On Correctness of Nonserializable Executions

Journal of Computer and System Scences 56, 688 (1998) Artcle No. SS971536 On Correctness of Nonseralzable Executons Rajeev Rastog,* Sharad Mehrotra, - Yur Bretbart, [,1 Henry F. Korth,* and Av Slberschatz* *Bell laboratores, 600 Mountan Avenue, Murray Hll, New Jersey 07974-0636; - Department of Computer Scence, Unversty of Illnos, Urbana, Ilnos 61801; [ Department of Computer Scences, Unversty of Kentucky, Lexngton, Kentucky 40506 Receved July 4, 1996 In a number of applcaton envronments (e.g., computer aded desgn), seralzablty, the tradtonally accepted noton of correctness has been found to be too restrctve, and a number of alternate crtera have been proposed n the lterature. One such crteron s predcate-wse seralzablty (PWSR) whch requres only restrctons of schedules that access subsets of the database over whch ntegrty constrants are defned to be seralzable. In ths paper, we dentfy restrctons on the structure of transacton programs, ther concurrent executon, and ther access characterstcs under whch PWSR schedules preserve database consstency. ] 1998 Academc Press Key Words: transactons; schedules; concurrency control; ntegrty constrants; database states 1. INTRODUCTION In the standard transacton model [3], a database state s sad to be consstent f all database ntegrty constrants are satsfed. Each transacton, when executed n solaton, maps a consstent database state to another consstent database state. In the case of concurrent transacton executons, database consstency s ensured by requrng that the resultng executon be seralzable; that s, equvalent to some seral executon of the transactons. Snce each transacton, when executed alone, preserves database consstency, a seralzable executon preserves database consstency. Whle ths theory s attractve from the pont of vew of smplcty, n recent years, several papers have shown that employng the standard transacton model for certan ``new'' database applcatons or n a dstrbuted database envronment has unacceptable practcal consequences. For example, n applcatons such as computer-aded desgn, where transactons are of a long duraton, the standard transacton model may result n long-duraton wats mposed by the lockng protocols. In dstrbuted database applcatons, a potental loss of the local autonomy of the partcpatng databases may result. These problems are not only ssues concernng performance but also ssues concernng usablty, snce many of the ``new'' applcatons are nteractve andor dstrbuted. 1 Work supported n part by SNF Grant IRI-890493. The approaches taken to allevate the above-mentoned problems can be broadly classfed nto the followng three categores: v The frst approach s to explot the semantcs of the database operatons, whle stll ensurng seralzablty of executons. A transacton can be consdered as a sequence of hgh-level operatons (e.g., ncrement.) Commutatvty among operatons, and not the set of read and wrtes resultng from ther executon, s used to determne conflcts between transactons, thus enhancng concurrency. Early work n ths area ncludes [10]. More recent work ncludes [,5,9,15]. v The second approach s to explot the semantcs of transactons [68]. In ths approach, a transacton s broken nto a set of subtransactons, wth each of whch a type s assocated. The applcaton admnstrator, then determnes the set of nterleavngs of the subtransactons that are acceptable and that would not result n the volaton of database consstency. As an example, consder the saga transacton model n whch a transacton T s broken nto a sequence of subtransactons T 1, T,..., T n. Each T s an ndependent actvty by tself. After the termnaton of T the locks on data tems held by T can be released and the effects of T externalzed. Thus, n the saga transacton model all possble nterleavngs of the subtransactons are permtted. v The thrd approach s to explot the knowledge of the ntegrty constrants of the system. A fundamental technque used n several applcaton domans s to partton the database nto subdatabases, each wth ts own consstency constrants. Based on the applcaton doman, assumptons can be made regardng the degree to whch these subdatabases are ndependent (as n the concept of global and local data used n some work n multdatabase systems [1]) or regardng the nature of transactons executng aganst these subdatabases (such as an assumpton of preservaton of subdatabase consstency). One such applcaton doman s the computer-aded desgn and manufacturng envronment for whch predcate-wse seralzablty (PWSR) was ntroduced as a correctness crteron n [11]. In a nutshell, the PWSR correctness crteron states that f the 00-000098 5.00 Copyrght 1998 by Academc Press All rghts of reproducton n any form reserved. 68

CORRECTNESS OF NONSERIALIZABLE EXECUTIONS 69 database consstency constrant s expressed as a conjuncton of predcates, then for each possble schedule S, the restrcton of S to operatons that access data tems n every conjunct s seralzable. In [14], the authors propose the noton of setwse seralzablty whch s smlar to that of PWSR. The database s parttoned nto atomc data sets the consstency of every one of whch mples the consstency of the entre database. A setwse seralzable schedule s one whose restrcton to each atomc data set s seralzable. Whle substantal research has been done towards developng approaches to relax the seralzablty requrement, very lttle work has been done on dentfyng what consstency guarantees result from the above approaches to extendng the standard transacton model. For example, lttle work exsts on characterzng the applcaton domans n whch the usage of the saga transacton model ensures database consstency. In ths paper, we study the formal mplcatons of choosng PWSR as the correctness crteron. The mportance of the PWSR correctness crteron has been demonstrated n [4, 11]. In [11], t was shown that the PWSR correctness crteron can be used to allevate the long-duraton wats assocated wth long-duraton transactons n computeraded desgn and manufacturng envronments. More recently, n [4] t was shown that the PWSR correctness crteron (referred to as the local seralzablty (LSR) crteron) can be used to help allevate the autonomy-nduced problems n multdatabase system applcatons. In ths paper, we explore the formal mplcatons of the assumptons that may be requred n order to ensure database consstency when PWSR s employed as the correctness crteron. The assumptons examned nclude: v Parttonng of the database nto subdatabases. v Restrctng the form of consstency constrants. v Restrctng the structure of programs that generate transactons. v Restrctng the concurrent executon of transactons. v Restrctng the order n whch transactons access data. We show what combnaton of assumptons are and are not suffcent to guarantee consstency. In [14], the authors show that setwse seralzable schedules due to the executon of straght lne transactons preserve database consstency. Our work dffers from the work n [14] n a number of ways. Frst, n addton to restrctons on the structure of transactons (e.g., straght lne), we also consder addtonal restrctons on schedules and the order n whch transactons access data (ths enables us to relax all restrctons on the structure of transactons). Second, compared to [14], we follow a more rgorous approach to provng that schedules preserve database consstency. For example, n [14], n addton to not formally defnng the noton of straght lne transactons, the authors also do not use the fact that transactons are straght lne n any of ther proofs. We further elaborate on the shortcomngs of ther proof technques n Secton 3.1. In ths paper, not only do we dentfy the restrctons under whch PWSR schedules preserve database consstency, but we also develop rgorous methodologes based on nducton arguments for showng that database consstency s ndeed preserved by the schedules. The remander of the paper s organzed as follows. In Secton, we develop our transacton and schedule models that are suted for provng that nonseralzable executons preserve database consstency. In Secton 3, we dentfy the restrctons that must be placed on PWSR schedules so that database consstency s preserved. Fnally, concludng remarks are offered n Secton 4.. PRELIMINARIES In ths secton, we develop the basc notaton that wll be used n the remander of the paper. We frst formalze the noton of database consstency n terms of the preservaton of ntegrty constrants. We then develop our transacton model to help us n reasonng about nonseralzable executons. Fnally, we dscuss our noton of correctness of a schedule..1. Database Consstency In the standard transacton model [13], a consstent database state s mplctly defned by assumng that each transacton, when executed n solaton, maps a consstent database state to another consstent database state. Correctness n case of concurrent executon s defned n terms of seralzablty. In order to develop a theory of nonseralzable executons, we must explctly defne what a consstent database state s. We do ths n terms of ntegrty constrants, whch are dscussed below. A database conssts of a fnte set, D, of data tems. For each data tem d$#d, Dom(d$) denotes the doman of d$. A database state maps every data tem d$ to a value v$, where v$ # Dom(d$). Thus, a database state, denoted by DS, can be expressed as a set of ordered pars of data tems n D and ther values, DS=[(d$, v$): d$#d and v$ # Dom(d$)]. DS has the property that f (d$, v$ 1 )#DS and (d$, v$ )#DS, then v$ 1 =v$. The restrcton of DS to data tems n dd, s denoted by DS d. Thus, DS d =[(d$, v$): d$#d and (d$, v$) # DS]. Let d 1 D, d D, and DS 1, DS be database states. The unon of DS d 1 and DS d s denoted by DS d 1 _ DS d. 1 1 The operaton s smlar to the one tradtonally defned

70 RASTOGI ET AL. for sets, except that DS d 1 _ DS d s undefned f (d$, v$ 1 1)# DS d 1,(d$, v$ 1 )#DS d, and v$ 1 {v$. Integrty constrants n a database, denoted by IC, dstngush nconsstent database states from consstent ones. Tradtonally, ntegrty constrants are defned as a subset of all the possble database states, and a database state s consstent f t belongs to that subset [13]. In our model, ntegrty constrants are quantfer-free frst order formulae over the language consstng of: v Numercal and strng constants (e.g., 5, 100, ``Jm''), v Functons over numerc and strng constants (e.g., +, max), v Comparson operators (e.g., >, =), and v Set of varables (data tems n D). The terms and well-formed formulae are defned as n [1]. Snce a database state maps data tems (varables) to values t can be vewed as a varable assgnment [1]. A database state, DS, s consstent f t does not volate the ntegrty constrants. Let I be the standard nterpretaton for numercal and strng constants, functon symbols, and comparson operators. Thus, a database state DS s consstent ff I < DS IC. We shall use DS < IC to denote I < DS IC. For example, consder a database consstng of data tems a, b, and an ntegrty constrant, IC=(a=b). The database state DS 1 =[(a, 5),(b, 5)] s consstent. However, the database state DS =[(a, 5),(b, 6)] s not consstent. The restrcton of a database state, DS, to data tems n dd, DS d s consstent ff there exsts a consstent database state DS 1 such that DS d =DS d 1. That s, DS d s consstent ff there exst values for the data tems that are not n d whch extend DS d to some DS 1 that s consstent. Thus, even though DS s not consstent, ts restrctons may be consstent. For example, DS above s not consstent. However, ts restrctons, DS [a] =[(a, 5)] and DS [b] = [(b, 6)] are consstent. In the remander of the paper, we shall assume that IC=C 1 7 C 7 }}} 7 C l, where IC, C e are defned over data tems n D, d e, respectvely, such that d e & d f =< for all e{ f. Thus, we assume that the database can be parttoned nto data sets d 1,..., d l such that no ntegrty constrants are present between tems n any two data sets. In the followng lemma, we establsh the relatonshp between the consstency of database states and the consstency of ts subsets. The lemma bascally states that consstency of each data set d e mples the consstency of the entre database (see Fg. 1). Thus, followng the termnology of [14], each d e would be an atomc data set. Lemma 1. Let d$ e d e and DS be a database state. l DS d$ e e=1 s consstent ff for all e=1,,..., l, DS d$ e s consstent. Proof. (o ) If l DS d$ e e=1 s consstent, then for all e=1,,..., l, DS d$ e s consstent. Ths follows drectly from the defnton of database consstency. ( O ) We now prove that f for all e=1,,..., l, DS d$ e s consstent, then l DS d$ e e=1 s consstent. Snce DS d$ e are consstent, there exst consstent database states, DS e, such that DS d$ e =DS d$ e e, e=1,,..., l. Let DS0 be a database state such that DS d e =DS d e, e=1,,..., l (such a DS 0 e 0 exsts snce d e & d f =<, e{ f ). Snce DS e < C e, DS d e =DS d e, and C 0 e e s defned only over data tems n d e, DS 0 < C e, e=1,,..., l. Thus, DS 0 < C 1 7 C 7 }}} 7 C l. Also, l DS d$ e e=1 DS0. Thus, there exsts a consstent database state DS 0 such that l DS d$ e e=1 DS0. Hence, by defnton of database consstency, l e=1 DS d$ e s consstent. K Note that t s essental for the data tems over whch conjuncts are defned to be dsjont, f Lemma 1 s to hold. If data tems over whch conjuncts are defned are not dsjont, then database state DS 0 n the proof of Lemma 1 may not exst. For example, let IC=((a=5 b=5) 7 (c =5 b = 6)). Consder d$ 1 = [a] and d$ = [c]. Let FIG. 1. Lemma 1.

CORRECTNESS OF NONSERIALIZABLE EXECUTIONS 71 DS d$ 1 =[(a, 5)] and DS d$ =[(c, 5)]. Thus, even though DS d$ 1 and DS d$ are consstent, DS d$ 1 _ DS d$ s nconsstent... Transactons and Schedules In ths secton, we develop the transacton model, whch devates from the standard development to facltate reasonng about nonseralzable executons. A transacton s a sequence of operatons resultng from the executon of a transacton program. A transacton program s usually wrtten n a hgh-level programmng language wth assgnments, loops, condtonal statements, and other complex control structures. Executon of a transacton program startng at dfferent database states may result n dfferent transactons. Ths observaton has serous mplcatons when dealng wth nonseralzable executons, as wll become evdent later n the paper. Formally, a transacton T =(O T, O T ), where O T = [o 1, o,..., o n ] s a set of operatons and O T s a total order on O T. An operaton o s a 3-tuple ((acton(o ), entty(o ), value(o )): acton(o ) denotes an operaton type whch s ether a read (r) or wrte (w) operaton; entty(o ) s the data tem on whch the operaton s performed. If the operaton s a read operaton, value(o ) s the value returned by the read operaton for the data tem read. For a wrte operaton, value(o ) s the value assgned to the data tem by the wrte operaton. For smplcty of the exposton, we assume that each transacton reads and wrtes a data tem at most once and that t does not read a data tem after wrtng the data tem. Our transacton defnton dffers from the way they are tradtonally defned n the lterature (see, for example, [3, 13]). We nclude, along wth every operaton, a value attrbute, n addton to acton and entty attrbutes. Snce we relax the requrement of seralzablty as the correctness crteron, we need to deal wth certan nonseralzable executons. The value attrbute helps us n provng that such nonseralzable executons preserve database consstency. A schedule s a sequence of operatons resultng from the concurrent executon of a set of transacton programs. Formally, a schedule S=({ S, O S ) s a fnte set { S of transactons, together wth a total order, O S, on all operatons of the transactons such that for any two operatons o 1, o n S and some transacton T # { S, f o 1 O T o, then o 1 O S o. We use the notaton [DS 1 ]TP [DS ] to denote the fact that when a transacton program TP executes from a database state DS 1, t results n a database state DS. Smlar notaton s used to denote executon of operatons, transactons, and schedules (the ntended meanng wll be clear from the context). We next ntroduce some notaton for sequences of operatons. Let seq=o 1 o }}}o n be a subsequence of a schedule S (seq may be a transacton), and let dd. We defne the followng: v RS(seq) denotes the set of data tems read by operatons n seq: RS(seq)=[y: o # seq 7 y=entty(o ) 7 acton(o )=r]. v read(seq) denotes the database state ``seen'' as a result of the read operatons n seq: read(seq)=[( y, z): o # seq 7 y=entty(o ) 7 z =value(o ) 7 acton(o )=r]. v WS(seq) denotes the set of data tems wrtten by operatons n seq: WS(seq)=[y: o # seq 7 y=entty(o ) 7 acton(o )=w]. v wrte(seq) denotes the effects that the wrte operatons n seq have on the database: wrte(seq)=[( y, z): o # seq 7 y=entty(o ) 7 z =value(o ) 7 acton(o )=w]. v seq d denotes the subsequence of seq consstng of all operatons o such that entty(o )#d. We llustrate the above notaton n Example 1 below, where T s used to denote the transacton resultng from the executon of the transacton program TP. Operatons belongng to transacton T are subscrpted by. Thus, a read operaton on data tem a belongng to transacton T 1 s denoted by r 1 (a, v), where v s the value returned by the read operaton (ths notaton s used throughout the paper). Example 1. Consder the transacton programs TP 1 and TP : RP 1 : f(a0) then b :=c else c :=d TP : d :=a Consder the schedule S below resultng from the executon of TP 1 and TP from database state DS 1 =[(a, 0),(b, 10), (c, 5),(d, 10)], S: r 1 (a, 0),r 1 (a, 0),w (d, 0),r 1 (c, 5),w 1 (b, 5). In S, the transactons correspondng to TP 1 and TP are T 1 : r 1 (a, 0), r 1 (c, 5), w 1 (b, 5) T : r (a, 0), w (d, 0).

7 RASTOGI ET AL. Note that [DS 1 ]S[DS ], where DS =[(a, 0),(b, 5), (c, 5),(d, 0)]. The followng assertons can be made about transactons T 1 and T : RS(T 1 )==[a, c] read(t 1 )=[(a, 0),(c, 5)] WS(T 1 )=[b] wrte(t 1 )=[(b, 5)] T [b] 1 =w 1 (b, 5) S [a, c] =r (a, 0), r 1 (a, 0), r 1 (c, 5)..3. Strong Correctness In the tradtonal transacton model, transacton programs, when executed n solaton, are assumed to be correct; that s, transactons preserve the ntegrty constrants of the database. The task of the concurrency control scheme s to ensure that schedules resultng from the concurrent executon of the transacton programs preserve database consstency. However, a concurrency control scheme whch ensures that schedules preserve the database ntegrty constrants does not necessarly prevent transactons from ``seeng'' nconsstent database states. To overcome ths, we defne the noton of strong correctness, whch requres that transactons n a schedule read consstent data values, n addton to the requrement that schedules preserve database ntegrty constrants. Defnton 1. A schedule S s strongly correct ff v for all consstent database states DS 1, f t s the case that [DS 1 ]S[DS ], then DS s consstent, and v for all transactons T # { S, read(t ) s consstent. Every seralzable schedule s strongly correct, but there are strongly correct schedules that are not seralzable. For example, consder a database n a unversty envronment n whch there s one relaton for every course beng offered durng the semester that contans the students regstered for the course, and a relaton contanng the total hours that each student s regstered for durng the semester. An ntegrty constrant on each course relaton specfes the maxmum number of students that can be regstered for the course, and an ntegrty constrant on the student relaton specfes that each regstered student must be regstered for a certan mnmum number of hours. A regstraton transacton that updates the database s executed when a student regsters for courses at the start of the semester. Each regstraton transacton for a student conssts of subtransactons, each of whch nserts a record for the student n the relatons for the courses that the student wshes to regster for (the student record s not nserted nto a course relaton f the number of students regstered for the course exceeds the maxmum number of students that can be regstered for In ths paper, unless stated otherwse, by seralzablty we refer to conflct seralzablty (CSR) [13]. the course) and a fnal subtransacton that nserts the student record nto the students database, and updates the number of hours that the student s regstered for (f the number of hours that the student s regstered for s less than the mnmum, then the entre regstraton transacton s aborted and ts updates are rolled back). Thus, t follows that each regstraton transacton, when executed n solaton, preserves the database ntegrty constrants. Furthermore, the ntegrty constrants are also preserved by schedules that are not seralzable wth respect to regstraton transactons, but seralzable wth respect to ther subtransactons (snce ntegrty constrants do not span multple relatons, and each subtransacton updates a sngle relaton and preserves the ntegrty constrants for the relaton). In the next secton, we show that PWSR schedules are strongly correct f transacton programs and ntegrty constrants are of a restrcted nature. In the remander of the paper, we assume that all transacton programs and transactons are correct. 3. PREDICATEWISE SERIALIZABILITY The noton of predcate-wse seralzablty (PWSR) was ntroduced as an alternatve consstency crteron to seralzablty for applcatons wth long-duraton transactons, CADCAM applcatons, etc. [11]. Formally, PWSR s defned as follows. Defnton. A schedule S s sad to be PWSR f for all e, e=1,,..., l, S d e s seralzable. Snce PWSR schedules may not be seralzable, they, n general, do not preserve database consstency. Ths s llustrated by the followng example. Example. Consder a database contanng data tems D=[a, b, c] and the followng transacton programs TP 1 and TP : TP 1 : a :=1 ; f(c>0) then b := b +1; TP : f(a>0) then c :=b. Let IC=(C 1 7 C ), where C 1 =(a>0 b>0) and C = (c>0). The conjuncts are defned over dsjont sets of data tems. Consder the followng schedule resultng from the executon of TP 1 and TP from database state [(a, &1), (b, &1),(c, 1)], S: w 1 (a, 1),r (a, 1),r (b, &1),w (c, &1),r 1 (c, &1). The database state resultng from the executon of the above schedule s [(a, 1),(b, &1),(c, &1)], whch s nconsstent. Thus, PWSR schedules may not be strongly correct.

CORRECTNESS OF NONSERIALIZABLE EXECUTIONS 73 In the followng three subsectons, we dentfy dfferent sets of restrctons under whch PWSR schedules are strongly correct. We consder 1. restrctng the structure of transacton programs to be straght lne,. restrctng schedules to be ACA-lke, and 3. restrctng transactons to access data tems n conjuncts n an ordered fashon. Restrctons 1 and 3 permt a hgh degree of concurrency, but mpose orthogonal sets of constrants on the nature of transactons. Restrcton, on the other hand, permts arbtrary transactons, but could result n a lower degree of concurrency. Only restrcton 1 s consdered n [14]. 3.1. Restrctng Transacton Programs Let us examne the transacton programs whose concurrent executon resulted n a loss of database consstency n Example. In Example, transacton program TP 1 read the value of data tem c as beng less than 0. Thus, t dd not execute ts wrte operaton on data tem b. One way of preventng ths s to restrct transacton programs such that the structure of the transacton that results from ther executon s ndependent of the state from whch the transacton program executes. We refer to such transacton programs as fxed-structured transacton programs. In order to defne and reason about fxed-structured transacton programs, we need some addtonal notaton. Let seq be a subsequence of a schedule S and let p be an operaton n S: v struct(seq) denotes the structure assocated wth seq, whch s derved from seq by gnorng the values assocated wth the operatons n seq. Thus every operaton o n struct(seq) s a -tuple (acton(o ), entty(o )). v before(seq, p, S) denotes the subsequence of seq consstng of all the operatons that precede p n S. Ifp belongs to seq, then before(seq, p, S) ncludes p. v after(seq, p, S) denotes the subsequence of seq consstng of all operatons not n before(seq, p, S). Thus, n Example 1, f p=w (d, 0), then struct(t 1 )=r 1 (a), r 1 (c), w 1 (b); before(t, p, S)=r (a, 0),w (d, 0); after(t 1, p, S)=r 1 (c, 5),w 1 (b, 5). We are now n a poston to defne fxed-structured transacton programs. Defnton 3. Transacton program TP has a fxedstructure f for all pars (DS 1, DS ) of database states, struct(t 1 )=struct(t ), where T 1 and T are transactons resultng from the executon of TP from DS 1 and DS, respectvely. Note that n Example, the transacton program TP 1 does not have a fxed-structure. However, t s easy to see that TP 1 can be converted nto the followng fxed-structured transacton program TP$ 1 : TP$ 1 : a :=1 ; f(c>0) then b := b +1 else b :=b. If we replace TP 1 wth TP$ 1 n Example, then the schedule n the example would not be PWSR snce the restrcton of the schedule to the set of data tems n conjunct C 1 would not be seralzable. It can be shown that PWSR schedules that result from the executon of fxed-structured transacton programs are strongly correct. To prove ths, we need to frst show that every transacton n a PWSR schedule S ``sees'' a consstent database state. Snce a PWSR schedule may not be seralzable, correctness cannot be smply proved usng nducton over the order n whch transactons are seralzed n the schedule. In [14], the authors use nducton over the seralzaton order of transactons accessng each d e n order to prove correctness of schedules. However, ths approach to provng that PWSR schedules preserve database consstency s ncorrect snce a transacton T that may be frst n the seralzaton order of transactons accessng d e may not necessarly be frst n the seralzaton order of transactons accessng d f. As a result, snce when performng nducton, t s not known f data tems n d f read by T are consstent (the data tems n d f read by T could have been wrtten by a dfferent transacton T j seralzed before T ), we cannot conclude that T leaves d e n a consstent state. In Example, the seralzaton order of transactons s T 1 T on d 1 and T T 1 on d. Both T 1 and T read nconsstent data on d and d 1 (wrtten by T and T 1 ), respectvely. As a result, t s not possble to prove the correctness of PWSR schedules by nductng on the seralzaton order of transactons on data sets. Rather, to prove that transactons see a consstent database state, we use nducton over the order n whch operatons occur n the schedule. We show that for each operaton p and transacton T n a schedule S, the set of data tems that T reads before the occurrence of p, that s, read(before(t, p, S)), s consstent. Thus, by consderng p to be the last operaton n S, we can show that every transacton reads consstent data and leaves the database n a consstent state. It s trval to see that the clam holds f p s the frst operaton n S. Assume that the clam holds for every operaton n S before the occurrence of p. We need to show that for

74 RASTOGI ET AL. FIG.. Lemma. each transacton T, read(before(t, p, S)) s consstent. Let p belong to some transacton T and, further, let entty( p)#d k, where d k s the set of data tems n conjunct C k. By nducton hypothess, read(before(t j, p, S)) for each T j {T s consstent. We, therefore, only need to prove that read(before(t, p, S)) s consstent. To do so, we frst dentfy the subset of data tems n d k that T can possbly read before the occurrence of p. We refer to the above set as the vew set of transacton T, before operaton p, wth respect to data tems n d k. The followng lemma states that before p, a transacton T can read all tems except those wrtten after p by transactons seralzed before t (see Fg. ). Lemma. Let S be a schedule and dd such that S d s seralzable. Let T 1, T,..., T n be a seralzaton order of transactons n S d and let p be an operaton n S. For all =1,,..., n, RS(before(T d, p, S))VS(T, p, d, S), where VS(T, p, d, S) f = {d, VS(T &1, p, d, S)&WS(after(T d &1, p, S)), =1; f >1. Proof. RS(before(T d, p, S))d=VS(T 1 1, p, d, S). Thus, the result holds for T 1. To show that the result holds for any T, =, 3,..., n we wll show that f d$#d, and d$ VS(T, p, d, S), then d$ RS(before(T d, p, S)). From the defnton of the vew set of a transacton, we have the followng property about data tems whch do not belong to a transacton's vew set. If d$#d, and d$ VS(T, p, d, S), then for some j<, d$#ws(after(t d, p, S)). Snce S d j s seralzable and T j s seralzed before T,fT reads d$, then T must read the value of d$ after t s wrtten by T j. Thus, before p, T cannot read d$; that s, d$ RS(before(T d, p, S)). K wth respect to data tems n d s defned as follows (see Fg. 3): state(t, d, S, DS 1 ) DS d 1, f =1 ={state(t &1, d, S, DS 1 ) d&ws(t d &1 ) _ wrte(t d ), &1 f >1. In the above defnton, state(t &1, d, S, DS 1 ) d&ws(t d &1 ) denotes the restrcton of state(t &1, d, S, DS 1 ) to data tems n d&ws(t d ). For data tems not n WS(T d ), &1 &1 the values are the same n the states seen by T &1 and T ; however, for data tems n WS(T d &1 ), the values n the state seen by T are those wrtten by T &1. Thus, state(t, d, S, DS 1 ) s the state of the database wth respect to data tems n d as seen by T. Note that from the defnton of state and seralzablty, t follows that v read(t d )state(t, d, S, DS), and v f t the case that [DS 1 ]S[DS ], then t must be the case that [state(t n, d, S, DS 1 )]T d n [DSd]. The state of a transacton depends on the ntal state and the seralzaton order chosen and thus, may not be unque. In Example 1, S s seralzable wth seralzaton orders T 1, T or T, T 1. Wth seralzaton order T 1, T : state(t, [a, b, c], S, DS 1 )=[(a, 0),(b, 5),(c, 5)]. We next assocate the noton of a ``state'' wth a transacton. The state assocated wth the transacton s a possble state of the data tems n a conjunct that the transacton may have seen. The state seen by the transacton s an abstract noton and may never have been physcally realzed n a schedule. Defnton 4. Let S be a schedule resultng from database state DS 1 and dd such that S d s seralzable. Let T 1, T,..., T n be a seralzaton order of transactons n S d. The state of the database before the executon of each transacton FIG. 3. State of a transacton.

CORRECTNESS OF NONSERIALIZABLE EXECUTIONS 75 FIG. 4. Lemma 3. However, wth seralzaton order T, T 1 : state(t, [a, b, c], S, DS 1 )=[(a, 0),(b, 10),(c, 5)]. Recall that our task s to show that under the nducton hypothess, read(before(t, p, S)) s consstent, where p s an operaton belongng to transacton T and, further, entty( p)#d k. In order to do so, we need to establsh condtons under whch database consstency s preserved durng the executon of transactons. For an arbtrary transacton, t s dffcult to make any asserton about the consstency of the database state durng ts executon, snce all we know about a transacton s that, as an atomc unt, t s correct. However, f we restrct transactons to those resultng from the executon of fxed-structured transacton programs, we can make the followng asserton about the states whch exst durng ts executon. The followng lemma states that f before p, a fxed-structure transacton program sees a consstent state, then the state of tems (excludng tems wrtten by T after p) s also consstent (see Fg. 4). Lemma 3. Let S be a schedule consstng of a transacton T whch results from the executon of a fxed-structure transacton program TP (note that S=T ). Let DS 1, DS be database states such that [DS 1 ]T [DS ], and let p be an operaton n S. If DS d _ read(before(t 1, p, S)) s consstent, then DS d&ws(after(t, p, S)) s consstent. Proof. Let DS 3 be a consstent state such that DS d _ RS(before(T, p, S)) 3 =DS d _ read(before(t 1, p, S)). Let [DS 3 ]TP [DS 4 ]. Let T$ be the transacton and let S$ be the schedule resultng from the executon of TP from DS 3 (note that S$=T$ ). Snce TP has fxed-structure, struct(t$ ) =struct(t ). Thus, there exsts an operaton p$ n S$ such that Snce DS RS(before(T, p, S)) 3 =read(before(t, p, S)) and struct(t$ )=struct(t ), read(before(t, p, S))=read(before(T$, p$, S$)). Snce wrtes are a functon of the reads before them, T and T$ result from the executon of the same transacton program TP, DS d 1 =DS d 3 and struct(t$ )=struct(t ), DS d _ WS(before(T$, p$, S$))&WS(after(T$, p$, S$)) 4 =DS d _ WS(before(T, p, S))&WS(after(T, p, S)). Snce TP s a correct transacton program, DS 4 s consstent, and the lemma has been proven. K In Lemma 3, f transacton program TP does not have a fxed-structure, then struct(t$ ) may not be equal to struct(t ). As a result, WS(after(T$, p$, S$)) may not be equal to WS(after(T, p, S)) and thus, t followsthatds d&w(after(t, p, S)) may not be consstent. Ths s llustrated by the followng example. Example 3. Consder a database contanng data tems D=[a, b, c] and the followng transacton programs TP 1 and TP : TP 1 : a :=1 ; f(c>0) then b := b +1 TP : f(a>0) then c :=b. RS(before(T, p, S))=RS(before(T$, p$, S$)) WS(after(T, p, S))=WS(after(T$, p$, S$)). and Let IC=(C 1 7 C ), where C 1 =(a>0 b>0) and C = (c>0). The conjuncts are defned over dsjont sets of data tems. Consder the followng schedule resultng from the

76 RASTOGI ET AL. executon of TP 1 and TP from database state [(a, &1), (b, &1),(c, 1)]: S: w 1 (a, 1),r (a, 1),r (b, &1),w (c, &1),r 1 (c, &1). Let p=w 1 (a, 1). The database state resultng from the executon of the above schedule s DS =[(a, 1), (b, &1), (c, &1)], whch s nconsstent. Thus, although DS d _ 1 read(before(t 1, p, S)) s consstent, DS d&ws(after(t 1, p, S)) s nconsstent ([(a, 1),(b, &1)]). Ths s due to the fact that TP 1 does not have fxed-structure. Our goal s to show that for every transacton T and every operaton p, read(before(t, p, S)) s consstent. We show ths n Lemma 5 usng nducton. However, before that, n the followng lemma, usng the property of fxedstructured transacton programs dentfed n Lemma 3, we show that f for a transacton T and an operaton p for all transactons T j seralzed before T, read(before)(t j, p, S)) s consstent, then T 's vew set s consstent (see Fg. 5). Lemma 4. Let S be a schedule resultng from the executon of transacton programs wth fxed-structure from database state DS, and let p be an operaton n S. For any k, k=1,,..., l, f S d k s seralzable wth seralzaton order T 1, T,..., T n, DS d k s consstent, and for all j=1,,..., &1, read(before(t j, p, S)) s consstent, then state(t, d k, S, DS) VS(T, p, d k, S) s consstent, =1,,..., n. Proof. The proof s by nducton on the number of transactons. Bass (=1). Trval, as state(t 1, d k, S, DS) d k =DS d k, whch s gven to be consstent. Inducton. Assume true for =m (1m<n); that s, f for all j=1,,..., m&1, read(before(t j, p, S)), s consstent, then state(t m, d k, S, DS) VS(T m, p, d k, S) s consstent. We need to show the above to be true for =m+1. By IH, we know state(t m, d k, S, DS) T m, p, d k, S) s consstent. By Lemma, RS(before(T d k, p, S))VS(T m m, p, d k, S), and thus, state(t m, d k, S, DS) VS(T m, p, d k, S) _ read(before(t d k, p, S)) s conss- m tent. Snce d e & d f =<, e{ f, and read(before(t m, p, S)) s consstent, by Lemma 1, t follows that state(t m, d k, S, DS) VS(T m, p, d k, S) _ read(before(t m, p, S)) s consstent. As transacton program TP m has fxed-structure, by Lemma 3, state(t m+1, d k, S, DS) d s consstent (d=vs(t m, p, d k, S) &WS(after(T d k, p, S))). Snce VS(T m m+1, p, d k, S)=d, state(t m+1, d k, S, DS) VS(T m+1, p, d k, S) s consstent. Snce RS(before(T d k, p, S)) s a subset of the vew set, we have proved that read(before(t d k, p, S)) s consstent. Further, snce the sets of data tems over whch conjuncts are defned are dsjont, t follows from Lemma 1 that read(before(t, p, S)) s consstent. In the followng lemma, we use nducton to show that for every transacton T and operaton p, read(before(t, p, S)) s consstent. For an operaton p n S, depth( p, S) denotes the number of operatons precedng operaton p (but not ncludng p) n schedule S. Thus, n Example 1, f p=w (d, 0), then depth( p, S)=. Lemma 5. Let S be a schedule consstng of transactons resultng from the executon of transacton programs wth fxed-structure from a consstent database state DS, and let p be an arbtrary operaton n S. If S s a PWSR schedule, then for all transactons T # S, read(before(t, p, S)) s consstent. K FIG. 5. Lemma 4.

CORRECTNESS OF NONSERIALIZABLE EXECUTIONS 77 Proof. The proof s by nducton on depth( p, S). Bass (depth( p, S)=0). There are two cases: Case 1. ( p T ). read(before(t, p, S))=<, whch s consstent. Case. ( p # T ). Snce depth( p, S)=0, t follows that read(before(t, p, S))DS, whch s consstent. Inducton. Assume true for depth( p, S)=m (m0), that s, for all transactons T # S, read(before(t, p, S)) s consstent. We need to show that for depth( p, S)=m+1, for all transactons T # S, read(before(t, p, S)) s consstent. Consder two cases: Case 1. ( p T ). Trvally by IH, read(before(t, p, S)) s consstent. Case. ( p # T ). Let entty( p)#d k for some k=1,,..., l. Snce S s PWSR, S d k s seralzable. Let a seralzaton order of transactons n S d k be T1, T,..., T &1, T, T +1,..., T n.asp# T, p T j, for all j=1,,..., &1. Thus, by Case 1 of the nducton step above, read(before)(t j, p, S)) s consstent for all j=1,,..., &1. Hence, snce transacton programs have fxed-structure, from Lemma 4, state(t, d k, S, DS) VS(t, p, d k, S) s consstent. By Lemma, RS(before(T d k, p, S))VS(T, p, d k, S). Thus, read(before(t d k, p, S)) s consstent. By IH, read(before(t D&d k, p, S)) s consstent. Snce d e & d f =<, e{ f, by Lemma 1, read(before(t, p, S)) s consstent. K We have, therefore, establshed the followng theorem. Theorem 1. Let S be a schedule consstng of transactons resultng from the executon of transacton programs wth fxed-structure. If S s a PWSR schedule, then t s strongly correct. Proof. Let DS 1 be a consstent database state from whch schedule S results. Let [DS 1 ]S[DS ]. By Lemma 5, for all T # { S, read(t ) s consstent (choose p to be the last operaton n the schedule). We now show that DS d k for any k=1,,..., l s consstent. Let T 1, T,..., T n be a seralzaton order of transactons n S d k. Snce DS d k s consstent, 1 and d e & d f =<, e{ f, by Lemma 4, state(t n, d k, DS 1, S) s consstent (choose p to be the last operaton n the schedule). DS d k can be shown to be consstent by a smple applcaton of Lemma 3. Thus, by Lemma 1, DS s consstent, and, hence, S s strongly correct. K 3.. Restrctng Schedules In ths secton, we examne how, nstead of restrctng transacton programs, restrctng the nature of schedules may enable us to ensure strong correctness. To develop the ntuton, let us examne Example once agan. Note that n Example, n schedule S, transacton program TP reads data tem a wrtten by transacton program TP 1 before TP 1 fnshes executon (snce TP 1 executes the operaton r 1 (c, &1) after TP performs ts read operaton on a). Had the read operaton of TP been delayed untl after TP 1 fnshed executon, the schedule n Example that resulted n a loss of database consstency would not have been permtted. We refer to a schedule S n whch a transacton T cannot read a data tem wrtten by transacton T j untl after T j has completed all ts operatons as a delayed read (DR) schedule. In ths secton, we wll show that f S s a DR schedule, then the hypothess of Theorem 1 (that requres transacton programs to have fxed-structure f PWSR schedules are to be strongly correct) can be relaxed. Our nterest n DR schedules results from practcal consderatons. In practce, schedules produced by most DBMSs avod cascadng aborts; that s, most DBMSs produce ACA schedules [3]. It s trval to see that every ACA schedule s also DRhence our nterest. In order to formally defne the class of DR schedules, we frst defne the reads from relaton over operatons n a schedule. Let o, o j # S such that acton(o )=w, acton, (o j )=r, entty(o )=entty(o j ), and a O S o j. Operaton o j reads from o f for all o k # S such that o O S o k O S o j, ether entty(o k ){entty(o j ), or acton(o k ){w. We can now formally defne the class of DR schedules. Defnton 5. A schedule S s referred as a delayed read (DR) schedule f for all operatons o, o j # S, o # T 1, o j # T, f o j reads from o, then after(t 1, o j, S)==, the empty sequence. In a DR schedule, a transacton T does not read a data tem wrtten by transacton T j untl T j completes executon. However, note that T could wrte a data tem that s readwrtten by T j before T j completes executon. As a result, t s possble for a transacton T to read a data tem wrtten by T j before T j completes executon f some other transacton T k has overwrtten the tem after T j and has completed executon before T performs ts read operaton. Thus, the vew set of a transacton T n a DR schedule s restrcted to exclude data tems wrtten by ncomplete transactons (seralzed before T ) and that have not been subsequently overwrtten by a completed transacton (seralzed before T ), and s as stated n the followng lemma (see Fg. 6). Lemma 6. Let S be a DR schedule and dd such that S d s seralzable. Let T 1, T,..., T n be a seralzaton order of transactons n S d and let p be an operaton n S. For all =1,,..., n, RS(before(T d, p, S))VS(T, p, d, S), where f =1 VS(T &1, p, d, S)&WS(T VS(T, p, d, S)={d, d &1), f after (T &1, p, S){= VS(T &1, p, d, S) _ WS(T d ), &1 f after (T &1, p, S)==.

78 RASTOGI ET AL. FIG. 6. Lemma 6. Proof. RS(before(T d, p, S))d=VS(T 1 1, p, d, S). Thus the result holds for T 1. To show that the result holds for any T, =, 3,..., n, we wll show that f d$#d, and d$ VS(T, p, d, S), then d$ RS(before(T d, p, S)). From the defnton of the vew set of a transacton, we have the followng property about data tems whch do not belong to a transacton's vew set. If d$#d, and d$ VS(T, p, d, S), then for some j<, d$#ws(t d), such that after(t j j, p, S) {=, and for all k, k= j+1,..., &1, d$ WS(T d ). Let o k 1 be T j 's wrte operaton on d$. Suppose that d$#rs(before(t d, p, S)) and o s T 's read operaton of d$ such that o O S p or o = p. Snce T j s seralzed before T, t must be the case that o 1 O S o and, further, o reads from o 1. However, f o 1 O S o, and o reads from o 1, then snce S s DR, after(t j, o, S)== whch leads to a contradcton. Thus, before p, T cannot read d$; that s, d$ RS(before(T d, p, S)). K In the prevous secton, n our nductve proof of the correctness of PWSR schedules, the only place where we requred transacton programs to have fxed-structure was n Lemma 4 n whch we showed that for a transacton T, a conjunct C k, and an operaton p, f every transacton T j seralzed before T n S d k reads consstent data before p, then the vew set of T, before p, wth respect to d k, s consstent. We could prove the above n case transacton programs have fxed-structure snce t s possble to make clams about the consstency of the data tems durng the executon of fxed-structured transacton programs (Lemma 3). If, however, transacton programs are not fxed-structured, then the only clam we can make s that a transacton, f t executes from a consstent state, leaves the database n a consstent state (see Fg. 7). Lemma 7. Let S be a schedule consstng of a transacton T whch results from the executon of a transacton program TP (note that S=T ). Let DS 1 be a database state such that [DS 1 ]T [DS ]. If DS d _ read(t 1 ) s consstent, then DS d _ WS(T ) s consstent. Proof. Let DS 3 be a consstent database state such that DS d _ RS(T ) =DS d _ read(t 3 1 ). Furthermore, let [DS 3 ] TP [DS 4 ]. Let T$ be the transacton and let S$ be the schedule resultng from the executon of TP from DS 3 (note that S$=T$ ). Snce DS RS(T ) =read(t 3 ), read(t )=read(t$ ). Snce wrtes are a functon of the reads before them, T and T$ result from the executon of the same transacton program TP we have that T =T$. Snce, DS d=ds d and 1 3 T =T$, DS d _ WS(T ) 4 =DS d _ WS(T ). Snce TP s a correct transacton program, DS 4 s consstent, and the lemma has been proven. K Note that Lemma 7 requres DS d _ read(t 1 ) to be consstent f DS d _ WS(T ) s to be consstent. Consstency of DS d 1 and read(t ) does not ensure consstency of DS d _ WS(T ) snce DS d _ read(t 1 ) may not be consstent. As a result, even f DS d and read(t 1 ) are consstent, a consstent state DS 3 such that DS d _ RS(T ) =DS d _ read(t 3 1 ) may not exst. FIG. 7. Lemma 7.

CORRECTNESS OF NONSERIALIZABLE EXECUTIONS 79 Example 4. Consder a database wth data tems D= [a, b, c] and the transacton program TP 1, TP 1 : a :=c. Let IC=(a=b 7 b=c). Let d=[a, b] and let DS 1 = [(a, &1),(b, &1),(c, 1)]. Consder the executon of transacton program TP 1 from DS 1 that results n transacton T 1 : r 1 (c, 1), w 1 (a, 1). The database state DS, resultng from the executon of TP 1 from DS 1 s [(a, 1),(b, &1),(c, 1)]. Thus, even though DS d and read(t 1 1) are consstent, ther unon [(a, &1), (b, &1),(c, 1)] s nconsstent and, as a result, DS d _ WS(T 1 ) =[(a, 1),(b, &1)] s nconsstent. In Lemma 9, we use nducton to show that for every transacton T and operaton p, read(before(t, p, S)) s consstent. However, before that, as n Lemma 4, we show that f for a transacton T and an operaton p, f for all transactons T j seralzed before T, read(before(t j, p, S)) s consstent, then T 's vew set s consstent (see Fg. 5). Note that snce n the case that schedules are DR, the vew set of transactons s restrcted to contan data tems wrtten by only completed transactons. Thus, we do not need to consder partal transacton executons, and as long as an entre transacton executon preserves database consstency, the requrement n Lemma 4 for transacton programs to be fxed-structured can be relaxed. We, thus, can prove the followng lemma. Lemma 8. Let S be a DR schedule resultng from database state DS, and let p be an operaton n S. For any k, k=1,,..., l f S d k s seralzable wth seralzaton order T 1, T,..., T n, DS d k s consstent, and for all j=1,,..., &1, read(before(t j, p, S)) s consstent, then state(t, d k, S, DS) VS(T, p, d k, S) s consstent, =1,,..., n. Proof. The proof s by nducton on the number of transactons. Bass (=1). Trval, as state(t 1, d k, S, DS) d k =DS d k, whch s gven to be consstent. Inducton. Assume true for =m (1m<n), that s, f for all j=1,,..., m&1, read(before(t j, p, S)), s consstent, then state(t m, d k, S, DS) VS(T m, p, d k, S) s consstent. We need to show the above to be true for =m+1. There are two cases to consder: Case 1(after(T m, p, S){=). By IH, we know that state(t m, d k, S, DS) VS(T m, p, d k, S) s consstent. We need to show that state(t m+1, d k, S, DS) VS(T m, p, d k, S)&WS(T d k ) m s consstent, snce VS(T m+1, p, d k, S)=VS(T m, p, d k, S) &WS(T d k). From the defnton of state, we have m state(t m+1, d k, S, DS) VS(T m, p, d k, S)&WS(T d k m ) =state(t m, d k, S, DS) VS(T m, p, d k, S)&WS(T d k m ) (snce T m does not wrte data d tems n VS(T m, p, d k, S)&WS(T k m )). Snce state(t m, d k, S, DS) VS(T m, p, d k, S) s consstent, state(t m, d k, S, DS) VS(T m, p, d k, S)&WS(T d k ) m s consstent. Thus, state(t m+1, d k, S, DS) VS(T m+1, p, d k, S) s consstent. Case (after(t m, p, S)==). Snce after(t m, p, S) ==, RS(before(T m, p, S))=RS(T m ). By IH, we know that state(t m, d k, S, DS) VS(T m, p, d k, S) s consstent. By Lemma 6, RS(before(T d k, p, S))=RS(T d k )VS(T m m m, p, d k, S). Snce d e & d f =<, e{ f, and read(before(t m, p, S)) s consstent, by Lemma 1, state(t m, d k, S, DS) VS(T m, p, d k, S) _ read(t m ) s consstent. Thus, by Lemma 7, state(t m+1, d k, S, DS) VS(T m, p, d k, S) _ WS(T d k ) m s consstent. As VS(T m+1, p, d d k, S)=VS(T m, p, d k, S) _ WS(T k m ), state(t m+1, d k, S, DS) VS(T m+1, p, d k, S) s consstent. Hence t s proved. K Usng the above lemma, t s easy to see that the proof developed n the prevous secton can be used to show that for every operaton p and transacton T n a schedule S, read(before(t, p, S)) s consstent. Lemma 9. Let S be a schedule resultng from a consstent database state DS, and let p be an arbtrary operaton n S. If S s a PWSR schedule as well as DR, then for all transactons T # S, read(before(t, p, S)) s consstent. Proof. The proof s by nducton on depth( p, S). Bass (depth( p, S)=0). There are two cases: Case 1(pT ). read(before(t, p, S)=<, whch s consstent. Case (p # T ). Snce depth( p, S)=0, t follows that read(before(t, p, S))DS, whch s consstent. Inducton. Assume true for depth( p, S)=m (m0), that s, for all transactons T # S, read(before(t, p, S)) s consstent. We need to show for depth( p, S)=m+1, for all transactons T # S, read(before(t, p, S)) s consstent. Consder two cases: Case 1(pT ). Trvally by IH, read(before(t, p, S)) s consstent. Case (p # T ). Let entty( p)#d k, for some k=1,,..., l. Snce S s PWSR, S d k s seralzable. Let a seralzaton order of transactons n S d k be T1, T,..., T &1, T, T +1,..., T n.asp# T, p T j, for all j=1,,..., &1. Thus, by Case 1 of the nducton step above, read(before(t j, p, S)) s consstent, for all j=1,,..., &1. Hence, snce S s DR, by Lemma 8, state(t, d k, S, DS) VS(t, p, d k, S) s consstent. By Lemma 6, RS(before(t d k, p, S))VS(T, p, d k, S). Thus, read(before(t d k, p, S)) s consstent. By IH, read(before(t d&d k, p, S)) s consstent. Snce d e & d f =<, e{ f, by Lemma 1, read(before(t, p, S)) s consstent. K

80 RASTOGI ET AL. Thus, we can establsh the followng theorem. Theorem. Let S be a schedule that results from the executon of transactons programs. If S s both PWSR and DR, then S s strongly correct. Proof. Let DS 1 be a consstent database state that results n schedule S. Let [DS 1 ]S[DS ]. By Lemma 9, for all T # { S, read(t ) s consstent (choose p to be the last operaton n the schedule). We now show that DS d k for any k=1,,..., l s consstent. Let T 1, T,..., T n be a seralzaton order of transactons n S d k. Snce DS d k s consstent, 1 and d e & d f =<, e{ f, by Lemma 8, state(t n, d k, DS 1, S) s consstent (choose p to be the last operaton n the schedule). DS d k can be shown to be consstent by a smple applcaton of Lemma 7. Thus, by Lemma 1, DS s consstent, and hence, S s strongly correct. K 3.3. Restrctng Data Accesses In the prevous sectons, we showed that PWSR schedules are strongly correct f ether transacton programs are fxedstructured, or the schedules are DR. If, however, we can order the conjuncts n a manner that ensures that no transacton reads a data tem belongng to a hgher numbered conjunct and wrtes a data tem belongng to a lower numbered conjunct, then these requrements are unnecessary. In Example, transacton T 1 reads data tem c from conjunct C and wrtes data tem a n conjunct C 1, whle T reads data tem a from conjunct C 1 and wrtes data tem c n conjunct C. Thus, transactons T 1 and T access data tems n the conjuncts n a cyclc fashon that causes database consstency to be volated. We can formalze the requrement for the orderng between conjuncts by defnng a drected graph whch we refer to as the data access graph. The data access graph for S and IC, denoted by DAG(S, IC), conssts of a set of nodes, one for every conjunct C n IC. Furthermore, for conjuncts C, C j n IC, C {C j, there s a drected edge (C, C j ) n DAG(S, IC) f there exsts a transacton n S that reads a data tem n d and wrtes a data tem n d j. In the followng, we show that a PWSR schedule S s strongly correct f DAG(S, IC) s acyclc. We denote by { w (d, S), the set of transactons n S that have at least one wrte operaton on some data tem n d. Formally, { w (d, S)=[T # { S :(WS(T ) & d){<]. Thus, n Example 1, { w ([a, b], S)=[T 1 ]. Earler, n Lemma 7, we specfed condtons under whch the executon of a transacton preserves the consstency of a set of data tems. We now use Lemma 7 to develop condtons under whch schedules preserve the consstency of a set of data tems. Lemma 10. Let S be a schedule, dd, and DS 1 be a database state such that [DS 1 ]S[DS ]. If v S d s seralzable (let T 1, T,..., T n be a seralzaton order of transactons n S d ), v for all T # { w (d, S), f state(t, d, S, DS 1 ) s consstent, then state(t, s, S, DS 1 ) _ read(t ) s consstent, and v DS d 1 s consstent, then DS d s consstent and state(t, d, S, DS 1 ) s consstent for all, =1,,..., n. Proof. The proof s by nducton on. Bass (=1). state(t 1, d, S, DS 1 )=DS d 1, whch s gven to be consstent. Inducton. Assume true for =m (1m<n), that s, state(t m, d, S, DS 1 ) s consstent. We need to show the above for =m+1; that s, state(t m+1, d, S, DS 1 ) s consstent. Consder the followng two cases: Case 1 (T m { w (d, S)). Snce T m { w (d, S), t follows that state(t m+1, d, S, DS 1 )=state(t m, d, S, DS 1 ). By IH, snce state(t m, d, S, DS 1 ) s consstent, state(t m+1, d, S, DS 1 ) s consstent. Case (T m # { w (d, S)). Snce state(t m, d, S, DS 1 )s consstent, state(t m, d, S, DS 1 ) _ read(t m ) s consstent. By Lemma 7, state(t m+1, d, S, DS 1 ) s consstent. Thus, state(t, d, S, DS 1 ) s consstent for all, =1,,..., n. In partcular, state(t n, d, S, DS 1 ) s consstent. Thus, by Lemma 7 (usng a smlar argument as above) DS d s consstent. K Theorem 3. Let S be a PWSR schedule. If DAG(S, IC) s acyclc, then S s strongly correct. Proof. Wthout loss of generalty, let C 1, C,..., C l be a topologcal orderng of nodes n DAG(S, IC). Thus, every transacton that updates a data tem n d k only reads data tems belongng to conjuncts d 1, d,..., d k. Let DS 1 be a consstent database state that results n schedule S. Let [DS 1 ]S[DS ]. We prove by nducton on k that for all k=1,,..., l, DS d k s consstent, and for every transacton T # { S, read(t d k) s consstent. Bass (k=1). Let T 1, T,..., T n be a seralzaton order of transactons n S d 1. Snce transactons that update data tems n d 1 can only read data tems n d 1, RS(T )d 1 for all T # { w (d 1, S). Thus, for every transacton T # { w (d 1, S), snce read(t )state(t, d 1, S, DS 1 ), n state(t, d 1, S, DS 1 ) s consstent, then state(t, d 1, S, DS 1 ) _ read(t ) s consstent. Thus, by Lemma 10, DS d 1 s consstent and for all, =1,,..., n, state(t, d 1, S, DS 1 ) s consstent. Thus, for all =1,,..., n, snce read(t d 1)state(T, d 1, S, DS 1 ), read(t d 1) s consstent.