Abductive Analysis of Modular Logic Programs - Semantic Scholar

Abductive Analysis of Modular Logic Programs

Roberto Giacobazzi

LIX, Laboratoire d'Informatique E cole Polytechnique 91128 Palaiseau cedex (France) E-mail: [email protected]

Abstract

We introduce a practical method for abductive analysis of modular logic programs. This is obtained by reversing the deduction process, which is usually applied in static-data ow analysis of logic programs. The approach is validated in the framework of abstract interpretation. The abduced information provides an abstract speci cation for program modules which can be of assistance both in top-down development of programs and in compile-time optimization. To the best of our knowledge this is the rst application of abductive reasoning in data ow analysis of logic programs.

1 Introduction Data ow analysis by abstract interpretation is typically intended to statically derive approximated information (the analysis) about run-time properties of programs, by applying rules (clauses) to initial states (goals), with the inference of a result. This deductive approach to logic program analysis is usually based on abstract unfolding (i.e. replacement + abstract uni cation) and is shared by several of the frameworks proposed in the literature (e.g., see [2, 4, 5, 6, 10, 20]). In [6] this approach has been applied to modular logic programs providing a compositional analysis in presence of modules. Compositional abstract interpretation is essential for large program development so that altering one module does not require re-analysis of the entire program. A logic program is viewed as consisting of a set of modules, each module de ning a subset of the program's predicates. Analyses are constructed by considering abstract interpretations of the compositional semantics introduced in [3]. The abstract meaning of a module corresponds to its analysis and composition of abstract meanings corresponds to composition of analyses. In this paper we consider the converse of this process in the context of static program analysis, i.e., inferring the possible extensions for open predicates of a module by assuming a given (abstract) property on their composition. The process of reversing deduction is logically justi ed by the abductive reasoning (an excellent survey on the wide literature on abduction is in [18]). Abductive reasoning is formulated as follows: \given a set of rules

(clauses) P and a conjunction of atoms (an observation or simply a goal) G , nd the set of atoms Q (the hypothesis) such that G is a logical consequence of P [ Q " (see [18, 21]). Atoms in Q are indicated as abducible information. From the abstract interpretation viewpoint, the abductive reasoning can be statically used to derive program properties of modules once the speci cation of the properties of their composition is given. We call this analysis abductive. The idea is to show which abstract properties a program module Q (or the semantics of Q ) have to satisfy, so that the composition with a program module P (i.e., P [ Q ) satis es a given observation. This application of abduction can be understood as generating hypothesis which are causes for observations which are eects. This approach is particularly useful for the analysis and development of modular logic programs, as it provides a systematic way for automatically (and statically) generate abstract speci cations for program modules. Therefore it could be of assistance in the top-down development of a program to meet a speci cation. Indeed, there is an interesting relation between abduction and speci cation techniques based on weakest-prespeci cations [16]. In particular we prove that our abductive analysis corresponds precisely to compute an abstract weakestprespeci cation with respect to program composition de ned by set-union, i.e., the weakest observation (or speci cation) that must be met by the program module Q in order that the composition P [ Q will accomplish the original task speci ed by its observation. A semantic account of this is provided by showing that abstract abduction corresponds to the abstract weak-op-inverse (see [16]) of the traditional TP -based semantics described in [12]. This result further justi es the use of abductive analysis in systematic program development. From the program optimization viewpoint, it is worth noting that the applicability of optimization techniques to a program module may depend on the de nition of its open predicates. This speci es a kind of \precondition" on the semantics of the module which has to be assumed in order to perform program optimizations. This precondition can be speci ed in terms of an assumption on the possible semantics for the open predicates, providing an abstract speci cation for the development of possible extensions of the module which are consistent with the intended program behavior and optimization. While concrete speci cations for programs are usually oriented to provide a complete description of the program meaning, an abstract speci cation is only intended to describe a speci c program property: the one interesting for the analysis and optimization. The rest of this paper is structured as follows: Section 2 presents some preliminary de nitions and notations. Section 3 resumes some results on compositional semantics and analysis of modular logic programs. The main contribution is in Section 4, where we characterize abduction as composition inverse, and we introduce a practical method for abductive analysis of modular logic programs. Some applications are discussed in Section 5.

2 Preliminaries In the following we assume familiarity with the standard de nitions and notation for logic programs [1], constraint logic programs [17, 15] and abstract interpretation [9]. The powerset of a set X is denoted by }(X ). A poset with domain X and partial order v is denoted Xv . We write f : A ! B to mean that f is a total function of A into B . The identity operator x :x is often denoted id . Function composition is denoted . The ordinal power of f is denoted f "  for an ordinal . Throughout, we assume a xed set of function symbols , a nite set of predicate symbols  and a xed denumerable set of variables Var . The set of variables occurring in a syntactic object t is denoted by var (t ). The set of terms de ned on  and Var is denoted Term . Herbrand constraints are nite conjunctions of equations between terms; the system of such Herbrand constraints is denoted by H. Constraints are (possibly in nite) disjunctions of Herbrand constraints. We often view a disjunction of Herbrand constraints as a set of Herbrand constraints. We let false denote the unsatis able constraint (e.g., the empty disjunction) and true the always satis able constraint (e.g., the empty conjunction). We write   0 if  logically implies 0 . C denotes the set of disjunctions of Herbrand constraints over Term modulo logical equivalence. Thus C is a complete lattice ordered by  with bottom element false and top element true , and ^ as glb . We abuse by denoting (C ; ^) the corresponding concrete constraint system. The set of atoms constructed from predicate symbols in  and terms from Term is denoted Atom . It is well known that \ordinary" logic programs can be characterized as constraint logic programs on H (see, for example, [17]). This simpli es somehow the presentation. A goal is of the form  [] a , where  is a Herbrand constraint and a is a sequence of atoms; we occasionally abuse notation and treat the sequence of atoms a as a set, and write b 2 a to refer to an element of this set. The empty sequence of atoms is denoted by true . We let hai ini=1 denote the sequence a1 ; : : :; an . The concatenation of sequences b1 and b2 is written b1 :: b2. A (constrained) Horn clause is an object of the form h ?  [] b where h is an atom (the head), and  [] b is a goal (the body). When  = true we write h ? b. A logic program (or module) is a nite set of clauses. The set of clauses constructed from elements of Atom is denoted Clause . We will abuse by considering unit clauses as atoms. We say that a clause h ?  [] b is normalized if  is in solved form and h ? b is linear, i.e., contains no multiple occurrences of any variable, and at, i.e., contains no function symbols or constants. The satis ability of a Herbrand constraint  , denoted H j=  , is determined by computing a solution (a set of equations in solved form or most general uni er) of  . In the following of this paper we will often abuse notation by using j= to denote dierent notions of satis ability. We let the reader to distinguish them according to the context. We x a partial function mgu which maps a pair of syntactic objects (i.e., terms, atoms or clauses) to an idempotent most general uni er of the objects if it exists. For a syntactic

object t and constraint  , we write  (t ) to denote t  where  = mgu ( ). For a set of constraints , (t ) = f (t )j 2 g. Equivalence up to renaming for arbitrary syntactic objects is denoted . For any two sets of constraints 1 ; 2 2 C : 1  2 i for any syntactic object s : 1 (s )  2 (s ). For a syntactic object s and a set of equivalence classes of objects I under , we denote by hc1 ; : : :; cn i > > > bi ini=1 i i > > > > i =1 i > > : ; 0 H j=  unf is a binary associative operator (see [11]) on Int , which is additive on its rst argument and continuous on its second one. A bottom-up semantics for open logic programs is de ned in [3] in terms of \iterated unfolding" | that is, repeatedly unfolding the clauses in a program until further unfolding produces no change. The xpoint semantics of a program P is then given by the function F : Int ! Int , de ned as F (P ) = lfp (TP ), where TP : Int ! Int is de ned as TP (I ) = unf (P ; I [ P ), and for any program P , we denote by P the set f[p (x ) ? p (x )] jp 2 open (P )g. The idea of Bossi et al. [3], is to unfold only those predicates which have a de nition, so that the meaning of a program becomes dependent on the meaning of its open predicates. Technically, this is obtained by adding the tautological clauses P for the open predicates of a program P and unfolding all predicates in the body of a clause. Notice that the unfolding of an open predicate in a clause body with a tautological clause is basically a \no-op". Moreover, note that if open (P ) = ; then P = ; and TP (I ) = unf (P ; I ). When I consists of unit clauses (facts), the xpoint operator gives precisely the (non-ground) xpoint semantics of Falaschi et al. [12]. The following formalizes the notion of compositional semantics based on clause unfolding and provides the basis for the compositional analyses described below. 8 > > > >
?  [ ] g ; : : :; g 2 P > 1 n > 1 > < = n a  h h ?  [ ] b i < < P A a a 0   i i i c i =1 2 unf (P1 ; P2 ) = >h ?  [] b1 ::


:: bn n > 0 > > :  =  (i A (gi = hi )); i =1

Likewise concrete unfolding, unf A is proved to be associative, additive and continuous (see [14]). The abstract semantics F A : AInt ! AInt is de ned for a program module P as F A ((P )) = lfp (TA(P )) where TA(P ) : AInt ! AInt is de ned by TA(P )(I a ) = unf A ((P ); I a t (P )). By correctness, F A is correct with respect to F ([6, 14]).

4 Abductive Analysis

4.1 Abduction as composition inverse

Given a program module P , our goal is to nd a speci cation (property) for open (P ) once a speci cation of P is given3 . A formal account of this process can be given in terms of the well known Dijkstra's weakest precondition or weakest prespeci cation [16].

De nition 4.1 [weak-op-inverse]

f ? is a weak-op-inverse of f : D ! D 0 i (D ; f ; D 0; f ? ) is a Galois connection.

This terminology has been introduced in [16] to generalize the inverse of sequential command composition ; on speci cations. Given a program speci cation R , the weak-op-inverse fR? of fR = X :X ;R (when it exists) provides the weakest-prespeci cation, i.e., the weakest speci cation that must be met by the subprogram P in order that, given the speci cation W , P ;R will accomplish the task W . It is immediate that: f ? exists i f is additive, and f ? is uniquely determined by f (e.g., see [9]). We consider a program property as any element in }(Int ). Let F : Int ! Int be an idempotent operator which is compositional (in the sense of Theorem 3.1), i.e., for any P1 ; P2 2 Int : F (P1 [ P2 ) = F (F (P1) [ F (P2)), and let F (P ) be the semantics of P . A program P satis es a property P 2 }(Int ) (written P j= P ) i F (P ) 2 P . An additive semantics for logic programs can be provided by lifting F on program properties. For any property X 2 }(Int ), the deductive semantics for composition of P is SP (X ) = fF (P [ X ) j X 2 Xg. The weak-op-inverse of SP exists and it is uniquely de ned by SP? (X ) = fY j F (P [ Y ) 2 Xg. The following result provides an alternative view of abduction, relating abducible information with weak-op-inverses of deductive semantics for composition.

Theorem 4.2 ?

Q j= SP (P ) i P [ Q j= P .

SP? is often useless even when computed on abstract domains as it is not constructively de ned from F . In the following of this section we provide:

(1) a concise de nition of program properties that can be easily used in conjunction with abstract domains for analysis; and (2) a practical method to approximate abduction on abstract domains, providing terminating abductive analysis of modular logic programs. We will be mainly concerned with properties of successful computations, therefore we will always refer to properties as collections of sets of unit-clauses in }(Int ). 3 We are considering a rather simple notion of abduction, which is specialized for positive logic programs without integrity constraints.

4.2 Program properties as (abstract) observations

We introduce the notion of abstract observation for a module. Intuitively, an abstract observation for a program has to describe the meaning of its de ned predicates, so that they satisfy a given property. In our case, abstract observations for a program module P will be abstract goals on the predicates de ned in P . A goal  [] b is then intended to describe any program P providing meaning for the atoms in b , so that the constraint  is satis ed in any successful derivation for b in P .

Example 2 The abstract observation x $ y [] p (x ; y ) is intended to describe

any possible de nition for p: p (x ; y ) ? , such that  ! (x $ y ). It is easy to see that any program with abstract semantics: p (x ; y ) ? x ^ y satis es the observation. In the concrete semantics, for a program P and goal G =  [] b, G has a successful derivation in P i, by extending G to a clause: ans ? G with a new atom ans such that var (ans ) = var (b), there exists ans ?  0 [] true 2 unf (fans ? G g; F (P )) (e.g., see [19]). In this case we say that  0 is the answer constraint. In the following, for any set of variables V we denote ans (V ) a at and linear atom such that var (ans (V )) = V . To simplify the notation, for any syntactic object s , we denote ans (s ) the atom ans (var (s )), and we will omit V when it can be deduced from the context. We extend this notation to abstract goals (observations) and programs: let P be a program module and G a be an abstract observation (or simply an abstract goal), the goal G a has an abstract successful derivation in (P ) i ans ?  [] true 2 unf A (fans ? G a g; F A((P ))). The correctness of abstract successful derivations is a consequence of the following

Lemma 4.3

Let unf A be a safe and monotone approximation for unf , and F A be the induced abstract xpoint semantics in a Galois insertion (Int ; ; AInt ; ). For a program module P and goal G a : unf ( (fans ? G a g); F (P )) 

(unf A (fans ? G a g; F A((P )))). A program satis es an abstract observation  [] b if  is weaker than (logically implied by) any successful (abstract) derivation for b in (P ).

De nition 4.4

A program P satis es an abstract observation  [] b with respect to a set of variables V , relatively to an abstract constraint ~, denoted P j=V~  [] b, i for each ans (V [ var (b)) ? 0 [] b0 2 unf A (fans (V [ var (b)) ? ~ [] bg; F A((P ))); we have b0 = true and A (0 )(ans (V [ var (b))) 

A ()(ans (V [ var (b))). The condition A (0)(ans (V [ var (b)))  A ()(ans (V [ var (b))) speci es that 0 is stronger than  when restricted to the variables in V [ var (b). We

assume that a program satis es an observation relatively to a constraint. This will be essential to record the constraint in the abduced observation obtained in one step of unfolding in Theorem 4.7 and 4.8. If P j=V~  [] b and V  var (b) and ~ = true , we simply say that P satis es  [] b (denoted P j=  [] b). This notion can be easily extended to cope with abstract programs (interpretations) in the obvious way. The following example shows the relevance of the set V in the relation P j=V G a .

Example 3 Consider the abstract observation x [] p (y ). It is easy to see that

for any program P = fp (y ) ?  [] true g (i.e., where  de nes a constraint on y): P j= x [] p (y )((9x x ) ^  = ) but P 6j=fx g x [] p (y ) (x ^  6= ).

Proposition 4.5 [downward closure of observations] Given an abstract observation G a ,  2 A, V  Var and I a ; J a 2 AInt de ning the same set of predicates: if I a j=V G a and (J a )  (I a ) then J a j=V G a .

An abstract program property (i.e., an element in }(AInt )) can be associated with each abstract observation G a ,  2 A and V  Var :

PV (G a ) = fI a 2 AInt j I a j=V G a and I a contains only factsg

PV (G a ) is an abstract program property which is downward closed as spec-

i ed in Proposition 4.5. It is a straightforward consequence of the previous results that P j=V G a , F A ((P )) 2 PV (G a ) and, by correctness, F A((P )) 2 PV (G a ) ) (F (P )) 2 PV (G a ).

Theorem 4.6 [correctness of abstract observations]

If a program module P satis es an abstract observation  [] b , then for any successful derivation for b in P with answer constraint  ,  (b) 2 A ()(b).

4.3 Abductive analysis

In the case of program modules with open predicates, any abstract observation speci es implicitly an abstract observation on the semantics of the open predicates. The abstract observations for the open predicates of a module P can be derived from any observation of P via unfolding. Notice that given an abstract observation G a for P , unf A (fans ? G a g; F A((P ))) contains only abstract observations for predicates in open (P ). They are called the abduced observations. Correctness as speci ed in Theorem 3.2 is not enough to de ne abductive analysis based on F A. For abductive analysis we distinguish between two forms of composition. We say that F A is compositional correct i F A((P [ Q )) v F A(F A((P )) tF A((Q ))) and F A is compositional complete i F A((P [ Q )) = F A(F A((P )) t F A((Q ))). The reason of this distinction will be more clear in Section 5, where the weaker notion of compositional correctness characterizes the loss of precision resulting from some

termination strategies. In the following, when not speci ed otherwise, we assume compositional correctness for F A. Moreover, we say that Q extends P i open (Q ) = ; and open (P [ Q ) = ;, namely when Q provides a complete de nition for the meaning of the open predicates in P . The following theorem justi es the use of \abstract abduction" for abductive analysis of modular logic programs.

Theorem 4.7 [abductive analysis I] Let P ; Q be modules such that Q extends P, and  [] b be an abstract observation for P. If for each ans ? ~ [] g 2 unf A (fans ? b g; F A((P ))): ~ Q j=var ~ [] g, then P [ Q j=  [] b . (b )   Notice that, because Q extends P , Q can also be joined with the semantics of all the modules that de ne predicates in open (P ). The converse of Theorem 4.7 holds only for compositional complete abstract semantics:

Theorem 4.8 [abductive analysis II] Let P ; Q be modules such that Q extends P, F A be compositional complete and  [] b be an abstract observation for P. P [ Q j=  [] b i for each ~  ~ [] g. ans ? ~ [] g 2 unf A (fans ? bg; F A((P ))): Q j=var (b ) It is worth noting that this result provides an ecient and concise way to approximate, on generic abstract domains, the weak-op-inverse of program composition (see Theorem 4.2).

Example 4 Let P = fp (x ; z ) ? q (x ; y ); q (y ; z )g be an open program, and

G a = x $ y [] p (x ; y ) be an abstract observation for P. As shown in the previous example, Q = fq (x ; y ) ? x $ y [] true g satis es the abstract observation for the open predicate q: x $ z [] q (x ; y ); q (y ; z ) which is obtained by solving the observation G a in the compositional abstract semantics for P. By Theorem 4.7: P [ Q satis es G a .

The unfolding of an abstract observation for a module P into the abstract semantics of P produces a set of abstract observations for the open predicates yet specifying relations on the original predicates de ned in P . Projecting out this information (on the variables of the new observation only) may lead to an inconsistent result, as shown in the following

Example 5 Consider the program P = fp (x ; y ) ? q (y )g and the abstract

observation x [] p (x ; y ). By unfolding we obtain the observation x [] q (y ). Intuitively, no de nition for q can instantiate x to ground. However, as shown in Example 3, projecting out x can lead to a contradiction, because for any Q = fq (x ) ?  [] true g: Q j= x [] q (y ), but Q 6j=fx g x [] q (y ).

5 Applications Termination in abductive analysis boils down into termination of compositional analysis. As observed in [6], compositional analysis based on unfolding may not terminate even with nite or noetherian abstract domains for substitutions (constraints). This because the xpoint iteration may introduce clauses with bodies containing an arbitrary number of open atoms. Some solutions to this problem have been proposed in [6, 13]. In [6] an additional (and orthogonal) layer of abstraction, the ?-abstraction4, is applied to deal with unbounded clause bodies in the abstract semantics. This approach provides nitary descriptions for arbitrary large clauses, but makes the analysis less precise. Clause bodies are restricted to contain at most one occurrence of each (open) predicate symbol. In this case, since  is nite, the domain of abstract interpretations AInt results a nite-height lattice. The ?-abstracted compositional semantics is denoted F?A. This semantics is compositional correct (see [6]), therefore (by Theorem 4.7) it can be correctly used in abstract abduction. The approach in [13] is oriented to provide a compositional complete abstract semantics. This is obtained by taking, as semantics of P , the result of a nite number of iterations of the TA(P ) operator, without reaching the xpoint. While this would not be correct in general, for nite abstract domains (e.g., for Prop or Sharing ) the resulting denotation has the same compositionality properties of the concrete xpoint semantics. The xpoint iteration sequence TA(P )"n (n  1) is stopped when T-stability is reached, i.e., whenever for each Q 2 AInt containing only unit clauses with predicates in open (P ): unf A (TA(P )"n ; Q ) = unf A (TA(P )"(n + 1); Q ). This corresponds to test if the same patterns for the intensional part of clauses in TA(P ) " n and TA(P ) " (n + 1) are generated, once any de nition for their extensional (open) part is provided. In this case, any additional unfolding step does not add information with respect to the possible extensions of P . The T -stable semantics, denoted FTA, is proved to be compositional complete in [13, 14].

Example 6 In this example we consider the simpler abstract domain Dep adopted from [7]. Elements in Dep are propositional formulae on Var with connectives ^ and $, ordered by implication. It is straightforward to derive Dep by abstract interpretation of Prop. In the following of this example we assume condensing over all solutions i.e., interpretations can only contain single occurrences for any clause. Therefore, any two clauses h ?  [] b and h ? 0 [] b generated for h ? b in F A are condensed into (approximated by) a single clause h ?  tA 0 [] b. This restriction reduces the search space for T-stability. Moreover, as proved in [6], ?-abstraction for Dep with condensing is compositional correct. Consider the \naive reverse" routine Prev

rev([],[]). rev([X|Xs],Zs) :- rev(Xs,Ys), append(Ys,[X],Zs).

4 This technique was originally proposed in [7] as state-approximation for suspension analysis of concurrent logic programs.

where the append procedure is open. A nite compositional abstract semantics can be obtained by iterating unfolding until a T-stable sequence is reached. This is obtained after two iterations: ( ) rev ( x 1; x2) ? x1 ^ x2 [] true A FT ((Prev )) = rev (x ; x ) ? x $ x ^ x $ x ^ x [] append (x ; x ; x ) 1 2 1 6 2 7 5 5 6 7 A ?-abstracted semantics is generated by collapsing all occurrences of the same predicate in a body to one \canonical" atom. The collapsing of the sequence p (x1); : : :; p (xn ) is an atom p (x ) with x 6= xi and a dependency relation  such that each argument xj of p (x ) represents the set of the j th arguments (xij for i = 1:::n) in p (x1 ); : : :; p (xm ):  =x ^2x (xj $ (i =1 ^n xij )). (

j

)

? x1 ^ x2 [] true ? x1 $ x6 ^ x7 $ (x2 ^ x5) [] append (x5; x6; x7) By Theorem 4.7 with abstract observation G a = x1 $ x2 [] rev (x1; x2) for Prev , we abduce the observations ans (x1; x2) ? ~i [] append (x5; x6; x7) 2 unf A (fans ? rev (x1; x2)g; FiA((Prev ))) for i 2 f?; T g, where: ~ T = x1 $ x6 ^ x2 $ x7 ^ x5 and ~? = x1 $ x6 ^ x7 $ (x2 ^ x5 ). It is easy to observe that for i 2 f?; T g: (i ^ x5 ^ (x6 $ x7)) ! (x1 $ x2 ). Therefore, for any de nition Q of append with semantics fappend (x1; x2; x3) ? x1 ^ (x2 $ x3 ) [] true g and i 2 f?; T g: Q j=f~xi 1 ;x2 g (x1 $ x2)^~i [] append (x5; x6; x7) and, by Theorem 4.7, Prev [Q satis es the observation G a . Note that the standard de nition of append, i.e., fappend (x1; x2; x3) ? (x1 ^ x2 ) $ x3 [] true g satis es the abduced observation for i = T, i.e., (T ^ (x5 ^ x6 ) $ x7 ) ! (x1 $ rev (x1; x2) F?A((Prev ))= rev (x1; x2)

x2 ), while being ? weaker than T , we need a stronger de nition for append to satisfy the observation for i = ?.

Abductive analysis can be used in conjunction with ?-abstraction to reduce the search space for T -stability check. It is known that while T -stable semantics provides a compositionally complete abstract semantics (i.e., with no loss of precision), testing for T -stability is expensive. Indeed, this test is performed by searching over any possible de nition (semantics) for open predicates. The search space is huge, often exponential in the number of arguments of open predicates. Here we propose an improvement by statically restricting by abduction the number of possible semantics that the open predicate can have, according to a given program speci cation. This leads to a notion of relative T-stability, where only a xed number of possible patterns are allowed to be imported from open predicates. In this case, if P is a program module and Q 2 }(AInt ) contains only unit clauses with predicates in open (P ), then TA(P )"n is T-stable with respect to Q i for each Q 2 Q: unf A (TA(P )"n ; Q ) = unf A (TA(P )"(n + 1); Q ). Q can be the result of the abductive analysis on P based on ?-abstraction. Example 7 Consider the program module Prev de ned in Example 6. Let DepV be the domain of dependencies on V . Assume the observation G a =

x1 $ x2 [] rev (x1; x2) on Prev , then ans (x1; x2) ? ~ [] append (x5; x6; x7) 2 unf A (fans ? rev (x1; x2)g; F?A((Prev ))) where ~ = (x1 $ x6 ) ^ x7 $ (x5 ^ x2 ). Denote Q the set of possible de nitions Q for append that satisfy the observation, i.e., Q j=f~x1 ;x2 g ~ ^ (x1 $ x2 ) [] append (x5; x6; x7). Then Q = fappend (x5; x6; x7) ? j 2 Kg where K = fx6 ^ x7; x5 ^ x6 ^ x7; x5 ^ (x7 $ x6 ); x7 ^ (x5 $ x6 )g. It is worth noting that jKj < jDepfx5 ;x6 ;x7 gj, therefore Q provides a restricted search space for possible de nitions of append all leading to a de nition of rev where the rst argument is ground i the second is. A T-stable compositional semantics for Prev can be eciently computed relatively to Q. It is compositional complete with respect to any of the de nitions of append in Q. However, note that because of compositional correctness of ?-abstraction, (i.e., because of the application of Theorem 4.7), Q does not provide (in general) a complete characterization of extensions for Prev such that G a holds.

Theorem 4.7 gives also a characterization of the invariance of module composition with respect to an abstract observation. A module P is invariant with respect to open (P ) for an abstract observation G a i for each extension Q of P : P [ Q j= G a .

Corollary 5.1

Let  [] b be an abstract observation for a module P. If for each ans ? 0 [] g 2 unf A (fans ? bg; F A((P ))): A (0)(b :: g) = A ( 0 )(b :: g) then P is invariant with respect to open (P ) for  [] b.

Example 8 Consider an \insertion sort" routine de ned in terms of the following modules: Psort Pins Pgl

sort([],[]). sort([X|Xs],Ys) :- sort(Xs,Zs),ins(X,Zs,Ys). ins(X,[],X). ins(X,[Y|Ys],[Y|Zs]) :- gt(X,Y),ins(X,Ys,Zs). ins(X,[Y|Ys],[X,Y|Ys]) :- le(X,Y). gt(s(X), X). gt(s(X), Y) :- gt(X, Y). gt(s(X), s(Y)) :- gt(X, Y).

le(X, X). le(X, s(Y)) :- le(X,Y). le(s(X), s(Y)) :- le(X, Y).

The compositional semantics for Psort (ins is open) is obtained in two steps as T-stable semantics. ( ) sort ( x 1 ; x2) ? x1 ^ x2 [] true A FT ((Psort )) = sort (x1; x2) ? (x1 $ x5) ^ (x2 $ x7) ^ x6 [] ins (x5; x6; x7) Given the abstract observation G a = x1 $ x2 [] sort (x1 ; x2), we abduce ans (x1; x2) ? ~ [] ins (x5; x6; x7) where ~ = x1 $ x5 ^ x2 $ x7 ^ x6 . As before, it is easy to observe that the program Pins [ Pgl satis es the abduced observation, i.e., Pins [ Pgl j=f~x1 ;x2 g (x1 $ x2 ) ^ ~ [] ins (x5; x6; x7). By Theorem 4.7, Psort [ Pins [ Pgl satis es the observation G a .

However, notice that Psort [ Pins is invariant with respect to gt and le for the observation (on sort) G a . To prove this invariance, we apply Corollary 5.1. FTA ((Psort [ Pins )) contains the following de nitions for sort:

? x1 $ x2 [] true ? (x1 $ x2 $ x40 ) ^ x50 [] le (x40 ; x50 ) ? (x1 $ x2 $ x40 ) ^ x50 [] gt (x40 ; x50 ) ? (x1 $ x2 $ x40 $ x400) ^ x50 ^ x500 [] gt (x40 ; x50 ); le (x400; x500) For each ans ? 0 [] b 2 unf A (fans ? sort (x1 ; x2)g; FTA((Psort [ Pins ))): 0 = 0 ^ (x1 $ x2 ). Therefore, independently on the de nition Q of gt and le: Psort [ Pins [ Q j= G a . This is enough to conclude that a dierent de nition for gt and le, e.g., Plg [ Pnum de ned below, does not aect the 8 > > > < > > > :

9 > > > =

sort (x1 ; x2) sort (x1 ; x2) sort (x1 ; x2) sort (x1 ; x2)

> > > ;

ground dependency of sort, always giving ground bindings for sort. Plg : gt(s(X),0) :- num(X). Pnum : num(0). gt(s(X),s(Y)) :- gt(X,Y). le(0,Y) :- num(Y). le(s(X),s(Y)) :- le(X,Y).

num(s(X)) :- num(X).

Acknowledgments

The stimulating discussions with Mike Codish, Patrick Cousot, Saumya Debray and Giorgio Levi are gratefully acknowledged. This work has been partly supported by the EEC Human Capital and Mobility individual grant: \Semantic De nitions, Abstract Interpretation and Constraint Reasoning", N. ERB4001GT930817.

References

[1] K. R. Apt. Introduction to Logic Programming. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B: Formal Models and Semantics, pages 495{574. Elsevier, Amsterdam, 1990. [2] R. Barbuti, R. Giacobazzi, and G. Levi. A General Framework for Semanticsbased Bottom-up Abstract Interpretation of Logic Programs. ACM Transactions on Programming Languages and Systems, 15(1):133{181, 1993. [3] A. Bossi, M. Gabbrielli, G. Levi, and M. C. Meo. A Compositional Semantics for Logic Programs. Theoretical Computer Science, 122(1{2):3{47, 1994. [4] M. Bruynooghe. A Practical Framework for the Abstract Interpretation of Logic Programs. Journal of Logic Programming, 10:91{124, 1991. [5] M. Codish, D. Dams, and E. Yardeni. Bottom-up Abstract Interpretation of Logic Programs. Theoretical Computer Science, 124(1):93{126, 1994. [6] M. Codish, S. K. Debray, and R. Giacobazzi. Compositional Analysis of Modular Logic Programs. In Proc. Twentieth Annual ACM Symp. on Principles of Programming Languages, pages 451{464. ACM Press, 1993.

[7] M. Codish, M. Falaschi, and K. Marriott. Suspension Analysis for Concurrent Logic Programs. In K. Furukawa, editor, Proc. Eighth Int'l Conf. on Logic Programming, pages 331{ 345. The MIT Press, Cambridge, Mass., 1991. [8] A. Cortesi, G. File, and W. Winsborough. Prop revisited: Propositional Formula as Abstract Domain for Groundness Analysis. In Proc. Sixth IEEE Symp. on Logic In Computer Science, pages 322{327. IEEE Press, 1991. [9] P. Cousot and R. Cousot. Systematic Design of Program Analysis Frameworks. In Proc. Sixth ACM Symp. Principles of Programming Languages, pages 269{ 282. ACM Press, 1979. [10] S. K. Debray. Ecient Data ow Analysis of Logic Programs. Journal of the ACM, 39(4):949{984, 1992. [11] F. Denis and J.-P. Delahaye. Unfolding, Procedural and Fixpoint Semantics of Logic Programs. In C. Chorut and M. Jantzen, editors, STACS 91, volume 480 of Lecture Notes in Computer Science, pages 511{522. Springer-Verlag, Berlin, 1991. [12] M. Falaschi, G. Levi, M. Martelli, and C. Palamidessi. Declarative Modeling of the Operational Behavior of Logic Languages. Theoretical Computer Science, 69(3):289{318, 1989. [13] M. Gabbrielli, R. Giacobazzi, and D. Montesi. Modular logic programs over nite domains. In D. Sacca, editor, Proc. Eight Italian Conference on Logic Programming, pages 663{678, 1993. Also Technical Report LIX { Ecole Polytechnique LIX/RR/94/04. [14] R. Giacobazzi. Semantic Aspects of Logic Program Analysis. PhD thesis, Dipartimento di Informatica, Universita di Pisa, 1993. TD { 18/93. [15] R. Giacobazzi, S. K. Debray, and G. Levi. A Generalized Semantics for Constraint Logic Programs. In Proceedings of the International Conference on Fifth Generation Computer Systems 1992, pages 581{591, 1992. [16] C.A.R. Hoare, I.J. Hayes, H. Jifeng, C.C. Morgan, A.W. Roscoe, J.W. Sanders, I.H. Sorensen, J.M. Spivey, and B.A. Sufrin. Laws of programming. Comm. of the ACM, 30(8):672{686, 1987. [17] J. Jaar and J.-L. Lassez. Constraint Logic Programming. In Proc. Fourteenth Annual ACM Symp. on Principles of Programming Languages, pages 111{119. ACM Press, 1987. [18] A.C. Kakas, R.A. Kowalski, and F. Toni. Abductive Logic Programming. Journal of Logic and Computation, 2(6):719{770, 1993. [19] G. Levi. Models, Unfolding Rules and Fixpoint Semantics. In R. A. Kowalski and K. A. Bowen, editors, Proc. Fifth Int'l Conf. on Logic Programming, pages 1649{1665. The MIT Press, Cambridge, Mass., 1988. [20] K. Marriott and H. Sndergaard. Bottom-up Data ow Analysis of Normal Logic Programs. Journal of Logic Programming, 13(2 & 3):181{204, 1992. [21] D. Poole. A logical framework for default reasoning. Arti cial Intelligence, 36:27{47, 1988.