Integrity Constraints as Views in Deductive Databases

Integrity Constraints as Views in Deductive Databases Patrizia Asirelli Paola Inverardi ~ Giuseppe Plagenza

Istituto di Elaborazione dell'Informazione, Consiglio Nazionale delle Ricerche via Santa Maria 46, I-56126 Pisa, Italy ~ Dipartimento di Matematica Pura ed Applicata, Universita' di L'Aquila via Vetoio, 67010 Coppito (L'Aquila), Italy

fasirelli,

[email protected] [email protected]

Abstract

In this paper we present a refutation procedure to compute goals in a deductive database according to particular views of it. Views are de ned by a set of constraints rules. The declarative semantics of the constrained database is de ned and the given refutation procedure is proved correct and complete for positive range{restricted databases. The extension of the procedure to deal with negation is also outlined.

1 Introduction and Motivations

Deductive databases are the outcome of the combination of logic programs and databases ([1]). They are a generalization of relational databases to include recursion, negation and strati cation (Datalog, Datalog :, strati ed Datalog, etc.). Deductive databases have been mainly considered from the point of view of query languages, where the logic theory (Horn clauses) expresses the query to the underlying relational database ([1, 7]). work partially funded by the EC project: ERCIM Advanced Database Technology Network (EADTN) contract n. CHRX{CT94{0531 and \The Exploratory Activity EC-US" n. 033

1

Integrity constraints formulae and veri cation methods in this area have been proposed by dierent authors. Some authors denote integrity constraints formulae as denials A1; : : :; An (see [12, 17]), whereas some uses formulae as A ! B1 ; : : :; Bn (see [3, 10]). The intuitive semantics of a denial A1 ; : : :; An is that, for every ground instance of A1 ^ : : : ^ An, say (A1 ^ : : : ^ An ), there must exist at least one Ai which does not hold; in the case of formulae of the kind A ! B1 ; : : :; Bn , for every ground instance of A, say A, there must exist a ground instance of (B1 ^: : :^Bn) which holds. All proposed methods, as Kowalski summarizes [10], have tried to give a dierent formal characterization to the above informal semantics of integrity constraints. These include a: theoremhood view (see [12, 3]), consistency view (see [17]), epistemic (see [15]) or metalevel view (see [17]). Besides, the dierent integrity checking methods have followed dierent strategies. In fact, they can: i) assume the database is consistent, check at update time that the update preserves consistency and accept it or reject it. In this case all answered queries are correct since they are performed into a database which is consistent w.r.t. the integrity constraints. An ad{hoc proof procedure is needed to verify the correctness of the updates, while queries can be evaluated either top{down or bottom{up. ii) allow for updates, even those generating an inconsistent database, perform periodically a consistency checking and, in case of inconsistency, restore consistency ([9]). iii) pre{compile the integrity constraints and the database into a new database DB 0 such that, by de nition, DB 0 will satisfy the integrity constraints. In this case a query is answered in DB 0 and thus the situation is similar to i). All above cases assume that the integrity constraints and the knowledge are built at some stage and then given to a user who is only allowed to update the database. A change in the database rules, facts and constraints formulae, requires the integrity constraint checking to be performed and, in case iii), all the theory needs to be recompiled. In the paper we address the following issues: 2

1. Security , in the sense of making some knowledge hidden to the user. To this respect we consider views as retailing information, i.e. tuples from a relation. In fact, if views on one side can be considered as adding new query capabilities (adding new relations) as in the case of the Datalog family, here we also consider their aspect of hiding some knowledge as in [6]. 2. Prototyping applications. In fact we believe that this is one important role that deductive databases can play. In this case it is important to be able to modify the knowledge as fast as possible with no long recompilation and general proof of consistency. The above issues have led us to consider integrity constraints as a way of tackling security problems. The second consideration has led us to adopt an interpretative approach. More precisely, our main goal is to deal with de nite logic{based databases ([13]), and to present an intepretative method to answer database queries selectively with respect to integrity constraints. We recall that in this perspective a deductive database is considered as a logic theory (in particular a logic program), a query is a goal to be resolved and integrity constraints (IC) are a separate theory of logic formulae not restricted to be Horn. Note that this interpretation of logic{based databases is only slightly dierent from the Datalog oriented ones [1, 18] and our results can be easily adopted in that context. By selectively referred to the computed answer to a query with respect to constraints, we want to emphasize that the query should produce only those answers that satisfy the integrity constraints: to this respect this method uses constraints to lter out the information contained in the database. The integrity checking is thus performed during the resolution of the query, by modifying it in order to prove only those constraints which are relevant to the query itself. Our method deals with constraints independently from their meaning, thus we shall better use the words views constraints rather than integrity constraints in order to stress the interpretative nature of the proposed method. Analogously, the set of constraints IC shall be called views. The various approaches to Integrity Constraint Checking proposed in the literature so far, can in fact be also characterized according to the strategy the integrity checking methods are based on. Referring to this aspect, we introduce the distinction between interpretative (notably [12, 17]) and compilative (notably [2, 3, 6]) approaches. In this respect our method, that integrates query answering with integrity checking, can be seen as an interpretative version of the modi ed-program approach described in [3] and of the integrity constraint operators among theories of [2]. This use of constraints as a means to restrict the set of possible answers to a query on a database also appears in [6]. However, that method diers from 3

ours since it adopts a compilative approach. Another minor dierence concerns the syntax of constraints: their method uses denials. This detailed abstract is structured as follows. In the next section an informal introduction of the method is presented by means of simple examples. In section 3 the extension of the approach to deal with negative databases is outlined. Section 4 concludes. The appendix summarizes the theoretical aspects: formal de nition of the SRP IC (Selective Refutation Procedure w.r.t. IC); declarative semantics of the constrained database; furthermore, the main results of correctness and completeness of SRP IC are presented. This section does not contain all proofs due to lack of space1 .

2 Informal Presentation of the Method

2.1 Basic Ideas

In the following we will assume the rules in the database to be range restricted , i.e. every variable occurring in the head of the rule also occurs in the body. Furthermore, our method deals with constraint formulae of the \only{if" kind, i.e.

8Y1 : : :Ym (p(t1; : : :; tn) ! 9W1 : : :Wd (B(Y1 ; : : :Ym ; W1; : : :; Wd ))) where B is a non{empty conjunction of atoms.

It is important to note that variables are considered existentially quanti ed when local to the consequence part of the constraint. In the following, in order to simplify the presentation of the method, we will omit any quanti ers in constraints formulae, assuming variables to be implicitly quanti ed with respect to the convention above. Moreover, in this section we will assume there is only one constraint formula. Very roughly the intuition underlying the method is that: during the resolution of a query, whenever we have to resolve an instance of an atom A, say A, and there is a constraint A ! B1 ; : : :; Bn such that A and A unify with m.g.u. , then (B1 ; : : :; Bn ) must be added to the obtained subquery. Thus, as a consequence of applying a constraint, we propose to add the adequately instantiated consequence part of the constraint to the goal obtained by resolving the atom that uni es with the head of the constraint. We shall now

give a brief example:

Example 1 Let the database contain a rule: ri : A(x) 1

C(x); D(x)

The complete version of the approach can be found on the WWW at the following address:

ftp://rep1.iei.pi.cnr.it/pub/asirelli/view constr.ps

4

and let the view be Let follows:

v1 : A(x) ! B(x) A(a) be the goal we have to solve, then the resolution proceeds as A(a) # ri C(a); D(a) + v1 D(a); C(a); B(a) .. .

Here, # represents the usual resolution step by means of rule ri and + represents the application of the integrity formula to the goal (selected atom) just resolved (from now on selected{solved atom). In other words, we want to perform a meta-interpretation of the constraint A ! B1 ; : : :; Bn In fact, such a formula can be considered as a condition on the set of all ground instances A of A that are true and for which there must exist a ground instance of (B1 ; : : :; Bn) that is also true. Thus, the \only-if" constraint asserts that for all instances A of A for which A succeeds, then (B1 ; : : :; Bn) must also succeed. Despite the simplicity of the general idea its application, as we will show in the following, needs a careful treatment and analysis of the various instantiation situations that arise during the resolution due to the uni cation process.

2.2 A Simple Example

The following example should clarify the expected behavior of our proof procedure. We have a theory graph which de nes two extensional relations, node and edge, and one intentional relation, path, with the straightforward meaning.

5

Example 2 Theory

Graph

node(a) edge(d; c) node(b) edge(a; b) node(c) edge(d; b) node(d) path(X; Y) path(X; Y)

edge(X; Y) edge(X; Z); path(Z; Y)

We can now constrain the above database by means of rules which impose further restrictions on the relations. For example, the constraint v:

node(X) ! path(a; X)

establishes that we accept only nodes that are reachable from node a. Now, we show the results of some queries on the theory graph w.r.t. the constraint. The query node (d) violates the constraint. ← node(d)

v ← path(a,d) ← edge(a,d)

← edge(a,Z),path(Z,d) ← path(b,d)

fail

← edge(b,d)

← edge(b,W),path(W,d)

fail

fail

Instead, the query

node (b) satis es the constraint. node (b)

# 2 +v path (a; b) # edge (a; b) # 2 6

3 Work in Progress

The method as it has been presented so far does not cater for any use of negation. Obviously, this is a very restrictive condition. Our aim, in this section, is to show how to extend our framework in order to deduce positive as well as negative information. We would also like to deal with a richer class of databases than the one we have considered so far and with a richer class of view constraints. In particular, we would like to allow negative literals to appear both in the deductive clauses of the databases and in the consequence part of the constraints. In order to do that, we must rightly extend both the declarative and the procedural semantics which are presented respectively in sections B and A of the appendix. More precisely, in the rest of this section we will assume that: the database is a general logic program, i.e. a nite set of clauses of the form A L1 ; : : :; Ln, where A is an atom and L1 ; : : :; Ln are literals; the set of view constraints consists of \only{if" formulae of the form A ! B1 ; : : :; Bn , where A is an atom , B1 ; : : :; Bn are literals and each variable is assumed to be quanti ed exactly as de ned in section 2. One possible way to extend the notion of constrained model in order to fully capture the natural meaning of negation in logic programming consists in relaxing the totality assumption of our notion of model. In fact, the totality requirement for models of general programs has been proved too strong, since it does not cover the whole class of general programs (see [16, 19]). The simplest example is the program p :p, which has no total models. In [5] Fitting associates to each general program a monotone operator on a space of three{valued logic interpretations, or better partial interpretations. This space is not a complete lattice, and the operators are not, in general, continuous. However, least and other xpoints are shown to exist and to provide at the same time suitable three{valued models. This operator is shown to be a natural generalization of the classical immediate consequence operator TP ([13]), since its xpoints are proved to be closely related to the least and the greatest xpoints of TP . This approach allows for a natural treatment of negation. Hence, we can use the same technique described in [5] to generalize the mapping TDIC in appendix B, thus obtaining a new mapping IC D whose least xpoint can be chosen as the kernel of the three{valued counterpart of the Least Constrained Model. After generalizing the notion of Least Constrained Model to the case of general databases and view constraints with negative consequences, we must also extend the SRP IC proof procedure by implementing the Negation as Failure rule. This means that we just have to turn from the basic SLD computational paradigm to SLDNF. The property of soundness and completeness (at least in some case) of the extended SRP IC proof procedure can then be proved with respect to the new notion of Least Partial Constrained Model, which is exactly 7

the least xpoint of the operator IC D , properly augmented so as to be also a model of the Equality Theory.

4 Concluding Remarks

The proposed method is mainly the result of re-considering, in the interpretative perspective, the Modi ed Program approach to selectively answer queries, as de ned in [3]. The method has been extended ([14]) to deal with constraints that have more atoms in the head. It is worth stressing again that constraints are used to cut out solutions, i.e. as further conditions that have to be satis ed. Indeed the interpretation we give to rules such as P(x) ! R(x) is to eliminate those answers substitutions for P(x) for which it is not possible to prove the corresponding instance of R(x). Let us further analyze the potentiality of our method. First of all let us note that after a constraint is applied, it is more convenient to evaluate the added atoms rst. This would permit to optimize the computation by getting rid of, as soon as possible, solutions that do not satisfy the constraints. This optimization can be very important when it can save accesses to secondary memory where generally facts are kept. This method does not assume that constraints should be true in the intended model (minimal in this case) of the database. Instead, the theory describing the integrity constraints formulae can be considered as a view on the database, i.e. as a speci cation of the relevant facts. This means that IC are here dealt with in a more general way. They can be used for secrecy maintenance or for showing only the information that satisfy certain characteristics and, furthermore, to de ne some exceptions to database rules thus implementing Default Reasoning like in [11]. Moreover, due to its interpretative nature, our aproach permits both the database and the set of view constraints to dinamically change without aecting the resolution performance, since no recompilation due to modi cations is necessary. This makes views to become mechanisms complementar to queries in selecting information from a database: for example, views could be exploited to simplify queries on a database, whenever they ask for facts which are related in some way. Summarizing, our method gives the possibility of: dynamically modify both the IC and the database, without aecting the resolution performance; making no assumption on the database consistency before update operations and furthermore, to relax the hypotheses of the domain independence on clauses and constraints, at least in some cases; dealing, in a uniform way, with many more kinds of integrities formulae to naturally extend their expressive power. 8

References

[1] Abiteboul S., R. Hull and V. Vianu. \Foundations of Databases", Addison{ Wesley Pubs.Co., 1995 [2] Aquilino D., P. Asirelli, C. Renso and F. Turini. An Operator for Composing Deductive Databases with Theories of Constraints. Proceedings of LPNMR'95. [3] Asirelli P., M. De Santis, and M. Martelli. Integrity Constraints in Logic Databases. Journal of Logic Programming, 3:221{232, 1985. [4] Asirelli P., P. Inverardi and G. Plagenza. Correctness and Completeness of the SRP IC Refutation Procedure: Revised Version. Internal report IEI{ CNR B4{05, Jan 95. [5] Fitting M. A Kripke{Kleene Semantics for Logic programs, in The Journal of Logic Programming, 1985, Vol. 2, Num. 4, pp. 295{312. [6] Gaasterland, T., P. Godfrey, J. Minker and L. Novik. A Cooperative Answering System, Proceedings of the Logic Programming and Automated Reasoning Conference, edited by Andrei Voronkov, Lecture Notes in Arti cial Intelligence 624, Springer{Verlag, St. Petersburg, Russia, pages 478{480, July 1992. [7] Gallaire, H., J. Minker and J.M. Nicolas. Advances in Database Theory (vol. II), Proceedings of the Workshop on Logical Bases for Databases, Toulouse, 1982 [8] Jaar, J. and J.M. Maher. Constraint Logic Programming: a Survey. Journal of Logic Programming, 19:503{581, 1994. [9] Kowalski, R.A. Logic for Problem Solving. Elsevier, New York, 1979 [10] Kowalski, R.A. Using Meta{logic to Reconcile Reactive with Rational Agents, in Meta{logics and Logic Programming, K.R. Apt and F.Turini [eds.], MIT Press, 1995 [11] Kowalski R. and F. Sadri. Logic Programs with Exceptions. Proc. of the 7th Int. Conf on Logic Programming, DHD Warren and P. Szeredi (Eds), Israel, June 1990. The MIT Press, Cambridge, Mass. [12] Lloyd, J.W. and R.W. Topor, \A Basis for Deductive Database Systems", Journal of Logic Programming 2, 2 (1985), 93{109. [13] Lloyd J.W. Foundations of logic programming. Springer-Verlag, Berlin, 1987. Second edition. 9

[14] Pizzala G. Uso Interpretativo di Vincoli d'Integrita. Thesis of the University of Pisa, March 1992. [15] Reiter, R. On asking what a database knows. In J.W. Lloyd, editor, Computational Logic, pages 96{113. Springer Verlag, Esprit Basic Research Series, 1990 [16] Sacca D. and C. Zaniolo. Stable Models and Non{Determinism for Logic Programs with Negation, in Proceedings of the ACM SIGMOD{SIGACT Symposium on Principles of Database Systems, 1990, pp. 205{217. [17] Sadri F. and R. Kowalski. A Theorem-Proving Approach to Database Integrity. In J. Minker, editor, Foundation of Deductive Databases and Logic Programming, pages 313{362. Morgan-Kaufmann, 1987. [18] Ullman J.D. Principles of Databases and Knowledge Base Systems, Vol 1{2, Computer Science Press, 1989 [19] Van Gelder A., K.A. Ross and J.S. Schlipf. Unfounded Sets and the Well{ Founded Semantics for General Logic Programs, in Proceedings of the ACM SIGMOD{SIGACT Symposium on Principles of Database Systems, 1988, pp. 221{230.

A Procedural Semantics

In this section the formal de nition of the SRP IC refutation procedure is given and its correctness and completeness are proved. In fact, the SRP IC refutation procedure can deal with a set of view constraints consisting of more than one \only{if" formula. The idea is to iteratively apply the method to all the existing constraints. The following example should further clarify our aim.

Example 3 Let us consider the following database: DB : ::: ri : P(x) :::

Q(x)

View : v1 : P(a) ! R v2 : P(x) ! S(x) v3 : P(b) ! T

Moreover, assume that P(x) is the selected{solved atom during an SRP IC refutation and that ri is the input clause. Then, besides the properly instantiated body of the input clause, the procedure must also insert into the current goal all consequences of the constraints triggered by the selected{solved atom. This

10

can be depicted as follows: Q(x)

v1

v1

Q(a) ∧ R

Q(x) ∧ x ≠ a

v2

v2

Q(a) ∧ R ∧ S(a)

Q(x) ∧ x ≠ a ∧ S(x) v3 v3

Q(b) ∧ b ≠ a ∧ S(b) ∧ T

Q(x) ∧ x ≠ a ∧ S(x) ∧ x ≠ b

This approach can be formalized as follows. Let D be a database and IC a set of view constraints. The following de nitions will be useful to formalize our method.

De nition 1 (Def IC (P)) Let P be a predicate symbol. Then, Def IC (P) will be used to denote all constraints in IC having an instance of P in the left hand side.

De nition 2 (Restriction) For any substitution and for any rst order formula , we de ne:

j def = fx=t 2 j x is a variable in g In other words, j is the restriction of to the variables occurring into the term . Finally, tuples of terms such as ht1 ; : : :; tni will be often written as T. Moreover, if T1 and T2 are respectively ht01; : : :; t0ni and ht001 ; : : :; t00ni, the notation T1 6= T2 will stand for ht01 ; : : :; t0ni = 6 ht001 ; : : :; t00ni. Now, we are ready to formalize the phase where the consequences of the constraints are properly collected, as introduced in the previous example.

De nition 3 (Collecting Constraint Derivation) Let A P(T) be an atom and A Q a (possibly non{ground) instance of some clause in D. Then, a CC{derivation for hA; Qi is a nite sequence F0 Q; F1; : : :; Fn of conjunctions, a nite sequence v1 : : :; vn of view constraints in IC , and a nite sequence 1 ; : : :; n of substitutions such that, for all i = 0; : : :; n ? 1: vi+1 2 Def IC (P) n fvj j j = 1; : : :; ig. Suppose vi+1 is P(T) ! B, and let i be 1 : : : i . Then, P(Ti ) and

P(T) unify with some mgu . Moreover, Fi+1 and i+1 are obtained by applying one of the following steps: 11

(a) If jTi = fg, then: Fi+1 = (Fi ^ B) and i+1 = . (b) If jTi 6= fg, then Fi+1 and i+1 are computed non{deterministically in the following way: i) Fi+1 = (Fi ^ B) and i+1 = , or ii) Fi+1 = Fi ^ Ti 6= TjT and i+1 = jT . Obviously, it is not restrictive to consider Def IC (P) instead of IC in the previous de nition, since only constraints in the former may be violated by the instances of the selected{solved atom P(T).

De nition 4 (CC{Computed Answer) Given a CC{derivation for hA; Qi, we will talk about CC{computed answer in order to refer to the pair hF; i,

where: 1. F is obtained from the conjunction of atoms corresponding to the last step of the CC{derivation by applying the absorption rule (i.e. trueA^A ); 2. is the composition of all substitutions i used in the CC-derivation, restricted to the variables in A. De nition 5 (Safe Selection Rule) A selection rule R (for SRP IC derivations) is safe if R selects an atom of the form T1 6= T2 only if it is ground. De nition 6 (Goal) A goal is a clause of the form A1 ; : : :; An, where each Ai is an ordinary atom or an inequality of the form T1 6= T2 . Now we give the formal de nition of the SRP IC proof procedure. De nition 7 (SRP IC Derivation) Let G be a goal and R a safe selection rule. An SRP IC derivation of D [ fGg via R is a (possibly in nite) sequence G0 G; G1; : : : of goals, a (possibly in nite) sequence C1; C2; : : : of clauses in D (input clauses) and a (possibly in nite) sequence 1; 2; : : : of substitutions such that, for any i 0, Gi+1 and i+1 are obtained as follows: (a) Suppose that Gi is the goal A1 ; : : :; Am ; : : :; Ak , R selects Am and Am is a ground atom of the form T1 6= T2 such that T1 and T2 are distinct terms. Then, Gi+1 = A1 ; : : :; Am?1 ; Am+1 ; : : :; Ak and i+1 = . (b) Suppose that Gi is the goal A1 ; : : :; Am ; : : :; Ak , R selects Am and Am is some ordinary atom A P(T). Then, if Ci+1 is the clause A0 Q, A and A0 unify. Moreover, let be an mgu between A and A0 . Two cases may arise: i) Def IC (P) = fg. If this case arises, Gi+1 = (A1 ; : : :; Am?1 ; Q; Am+1; : : :; Ak ) and i+1 = . 12

ii) Def IC (P) 6= fg. In this case, Gi+1 = (A1 ; : : :; Am?1; F; Am+1 ; : : :; Ak )( ) and i+1 = , hF; i being a CC{computed answer for hA; Qi, De nition 8 (SRP IC Refutation) An SRP IC refutation of D [ fGg via R is a nite SRP IC derivation of D [ fGg via R such that the last goal is 2. Moreover, the composition of all the substitutions i, restricted to the variables in G, will be called SRP IC computed answer substitution of D [ fGg via R. De nition 9 (Success Set) Let D be a database and IC be a set of constraints. Moreover, let HB D[IC be the Herbrand Base of D [ IC . Then, the success set of D w.r.t. IC , which in the sequel will be denoted as SS (SRP IC ), is the set of all the A 2 HB D[IC such that D [f Ag has an SRP IC refutation.

B Declarative Semantics

In this section we will de ne the notion of Least Constrained Model , which represents the basic semantic concept in our framework. Notice that all the results regarding classical models of logic programs ([13]) apply to constrained models. All proofs can be found in the complete paper2 . De nition 10 (Constrained Model) Let D be a database and IC a set of view constraints. Let LD[IC be the rst order language of D [ IC , and let L=D[IC be LD[IC augmented with the equality predicate \=". Then, a Herbrand Interpretation M over L=D[IC is a constrained model of D with respect to IC if: M is a model of the Equality Theory (see x14 in [13]), and for all ground instances A Q of any clause in D: 1. if Q M, and 2. for all instances A ! B of any constraint in IC such that A = A, there exists a ground instance of B, say B0 , with B0 M, 3. then: A 2 M. The next example should clarify the previous de nition. Example 4 Let D and IC be as follows: D: p q

q

IC : p ! r

In this case, both M1 = fqg and M2 = fp; q; rg are constrained models. 2

available

on

the

WWW

at

the

ftp://rep1.iei.pi.cnr.it/pub/asirelli/view constr.ps.

13

following

address:

Notice that there may exist constrained models which are not models of D in the classical sense (see M1 in example 4), due to the fact that such models may not satisfy all the ground instances of the clauses in D. Vice versa there may exist also classical models which are not constrained, since they do not satisfy some constraint. The following proposition states that the intersection property holds for constrained models. Proposition 1 (Intersection) Let D be a database and IC be a set of constraints. Moreover, let TfMi gi2I be a non{empty set of constrained models of D w.r.t. IC. Then M = i2I Mi is a constrained model of D w.r.t. IC . Given a database D and a set IC of constraints, let HB D[IC and HU D[IC respectively be the Herbrand Base over LD[IC and its Herbrand Universe. Then, HB +D[IC = HB D[IC [ fs = s j s 2 HU D[IC g is a constrained model of D w.r.t. IC . Hence, the set of all the constrained models of D w.r.t. IC is never empty. Thus the intersection of all the constrained models of D is again a constrained model of D. We will refer to such a constrained model as Least Constrained Model , that will be often denoted as LCMIC D. Moreover, if \D j=IC " means that the formula holds in all the constrained models of D w.r.t. IC , we can further characterize LCMIC D as the set fA 2 HB =D[IC j D j=IC Ag, where HB =D[IC is the Herbrand Base over L=D[IC . Now we are going to give a more constructive characterization of LCMIC D by using elements from the Fixpoint=Theory. Let D be a database and IC be a set of view constraints. Then 2HBD[IC , which is the set of all the Herbrand interpretations over L=D[IC , is a complete lattice with respect to the partial order of the set inclusion. We are now in the position of giving the immediate consequence operator TDIC . De nition 11 Let D be a database and IC be a set of view constraints. The mapping TDIC : 2HB=D[IC ! 2HB=D[IC can be de ned as follows. Let I be a Herbrand interpretation. Then: TDIC (I) = fA 2 HB =D[IC j A Q is a ground instance of a clause in D with Q I; and for all instances A ! B of all view constraints in IC s: t: A = A; there exists a ground instance of B; say B0 ; with B0 I g Proposition 2 Let D be a database and IC be a set of constraints. Then, TDIC is continuous and, thus, monotonic.

Following the results of the classical declarative semantics of Logic Programming ([13]), we now give a xpoint characterization of the Least Constrained Model of a database w.r.t. to a set of constraints. Notice that the standard notion of ordinal power of a mapping, denoted by \"", is involved. The reader can 14

refer to [13] for any further detail about the formal de nition of this operator. Still assume HU D[IC denotes the Herbrand Universe of D [ IC .

Theorem 1 Let D be a database and IC a set of view constraints. Then: IC LCMIC D = TD " ! [ fs = s j s 2 HU D[IC g

C Correctness and Completeness C.1 Correctness

In this section the main correctness results of the SRP IC proof procedure are presented.

Theorem 2 (Correctness of SRP IC ) Let D be a database, IC be a set of view constraints and G = A1 ; : : :; Ak a goal. Moreover, let R be a safe selection rule. Then, if is an SRP IC computed answer substitution for D [ fGg via R, the following holds:

D j=IC 8((A1 ^ : : : ^ Ak ))

Corollary 1 Let D be a database and IC be a set of constraints. Then: SS (SRP IC ) LCMIC D

C.2 Completeness

As it has been de ned at the beginning of this section, our proof procedure may deal with inequalities of the form T1 6= T2 . The treatment of these atoms may produce some problems, which are basically the same ones which arise in the SLDNF proof procedure in handling negated atoms. Anyway, the hypotheses that we have made about the range restriction of the rules in the database permit to avoid this kind of problems. In fact, this assumption guarantees that no oundering may occur during an SRP IC derivation, since all the variables which appear in inequalities will be surely fully instantiated during the computation. Thus, some problems could arise only if a query containing some non{ground inequality was forced to the system. Of course, we do not allow a derivation to start with an inequality. The rst completeness statement is exactly the complement of corollary 1. Theorem 3 Let D be a range restricted database and IC be a set of constraints. Moreover, let HB D[IC be the Herbrand Base of D [ IC . Then: (LCMIC D \ HB D[IC ) SS (SRP IC ) 15

Now we can give the main completeness result for SRP IC .

Theorem 4 (Completeness of SRP IC ) Let D be a range restricted database, IC be a set of view constraints and G = A1 ; : : :; Ak a goal. Then, if D j=IC 8((A1 ^ : : : ^ Ak )), then there exists an SRP IC computed answer substitution for D [ fGg and a substitution such that = .

16