addition,
resetting
automatically
checker:
a
UNIX
complemen-
of
set
AIM on
and
of
version i.e.
validity
In
required. capable
for
a
uhich
concept
be
facility
Validity
static
INGRES
FRG
is
present
a
constraints
files.
will
(The
specified
be
Integrity
Dortmund,
interface.
Both
SYSTEM
Domann
subsystem
transactions,
observed.
G.
tuples
instantanea
for is
qualifications.
ordinary
embedded
implements
DATABASE
UniversitSt
consists
user
THE
and
control
an
the
constraints
DUEL in
AIM
strategy
integrity of
stored
the
in
recovery
dynamic basis
provides at
updates
AIM
integrity
which
mechanism
VI,
EDUEL.
periodic
component simple
strategy,
in
for
control
detection the
programmed
component
FOR
nonempty
manager) manager, qoh, status,
startdate)
supplier) children,
birth-
variable
declara-
city) list
of
tuple
item the quantity-on-hand “For no sales of that item is unless the supplier 2,500 miles away:” I536
aggregate
of
by the
illustrated
in
functions
follouing
employee
There
may
be
given
different
more
constraints
with
than
relation,
by
one
the
is
3
variable
“All
dept
:
dl,
dept
dl.number To
show
that
with
:
have
dl.name
!=
d2.name
3.
or
has
1608 supplier
the
city
: s, city
count(s.city
condition, in
let
constraint relation agree the
supplier
where
s.city
=
Consider
cies
within
trolled
a
other
a
than
AIM
straints
to
for
which
such
syntactical W-condition. Since for
the
sake
to A
the
the
their
kind
is
being
is
DELETE,"
of
course,
of
the
update
refers
to
request:
item
i;
:
constraint
1134A
case
employee the
the
tuples
:
case
is
e;
to be
show
be
constraint
constraints
they
are
(A,
0,
and
for
with
supposed R).
AIM,
take
transactions ON-conditions,
Relevant
delayed
to
hold
all assertions
objects
implemented
by
to means
IS
employee
e (salary
= e.salary
e.name
- 1500)
= "Jones"
employee
e.salary
dispatched
-
which
RETRIEVE
APPEND"
- 1500)
1500
outputs
for values:
the
new
ICY
>
12000.
those
tuples
in
an
error
update
values
control
in
immediate after
every
the
sense
elementary
accomodates
constraints, into are
except checked
that
while
update for
those
(1)
assertions. upon
the
end
a transaction.
preserving
incomplete
by
the
some
and
delayed
largely of
embedded
the e.g.
modes
interrelational of integrity
mitigates
the
those
advantages
of
a
problems subsystem
approach.
in
control ON DELETE, in
on
[3]. AIM
search
based problems,
duplicate-respecting
transition
and
Integrity
specified
serious
updates,
state
out
is
control
entail
constraints The tion. is
168
integrity
deletion, ruled
- 1500 > 12000)
however,
comparison,
designed
transactions,
delayed
that
periodic are
In
= "Jones"
(e.salary
may, with
constraints;
satisfy
(e.all)
e.name
fact
values
in connection aggregates,
REPLACE, the
Rerror
AND NOT The
new
INTO
where
refers
Similarly, the
also
change
data
automatic
enterprise:
the
qualification
unless
however,
in
the
catalogue,
constraint
e (salary = e.salary where e.name = "Jones11
= 1983.
to
are
are
REPLACE
The
constraint. All
Constraints
into
after "ON
joins
the
inserted.
rejected
defined
a
request
only
immediately
a
APPEND,
pertains
to
specified
e.startdate
of
qualification
request
To
[a],
in
relation:
a new employee
that
checking
of the constraint in the integration guarantees the prevention of certain integrity violations. In order to obtain all tuples that satisfy qualification but whose alteration would the original would have to violate the constraint, a second query
the Just
= 0. is
name.
the
In the
i.qoh
key
employee
OF e IS
AND
e?ecution
of
OF e IS
restrict
to
Stonebraker
stored
RANGE
requires
reasonable
measures
specified elementary
approach
transformed
introduced
validation
provide Delayed
request
where
termed
not
> 1200@
REPLACE
validated.
be
does
primary
description
CONSTRAINT
update
RANGE con-
facility are
seems
ON-condition
consider
of
ON-conditions
INGRES
be
The
the
specify
to
The
affected.
to this
and
not
preoperative
is
for
contuples
zero: 11050
to
are of
constraint
be
place:
the
those
OF e IS
e.salary
dependen-
tuples that qualify, the deletion vi11 For instance, consider the constraint that items may be deleted whose quantity-on-hand sales
for effect. is
a
element
"ON
before
changed
facility
economy,
constraint
tuples
takes
class
relations, it validity constraints.
temporary them
of
be
a
AIM
to may
request
important
providing
by
update
The
an
or
constraints)
update
ones
for
values
single
(validity
given
the
allows
of
tuple
before
to
option condition.
transaction:
the
by
are
the
INTEGRITY refer
uniquely
the
query modification:
RANGE that
embedded
refer.
complete. be
Stronger has been case of
automatic
approach
the
they
OH-Conditions Conditions
an
to
is
on.
embedded
proximity
Example:
= c.number).
with
the
constraints
of
: c; count(s.city)
switched
is
key
AIM
a
of
in
and, the
integrity which
relation:
been
Comparison
In
key
foreign
city value entry in the
a number
d2;
an
whether
of
case
are allowed
request
provides
assertions. ON-condition
"soft"
whether on
option
the
does
transactions)
must
primary
version
present in
the
following
request
undo
objects AIM
of
the
change
the
these
purpose.
assertion)
updates,
= d2.number
a
every
the
are on
of
this
undo
(immediate
declared
keys check
that
triggered
further
until
affected
automatic
depend
no
case,
primary For
We stress
names:"
1465
objects the
an
for
30000.
departments
second
identifiable.
same manager
e.manager)
tuple
in:
e.g.
the
the
assertions
avg(e.salary
: e:
on
In
Clearly, of
average salary of employees must be less than 30000 $" 1392
undone.
example:
"The
be
than
: i , supplier : s, city : c ; i.qoh < 100 or i.supplier !- s.number or s.city !- c.number or c.dirtance > 2500 use
a
more
item
The
for
For integrity violations AIM implements Either the update maintenance strategy: not take effect (ON-conditions, even inside or all implied by the violating changes
100
exceeds located
for terms
with
AIM. is
not
based
violating
tuples of
the on
a
RETRIEVE
exception query a
of
modificaconstraint query
whose
is the inverted predicate. Since qualification entirely delegated to INGRES. conplex task is from the subsystem point are handled, straints as easily as simple ones. view, (2)
An update causing a violation (violation of an ON-condition) For
the
only ON
straints the user tion or partial (3)
form of DELETE)
to either to abort
or
a modified AIU provides
is its
either effect
conof
decisive that the monitor be independent of the extant INGRES processes. As a further consequence, AIM is easily adaptable to different versions of the database system. Finally, AIM could perfectly well coexist with an embedded integrity control based on query modification.
aborted undone.
qualification the option
proceed with the modified to avoid an in order
favors change. Extendability: separation Conceptual It is not only easy to extend the integrity base, the modular design of the AIM software also supports quick For this purpose it is changes in control strategy.
this
(confor
qualificaundesirable
4. Structure
deletion.
The AIM feature ON DELETE closes a serious gap of the integrated approach. This is probably the most important case of a preoperative constraint.
(5)
All constraints for which no ON-condition has been specified are validated after execution of the request. Therefore, AIM is capable of detecting the violation of e.g. foreign key conditions due to deletions. Transactions can be handled by Means of delaying the point of control. Periodic control also becomes oossible, an important point in view of complex constraints.
(6)
The present version transition constraints to incorvorate.
(7)
Constraints may be arbitrarily complex, in principle. Their validation sets of tuples from may encompass several relations. Implementation-dependent restrictions on lengths, number of items etc. are rather liberal
and
of
AIR does but this
accomodate
We conclude the AIM design in the the ingrated approach.
most
discussion light of
4.1.
The
decision
to
implement
the
integrity
of UNIX files entails ease of change. bases for several user views may be
4.2.
of The
the
user
Interactive
may execute
other
actions
in
the
foreground.
component
The interactive component uses a protocol file in uhich to log all database requests, the changes performed, the integrity constraints selected, all detected violations, and the recovery measures taken. If necessary, the protocol file together with the last system checkpoint allows the reconstruction of a consistent database. However, in all except for transactions, AIM cases, will be capable of maintaining a consistent database 0" its We mention that, in analogy to the own power.
the for
base
key the
Different supported.
to
of effort: With ON-conditions just the tuples Adequacy to be changed have to be checked. Compared to Stonebraker's there is greater flexibility in that conoroposal. straints may be specified e.g. ON APPEND but not ON REPLACE. On the other hand it seems desirable to adopt Stonebraker's more flexible unit of control for a more advanced version of AIN. A separate Subsystem security: separate requires security version of AIM we have not subsystem security beyond the by the system.
AIM consists component. aore discussion.
Batch component
while
Simple constraints: modification is presumably Query mope efficient for very simple conditions, whereas for more demanding constraints the AIM mechanism is clearly opeferable. Storage: by means integrity
Introduction, an interactive and requires
in periodic intervals, a simple UNIX command procedure takes care of this. AIM provides the option for the user to execute the batch component in dialogue mode. In this mode the user may uatch the output on the screen and, for every constraint in the file, has the choice of either requesting the constraint to be checked or skipping it suitching the monitor off). In view (or of highly complex constraints this option seems to be very useful. If the mode of activation is batch then all constraints in the file are checked and results uritten in an output file. In this mode it is possible for UNIX to process the component in the background
examples.
by an evaluation of advantages conceivable
monitor
The purpose of this program is to detect violations of integrity constraints and, in that case, to identify the inconsistent parts of the database. The constraints to be checked by the batch component are stored in a separate file. Typically these are either low priority or more demanding constraints which are to be checked in greater intervals. If the batch program is to be -xecuted not only by user activation but also automatically
not accomodate state feature is not hard
practical
the integrity
As mentioned in the a batch component and latter builds on the first,
Due to the separation of request execution and integricontrol no difficulty with aggregate there is ty Due to the implementation of the primary functions. checking insertions to option AIM restricts key a single tuple per APPEND. Houever, a single REPLACE change several tuples as long as primary keys w are not affected.
(A)
of
check, user. be in
the (Yet,
protocol normally
option may we would
be switched excpect the
off by option
effect.)
Our
description follows the menue technique offered component. After giving the names by the interactive of the database and integrity base to be accessed, the user may choose between the following modes of operation:
read / urite
/ transaction
/ quit.
The transaction mode is independent of and read write modes: As part of a transaction arbitrarily many read and write requests (i.e. read/write mode alternations) are possible. The selection of the next INGRES command and the transmission of the parameters is the same inside The user remains in the and outside of transactions. mode selected until he requests a change of mode instead of the execution of a further INGRES command. A transaction
integrity base, of course, For the present measures. taken any steps to increase standard protection provided
169
request
finished
is
In are
read
mode
relation
names)
for
the
given
in
the
dialogue the
RETRIEVE
dialogue and
INGRES
is
a
mode
of
a
oun
control
to
either a temporary
with
As
soon
it
is
and
the
transaction
In
as
of
Only
of
after
the
not
much
case
on
note
the
that
KBytes
and
components,
the
The
load
modules
KBytes
for
the
in
by
a
relevant
present
version
from
violations
a
transaction. affected
being, by
the
stored the
time
provided
for of
constraints, are
relations
the
support
35
postoperative
all
APPEND
checked,
recovery
of
For
for
Instead
caused
copy
inefficient.
relies We
a
database,
is. are
checked.
constraints
keeping
commands:
the
That
automatic
resp.
differen-
transactions,
are
support
postoperative
too
of
means
APPEND
in
modified
end
by
update
effect
of
its has
inverted,
following of
employed.
relations
constraints does
Clearly,
17
control
the
postoperative
is
mode has
constraint
(ON
ON-conditions
modification
subsequent
the
complete.
the
write
validated, or
where program
tuples.
are taken
be
in
predicate
processing
has
,
by command
is
new
there
the
only
names
AIN
of
to
query
list.
database
INGRES
EQUEL
a
the
changed
update
considered
immediate
it uith
tuple
the
in
When
relation
to
an
REPLACE
the
AIM.
of
and
of
Every
relevant
mode,
respect
DELETE
in be
names
enabled
REPLACE.
that
validation
accomodated
commands
of
fact necessitates
programmed be
RETRIEVE
REPLACE)
way the
the
relation
is
and
procedure
against
ces
of
can
INGRES
triggered
to
transmission
request
DELETE,
determined a
efficient due
for
the
write
The
APPEND,
transmitted
(ON-condition)
changes
variables.
been
this
changes
necessary
are
is
AIM
the
of
log
AIM
batch
is
in
this
subsystem.
require
and
some
interactive
resp.
References 1.
2.
Esuaran VLOB,
Framingham.
a
Gardarin,
HXrder Carl
in ham.
a
0.0.: for
1975,
G.;
Data
Functional Ease
Specifica-
Integrity,
Proc.
48-68.
Melkanoff,
Transactions.
Proving
N.: Proc.
VLDB.
Consistency Rio
de
Janeiro,
2gl-zg6. ,
Theo:
Hanser
Hammer
Chamberlin,
Subsystem
Database
1979,
4.
K.P.;
of
of
3.
,
tion
,
M.M.;
Relational 1975.
Impleaentierung
Verlag,
MUnchen, MC Data
Leod, Base
von Nien, O.J.: System,
Datenbanksystemen,
1976. Semantic Proc.
VLOB,
Integrity Framing-
25-47.
170
-
1.:
Monitoring
like
DBMS,
Stonebraker,
Michael;
Held,
The
Gerald: 1976.
Stonebraker, SI6ltO0,
to
for
Associative
Hardware
Integrity
Control,
ACM
Integrity Proc.
VLOB,
Constraints Rio
de
Janeiro,
209-218.
Design
and San
Wow, and
Eugene;
Kreps,
Implementation
Peter; of
INGRES.
169-222.
Michael:
Constraints
paramecommand
string
relations
Therefore, for
8.
excessive
Y.W.:
416-440.
COOASYL
ACM TOOS,
of
single
complete
possible
constraints
commands
uithout
the
INGRES
banduidth
of
original
been
consecutive
the
ordinary
full
buffering
("modify"),
not
temporary
preoperative several
the
available of
The
has
variables.
by the
7.
are
1961,
Stanley, Techniques
Rubens, a
1979,
instance RETRIEVE
6,
Relo. in
storage
current for
6.
user. stored
pipe.
UNIX
use
no
transmission
transmission the
the
way
made
the
Y.C.; Software
TOOS
(i.e.
type,
Inputs
is
simplified.
owner.
required
is
There
with
Hong, and
RETRIEVE two
information
PRINT.
this
command
urite
In
as
In
the
through
of
way
overhead:
ters
of
Upon
same
dialogue
(name,
displayed.
and
former
dictionary
is
monitor.
PRINT. the
in
the
5.
HELP,
obtained
etc.).
relation
mode.
for
specified
size
structure, of
commands
outputs
relation
the
the
parameters
are
AIM
HELP,
changing
the
The
possible.
upon
by
Jo&,
Implementation Views 1975,
by 65-78.
Query
of Modification,
Integrity ACM
