seminar@krdb 2012 - montali - verification of relational data-centric systems with external services

a i S C Verification of

Relational Data-Centric Dynamic Systemswith External Services

Presented by Marco MontaliJoint work with B. Bagheri Hariri, D. Calvanese, G. De Giacomo, A. Deutsch

KRDB Research Center

KRDB Lunch Seminar, March 5, 2012

ACSI Project 257593

a i S C Artifact-Centric Process Verification in ACSI

• The Data is put on stage, and the Process considers it!

• And we get beautiful research results!

Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 1/28

a i S C Data-Centric Dynamic Systems

• DCDS: system where the process controlling the dynamics and themanipulated data are equally central

I general, abstract frameworkI artifact-centric systems are a specialization of DCDSs

• Data Layer: holds the relevant information to be manipulated by the system• Process Layer: is formed by the invokable (atomic) actions and a process

based on themI Actions evolve the data of the data layer and update the state of the processI Interaction with external services to acquire new information from the

environment (other systems, user choices, . . . )

Process Layer

service

Data Layer

EnvironmentVerification of DCDSs ACSI Project 257593 M. Montali - KRDB 2/28

a i S C Data Layer

• Represents the information of interest in our application.

• We focus on relational data.

• Is a tuple D = 〈C,R, E , I0〉 where:I C is a countably infinite set of constants/values.I R = {R1, . . . , Rn} is a database schema (a finite set of relation schemas).I E is a finite set of equality constraints Qi →

Vj=1,...,k zij = yij .

I Qi is a domain independent FO query over R using constants from the activedomain adom(I0) and whose free variables are ~x.

I zij and yij are either variables in ~x or constants in adom(I0).I N.B.: they can be generalized to denials and arbitrary constraints!

I I0 is a database instance that represents the initial state of the data layer:I It conforms to the schema R.I It satisfies the constraints E: for each constraint Qi →

Vj=1,...,k zij = yij and

for each tuple θ ∈ ans (Qi, I0), zijθ = yijθ.

a i S C Process Layer

• Constitutes the progression mechanism for the DCDS.

• High-level: rule-based approach that can accommodate any process with afinite state control flow.

• Non-determinism represented by interleaving.

• A process layer P over a data layer D is a tuple P = 〈F ,A, %〉 where:I F is a finite set of functions representing external service interfaces whose

behavior is unknown to the DCDS;I A is a finite set of actions;I % is a finite set of condition-action rules that form the; specification of the

overall process.

a i S C Actions

An action ρ is constituted by:

• an action signature, i.e., a name, and a list of individual input parameters.Parameters are substituted by individuals/constants for the execution of theaction.

• an effect specification {e1, . . . , en}, where each ei is an effect.Effects are assumed to take place simultaneously.

An effect ei has the form q+i ∧Q−i Ei where:

• q+i ∧Q−i is a query over R and constants of adom(I0):

I may include some of the input parameters as terms of the queryI q+i is a UCQ over RI Q−i is a FOL query that acts as a filterI free variables of Q−i are included in those of q+i .

• Ei is a set of facts over R, which include as terms: constants in adom(I0),parameters, free variables of q+i , and functions calls that formalize call to(atomic) external services. These calls introduce new values!

a i S C Actions

An action ρ is constituted by:

• an action signature, i.e., a name, and a list of individual input parameters.Parameters are substituted by individuals/constants for the execution of theaction.

• an effect specification {e1, . . . , en}, where each ei is an effect.Effects are assumed to take place simultaneously.

An effect ei has the form q+i ∧Q−i Ei where:

• q+i ∧Q−i is a query over R and constants of adom(I0):

I may include some of the input parameters as terms of the queryI q+i is a UCQ over RI Q−i is a FOL query that acts as a filterI free variables of Q−i are included in those of q+i .

• Ei is a set of facts over R, which include as terms: constants in adom(I0),parameters, free variables of q+i , and functions calls that formalize call to(atomic) external services. These calls introduce new values!

a i S C Process and Action Execution

• Process: finite set of condition-action rules of the form Q 7→ α, whereI α is an action in AI Q is a FO query over R whose free variables are exactly the parameters of α,

and whose other terms can be either quantified variables or constants inadom(I0).

• To execute an action α in state s according to Q 7→ α:

1. evaluate Q over db(s) choosing a suitable parameters assignment σ for α;2. if such an assignment exists, then α is executable and instantiated with σ;3. ασ is executed: for each effect q+i ∧Q

−i Ei

3.1 (q+i ∧Q−i )σ is evaluated over db(s), getting variables assignments θ1, . . . , θn;3.2 for each θi, the grounded facts Eiθi are obtained;3.3 all service calls contained in Eiθi are issued;3.4 next state is obtained by asserting each Eiθi after the inclusion of all service

call results.

• We assume that services are deterministic:I if f(a) returns b, then from now on f(a) will always return b.

a i S C DCDS Example

Data Layer

Information about hotels and their price:

• Cur = 〈Currency〉• CurHotel = 〈Hotel, Currency〉• PEntry = 〈Hotel, Price,Date〉

Process Layer

Possibility of converting the price list of a hotel from USD dollars to anothercurrency.

• Service call for price conversion: conv usd(p, currency , date)• Process: Cur(c) ∧ CurHotel(h, ′US′) 7−→ Conv(h, c)• Conv(h, c) : PEntry(h, p, d) ∧ Cur(c) PEntry(h, conv usd(p, c, d), d)

CurHotel(h, cold) ∧ Cur(c) CurHotel(h, c)Copy Rest

a i S C DCDS Example: Execution

Initial State.

• Cur(′USD′) Cur(′EUR′)• CurHotel(h1,

′USD′) CurHotel(h2,′USD′)

• PEntry(h1, 80, 01/01/2012) PEntry(h2, 80, 01/01/2012)PEntry(h1, 60, 01/03/2012)

Initial State.

′USD′) CurHotel(h2,′USD′)

Execution of Conv(h1,′EUR′).

′EUR′) CurHotel(h2,′USD′)

Non-determinism in the returned values.

′EUR′) CurHotel(h2,′EUR′)

Deterministic value!

′EUR′) CurHotel(h2,′USD′)

Non-determinism in the returned values.

′EUR′) CurHotel(h2,′EUR′)

Deterministic value!Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 8/28

a i S C Transition Systems

• Semantics of a DCDS in terms of transition system Υ = 〈∆,R,Σ, s0, db,⇒〉I ∆ is a countably infinite set of values;I R is a database schema;I Σ is a set of states;I s0 ∈ Σ is the initial state;I db is a function that, given a state s ∈ Σ, returns the database associated tos, which is made up of values in ∆ and conforms to R;

I ⇒ ⊆ Σ× Σ is a transition relation between pairs of states.

Note: Υ is in general infinite state.Verification of DCDSs ACSI Project 257593 M. Montali - KRDB 9/28

a i S C Transition System with Deterministic Services

• Semantics in terms of concrete transition system ΥS = 〈C,R,Σ, s0, db,⇒〉.• Each state s ∈ Σ remembers all previous service call results: s = 〈I,M〉,

where I is a database and M is a map from service calls to results in C.

• db(〈I,M〉) = I.

• Action execution:I before issuing a service call, it is checked whether the (deterministic) result is

already contained in M;I if it is, then the result is already known;I if not, the call is issued and the obtained result is stored in M.

a i S C Construction of ΥS

• start from s0 = 〈I0, ∅〉 ∈ Σ;

• repeat foreverI pick a state s ∈ ΣI for every action executable in s, every “legal” parameters assignment, every

possible service calls results’ configuration. . .I generate the successor state s′ and put it in Σ;I insert 〈s, s′〉 in ⇒.

Note: three sources of non-determinism in each step:

• actions non-determinism;

• parameters non-determinism;

• service call results non-determinism: leads to potentially infinite branching.

a i S C Construction of ΥS

• start from s0 = 〈I0, ∅〉 ∈ Σ;

• repeat foreverI pick a state s ∈ ΣI for every action executable in s, every “legal” parameters assignment, every

possible service calls results’ configuration. . .I generate the successor state s′ and put it in Σ;I insert 〈s, s′〉 in ⇒.

Note: three sources of non-determinism in each step:

• actions non-determinism;

• parameters non-determinism;

• service call results non-determinism: leads to potentially infinite branching.

a i S C Example

Consider a DCDS S = 〈D,P〉• Data layer D = 〈C,R, E , I0〉, where I0 = {P (a), Q(a, a)}• Process layer P = 〈F ,A, %〉

I F = {f/1, g/1}, A = {α}, % = {true 7→ α}I α :

Q(a, a) ∧ P (x) {R(x)},

P (x) {P (x), Q(f(x), g(x))}

P(a) Q(a,a)

f(a)7→b g(a) 7→b

P(a) R(a) Q(b,b)

f(a) 7→b g(a) 7→a

P(a) R(a) Q(b,a)

f(a) 7→a g(a) 7→b

P(a) R(a) Q(a,b)

f(a)7→a g(a) 7→a

P(a) R(a) Q(a,a)

f(a) 7→c g(a) 7→b

P(a) R(a) Q(c,b)

f(a) 7→b g(a) 7→c

P(a) R(a) Q(b,c)

f(a) 7→c g(a)7→c

P(a) R(a) Q(c,c)

f(a) 7→a g(a) 7→b

P(a) Q(a,b)

f(a) 7→b g(a) 7→a

P(a) Q(b,a)

f(a) 7→b g(a) 7→b

P(a) Q(b,b)

f(a) 7→c g(a) 7→b

P(a) Q(c,b)

f(a) 7→b g(a) 7→c

P(a) Q(b,c)

f(a) 7→c g(a)7→c

P(a) Q(c,c)

a i S C Verification

• We are interested in the verification of DCDSs

• Given a DCDS S and a formula Φ (in some FO temporal logic)I Construct the transition system ΥS of SI Check whether ΥS |= Φ

• Problem: ΥS is in general infinite state

• Idea:I Devise a finite-state transition system ΘS that is a faithful abstraction of ΥS ,I Reduce the verification problem ΥS |= Φ to the verification of ΘS |= Φ

• Procedure:

1. Do a syntactic check over S testing whether ΥS admits a finite-stateabstraction ΘS

2. If so, construct ΘS3. Model check Φ over ΘS with standard model checking techniques

a i S C Verification Formalism

• We adopt FO variants of the µ-calculusI µL is a very expressive logic!

• µLFO formulas over a DCDS S have the form:

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | 〈−〉Φ | Z | µZ.Φ

where Q is an FO query over the database schemaR of S, and Z is a predicate variable.

Example

An example of µL formula is:

∃x1, . . . , xn.∧i 6=j

xi 6= xj ∧∧

i∈{1,...,n}

µZ.[Stud(xi)∨〈−〉Z]

This defeats any kind of finite-state abstraction.

PDLLTL CTL

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | 〈−〉Φ | Z | µZ.Φ

Example

∃x1, . . . , xn.∧i 6=j

xi 6= xj ∧∧

i∈{1,...,n}

PDLLTL CTL

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | 〈−〉Φ | Z | µZ.Φ

Example

∃x1, . . . , xn.∧i 6=j

xi 6= xj ∧∧

i∈{1,...,n}

PDLLTL CTL

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.Φ | 〈−〉Φ | Z | µZ.Φ

Example

∃x1, . . . , xn.∧i 6=j

xi 6= xj ∧∧

i∈{1,...,n}

PDLLTL CTL

a i S C History Preserving Mu-Calculus (µLA)

• Restricts quantification over individuals to those present in the currentdatabase (denoted by live(x)).

• Syntax:

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ | 〈−〉Φ | Z | µZ.Φ

• We abbreviate ¬(∃x.live(x) ∧ ¬Φ) as ∀x.live(x)→ Φ.

Example

νX.(∀x.live(x) ∧ Stud(x)→µY.(∃y.live(y) ∧Grad(x, y) ∨ 〈−〉Y ) ∧ [−]X)

Along every path, it is always true, for each student x, that there exists anevolution that eventually leads to a graduation of the student (with some finalmark y).

a i S C History Preserving Bisimulation for µLA

• Consider two transition systems Υ1 = 〈∆1,R,Σ1, s01, db1,⇒1〉 andΥ2 = 〈∆2,R,Σ2, s02, db2,⇒2〉.

• Problem: Υ1 and Υ2 are over different data domains ∆1 and ∆2, and acorrespondence between elements must be preserved over time.

• Is a relation B ⊆ Σ1 ×H × Σ2 such that 〈s1, h, s2〉 ∈ B implies that:1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism

between db1(s1) and db2(s2);2. for each s′1, if s1 ⇒1 s

′1 then there is an s′2 with s2 ⇒2 s

′2 and a bijection h′

that extends h, such that 〈s′1, h′, s′2〉 ∈ B;3. for each s′2, if s2 ⇒2 s

that extends h, such that 〈s′1, h′, s′2〉 ∈ B.

• We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a historypreserving bisimulation B between Υ1 and Υ2 such that 〈s01, h0, s02〉 ∈ B.

TheoremIf Υ1 ≈ Υ2, then for every µLA closed formula Φ, we have:

Υ1 |= Φ if and only if Υ2 |= Φ.

a i S C History Preserving Bisimulation for µLA

• Problem: Υ1 and Υ2 are over different data domains ∆1 and ∆2, and acorrespondence between elements must be preserved over time.

• Is a relation B ⊆ Σ1 ×H × Σ2 such that 〈s1, h, s2〉 ∈ B implies that:1. h is a partial bijection between ∆1 and ∆2 that induces an isomorphism

between db1(s1) and db2(s2);2. for each s′1, if s1 ⇒1 s

that extends h, such that 〈s′1, h′, s′2〉 ∈ B;3. for each s′2, if s2 ⇒2 s

that extends h, such that 〈s′1, h′, s′2〉 ∈ B.

• We have Υ1 ≈ Υ2 if there exists a partial bijection h0 and a historypreserving bisimulation B between Υ1 and Υ2 such that 〈s01, h0, s02〉 ∈ B.

TheoremIf Υ1 ≈ Υ2, then for every µLA closed formula Φ, we have:

a i S C (Un)decidability Results

TheoremThere exists a DCDS S with deterministic services, and a propositional LTL safetyproperty Φ, such that checking ΥS |= Φ is undecidable.

To gain decidability, we need restrictions on the DCDS: run-boundedness

• For every run τ in ΥS we have |⋃s state of τ adom(db(s))| < b

• I.e., there exists a bound b such that every run in ΥS encounters at most bdifferent values.

• A (data) unbounded run represents an execution in which infinitely manydifferent service calls are issued.

TheoremVerification of µLA properties on run-bounded DCDSs with deterministic servicesis decidable.

1. We devise a finite-state abstraction ΘS for a run-bounded DCDS S.

2. We prove that ΘS ≈ ΥS , hence they satisfy the same µLA formulae.

a i S C Ensuring Run-Boundedness

TheoremChecking run-boundedness of DCDSs with deterministic services is undecidable.

We have devised a sufficient syntactic condition that guarantees run-boundedness:weak acyclicity

• Depends only on action specifications, and not on data.

• Is polynomially checkable.

TheoremVerification of µLA properties for weakly acyclic DCDSs with deterministicservices is decidable, and can be reduced to model checking of propositionalµ-calculus over a finite transition system.

Data LayerSchema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance

Cust(ann)peer(mark, john)Gold(john)

owes(mark,@25 )

Process LayerConditions

peer(x, y) ∧ Gold(y)7−→ GetLoan(x)

Service Calls

UInput(x )

Actions

GetLoan(x) :

∃y.peer(x, y) {owes(x,UInput(x ))},Cust(z) {Cust(z)},Loan(z) {Loan(z)},

InDebt(z) {InDebt(z)},Gold(z) {Gold(z)}

Data LayerSchema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance

Cust(ann)peer(mark, john)Gold(john)

owes(mark,@25 )

Service Calls

UInput(x )

Actions

GetLoan(x) :

Data LayerSchema

Customer

In Debt Customer

Gold CustomerLoan

closedowes

peerInstance

Cust(ann)peer(mark, john)Gold(john)owes(mark,@25 )

Service Calls

UInput(x )

Actions

GetLoan(x) :

a i S C Non-Deterministic Services

• The same service call issued later may give a different result.• Can be used to model:

I user input;I unpredictable external environment.

TheoremThere exists a DCDS S with nondeterministic services, and a propositional LTLsafety property Φ, such that checking ΥS |= Φ is undecidable.

To gain decidability, we need again restrictions on the DCDS:

• Run-boundedness is too strong: it bounds the overall number of service calls.

• We consider instead state boundedness: there is a finite bound b such thatfor each state I of ΥS , |adom(I)| < b.

However . . .

TheoremVerification of µLA properties on state-bounded DCDSs with nondeterministicservices is undecidable.

However . . .

a i S C Persistence Preserving Mu-Calculus (µLP )

• Restricts quantification over individuals that continuously persist along thesystem evolution, i.e., that continue to be live(x).

• Syntax:

Φ ::= Q | ¬Φ | Φ1 ∧ Φ2 | ∃x.live(x) ∧ Φ |〈−〉(live(~x) ∧ Φ) | [−](live(~x) ∧ Φ) | Z | µZ.Φ

where in live(~x) ∧ 〈−〉Φ and live(~x) ∧ [−]Φ, the free variables of Φ are ~x.

• We abbreviate ¬[−](live(~x) ∧ ¬Φ) as 〈−〉(live(~x)→ Φ)and ¬〈−〉(live(~x) ∧ ¬Φ) as [−](live(~x)→ Φ).

Example

νX.(∀x.live(x) ∧ Stud(x)→µY.(∃y.live(y) ∧Grad(x, y) ∨ 〈−〉(live(x)Y )) ∧ [−]X)

Along every path, it is always true, for each student x, that there exists anevolution in which she eventually graduates.

• Syntax:

Example

νX.(∀x.live(x) ∧ Stud(x)→µY.(∃y.live(y) ∧Grad(x, y) ∨ 〈−〉(live(x) ∧ Y )) ∧ [−]X)

Along every path, it is always true, for each student x, that there exists anevolution in which x persists in the database until she eventually graduates.

• Syntax:

Example

νX.(∀x.live(x) ∧ Stud(x)→µY.(∃y.live(y) ∧Grad(x, y) ∨ 〈−〉(live(x) ∧ Y )) ∧ [−]X)

Along every path, it is always true, for each student x, that there exists anevolution in which x persists in the database until she eventually graduates.

• Syntax:

Example

νX.(∀x.live(x) ∧ Stud(x)→µY.(∃y.live(y) ∧Grad(x, y) ∨ 〈−〉(live(x)→ Y )) ∧ [−]X)

Along every path, it is always true, for each student x, that there exists anevolution in which either x does not persist, or she eventually graduates.

a i S C Persistence Preserving Bisimulation for µLP

• W.r.t. µLA, it is now sufficient to preserve the correspondence betweenelements of ∆1 and ∆2 that persist over time.

• Is a relation B ⊆ Σ1 ×H × Σ2 such that 〈s1, h, s2〉 ∈ B implies that:1. h is an isomorphism between db1(s1) and db2(s2);2. for each s′1, if s1 ⇒1 s

′1 then there exists an s′2 with s2 ⇒2 s

′2 and a bijection

h′ that extends h|adom(db1(s1))∩adom(db1(s′1)), such that 〈s′1, h′, s′2〉 ∈ B;

3. for each s′2, if s2 ⇒2 s′2 then there exists an s′1 with s1 ⇒1 s

h′ that extends h|adom(db1(s1))∩adom(db1(s′1)), such that 〈s′1, h′, s′2〉 ∈ B.

• We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistencepreserving bisimulation B between Υ1 and Υ2 such that 〈s01, h0, s02〉 ∈ B.

TheoremIf Υ1 ∼ Υ2, then for every µLP closed formula Φ, we have:

a i S C Persistence Preserving Bisimulation for µLP

• W.r.t. µLA, it is now sufficient to preserve the correspondence betweenelements of ∆1 and ∆2 that persist over time.

• Is a relation B ⊆ Σ1 ×H × Σ2 such that 〈s1, h, s2〉 ∈ B implies that:1. h is an isomorphism between db1(s1) and db2(s2);2. for each s′1, if s1 ⇒1 s

′1 then there exists an s′2 with s2 ⇒2 s

h′ that extends h|adom(db1(s1))∩adom(db1(s′1)), such that 〈s′1, h′, s′2〉 ∈ B;

3. for each s′2, if s2 ⇒2 s′2 then there exists an s′1 with s1 ⇒1 s

h′ that extends h|adom(db1(s1))∩adom(db1(s′1)), such that 〈s′1, h′, s′2〉 ∈ B.

• We have Υ1 ∼ Υ2 if there exists a partial bijection h0 and a persistencepreserving bisimulation B between Υ1 and Υ2 such that 〈s01, h0, s02〉 ∈ B.

TheoremIf Υ1 ∼ Υ2, then for every µLP closed formula Φ, we have:

a i S C Verification of State-Bounded Systems

TheoremVerification of µLP properties on state-bounded DCDSs with non-deterministicservices is decidable.

1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S.

2. We prove that ΘS ∼ ΥS , hence they satisfy the same µLP formulae.

However . . .

TheoremChecking state-boundedness of DCDSs with non-deterministic services isundecidable.

a i S C Verification of State-Bounded Systems

TheoremVerification of µLP properties on state-bounded DCDSs with non-deterministicservices is decidable.

1. We devise a finite-state abstraction ΘS for a state-bounded DCDS S.

2. We prove that ΘS ∼ ΥS , hence they satisfy the same µLP formulae.

However . . .

TheoremChecking state-boundedness of DCDSs with non-deterministic services isundecidable.

a i S C Ensuring State-Boundedness

We have devised a sufficient syntactic condition that guaranteesstate-boundedness: generate-recall acyclicity

TheoremVerification of µLP properties for generate-recall acyclic DCDSs withnon-deterministic services is decidable, and can be reduced to model checking ofpropositional µ-calculus over a finite transition system.

a i S C Ensuring State-Boundedness

We have devised a sufficient syntactic condition that guaranteesstate-boundedness: generate-recall acyclicity

TheoremVerification of µLP properties for generate-recall acyclic DCDSs withnon-deterministic services is decidable, and can be reduced to model checking ofpropositional µ-calculus over a finite transition system.

a i S C Generate-Recall Acyclicity

Example

Consider I0 = {R(a)}, process {true 7−→ α}, and

action α ={R(x) R(x)R(x) Q(f(x))

• The resulting process layer is generate-recall acyclic.

• Service call f(a) is continuously issued, leading to possibly generate infinitelymany distinct values, but such values are not recalled.

• Since µLP formulae only focus on persisting values, the possibly infinitelymany distinct results obtained by issuing f(a) are irrelevant.

Example

Consider I0 = {R(a)}, process {true 7−→ α}, and

action α =

R(x) R(x)R(x) Q(f(x))Q(x) Q(x)

• The resulting process layer is not generate-recall acyclic.

• Service call f(a) is continuously issued, leading to possibly generate infinitelymany distinct values, which are recalled in Q.

• It is not possible to find a faithful finite abstraction, because there exist runsaccumulating unboundedly many distinct values inside their states.

Example

Consider I0 = {R(a)}, process {true 7−→ α, true 7−→ β}, and

actions α ={R(x) R(x)R(x) Q(f(x))

}and β = {Q(x) Q(x)}

• The resulting process layer is generate-recall acyclic.

• It resembles the previous case, but now effects belong to two distinct actions.

• While α is getting a new value for f(a), Q tuples are lost.

• While β is copying Q tuples, no new value is insterted.

a i S C Summary of Results on Verification of DCDSs

deterministic services nondeterministic services

µLFO µLA µLP µLFO µLA µLPunrestricted U ← U ← U unrestricted U ← U ← U

↑ ↑bounded-run ? D → D bounded-state U ← U D

D: Verification is decidable U: Verification is undecidable

seminar@krdb 2012 - montali - verification of relational data-centric systems with external services

Presentations & Public Speaking