Verification of Object Relational Maps

Krishna K. Mehra, Sriram K. Rajamani (Microsoft Research India)
A. Prasad Sistla (University of Illinois at Chicago)
Sumit K. Jha (Carnegie Mellon University)

Abstract

Enterprise software systems need to deal with two dominant data models. While object oriented languages (such as Java, C#, C++) are the dominant ways to write business logic, relational databases are the dominant ways to store data. Object-Relational (OR) maps are widely used to mediate between these two data models. We present a system to verify correctness of OR maps. We formulate simple correctness conditions for OR maps, and convert these conditions to validity of formulas in first order logic. We have built a verification tool called ROUNDTRIP that is able to both validate and find errors in OR maps defined in the ESQL language of the Microsoft EDM data model.

1 Introduction

Automated methods for verifying the correctness of computer systems have gained prominence in the last decade due to their successful application to certain classes of practical problems. Such classes include verification of hardware systems such as processors, pipelines and cache coherency protocols, and low-level software such as device drivers. The area of database software has been largely untouched by these developments, partly due to the complexity of these systems. Mainstream application software that interfaces with databases needs to deal with both object oriented and relational data models. While object oriented languages such as Java and C# are in widespread use for writing business logic, relational databases continue to dominate persistent storage of data. Mediating between the object oriented and relational data models is an important problem [10, 7]. Object-Relational maps (OR maps) are the most common way to do this mediation. In this paper, we describe methods based on theorem provers for verifying OR maps and describe a tool that is based on these methods. To the best of our knowledge, ours is the first effort in this area.

There are several ways to write or semi-automatically generate OR maps, and several tools and techniques have been developed [3]. Regardless of the technique used to generate the maps, OR maps can be specified using two queries (or views):

1. a query view, Q, that maps relations in the database to objects in the program, and
2. an update view, U, that maps objects in the program to relations in the database.

If the user writes an object into a database and reads it back, it is reasonable to expect to obtain the same value that was written. More formally, the compositions Q U and U Q need to be identity maps (with appropriate integrity constraints on input domains). This condition is called the round tripping condition.

In practice, round tripping is validated using testing. Thus, several test instances of data models are generated, either manually or automatically, and the round tripping condition is checked on these instances. In this paper, we propose to use formal verification to validate round tripping of OR maps. We formulate the round tripping condition as validity of a first order logic formula. Then, we use techniques from first order logic theorem proving to check this formula. The approach has the same benefits as other successful uses of formal verification. In several cases, we can prove that an OR map works for all test inputs. In several cases, we can also automatically generate counterexamples, which are test cases that do not satisfy the round tripping condition.

Any effort to formally verify OR maps encounters two major technical difficulties:

In order to model object oriented features present in OR maps, the relational schema needs to be extended to include features such as complex types and inheritance, and the relational algebra needs to be extended with operators such as field reference, type casting, address and dereference. While translating standard rela-
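As an added illustration (not code from the paper or from ROUNDTRIP), the round tripping condition above on a tiny table-per-type map: a query view Q, an update view U, and a brute-force check of U(Q(db)) == db over small database instances, which also shows why the integrity constraint on the input domain matters. The relation names PERSON/EMPLOYEE, the referential constraint and the sample values are constructed here.

```python
from itertools import product

# Constructed schema. Relational side: PERSON(id -> name), EMPLOYEE(id -> salary),
# where an EMPLOYEE row is meant to refer to a PERSON row with the same id.
# Object side: tuples ("Person", id, name) or ("Employee", id, name, salary).

def Q(db):
    """Query view: relations -> objects. An Employee object exists only when a
    PERSON and an EMPLOYEE row share an id; an orphan EMPLOYEE row is dropped."""
    person, employee = db
    objs = set()
    for pid, name in person.items():
        if pid in employee:
            objs.add(("Employee", pid, name, employee[pid]))
        else:
            objs.add(("Person", pid, name))
    return frozenset(objs)

def U(objs):
    """Update view: objects -> relations (assumes object ids are unique)."""
    person, employee = {}, {}
    for o in objs:
        if o[0] == "Employee":
            _, pid, name, salary = o
            employee[pid] = salary
        else:
            _, pid, name = o
        person[pid] = name
    return (person, employee)

def referential_ok(db):
    """Integrity constraint on the relational input domain: no orphan EMPLOYEE rows."""
    person, employee = db
    return set(employee) <= set(person)

def round_trips(db):
    """Round tripping on the relational side: U composed with Q is the identity."""
    return U(Q(db)) == db

def find_counterexample(constraint):
    """Enumerate small instances over ids {1, 2}; return the first database that
    satisfies `constraint` but violates round tripping, or None if none exists."""
    ids = [1, 2]
    for p_mask, e_mask in product(product([0, 1], repeat=2), repeat=2):
        person = {i: "n" for i, m in zip(ids, p_mask) if m}
        employee = {i: 10 for i, m in zip(ids, e_mask) if m}
        db = (person, employee)
        if constraint(db) and not round_trips(db):
            return db
    return None
```

Without the referential constraint the search reports an orphan EMPLOYEE row as a counterexample; with it, every enumerated instance round trips.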