Executable First-Order Queries in the Logic of Information Flows

The logic of information flows (LIF) has recently been proposed as a general framework in the field of knowledge representation. In this framework, tasks of procedural nature can still be modeled in a declarative, logic-based fashion. In this paper, we focus on the task of query processing under limited access patterns, a well-studied problem in the database literature. We show that LIF is well-suited for modeling this task. Toward this goal, we introduce a variant of LIF called"forward"LIF (FLIF), in a first-order setting. FLIF takes a novel graph-navigational approach; it is an XPath-like language that nevertheless turns out to be equivalent to the"executable"fragment of first-order logic defined by Nash and Lud\"ascher. One can also classify the variables in FLIF expressions as inputs and outputs. Expressions where inputs and outputs are disjoint, referred to as io-disjoint FLIF expressions, allow a particularly transparent translation into algebraic query plans that respect the access limitations. Finally, we show that general FLIF expressions can always be put into io-disjoint form.


Introduction
An information source is said to have a limited access pattern if it can only be accessed by providing values for a specified subset of the attributes; the source will then respond with tuples giving values for the remaining attributes.A typical example is a restricted telephone directory D(name; tel) that will show the phone numbers for a given name, but not the other way around.For another example, the public bus company may provide its weekdays schedule as a relation Route(stop, interval; time, line, next, duration) that, given a (1) We offer a new perspective on databases with access limitations, by viewing them as a graph.The nodes of the graph are valuations; the edges denote access to information sources.The start node of an edge provides values to input variables, and the end node provides values to output variables.(2) Our perspective opens the door to using a graph query language to query databases with access limitations.Standard navigational graph query languages [PAG10, FGL + 15, LMV13, SFG + 15, AAB + 17] have a logical foundation in Tarski's algebra of binary relations [Tar41,Mad91,Pra92,tCM07].However, in our situation, nodes in a graph are not abstract elements, but valuations that give values to variables.(3) Interestingly, LIF, in its first-order version, can be understood exactly as the desired extension of Tarski's algebra to binary relations of valuations.LIF is a dynamic logic: like first-order dynamic logic [HKT00] or dynamic predicate logic [GS91], expressions of LIF are not satisfied by single valuations, but by pairs of valuations.Such pairs represent transitions of information.However, LIF is very general and has operators, such as converse, or cylindrification, which do not rhyme with the limited access to information sources that we want to target in this work.Therefore, in this paper, we introduce FLIF, an instantiation of the LIF framework where information can only flow forward.Like navigational graph query languages, FLIF expressions define sets of pairs of valuations so that there is a path in the graph from the first valuation of the pair to the second.(4) We show that FLIF is equivalent in expressive power to executable FO, an elegant syntactic fragment of first-order logic introduced by Nash and Ludäscher [NL04].Formulas of executable FO can be evaluated over information sources in such a way that the limited access patterns are respected.Furthermore, the syntactical restrictions are not very severe and become looser the more free variables are declared as inputs.
The notion of database instance remains the standard one.Formally, we fix a countably infinite universe dom of atomic data elements, also called constants.Now an instance D of a schema S assigns to each relation name R an ar (R)-ary relation D(R) on dom.We say that D is finite if every relation D(R) is finite.The active domain of D, denoted by adom(D), is the set of all constants appearing in the relations of D.
The syntax and semantics of first-order logic (FO, relational calculus) over S is well known [AHV95].The set of free variables of an FO formula φ is denoted by fvars(φ).Moreover, in formulas, we allow constants only in equalities of the form x = c, where x is a variable and c is a constant.As we mentioned earlier, in writing relation atoms, we find it clearer to separate input arguments from output arguments by a semicolon.Thus, we write relation atoms in the form R(x; ȳ), where x and ȳ are tuples of variables such that the length of x is iar (R) and the length of ȳ is oar (R).For example, the relation atom R(x, z; y, y, z) indicates that R is a relation name with ar (R) = 5 and iar (R) = 2; consequently, oar (R) = 3.
We use the "natural" semantics [AHV95] and let variables in formulas range over the whole of dom.Formally, an X-valuation is a valuation defined on a set X of variables, and precisely, it is a mapping ν : X → dom.We will often not specify the set X of variables a valuation is defined on when it is clear from context.It is convenient to be able to apply valuations also to constants, agreeing that ν(c) = c for any valuation ν and any c ∈ dom.Moreover, in general, for a valuation ν, a variable x, and a constant c, we use ν[x := c] for the valuation that is the same as ν except that x is mapped to c. Additionally, we say that two valuations ν 1 and ν 2 agree on (outside) a set of variables X when ν 1 (x) = ν 2 (x) for every variable x ∈ X (x ̸ ∈ X).Finally, given an instance D of S, an FO formula φ over S, and a valuation ν defined on fvars(φ), the definition of when φ is satisfied by D and ν, denoted by D, ν |= φ, is standard.6:5

Forward LIF
In this section, we introduce the language FLIF. 1 The language itself is a form of dynamic logic.Indeed, the semantics of any FLIF expression is defined as a set of pairs of valuations.The operators are an algebraization of first-order logic connectives.Although FLIF is a dynamic algebraic form of first-order logic, it is notable that it lacks quantification operators, which makes it especially simple.
Syntax and semantics of FLIF: atomic expressions.The central idea is to view a database instance as a graph.The nodes of the graph are all possible valuations on some set of variables (hence the graph is infinite.)The edges in the graph are labeled with atomic FLIF expressions.Some of the edges are merely tests (i.e., self-loops), while other edges represent a change in the state.
Syntactically, over a schema S and a set of variables V, there are five kinds of atomic expressions τ , given by the following grammar: Here, R(x; ȳ) is a relation atom over S as in first-order logic with x and ȳ being tuples of variables in V, x and y are variables from V, and c is a constant.The atomic expressions (x = y) and (x = c) are equality tests, while the expressions (x := y) and (x := c) are assignment expressions.From the grammar, we see that any atomic expression τ is defined such that vars(τ ) ⊆ V where vars(τ ) is the set of variables used in τ .
Semantically, given an instance D of S, a set of variables V, and an atomic expression τ over S and V, we define the set of τ -labeled edges in the graph view of D as a set τ V D of ordered pairs of V-valuations, as follows.
(1) R(x; ȳ) V D is the set of all pairs (ν 1 , ν 2 ) of V-valuations such that the concatenation ν 1 (x) • ν 2 (ȳ) belongs to D(R), and ν 1 and ν 2 agree outside the variables in ȳ. (2 Note that each τ V D , being a set of ordered pairs of valuations, is a binary relation on valuations.When V is understood, we will feel free to omit the superscript in τ V D .Example 2.2.Consider a set of variables V = {x, y, z} and a schema S with two binary relation names B and T , both of input arity one.In the rest of the example, assume that dom ⊇ {1, 2, 3, 4, 5} and that we have an instance D of S that assigns the relation names to the following binary relations: Intuitively, you could think of B and T as relations of source-destination pairs of stations that could be reached by bus (B) or train (T ) respectively.Figure 1 shows a tiny fragment of the graph view of D. It shows only three valuations and all labeled edges between these three valuations.We depict valuations by three consecutive squares with the first being the value of x, the second being the value of y, and the third being the value of z.
For another illustration of the same graph view, let us consider the following atomic expressions: B(x; x), B(x; y), T (y; z), (x := z), and (x = z).Figure 2 depicts the entire binary relations on valuations τ V D for these five atomic expressions τ .For each of these examples, we give a table below that shows its semantics (i.e., pairs of V-valuations).In this depiction, ' * ' means that the value of the variable could be anything in the domain, i.e., the variable in that valuation is not restricted to a specific value.Furthermore, when, in some pair, we put '−' in both slots for some variable u, we mean that the value for u could be anything on condition that it is the same on the left and right.
Syntax and semantics of FLIF: operators.The syntax of all FLIF expressions α (still over schema S and set of variables V) is now given by the following grammar: x y z x y z Here, τ ranges over atomic expressions over S and V, as defined above.The semantics of the composition operator ';' is defined as follows: Note that we are simply taking the standard composition of two binary relations on valuations.
Similarly, the semantics of the set operations are standard union and set difference on binary relations on valuations.
We see that FLIF expressions describe paths in the graph, in the form of source-target pairs.Composition is used to navigate through the graph, and to conjoin paths.Paths can be branched using union, and excluded using set difference.
Remark 2.4.Sometimes, in writing FLIF expressions, we omit parentheses around (sub)expressions involving composition since it is an associative operator.Also, we give precedence to composition over the set operations.
Example 2.5.Consider a simple Facebook abstraction with a single binary relation F of input arity one.When given a person as input, F returns all their friends.We assume that this relation is symmetric.
To illustrate the dynamic nature of FLIF, over just a single variable V = {x}, the expression F (x; x); F (x; x); F (x; x) describes all pairs (ν 1 , ν 2 ) such that there is a path of length three from ν 1 (x) to ν 2 (x).
For another example, suppose, for an input person x (say, a famous person), we want to find all people who are friends with at least two friends of x.Formally, we want to navigate from a valuation ν 1 giving a value for x, to all valuations ν 2 giving values to variables y 1 , y 2 , and z, such that • ν 2 (y 1 ) and ν 2 (y 2 ) are both friends with ν 1 (x); • ν 2 (z) is friends with both ν 2 (y 1 ) and ν 2 (y 2 ); and This can be done by the FLIF expression α − (α ; (y 1 = y 2 )), where α is the expression F (x; y 1 ) ; F (x; y 2 ) ; F (y 1 ; z) ; F (y 2 ; z 1 ) ; (z = z 1 ).
Note that using the extra variable z 1 is needed, since using F (y 2 ; z) instead would result in overwriting the value of the variable z set by the variable y 1 .
Without the use of the extra variable, we could alternatively define α by the intersection α 1 ∩ α 2 , where α i is the expression F (x; y 1 ) ; F (x; y 2 ) ; F (y i ; z).We are using the intersection operator here, which is formally not part of FLIF as defined, but easily expressible as Remark 2.6.In the above example, it would be more efficient to simply write α ; (y 1 ̸ = y 2 ).For simplicity, we have not added nonequality tests in FLIF as they are formally redundant in the presence of set difference, but they can easily be added in practice.The purpose of this paper is to introduce the formal foundation of FLIF; clearly, a practical language based on FLIF will include arithmetic comparisons and operations.
The evaluation problem for FLIF expressions.Given that FLIF expressions navigate paths in the graph view of a database instance D, the natural use of FLIF is to provide an input valuation ν in to an expression α, and ask for all output valuations ν out such that (ν in , ν out ) ∈ α D .Formally, we define: Definition 2.7 (The evaluation problem Eval V α (D, ν in ) for FLIF expression α over V).Given a database instance D and a V-valuation ν in , the task is to compute the set Assume we have effective access to the relations R of D, in the following sense.If R has input arity i and output arity o, and given an i-tuple t 1 , we can effectively retrieve the set of o-tuples t 2 such that t 1 • t 2 belongs to D(R).Moreover, this set is assumed to be finite.Assuming such effective access, which is needed for the evaluation of atomic expressions of the form R(x; ȳ), it is now obvious how more complex expressions can be evaluated.Indeed, other atomic expressions are just assignments or tests, and operations of FLIF are standard operations on binary relations.In Section 7, we will give an explicit description of this evaluation algorithm, for the "io-disjoint" fragment of FLIF, in terms of relational algebra plans.Nevertheless, the obvious evaluation algorithm described informally above can always be applied, also for FLIF expressions that are not io-disjoint.
Example 2.8.Recall the expression F (x; x) ; F (x; x) ; F (x; x) from Example 2.5 over V = {x}.On input a valuation ν in on {x}, the evaluation will return all valuations ν out on {x} such that there is a path of length three from ν in (x) to ν out (x).

Executable FO
Let us recall the language known as executable FO (cf. the Introduction).Executability of formulas is a syntactic notion.In the literature, a lot of work has focused on the problem of trying to rewrite arbitrary FO formulas into executable form [NL04, RSU95, Li03, DLN07, CM08b, BLT15, BtCT16, CMRU17].However, in this paper, we are focusing instead on using executable FO as a gauge for accessing the expressiveness of our new language FLIF.(Indeed, we will show that FLIF and executable FO are equivalent.)Hence, in this paper, we work only with executable FO formulas and not with arbitrary FO formulas.
The notion of when a formula is executable is defined relative to a set of variables V, which specifies the variables for which input values are already given.Beware (in line with established work in the area [Li03,NL04]) that the notion of executability here is syntactic, and dependent on how subformulas are ordered within the formula.One may think of the notion of executability discussed in this paper as a "left-to-right" executability, which shall be clear from the following examples.Indeed, we begin with a few examples.
• Let φ be the formula R(x; y).As mentioned above, this notation makes clear that the input arity of R is one.If we provide an input value for x, then the database will give us all y values such that R(x, y) holds.Indeed, φ will turn out to be {x}-executable.
Giving a value for the first argument of R is mandatory, so φ is neither ∅-executable nor {y}-executable.However, it is certainly allowed to provide input values for both x and y; in that case we are merely testing if R(x, y) holds for the given pair (x, y).Thus, φ is also {x, y}-executable.In general, a V-executable formula will also be V ′ -executable for any V ′ ⊇ V. • Also, the formula ∃y R(x; y) is {x}-executable.In contrast, the formula ∃x R(x; y) is not, because even if a value for x is given as input, it will be ignored due to the existential quantification.In fact, the latter formula is not V-executable for any V. • The formula R(x; y) ∧ S(y; z) is {x}-executable, intuitively because each y returned by the formula R(x; y) can be fed into the formula S(y; z), which is {y}-executable in itself.
In contrast, the semantically equivalent formula S(y; z) ∧ R(x; y) is not {x}-executable, because we need a value for y to execute the formula S(y; z).However, the entire formula is {y, x}-executable.• The formula R(x; y) ∨ S(x; z) is not {x}-executable, because any y returned by R(x; y) would already satisfy the formula, leaving the variable z unconstrained.This would lead to an infinite number of satisfying valuations.The formula is neither {x, z}-executable; if S(x, z) holds for the given values for x and z, then y is left unconstrained.Of course, the formula is {x, y, z}-executable.• For a similar reason, ¬R(x; y) is only V-executable for V containing x and y.
V-executable Formulas.We now define, formally, for any set of variables V, the set of V-executable formulas are defined as follows.Our definition closely follows the original definition by Nash and Ludäscher [NL04]; we only add equalities and constants to the language.
• An equality x = y, for variables x and y, is V-executable if at least one of x and y belongs to V. • An equality x = c, for a variable x and a constant c, is always V-executable.
Note that universal quantification is not part of the syntax of executable FO.
Example 3.2.Recall the query considered in Example 2.5, asking for all triples (y 1 , y 2 , z) such that, for some input x, we have F (x; y 1 ), F (x; y 2 ), F (y 1 ; z), F (y 2 ; z), and y 1 and y 2 are different.The natural FO formula for this query is indeed {x}-executable: Note that the above executable FO formula and FLIF expression from Example 2.5 are quite similar in their structure.The main difference is the use of the extra variable z 1 which was explained in Example 2.5.
Remark 3.3.Continuing Remark 1.1, in an extended setting where multiple access patterns are possible for the same relation, the simple syntax we use both in FLIF and in executable FO needs to be changed.Instead of relation atoms of the form R(x; ȳ) we would use adornments, which is a standard syntax in the literature on access limitations.For example, if a ternary relation R can be accessed by giving inputs to the first two arguments, or to the first and the third, then both R iio (x, y, z) and R ioi (x, y, z) would be allowed relation atoms.
Given an FO formula φ and a finite set of variables V such that φ is V-executable, we describe the following task: Definition 3.4 (The evaluation problem Eval φ,V (D, ν in ) for φ with input variables V).Given a database instance D and a valuation ν in on V, compute the set of all valuations ν on V ∪ fvars(φ) such that ν in ⊆ ν and D, ν |= φ.
As mentioned in the Introduction, this problem is known to be solvable by a relational algebra plan respecting the access patterns.In particular, if D is finite, the output is always finite: each valuation ν in the output can be shown to take only values in adom(D) ∪ ν in (V). 2 3.1.From Executable FO to FLIF.After introducing FLIF and executable FO, we observe that executable FO formulas translate rather nicely to FLIF expression as given by the following Theorem.
Theorem 3.5.Let φ be a V-executable formula over a schema S.There exists an FLIF expression α over S and a set of variables V ⊇ fvars(φ)∪V such that for every D, V-valuation ν in , and Example 3.6.Before giving the proof, we give a few examples.Note that in all the following examples, we only consider sets of input variables V with V ⊆ fvars(φ).
2 Actually, a stronger property can be shown: only values that are "accessible" from νin in D can be taken [BLtCT16], and if this accessible set is finite, the output of the evaluation problem is finite.
• Suppose φ is R(x; y) with input variable x.Then, as expected, α can be taken to be R(x; y).Suppose we have the same formula with V = {x, y}.Intuitively, the formula asks for outputs (u) where u equals y.Hence, α can be taken to be R(x; u); (u = y).Note that the FLIF expression R(x; y) is not a correct translation since the value of y may change from the value given by V. • Now, consider T (x; x, y), again with input variable x.Intuitively, the formula asks for outputs (u, y) where u equals x.Hence, a suitable FLIF translation is T (x; u, y) ; (u = x).
Note that the FLIF expression T (x; x, y) is not semantically equivalent since the value of x is changeable due to the dynamic semantics of FLIF.• If φ is R(x; y) ∧ S(y; z), still with input variable x, we can take R(x; y) ; S(y; z) for α.The same expression also serves for the formula ∃y φ.
Similarly, S(y; ) is translated to S(y; ).Then, the final α can be taken to be R(x; u) ; (x = u) ∪ S(y; ).• A new trick must be used for negation.For example, if φ is ¬R(x; y) with V = {x, y}, then α can be taken to be (u := 42) − R(x; u) ; (u = y) ; (u := 42).Composing each side of '−' with the same dummy assignment to u is required since the value of the u in the second operand should not affect the result of the needed negation.
Proof Sketch of Theorem 3.5.We only describe the translation; its correctness is proven in Section 6.1.If φ is a relation atom R(x; ȳ), then α is R(x; z);ξ, where z is obtained from ȳ by replacing each variable from V by a fresh variable.The expression ξ consists of the composition of all equalities (y i = z i ) where y i is a variable from ȳ that is in V and z i is the corresponding fresh variable. If then by induction we have an expression α 1 for φ 1 and V ∩ fvars(φ 1 ), and an expression α 2 for φ 2 and (V ∪ fvars(φ 1 )) ∩ fvars(φ 2 ).Now α can be taken to be If φ is ∃x φ 1 , then without loss of generality we may assume that x / ∈ V.By induction, we have an expression α 1 for φ 1 and V.This expression also works for φ.
If φ is φ 1 ∨ φ 2 , then by induction we have an expression α i for φ i and V, for i = 1, 2. Now α can be taken to be Finally, if φ is ¬φ 1 , then by induction we have an expression α 1 for φ 1 and V. Fix an arbitrary constant c, and let ξ be the composition of all expressions (z := c) for z ∈ vars(α 1 ) − V. (If that set is empty, we add an extra fresh variable.)Then α can be taken to be ξ − α 1 ; ξ.

3.2.
From FLIF to executable FO.The previous translation shows that FLIF is expressive enough, in the sense that executable FO formulas can be translated into FLIF expressions such that they evaluate to the same set of valuations starting from the same assignment.It turns out that the converse translation is also possible, so, FLIF exactly matches executable FO in expressive power.
Actually, two distinct translations from FLIF to executable FO are possible: (1) A somewhat rough translation, which translates every FLIF expression on a set of variables V to an equivalent V-executable formula that uses thrice the number of variables in V; (2) A much finer translation, which often results in V-executable formulas with a much smaller set V than the entire V.This set V will consist of the "input variables" of the given FLIF expression.We will this idea further in Sections 4 and 5. Next, we proceed with the rough translation.Assume V = {x 1 , . . ., x n }.Since the semantics of FLIF expressions on V involves pairs of V-valuations, we introduce a copy V y = {y 1 , . . ., y n } disjoint from V. For clarity, we also write V x for V.By FO[k] we denote the fragment of first-order logic that uses only k distinct variables [Lib04].
The following proposition is a variant of a result shown in our companion paper on LIF [ABS + 23, Proposition 7.9].That result is for a larger language LIF, but it does not talk about executability.
Proposition 3.7.Let S be a schema, and V x a set of n variables.Then, for every FLIF expression α over S and V x , there exists a V x -executable FO[3n] formula φ α over S with free variables in The proof is by induction on the structure of α.First, we introduce a third copy V z = {z 1 , . . ., z n } of V.Moreover, for every u, v ∈ {x, y, z} we define ρ uv as follows: Using these functions, we can translate a valuation ν on V = V x to a corresponding valuation on V u with u ∈ {y, z}.Clearly, the function composition in ν • ρ ux does this job.
In the first part of the proof, we actually show a stronger statement by induction, namely that for each α and for every u ̸ = v ∈ {x, y, z} there is a formula Since the notations x, y, z, u and v are taken, we use notations a, b and c for variables and d for constants.
In the rest of the proof, we verify that φ uv α is indeed V u -executable.As for the atomic FLIF expressions, this is clear.
In case α = α 1 ∪ α 2 , we know by induction that both φ uv α 1 and φ uv α 2 are V u -executable.For φ uv α to be V u -executable, it must be the case that fvars( Now, consider the case α = α 1 − α 2 .We know by induction that both φ uv α 1 and φ uv α 2 are V u -executable.For φ uv α to be V u -executable, it must be the case that fvars(φ uv α 2 ) ⊆ fvars(φ uv α 1 ) which is true since fvars(φ uv α 1 ) = V u ∪ V v = fvars(φ uv α 2 ).Finally, consider the case α = α 1 ; α 2 .We know by induction that φ uw α 1 is V u -executable and φ wv α 2 is V w -executable.It is clear that V w ⊆ fvars(φ uw α 1 ), consequently, the formula φ uw α 1 ∧ φ wv α 2 is V u -executable.Hence, since V u and V u are disjoint, the same formula is (V u − V w )-executable which is sufficient to show that φ uv α itself is V u -executable.Although the previous translations show that FLIF and executable FO are effectively equivalent in expressive power, the translation from FLIF to executable FO overlooks some of the interesting relations between both formalisms and moreover, it uses lots of variables unnecessarily.This is best shown by example.
Example 3.8.Consider the FLIF expression α = R(x 1 ; x 1 ) ; R(x 1 ; x 1 ) ; R(x 1 ; x 1 ) where V x = {x 1 }.According to the procedure given in the proof of Proposition 3.7, the resultant φ α would be In contrast, consider the FLIF expression α = R(x 1 ; x 2 ) ; R(x 2 ; x 3 ) ; R(x 3 ; x 4 ) where However, it is clear that taking φ α to be R(x 1 ; x 2 ) ∧ R(x 2 ; x 3 ) ∧ R(x 3 ; x 4 ) would work fine, in the sense that given an arbitrary {x 1 }-valuation ν and any V x -valuation ν ′ that is an extension of ν (i.e., ν ′ ⊇ ν), α and φ α would evaluate to the same set of V x -valuations as stated below (where D below is an arbitrary instance): ) This shows that the values provided for {x 2 , x 3 , x 4 } in ν ′ to evaluate the expression α are not important since their values would be overwritten regardless of what ν ′ sets them to.Stated differently, variables x 2 , x 3 , x 4 are outputs of α, but not inputs; the only input variables for α is x 1 .
In the next section, we develop the notions of input and output variables of FLIF expressions more formally.Then in Section 5.2, we will give an improved translation from FLIF to executable FO taking inputs into account.

Inputs and outputs of forward LIF
In this section, we introduce inputs and outputs of FLIF expressions.In every expression, we can identify the input and the output variables.Intuitively, the output variables are those that can change value along the execution path; the input variables are those whose values at the beginning of the path are needed in order to know the possible values for the output variables.These intuitions will be formalized below.We first give some examples.
Table 1: Input and output variables of FLIF expressions.In the case of R(x; ȳ), the set X is the set of variables in x, and the set Y is the set of variables in ȳ.Recall that △ is symmetric difference.
• In both expressions given for α from Example 2.5, the only input variable is x, and the other variables are output variables.• FLIF, in general, allows expressions where a variable is both input and output.For example, consider the relation Swap of input arity two that holds of quadruples of the form (a, b, b, a) for a and b in the dom, so the values of the first two arguments are swapped in the second two.Then, using the expression Swap(x, y; x, y) would result in having the values of x and y swapped.Formally, this expression defines all pairs of valuations (ν 1 , ν 2 ) such that ν 2 (x) = ν 1 (y) and ν 2 (y) = ν 1 (x) (and ν 2 agrees with ν 1 on all other variables).• On the other hand, for the expression R(x; y 1 ) ∪ S(x; y 2 ), the output variables are y 1 and y 2 .Indeed, consider an input valuation ν 1 with ν 1 (x) = a.The expression pairs ν 1 either with a valuation giving a new value for y 1 , or with a valuation giving a new value for y 2 .However, y 1 and y 2 are also input variables (together with x).Indeed, when pairing ν 1 with a valuation ν 2 that sets y 2 to some b for which S(a, b) holds, we must know the value of ν 1 (y 1 ) so as to preserve it in ν 2 .A similar argument holds for y 2 .
The semantic properties that we gave above as intuitions for the notions of inputs and outputs are undecidable in general (see related work Section 8).Here, we will work with syntactic approximations.Definition 4.2.For any FLIF expression α, its sets I(α) and O(α) of input and output variables are defined in Table 1.
Note that previously we have used vars(α) to denote the set of all variables occurring in the expression α.Since FLIF has no explicit quantification, this is precisely the union of I(α) and O(α).From now on, we will also refer to this set as the free variables.
Next we establish three propositions that show that our definition of inputs and outputs, which is purely syntactic, reflects actual properties of the semantics.(See Section 8 on related work for their proofs.) The first proposition confirms an intuitive property and can be straightforwardly verified by induction.
The second proposition confirms, as announced earlier, that the semantics of expressions depends only on the free variables; outside vars(α), the binary relation α D is cylindrical, i.e., contains all possible data elements. 3An illustration of this was already given in Figure 2, using the asterisk indications.
Proposition 4.4 (Free variable property).Let (ν 1 , ν 2 ) ∈ α D and let ν ′ 1 and ν ′ 2 be valuations such that • ν ′ 1 agrees with ν 1 on vars(α), and 2 agrees with ν 2 on vars(α), and agrees with ν ′ 1 outside vars(α).Then also The third proposition is the most important one.It confirms that the values for the input variables determine the values for the output variables.
Proposition 4.5 (Input-output determinacy).Let (ν 1 , ν 2 ) ∈ α D and let ν ′ 1 be a valuation that agrees with ν 1 on I(α).Then there exists a valuation ν ′ 2 that agrees with ν 2 on O(α), such that (ν ′ 1 , ν ′ 2 ) ∈ α D .By inertia, we can see that the valuation ν ′ 2 given by the above proposition is unique.Moreover, using the free variable property, we showed the input-output determinacy property is equivalent to the following alternative form.Lemma 4.6 (Input-output determinacy, alternative form).Let (ν 1 , ν 2 ) ∈ α D and let ν ′ 1 be a valuation that agrees with ν 1 on I(α) as well as outside O(α).Then also (ν ′ 1 , ν 2 ) ∈ α D .Intuitively, it is easier to work with the alternative form since we have to consider only three valuations instead of four in the original form.
We are now in a position to formulate a new version of the FLIF evaluation problem that takes the inputs into consideration.Given an expression α, we consider the following task:4 Definition 4.8 (The evaluation problem Eval α (D, ν in ) for α).Given a database instance D and a valuation ν in on I(α), the task is to compute the set Vol. 20:2

EXECUTABLE FO & FLIF 6:17
By inertia and input-output determinacy, the choice of ν ′ in in the above definition of the output does not matter.We show this formally in the next Remark.
Remark 4.9.The above definition improves on Definition 2.7 in that it is formally independent of the encompassing universe V of variables; it intrinsically only depends on the input and output variables of α.Indeed, formally, given any FLIF expression α on V, and any V-valuation ν, it is not hard to see that the following equivalence holds: It suffices to show the '⊆' direction; the other direction is clear from the definitions.Let ν be a V-valuation.Suppose that there exists an arbitrary V-valuation ν in such that ν in ⊇ ν| I(α) (i.e., ν in = ν on I(α)) and (ν in , ν out ) ∈ α V D .We want to show that there exists a valuation ν ′ out such that (ν, ν ′ out ) ∈ α V D and ν out = ν ′ out on vars(α).From the facts that ν = ν in on I(α) and that (ν in , ν out ) ∈ α V D , it follows by input-output determinacy that there exists a valuation ν ′ out such that (ν, ν ′ out ) ∈ α V D and ν ′ out = ν out on O(α).It remains to verify that ν ′ out = ν out on I(α) − O(α).Indeed, this is true since , where the first and third equalities hold because of inertia and having both (ν in , ν out ) and (ν, ν ′ out ) in α V D .The middle equality follows from the fact that ν = ν in on I(α).
Consider an FLIF expression α for which the set O(α) is disjoint from I(α).Then any pair (ν 1 , ν 2 ) ∈ α D satisfies that ν 1 and ν 2 are equal on I(α).Put differently, every ν out ∈ Eval α (D, ν in ) is equal to ν in on I(α); all that the evaluation does is expand the input valuation with output values for the new output variables.This makes the evaluation process for expressions α where I(β) ∩ O(β) = ∅, for every subexpression β of α (including α itself), very transparent in which input slots remain intact while output slots are being filled.We call such expressions io-disjoint.
Example 4.10.Continuing Example 2.5 (friends), the expression F (x; x) is obviously not io-disjoint.Evaluating this expression will overwrite the variable x with a friend of the person originally stored in x.In contrast, both expressions given for α in Example 2.5 are io-disjoint.Also the expression R(x 1 ; x 2 ) ; R(x 2 ; x 3 ) ; R(x 3 ; x 4 ) from Example 3.8 is io-disjoint.Finally, the expression R(x; y 1 ) ∪ S(x; y2) already seen in Example 4.1 is not io-disjoint.
Formally, we have the following useful property, which follows from inertia and inputoutput determinacy.
Proposition 4.11 (Identity property).Let α be an io-disjoint expression and let D be an instance.
Intuitively, the identity property holds because, if in ν 1 the output slots would accidentally already hold a correct combination of output values, then there will exist an evaluation of α that merely confirms these values.This property can be interpreted to say that io-disjoint expressions can be given a "static" semantics; we could say that a single valuation ν satisfies α when (ν, ν) belongs to the dynamic semantics.This brings io-disjoint expressions closer to the conventional static semantics (single valuations) of first-order logic.Indeed, this will be confirmed in the next Section.
Example 4.12.The identity property clearly need not hold for expressions that are not io-disjoint.For example, continuing the friends example, for the expression F (x; x), a person need not be a friend of themselves.
The following proposition makes it easier to check if an expression is io-disjoint: Proposition 4.13.The following alternative definition of io-disjointness is equivalent to the definition given above: where X is the set of variables in x, and Y is the set of variables in ȳ. • Atomic expressions of the form (x = y), (x = c), (x := y) or (x := c) are io-disjoint.
• A composition α 1 ; α 2 is io-disjoint if α 1 and α 2 are, and moreover The fragment of io-disjoint expressions is denoted by FLIF io .In the next section, we are going to show that FLIF io is expressive enough, in the sense that FLIF expressions can be simulated by FLIF io expressions that have the same set of input variables.Furthermore, we will give the improved translation from FLIF io to executable FO, which takes inputs into account.

Io-disjoint FLIF
We begin this section by showing that any FLIF expression can be converted to an io-disjoint one.We will first discuss the problem and its complications by means of illustrative examples.After that, we formulate the precise theorem and give a constructive method to rewrite FLIF expressions into io-disjoint ones.

5.1.
From FLIF to io-disjoint FLIF.In this section, we are discussing a possible approach to translate general FLIF expressions into io-disjoint ones that simulate the original expressions; we also discuss what "simulate" can mean.For instance, we will see that we have to use extra variables in order to get io-disjointness.An appropriate notion of simulation will then involve renaming of output variables.
For example, we rewrite R(x; x) to R(x; y) and declare that the output value for x can now be found in slot y instead.This simple idea, however, is complicated when handling the different operators of FLIF.These complications are discussed next.

Complications of Translation.
When applying the simple renaming approach to the composition of two expressions, we must be careful, as an output of the first expression can be taken as input in the second expression.In that case, when renaming the output variable of the first expression, we must apply the renaming also to the second expression, but only on the input side.For example, R(x; x) ; S(x; x) is rewritten to R(x; y) ; S(y; z).Thus, the output x of the overall expression is renamed to z; the intermediate output x of the first expression is renamed to y, as is the input x of the second expression.
Obviously, we must also avoid variable clashes.For example, in R(x; x) ; S(y; y), when rewriting the subexpression R(x; x), we should not use y to rename the output x to, as this variable is already in use in another subexpression.
Another subtlety arises in the rewriting of set operations.Consider, for example, the union R(x; y) ∪ S(x; z).As discussed in Example 4.10, this expression is not io-disjoint: the output variables are y and z, but these are also input variables, in addition to x.To make the expression io-disjoint, it does not suffice to simply rename y and z, say, to y 1 and z 1 .We can, however, add assignments to both sides in such a way to obtain a formally io-disjoint expression: R(x; y 1 ) ; (z 1 := z) ∪ S(x; z 1 ) ; (y 1 := y).The above trick must also be applied to intermediate variables.For example, consider T (; ) ∪ (S(; y) ; R(y; y)).Note that T is a nullary relation.This expression is not io-disjoint with y being an input variable as well as an output variable.The second term is readily rewritten to S(; y 1 );R(y 1 ; y 2 ) with y 2 the new output variable.Note that y 1 is an intermediate variable.The io-disjoint form becomes T (; ) ; (y 1 := y) ; (y 2 := y) ∪ S(; y 1 ) ; R(y 1 ; y 2 ).
In general, it is not obvious that one can always find a suitable variable to set intermediate variables from the other subexpression to.In our proof of the theorem we prove formally that this is always possible.
A final complication occurs in the treatment of difference.Intermediate variables used in the rewriting must be reset to the same value in both subexpressions, since the difference operator is sensitive to the values of all variables.For example, let α be the expression S(; x) ; R(x; u, x) − T (; ).We have I(α) = O(α) = {x, u}.Suppose we want to rename the outputs x and u to x 1 and u 1 respectively.As before, the subexpression on the lhs of the difference operator is rewritten to S(; x 2 ) ; R(x 2 ; u 1 , x 1 ) introducing an intermediate variable x 2 .Also as before, x 1 and u 1 need to be added to the rewriting of T (; ) which does not have x and u as outputs.But the new complication is that x 2 needs to be reset to a common value (we use x here) for the difference of the rewritten subexpressions to have the desired semantics.We thus obtain the overall rewriting S(; x 2 ) ; R(x 2 ; u 1 , x 1 ) ; (x 2 := x) − T (; ) ; (x 2 := x) ; (u 1 := u) ; (x 1 := x).

Statement of the theorem.
As the overall idea behind the above examples was to rename the output variables, our aim is clearly the following theorem, with ρ playing the role of the renaming:5 Theorem 5.1.Let α be an FLIF expression and let ρ be a bijection from O(α) to a set of variables disjoint from vars(α).There exists an FLIF io expression β such that (1) (3) for every instance D and every valuation ν 1 , we have Here, V is any set of variables containing vars(α) and vars(β).
In the above theorem, we must allow O(β) to be a superset of ρ(O(α)) (rather than being equal to it), because we must allow the introduction of auxiliary (intermediate) variables.For example, let α be the expression S(x; ) − R(x; x).Note that O(α) is empty.Interpret S as holding bus stops and R as holding bus routes.Then α represents an information source with limited access pattern that takes as input x, and tests if x is a bus stop to where the bus would not return if we would take the bus at x. Assume, for the sake of contradiction, that there would exist an io-disjoint expression β as in the theorem, but with O(β) = O(α) = ∅.Since I(β) must equal I(α) = {x}, the only variable occurring in β is x.In particular, β can only mention R in atomic subexpressions of the form R(x; x), which is not io-disjoint.We are forced to conclude that β cannot mention R at all.Such an expression, however, can never be a correct rewriting of α.Indeed, let D be an instance for which α D is nonempty.Hence β D is nonempty as well.Now let D ′ be the instance with D ′ (S) = D(S) but D ′ (R) = ∅.Then α D ′ becomes clearly empty, but β D ′ = β D remains nonempty since β does not mention R.

Variable renaming.
In the proof of our theorem we need a rigorous way of renaming variables in FLIF expressions.The following lemma allows us to do this.It confirms that expressions behave under variable renamings as expected.The proof by structural induction is straightforward.
As to the notation used in the lemma, recall that V is defined to be the universe of variables.For a permutation θ of V, and an expression α, we use θ(α) for the expression obtained from α by replacing every occurrence of any variable x by θ(x).
Lemma 5.2 (Renaming Lemma).Let α be an FLIF expression and let θ be a permutation of V. Then for every instance D, we have 5.1.4.Rewriting procedure.In order to be able to give a constructive proof of Theorem 5.1 by structural induction, a stronger induction hypothesis is needed.Specifically, to avoid clashes, we introduce a set W of forbidden variables.So we will actually prove the following statement: Lemma 5.3.Let α be an FLIF expression, let W be a set of variables, and let ρ be a bijection from O(α) to a set of variables disjoint from vars(α).There exists an FLIF io expression β such that (1) (3) for every instance D and every valuation ν 1 , we have We proceed to formally describe an inductive rewriting procedure to produce β from α as prescribed by the above lemma.The procedure formalizes and generalizes the situations encountered in the examples discussed in the previous section.The correctness of the method is proven in Section 6.2.
Terminology.A bijection from a set of variables X to another set of variables is henceforth called a renaming of X.
Variable assignment.If α is of the form x := t, then β equals ρ(x) := t.Equality test.If α is an equality test, we can take β equal to α. Nullary expressions.An expression α is called nullary if it contains no variables, i.e., vars(α) is empty.Trivially, for nullary α, the desired β can be taken to be α itself.We will consider this to be an extra base case for the induction.
Elsewhere, θ is the identity.
) is empty, η 1 can be dropped from the expression.Otherwise, η 1 is the composition of all (y := z) for y ∈ O(β 2 ) − ρ(O(α 2 )), with z a fixed variable chosen as follows.
(a) If O(β 1 ) is nonempty, take z arbitrarily from there.(b) Otherwise, take z arbitrarily from vars(α 2 ).We know vars(α 2 ) is nonempty, since otherwise α 2 would be nullary, so β 2 would equal α 2 , and then O(β 2 ) would be empty as well (extra base case), which is not the case.
where the constituent expressions are defined as follows.
(a) If O(α 1 ) ∩ O(α 2 ) is nonempty, take z arbitrarily from ρ(O(α 1 ) ∩ O(α 2 )).(b) Otherwise, take z arbitrarily from vars(α 2 ) (which is nonempty by the same reasoning as given for the union case).• η 2 is defined symmetrically.5.1.5.Necessity of variable assignment.Our rewriting procedure intensively uses variable assignment.Is this really necessary?More precisely, suppose α itself does not use variable assignment.Can we still always find an io-disjoint rewriting β such that β does not use variable assignment either?Below, we answer this question negatively; in other words, the ability to do variable assignment is crucial for io-disjoint rewriting.
For our counterexample we work over the schema consisting of a nullary relation name S and a binary relation name T of input arity one.Let α be the expression S(; ) ∪ T (x; x) and let ρ rename x to x 1 .Note that our rewriting procedure would produce the rewriting S(; ) ; (x 1 := x) ∪ T (x; x 1 ), indeed using a variable assignment (x 1 := x) to ensure an io-disjoint expression.
For the sake of contradiction, assume there exists an expression β according to Theorem 5.1 that does not use variable assignment.Fix D to the instance where S is nonempty but T is empty.Then α D consists of all identical pairs of valuations.Take any valuation ν with ν(x) ̸ = ν(x 1 ).Since (ν, ν) ∈ α D , there should exist a valuation ν ′ with ν ′ (x 1 ) = ν(x) such that (ν, ν ′ ) ∈ β D .Note that ν ′ ̸ = ν, since ν(x 1 ) ̸ = ν(x).However, this contradicts the following two observations.Both observations are readily verified by induction.(Recall that D is fixed as defined above.)(1) For every expression β without variable assignments, either β D is empty, or β D = γ D for some expression γ that does not mention T and that has no variable assignments.(2) For every expression γ that does not mention T and that has no variable assignments, and any (ν 1 , ν 2 ) ∈ γ D , we have ν 1 = ν 2 .
5.2.Improved translation from io-disjoint FLIF to Executable FO.We now turn to the translation from FLIF io to executable FO.Here, a rather straightforward equivalence is possible, since executable FO has an explicit quantification operation which is lacking in FLIF.Recall the evaluation problem for executable FO (Definition 3.4, and the evaluation problem for α (Definition 4.8).
Procedurally, to evaluate the first expression, we retrieve values for the variables y and u that match the value given for the variable x in the relation R. We proceed to retrieve a (z, u)-binding from S for the given x, effectively overwriting the previous binding for u.Thus, a correct translation into executable FO is (∃u R(x; y, u)) ∧ S(x; z, u).
Interpreting relations as functions, this example can be likened to the following piece of code in Python: y,u = R(x) ; z,u = S(x) io-disjointness.Let i = 1, 2. Expression γ i is io-disjoint by the choice of ρ j .Then β i ; γ i is io-disjoint because both O(β i ) and the image of ρ j are disjoint from vars(α).Regarding η 1 , we have seen that either (a) ) is disjoint from vars(α).Using similar reasoning, the expressions β i ; γ i ; η 1 , η 2 , β i ; γ i ; η 1 ; η 2 , and finally β, are seen to be io-disjoint.
No clashes.Note that ρ(O(α)) = ρ 1 (O(α 1 )), and recall that The first term is disjoint from W by construction and induction.For the second term, note that O(β 2 ) can be written as a disjoint union Again by construction and induction, the second and third terms are disjoint from W 2 , which includes O(β 1 ), which includes ρ 1 (O(α 1 )).On the other hand, the first term is included in ρ 1 (O(α 1 )) since ρ 1 and ρ 2 agree on O(α 1 ) ∩ O(α 2 ).Hence, O(β 2 ) − ρ 1 (O(α 1 )) reduces to the union of the second and third terms, which are disjoint from W 2 , which includes W , as desired.
• Projection (π) produces a relation with a relation schema that is a subset of the input relation schema.
• Selection (σ) does not change the schema.• Renaming will not be needed.Instead, however, to accommodate the assignment expressions present in FLIF io , we will need the generalized projection operator that adds a new attribute with the same value as an existing attribute, or a constant.Let N be a relation with relation schema Z, let y ∈ Z, and let x be a variable not in Z. Then Plans are based on access methods, which have the following syntax and semantics.Let R(x; ȳ) be an atomic FLIF io -expression.Let X be the set of variables in x and let Y be the set of variables in ȳ (in particular, X and Y are disjoint).Let N be a relation with a relation schema Z that contains X but is disjoint from Y .Let D be a database instance.We define the result of the access join of N with R(x; ȳ), evaluated on D, to be the following relation with relation schema Z ∪ Y : This result relation can clearly be computed respecting the limited access pattern on R. Indeed, we iterate through the valuations in N , feed their X-values to the source R, and extend the valuations with the obtained Y -values.
Formally, over any database schema S and for any finite set of variables I, we define a plan over S with input variables I as an expression that can be built up as follows: • The special relation name In, with relation schema I, is a plan.• If R(x; ȳ) is an atomic FLIF io expression over S, with sets of variables X and Y as above, and E is a plan with output relation schema Z as above, then also E access ▷◁ R(x; ȳ) is a plan, with output relation schema Z ∪ Y .
• Plans are closed under union, difference, natural join, and projection.
Given a database instance D, a set N of valuations on I, and a plan E with input variables I, we can instantiate the relation name In by N and evaluate E on (D, N ) in the obvious manner.We denote the result by E(D, N ).
We establish: Theorem 7.1.For every FLIF io expression α over a database schema S there exists a plan E α over S with input variables I(α), such that Eval α (D, N ) = E α (D, N ), for every instance D of S and set N of valuations on I(α).
• Let α be R(x 1 ; y, u) ; S(x 2 , y; z, u).Recall that I(α) = {x 1 , x 2 }.A plan for α can be taken to be π x 1 ,x 2 ,y (In The joins with In ensure that the produced output values are equal to the given input values, which may be needed in case N has multiple tuples. Proof.To prove the theorem we need a stronger induction hypothesis, where we allow N to have a larger relation schema Z ⊇ I(α), while still being disjoint with O(α).The claim then is that In what follows we use the following notation.Let P and Q be plans.By Q(P ) we mean the plan obtained from Q by substituting P for In.
Suppose α is α 1 ; α 2 .Plan E α 1 , obtained by induction, assumes an input relation schema that contains I(α 1 ) and is disjoint from O(α 1 ).Since . Then E α is the plan E α 2 (P 1 ).(One can again verify that this is a legal plan.) Next, suppose α is α 1 ∪ α 2 .Then I(α) = I(α 1 ) ∪ I(α 2 ), which is disjoint from O(α 1 ) = O(α 2 ) (compare Proposition 4.13).Hence, for E α we can simply take the plan In general, in the above translations, we follow the principle that the result of a subplan E α i must be joined with In whenever O(α i ) may intersect with I(α).
Remark 7.3.When we extend plans with assignment statements such that common expressions can be given a name [BLtCT16], the translation given in the above proof leads to a plan E α of size linear of the length of α.Each time we do a substitution of a subexpression for In in the proof, we first assign a name to the subexpression and only substitute the name.
Example 7.4.Recall the query from Example 2.5 expressed in FLIF io slightly differently as follows: F (x; y 1 ) ; F (x; y 2 ) ; (F (y 1 ; z) ∩ F (y 2 ; z)) ; (y 1 ̸ = y 2 ) The plan equivalent to this expression is: where E is the partial plan In ▷◁ F (x; y 1 ) ▷◁ F (x; y 2 ) with In a relation name over {x} providing input values.

Related Work
Much of the work on the topic of information sources with access limitations has been on processing queries expressed in generic query languages, such as conjunctive queries, unions of conjunctive queries, conjunctive queries with negation, first-order logic (relational calculus), or Datalog.Here, the query is written as if the database has no access limitations; the challenge then is to find a query plan that does respect the limitations, but produces, ideally, the same answers, or, failing that, produces only correct answers (also known as sound rewritings) [DGL00].
Query plans could take the form of syntactically ordered fragments of the query languages that are used, like executable FO considered in the present paper [RSU95,Li03,NL04].Query plans can also be directly described in relational algebra, like the plans defined here in Section 7 [YLGMU99, FLMS99,BtCT16].An alternative approach to query processing under access limitations is to first retrieve the "accessible part" of the database; after that we can simply execute the original query on that part, which is a sound strategy for monotone queries.Computing the accessible part may require recursion; on the other hand, the computation can be optimized so as to contain only information needed for the specific query [CM08b].
When the query language used is first-order logic, the planning and optimization problems mentioned above are, of course, undecidable.Yet, a remarkable preservation theorem [BLtCT16] states that, assuming a given first-order query only depends on the accessible part of the database (for any database; this is a semantic and undecidable property), then, that query can actually be rewritten into an executable FO formula.
Interestingly, a variant of our translation results from FLIF to executable FO in Proposition 3.7 can be seen to follow from the preservation theorem just mentioned.It would suffice to express a given FLIF expression α by any first-order logic formula φ α in the free variables V x ∪ V y , without taking care that φ α is executable.Indeed, FLIF expressions are readily seen to be access-determined by the variables in V x , so, the preservation theorem would imply that φ α can be equivalently written by an executable formula.Of course, our result provides a much more direct translation, and moreover, shows a bound on the number of variables (free or bound) needed in φ α .
Furthermore, it is natural to expect (although we have not verified it formally) that any FLIF expression α is already access-determined by the set of its input variables I(α).In this manner, also Theorem 5.4 would be implied by the preservation theorem.Again, our theorem provides a direct and actually very efficient translation.
Incidentally, in the cited work [BLtCT16], Benedikt et al. define their own notion of executable FO, syntactically rather different from the one we use in the present paper (which was introduced much earlier by Nash and Ludäscher [NL04]).We prefer the language we use for its elegance, and because its treatment of input variables matches well with input variables for FLIF expressions.Still, both executable-FO languages are equivalent in expressive power, as they are both equivalent to the plans used here in Section 7 and also used by Benedikt et al.
In a companion paper [ABS + 23], first presented at the KR 2020 conference, we consider LIF in a broader (but still first-order) context, independently of access limitations.The companion paper considers the problem of sensitivity analysis for general LIF expressions and introduces semantic as well as syntactic definitions of input and output variables.the syntactic definitions were shown to be optimal approximations of the semantic definitions.We have adopted the syntactic treatment in this paper, and have shown its relevance, when applied it to FLIF, to querying information sources with access limitations.Propositions 4.3, 4.4 and 4.5 are adopted here from our companion paper (there, numbered Proposition 4.3, Lemma 4.4, and Lemma 4.6, respectively); the proofs can be found there.

Conclusion
We have presented a connection between executable queries on databases with access limitations on the one hand, and first-order dynamic logic frameworks on the other hand.Specifically, we have defined Forward LIF (FLIF), an instantiation of the Logic of Information Flows (LIF).FLIF presents itself as an XPath-like language for graphs of valuations, where edges represent information accesses.The main novelty of FLIF lies in its graph-navigational nature (without explicit quantification), its input-output mechanism, and the law of inertia that it obeys.Specifically for io-disjoint FLIF expressions, our work also presents a more transparent alternative to the result by Benedikt et al. on translating (their version of) executable first-order formulas to plans.We have also given renewed attention to Nash and Ludäscher's elegant executable FO language, which seemed to have been overlooked by more recent research in the field.Figure 3 illustrates our main technical results, which offer translations between various languages.Most of the translations are simple in their formulation, although the rigorous proof of correctness is not always that simple.
We are not claiming that FLIF is necessarily more user-friendly than previous languages, or necessarily easier to implement or optimize.Both of these aspects should be the topic of further research.Still we believe it offers a novel perspective.That FLIF can express all executable FO queries is something that is not obvious at first sight.
In closing, we note that querying under limited access patterns has applicability beyond traditional data or information sources.For instance in the context of distributed data, when performing tasks involving the composition of external services, functions, or modules, limited access patterns are a way for service providers to protect parts of their data, while still allowing their services to be integrated seamlessly in other applications.Limited access patterns also have applications in active databases, where we like to think of FLIF as an analog of Active XML [ABM08] for the relational data model.

Figure 1 :
Figure 1: Part of graph view of the database considered in Example 2.2.

Figure 3 :
Figure 3: Summary of the translations shown in the paper, where a dashed arrow denotes an input-respecting translation, a double arrow denotes a simple translation, and finally, a double dashed arrow denotes both.