The Journal of Logic Programming 39 (1999) 125-176
ELSEVIER

Verification of logic programs
Dino Pedreschi *, Salvatore Ruggieri
Dipart. di Informatica, Università di Pisa, Corso Italia 40, 56100 Pisa, Italy
Received 10 February 1997; received in revised form 31 August 1998; accepted 11 September 1998
Abstract
We present a proof method in the style of Hoare's logic, aimed at providing a unifying framework for the verification of total correctness of logic and Prolog programs. The method, which relies on purely declarative reasoning, has been designed as a trade-off between expressiveness and ease of use. On the basis of a few simple principles, we reason uniformly on several properties of logic and Prolog programs, including partial correctness, call patterns, absence of run-time errors, safe omission of the occur-check, computed instances, termination and modular program development. We finally generalize the method to general programs. © 1999 Elsevier Science Inc. All rights reserved.
Keywords: Verification; Proof theory; Logic programs; Prolog; Correctness; Total correctness; Partial correctness
1. Introduction
The family of logic programming languages is advocated as an ideal support to declarative programming - an endeavor where programmers write specifications that can be directly used as programs. This ideal situation, however, is usually contradicted by practical experience. On the one hand, direct execution of specifications may be hopelessly inefficient, and, on the other hand, logic programming systems often exhibit slightly different semantics. For these reasons, declarative programs may fail to terminate, may end in run-time errors, may deliver unexpected output, may behave differently in different implementations. It is therefore important to assess the correctness of a logic program with respect to its specification, or intended interpretation: a problem that has received particular attention in the recent years, as witnessed by the body of research cited in the Related Work section. Many proof methods and techniques have been put forward to address the various verification issues, including: (i) partial correctness,
* Corresponding author. Tel.: +39 050 887…; fax: +39 050 887226; e-mail: pedre@di.unipi.it
0743-1066/99/$ - see front matter © 1999 Elsevier Science Inc. All rights reserved. PII: S0743-1066(98)10035-3
(ii) characterization of call patterns, (iii) characterization of correct and computed instances, (iv) universal termination, (v) absence of type and run-time errors, (vi) safe omission of the occur-check, (vii) modular program development. However, no comprehensive framework has been proposed, capable of addressing the various verification issues within a single proof theory on the basis of a few simple, unifying principles. For instance, Apt's book [8] presents a number of different techniques, each devoted to the analysis of specific issues by means of specific tools. A striking comparison naturally arises with imperative programming, where Hoare's logic thoroughly encompasses verification of sequential programs, and provides the basis for verifying concurrent and distributed programs (see e.g. Apt and Olderog [12]). This paper introduces a proof theory designed as a candidate unifying framework for the verification of logic programs. The starting point of the research reported in this paper has been the recognition of a few core principles, common to several existing proof methods for logic programs. On this basis, a thorough proof theory has been developed, capable of addressing a reasonably large spectrum of properties for a reasonably large class of programs. The spectrum of properties is (i-vii) above, whereas the class of programs is that of logic programs, possibly with negation and arithmetic built-in's, which are designed to be executed according to a fixed selection rule. As a consequence, the proposed proof theory is general enough to encompass verification of Prolog programs.
The proof theory is based on Hoare's style triples {Pre} P {Post} which, for a logic program P, specify the admissible input and expected output by means of pre- and postconditions. Although the logic programming version of a triple is defined on purely logical terms, it can be readily applied to reason about operational and run-time properties, thus abstracting away from the subtleties of the procedural interpretation of logic programming - unification and the logical variable, the search strategy, to mention a few. In this sense, the proposed verification method is carefully designed as a compromise between generality and expressiveness from the one side, and ease of use from the other side. Technically speaking, the proof theory is obtained as a combination of (modifications of) existing proposals: the proof method for partial correctness of Bossi and Cocco [16], and the proof method for termination of Apt and Pedreschi [13]. The advantage of this operation is that the expressiveness of the combined method strictly exceeds the expressiveness of the separated methods both from a theoretical and a practical perspective. From a theoretical perspective, the classes of programs and properties addressed by the combined method are strictly larger than those of the separated methods. This claim is substantiated in the related work section. From a practical perspective, the combined method supports shorter and simpler proofs, with respect to the separated methods. In fact,
fewer proof obligations are required in the combined method, and reasoning is performed in purely logical terms - or, in the logic programming jargon, at the level of ground objects - abstracting away from the complications of the logical variable. On the basis of the above discussion, the original contribution of this paper is the introduction of a proof relation ⊢_t {Pre} P {Post} for total correctness, capable of addressing properties (i-vii) for logic programs with negation and arithmetic built-in's. For obvious reasons of presentation, the ⊢_t proof method is introduced in an incremental way, by a stepwise definition of increasingly higher levels of verification, from a weak form of partial correctness up to full-fledged total correctness. This is a standard presentation style adopted in many textbooks on Hoare's logic for imperative programming, such as Ref. [12]. It is worth noting that certain fragments of the proposed method are not new, as discussed in Section 6. However, the complete method is new both in the spectrum of addressed properties and in the class of addressed programs.
1.1. Plan of the paper
In Section 2, we discuss which notions of semantics and specifications are appropriate for program verification, and adopt a variant of the least Herbrand model semantics. The proof method based on triples is introduced in Section 3. We show how to reason about modular proofs, correctness, call patterns, correct and computed instances, and termination. In Section 4, we discuss refinements of the proof method to deal with arithmetic built-in's and modular program development, and some results on the safe omission of the occur-check, verification of meta-interpreters and decidability issues. Finally, in Section 5,
the method is extended to reason on general logic programs.
1.2. Notation
A word on terminology is in order. Throughout the paper we use the standard notation of logic programming, as in Refs. [7,41], unless specified otherwise. In particular, we use queries instead of goals. LD(NF)-resolution is SLD(NF)-resolution with the leftmost selection rule. A language L is a pair (Σ_L, Π_L) of (not necessarily disjoint) sets of function and predicate symbols. To each symbol a non-negative arity is assigned. Ambivalent syntax is allowed, in the sense that function and predicate symbols may overlap [40]. We consider a fixed language L in which programs and queries are written; in other words, all the results are parametric with respect to L, provided L is rich enough to contain every symbol of the programs and queries under consideration. Atom_L is the set of atoms on the language L, U_L the Herbrand universe of L, and B_L is the Herbrand base of L. L_P is the language generated by the program P. B_P is an abbreviation for B_{L_P}. By M_P^L we denote the least Herbrand model of P with L as the underlying language. FF_P^L is the finite failure set of P, and the complement of FF_P^L is B_L \ FF_P^L. An atom is called pure if it is of the form p(x_1, ..., x_n) where x_1, ..., x_n are different variables. rel(A) denotes the predicate symbol of the atom A.
We write A ← B_1, ..., B_n ∈ ground_L(P) iff A ← B_1, ..., B_n is a ground instance of a clause from P. Given a Herbrand interpretation I and a query Q we write I ⊨ Q if I is a model of Q. In particular, if A is a ground atom then I ⊨ A iff A ∈ I. Finally, T_P is the classical immediate consequence operator defined as follows:
T_P(I) = { A ∈ B_L | ∃ A ← B_1, ..., B_n ∈ ground_L(P) : I ⊨ B_1, ..., B_n }.
We adopt the Prolog notation when writing lists. For α ⊆ U_L, List(α) denotes the set of ground lists whose elements belong to α. GList is the set of ground lists, i.e. List(U_L). The list-length function |.| from ground terms into natural numbers is defined as follows: |f(...)| = 0 if f is not the list constructor symbol [.|.], and |[x|t]| = |t| + 1 otherwise.
The following assumptions on notation will be useful:
• an identifier with lower-case initial letter, such as x, y, z, xs, ys, zs, is a meta-variable for ground terms;
• an identifier with upper-case initial letter, such as X, Y, Z, Xs, Ys, Zs, is a meta-variable for (not necessarily ground) terms;
• symbols and expressions from the underlying language L are written in the typewriter style, such as member(x), X, Xs, Y.
With these assumptions, x is a ground term, X a term, and X (in typewriter style) a logic variable.
2. Declarative programming
2.1. Which semantics for program verification?
Of course, when verifying a logic program P, it would be helpful to use its declarative semantics. However, several declarative semantics have been proposed as promising alternatives to the least Herbrand model M_P (also known as M-semantics) for supporting program verification in a natural way. Among the others, we mainly focus on two of them, namely the C-semantics of Falaschi et al. [35] (also known as the least term model of Clark [22]) and the S-semantics of Falaschi et al. [18,34].
Definition 2.1. For a logic program P we define:
M(P) = { A ∈ B_L | P ⊨ A },
C(P) = { A ∈ Atom_L | P ⊨ A },
S(P) = { A ∈ Atom_L | A is a computed instance of a pure atom }.
In Apt et al. [9], the relative information ordering of the three semantics is studied and the semantics are related to each other with the claim that for a large class of programs and properties one can restrict to consider only the simple M-semantics. Under certain conditions, the C- and S-semantics can be reconstructed starting from the least Herbrand model. Therefore, M-semantics seems to be a good trade-off between expressiveness, abstraction and complexity of use in paper & pencil proof methods. Then, a natural approach consists of considering M_P as the intended specification; therefore, the verification of a program is viewed as checking that the intended specification of the program and its least Herbrand model do coincide. This approach, however, turns out to be inadequate: strangely enough, the least Herbrand model semantics is not sufficiently abstract. In fact, the absence of types implies that the least Herbrand model is generally polluted with unintended atoms. Consider the APPEND program taken from Sterling and Shapiro [54]:
append(Xs, Ys, Zs) ← Zs is the concatenation of lists Xs and Ys.
append([], Xs, Xs).
append([X|Xs], Ys, [X|Zs]) ← append(Xs, Ys, Zs).
APPEND is intuitively correct with respect to its specification but (if there are sufficiently many symbols in the language) its intended interpretation is not a model of the program.
In fact, in the least Herbrand model unintended atoms appear, such as append([], foo, foo). For efficiency reasons run-time type checks are dropped. As a consequence, reasoning about the whole least Herbrand model implies having to take into account ill-typed atoms, thus making the specification complex and counter-intuitive. This problem becomes much harder in modular program development, since adding more symbols to the language in the upper modules entails changing the least Herbrand model of lower modules, and hence their correctness properties. A clear point emerges from the previous discussion: a semantics for verification should take the intended or well-typed queries into account.
2.2. Specifications and semantics
Following a Hoare's logic style of defining partial and total correctness, we stipulate that a specification is a pair (Pre, Post) of Herbrand interpretations, i.e., subsets of B_L. The rationale under this choice is the following. The first interpretation, Pre, specifies the intended, or well-typed one-atom queries, i.e., those queries for which we designed the program under consideration. The second interpretation, Post, specifies some desired property of successful one-atom queries. In this sense, a specification (Pre, Post) describes the input-output behavior of a logic program, in a way that closely resembles that in Hoare's logic, where preconditions specify the admissible input, and postconditions specify (properties of) the expected output. Here, preconditions specify the admissible input queries, and postconditions specify the expected output, namely properties of the correct instances of the input queries. According to this choice, the well-typed fragment of the least Herbrand model is M_P ∩ Pre. We are now ready to define our notions of (weak) partial and (weak) total correctness.
Definition 2.2. Let P be a logic program.
• P is partially correct w.r.t. a specification (Pre, Post) iff M_P ∩ Pre = Post.
• P is totally correct w.r.t. a specification (Pre, Post) iff M_P ∩ Pre = Post and Pre ⊆ M_P ∪ FF_P^L, where FF_P^L is the finite failure set of P.
In addition, P is weak partially or weak totally correct if the weaker requirement M_P ∩ Pre ⊆ Post holds instead of M_P ∩ Pre = Post.
As a consequence of this definition, partial correctness of a program P w.r.t. a specification (Pre, Post) entails that Post coincides with the well-typed fragment of M_P. As usual, the difference between partial and total correctness is that, in the latter case, we also require a weak form of termination, namely that every query in Pre either succeeds or (finitely) fails. Although Pre is a set of ground atoms, it should be stressed that admissible queries are not required to be necessarily ground. We shall devise proof methods to reason about any atomic query Q such that Pre ⊨ Q, namely any query true in Pre, or equivalently, any query whose instances are included in Pre. It should be noted that both partial and total correctness are defined in purely declarative terms, as the sets M_P and FF_P^L can be constructed without reference to the procedural interpretation of logic programming [8,41]. In addition to the mentioned declarative notions, the mechanism of pre- and post-conditions is suitable
to deal with the operational notion of call pattern characterization. In other words, we require that every atom selected during a derivation starting from an intended query is fully characterized by Pre. In such a case, Pre can be used to specify certain desired run-time properties, ranging from persistency of types up to absence of run-time errors, safe omission of the occur-check and, for general programs, non-floundering. As an example, the APPEND program is intuitively totally correct w.r.t. the specification:
Pre_APPEND = { append(xs, ys, zs) | xs, ys ∈ GList },
Post_APPEND = { append(xs, ys, zs) | xs, ys ∈ GList ∧ zs = xs * ys },
where * is the list concatenation operator. Moreover, Pre_APPEND characterizes the call patterns of the queries where append is called with the first two arguments filled in with (not necessarily ground) lists. Notice that the weak version of either notion of correctness entails that Post specifies some property of M_P ∩ Pre. For instance, the APPEND program is weak totally correct w.r.t. (Pre_APPEND, Post), where:
Post = { append(xs, ys, zs) | |zs| = |xs| + |ys| }
and |.| is the list-length function. Therefore, a postcondition in the sense of the weak correctness describes a property of every correct instance of an intended query. It is worth noting that the definitions of (weak) partial and (weak) total correctness are stated in full general terms. As a consequence of our commitment to the study of fixed selection rules, universal termination and call pattern characterization, the resulting proof method is a sufficient method for the notions of correctness mentioned above. Once again, our objective is to design a method that is a trade-off between expressiveness (i.e., the class of programs and properties it is able to reason about) and ease of use in paper & pencil proofs.
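The following Python script is an added example, not code from the paper: it computes the least Herbrand model M_P of APPEND bottom-up, as the least fixpoint of the immediate consequence operator T_P of Section 1.2, over a finite sample of the Herbrand universe constructed here (the constants a and foo and the ground lists over them of length at most 3; improper lists such as [a|foo] are left out). With Pre_APPEND, Post_APPEND and the weaker length postcondition of Section 2.2 encoded as characteristic functions, it exhibits the pollution discussed in Section 2.1 (append([], foo, foo) ∈ M_P, so the intended interpretation is not a model of the program) and checks Definition 2.2 on the sample: the well-typed fragment M_P ∩ Pre_APPEND coincides with Post_APPEND and is contained in the weaker Post. The representation (constants as strings, ground lists as tuples, atoms as tuples) and the bound on list length are assumptions of this example.

```python
"""Least Herbrand model of APPEND as the least fixpoint of T_P over a
finite, constructed sample of the Herbrand universe (added example)."""
from itertools import product

CONSTS = ('a', 'foo')
MAX_LEN = 3
# Constructed sample of U_L: the constants plus the ground lists over them.
UNIVERSE = frozenset(CONSTS) | frozenset(
    tuple(p) for k in range(MAX_LEN + 1) for p in product(CONSTS, repeat=k))


def is_glist(t):
    """t ∈ GList (ground lists are modelled as tuples)."""
    return isinstance(t, tuple)


def length(t):
    """The list-length function |.| of Section 1.2."""
    return len(t) if is_glist(t) else 0


def tp(interp):
    """T_P(I) for APPEND: heads of the ground clause instances inside the
    sample universe whose body atoms are all true in I."""
    result = set()
    for t in UNIVERSE:                        # append([], Xs, Xs).
        result.add(('append', (), t, t))
    for _, xs, ys, zs in interp:              # append([X|Xs], Ys, [X|Zs]) <- append(Xs, Ys, Zs).
        if not (is_glist(xs) and is_glist(zs)):
            continue                          # [X|foo] is outside the sample universe
        for x in CONSTS:
            head = ('append', (x,) + xs, ys, (x,) + zs)
            if head[1] in UNIVERSE and head[3] in UNIVERSE:
                result.add(head)
    return result


def least_model():
    """M_P: iterate T_P from the empty interpretation up to its fixpoint."""
    interp = set()
    while True:
        nxt = tp(interp)
        if nxt == interp:
            return interp
        interp = nxt


def is_model(interp):
    """A Herbrand interpretation is a model of P iff it is closed under T_P."""
    return tp(interp) <= interp


def pre_append(atom):
    """Pre_APPEND: the first two arguments are ground lists."""
    return is_glist(atom[1]) and is_glist(atom[2])


def post_append(atom):
    """Post_APPEND: well-typed and the third argument is the concatenation."""
    return pre_append(atom) and atom[3] == atom[1] + atom[2]


def post_weak(atom):
    """The weaker postcondition |zs| = |xs| + |ys| of Section 2.2."""
    return length(atom[3]) == length(atom[1]) + length(atom[2])


def intended_interpretation():
    """Post_APPEND restricted to the sample universe."""
    return {('append', xs, ys, xs + ys)
            for xs in UNIVERSE if is_glist(xs)
            for ys in UNIVERSE if is_glist(ys) and xs + ys in UNIVERSE}


def ill_typed_atoms(interp):
    """Atoms of an interpretation that lie outside Pre_APPEND."""
    return {a for a in interp if not pre_append(a)}


def well_typed_fragment(interp):
    """M_P ∩ Pre_APPEND when applied to the least model."""
    return {a for a in interp if pre_append(a)}


if __name__ == "__main__":
    m = least_model()
    print(len(m), "atoms in M_P,", len(ill_typed_atoms(m)), "of them ill-typed")
    print("append([], foo, foo) in M_P:", ('append', (), 'foo', 'foo') in m)
    print("intended interpretation is a model:", is_model(intended_interpretation()))
    print("M_P ∩ Pre = Post_APPEND:", well_typed_fragment(m) == intended_interpretation())
    print("M_P ∩ Pre ⊆ weak Post:", all(post_weak(a) for a in well_typed_fragment(m)))
```

Enlarging the constant set or MAX_LEN only adds more ill-typed atoms to M_P; the well-typed fragment keeps coinciding with Post_APPEND, which is exactly why the paper specifies programs through (Pre, Post) rather than through the whole least Herbrand model.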
3. Proof theory
3.1. The proof method
We now introduce a proof method for the various notions of correctness, by means of the concept of (Hoare's logic style) triples {Pre} P {Post} (for programs P) and {Pre} Q {Post} (for queries Q). Triples are the basic tools to prove correctness. The proof method essentially consists in the definition of a proof relation ⊢_t for triples, which, as we will show later, provides a tool for reasoning about (weak) total correctness. As discussed in the introduction, we shall study ⊢_t in an incremental way, by considering first a sub-relation ⊢ on triples, which provides a tool for reasoning about (weak) partial correctness. The next key definition introduces both proof relations, ⊢_t and ⊢, by explaining the proof obligations needed to prove a triple in either sense. First, we recall from Bezem [14] the notion of level mapping (on a language L).
Definition 3.1. A level mapping (on L) is a function |.| : B_L → N of ground atoms to natural numbers.
Definition 3.2. Consider a program P, a query Q, and a specification (Pre, Post). We write:
• ⊢_t {Pre} P {Post} iff there exists a level mapping |.| such that for every A ← B_1, ..., B_n ∈ ground_L(P):
  (1) for i ∈ [1, n]: Pre ⊨ A ∧ Post ⊨ B_1, ..., B_{i-1} ⇒ (1a) Pre ⊨ B_i and (1b) |A| > |B_i|;
  (2) Pre ⊨ A ∧ Post ⊨ B_1, ..., B_n ⇒ Post ⊨ A.
  We write ⊢ {Pre} P {Post} when (1a) and (2) hold. Pre is called a precondition and Post a postcondition.
• ⊢ {Pre} Q {Post} iff for every ground instance A_1, ..., A_n of Q:
  (3) for i ∈ [1, n]: Post ⊨ A_1, ..., A_{i-1} ⇒ Pre ⊨ A_i.
• ⊢_t {Pre} Q {Post} iff there exist a level mapping |.| and k ∈ N such that for every ground instance A_1, ..., A_n of Q:
  (4) for i ∈ [1, n]: Post ⊨ A_1, ..., A_{i-1} ⇒ Pre ⊨ A_i ∧ k > |A_i|.
Intuitively, for a clause C in ground_L(P) there are n + 1 proof obligations to conclude that the relation ⊢ {Pre} P {Post} holds:
1. each atom B in the body of C is in Pre when the head of C is in Pre and all the atoms to the left of B in the body of C are in Post;
2. the head of C is in Post when it is in Pre and all the atoms in the body of C are in Post.
In the case of ⊢_t {Pre} P {Post} the decreasing of the level mapping is also required, i.e. the level mapping plays the role of a termination function. Strictly speaking, the level mapping has to be defined only on the precondition Pre. The left-to-right propagation of assumptions in proof obligations is biased by the left-to-right evaluation strategy of Prolog, in the sense that we require that a body atom is ready to be executed (i.e., it is in Pre) when the atoms to its left have been already executed (i.e., they are in Post). However, the presented notion is purely declarative, and no procedural intuition is needed to carry on the proof obligations. Moreover, we observe that the proof method applies to arbitrary fixed selection rules other than leftmost's by simply considering permutations of the body atoms. Proving that a triple is in the relation ⊢ or ⊢_t for a given program or query involves reasoning on their ground instances only. Basically, the definition provides a standard way for lifting up the results to non-ground queries. The advantage is that this lifting is made a posteriori. Finally, we point out that Definitions 3.2 (3,4) for a query Q are derived from Definitions 3.2 (1,2) by considering the program ans ← Q, where ans is a fresh predicate.
This follows from the following useful relation, which is immediate from Definition 3.2 (1,2): for ⊢ {Pre} P {Post} and A ← B_1, ..., B_n ∈ ground_L(P),
  A ∈ Pre implies ⊢ {Pre} B_1, ..., B_n {Post}.
As explained in the introduction, the ultimate goal of this paper is to show that the relation ⊢_t yields a proof theory for total correctness of (general) logic programs. The study of relation ⊢_t is performed by means of some intermediate steps. First, we study how the subrelation ⊢ allows us to reason on (weak) partial correctness and to characterize call patterns; second, we study how ⊢ allows us to characterize correct and computed instances of intended queries; and finally, we study how the ⊢_t relation completes the picture by dealing with termination.
3.1.1. Example: preorder tree traversal
As an example to clarify the form of the needed proof obligations, consider the program PREORDER:
preorder(T, Ls) ← Ls is a preorder traversal of the binary tree T
(p1) preorder(nil, []).
(p2) preorder(leaf(X), [X]).
(p3) preorder(tree(X, Left, Right), Ls) ← preorder(Left, As), preorder(Right, Bs), append([X|As], Bs, Ls).
augmented with the APPEND program. The set of ground binary trees Tree(α, β) whose leaves belong to α ⊆ U_L and intermediate nodes belong to β ⊆ U_L is defined by the grammar:
Tree ::= nil | leaf(α) | tree(β, Tree, Tree)
For instance, if α = {0, 1, 2, ...} and β = {+, -, *, ...}, we have that Tree(α, β) is the set of syntax trees defining arithmetic expressions on natural numbers. We denote by ||t|| the number of nodes of a tree t, defined as follows:
||leaf(x)|| = 1,
||tree(x, l, r)|| = ||l|| + ||r|| + 1,
||t|| = 0 otherwise.
Intuitively, an intended use of PREORDER is to compute the preorder traversal of a given tree. This is formally expressed by defining:
Pre_PREORDER = { preorder(t, ls) | t ∈ Tree(α, β) } ∪ Pre_APPEND
or, in a more intuitive representation:
Pre_PREORDER = preorder(Tree(α, β) × U_L) ∪ append(GList × GList × U_L).
This precondition allows us to concentrate on the relevant input queries, abstracting away from ill-typed information which is present in the least Herbrand model of PREORDER, such as the unintended atom preorder(tree(0, leaf([]), leaf(nil)), [0, [], nil]).
Indeed, a complete characterization of M_PREORDER is much more laborious than simply reasoning on correctness and termination of atoms in Pre_PREORDER. A candidate level mapping is:
|preorder(t, ls)| = ||t|| + 1,
|append(xs, ys, zs)| = |xs|.
The +1 adjustment is needed to satisfy the required proof obligations, but, as shown later in Section 4.2, the method can be refined to avoid this complication. Finally, we define the postcondition, which reflects the intended interpretation of PREORDER:
$$Post_{\mathrm{PREORDER}} = \{\, preorder(t, ls) \mid t \in Tree(\alpha, \beta) \wedge ls \text{ is a preorder traversal of } t \,\} \cup Post_{\mathrm{APPEND}}.$$
We are now in the position to prove $\vdash_t \{Pre_{\mathrm{PREORDER}}\}$ PREORDER $\{Post_{\mathrm{PREORDER}}\}$, by showing the proof obligations of Definition 3.2. For clause (p1), we have to show that if preorder(nil, []) is in the precondition then it is in the postcondition as well, which is obvious. The reasoning on (p2) and on the clauses of APPEND is also immediate. Let us concentrate on clause (p3), and consider a ground instance:

preorder(tree(x, left, right), ls) ← preorder(left, as), preorder(right, bs), append([x|as], bs, ls).

Assume that the head is in the precondition, i.e. that $x \in \beta$ and $left, right \in Tree(\alpha, \beta)$. By definition of $Pre_{\mathrm{PREORDER}}$,

... that for every $A \in T_P \uparrow i \cap Pre$ there exists $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$ such that: $\forall i \in [1, n]: Post \models B_i \wedge |A| > |B_i|$.
The base case is trivial, since $T_P \uparrow 0 = \emptyset$. Let $A$ be in $T_P \uparrow i \cap Pre$. If $A \in T_P \uparrow (i-1)$ then the conclusion follows from the inductive hypothesis. On the contrary, let $A$ be in $T_P \uparrow i \setminus T_P \uparrow (i-1) \cap Pre$. By definition of $T_P$, there exists $A \leftarrow B_1, \ldots, B_n$ in $ground_L(P)$ such that
$$T_P \uparrow (i-1) \models B_1, \ldots, B_n. \qquad (1)$$
We now observe that, by Theorem 3.9, $Post \supseteq M_P \cap Pre \supseteq T_P \uparrow (i-1) \cap Pre$. Since $\vdash \{Pre\}\ P\ \{Post\}$ holds, by a simple induction on $n$, this and (1) imply $Post \models B_1, \ldots, B_n$. In addition, $A \in T_P \uparrow i \setminus T_P \uparrow (i-1)$ implies that for $k \in [1, n]$
$$|A| = i > i - 1 \geq |B_k|.$$
(ii) We only show that $Post \cap Pre \subseteq M_P$, as the converse inclusion follows directly from Theorem 3.9. Consider $A \in Post \cap Pre$ and a maximal tree $T$ such that:
• $A$ is the root;
• if $B$ is a node such that $B \in Post \cap Pre$ and $B_1, \ldots, B_n$ are its children then $B \leftarrow B_1, \ldots, B_n \in ground_L(P)$ and
$$Post \models B_1, \ldots, B_n \ \wedge\ |B| > \max_{i=1}^{n} |B_i|.$$
Since $W$ is well-founded, there is no infinite branch; by the König lemma, the tree is finite. Since $\vdash \{Pre\}\ P\ \{Post\}$ and $A \in Pre$, it is readily checked by induction that every atom in $T$ is in $Post \cap Pre$. If a leaf $B$ is not a ground instance of a fact in $P$, then, by hypothesis, there exists $B \leftarrow B_1, \ldots, B_n$ in $ground_L(P)$ such that $Post \models B_1, \ldots, B_n$ and $|B| > \max_{i=1}^{n} |B_i|$, thus $T$ is not maximal. In conclusion, $T$ is a proof tree for $A$ (see [22]), which implies $A \in M_P$. □

As a final observation, we point out that when $\vdash \{Pre\}\ P\ \{Post\}$ holds, then $sp(P, Pre)$ is well-supported. In fact, by Theorem 3.10 $\vdash \{Pre\}\ P\ \{sp(P, Pre)\}$ holds, and $sp(P, Pre) \cap Pre = sp(P, Pre)$. Thus, we are in the hypothesis of Theorem 3.12.
3.4.1. Proof outlines

Proving weak partial correctness is handy, as the task can be carried out using the proof outlines. In contrast, Definition 3.7 may seem intricate and difficult to handle. Fortunately, it has a straightforward interpretation in terms of proof outlines.

Definition 3.8. A proof outline for a clause $A_0 \leftarrow A_1, \ldots, A_n$, a function $|\ | : B_L \to W$ into a well-founded poset $(W, <)$ and $Pre$, $Post$, is a labeled clause of the form:

$\{g\}\ \{t_0\}\ A_0 \leftarrow$
$\quad \{t_1\}\ A_1\ \{f_1\},$
$\quad \ldots$
$\quad \{t_{n-1}\}\ A_{n-1}\ \{f_{n-1}\},$
$\quad \{t_n\}\ A_n\ \{f_n\}.$

where $t_i$ for $i \in [0, n]$ and $f_i$, $g$ for $i \in [1, n]$ are, respectively, expressions over $W$ and assertions (in some formal logic), such that every ground instance of the following proof obligations holds:
(i) for $i \in [0, n]$: $g \Rightarrow t_i = |A_i|$,
(ii) for $i \in [1, n]$: $g \wedge f_i \Rightarrow A_i \in Post$,
(iii) for $i \in [1, n]$: $g \Rightarrow f_i \wedge t_0 > t_i$.
The assertion $g$ expresses a relation among the variables of the clause in such a way that for every ground instance of the proof outline if the instance of $g$ holds then $A_i \in Post \wedge |A_0| > |A_i|$. The use of the auxiliary assertions $f_i$'s is not strictly necessary, albeit useful in constructing proof outlines. Next, in order to prove that $Post$ is well-supported w.r.t. $P$ and $Pre$ we have to show that there exist proof outlines for (instances of) clauses from $P$ and a function $|\ | : B_L \to W$ such that every atom $A$ in $Post \cap Pre$ is a ground instance of some head atom in a proof outline and the assertion associated with the head holds.
3.4.2. Example: lexicographic ordering

As an example, consider the following program LEXORD, specifying a lexicographic ordering relation over pairs of natural numbers.
(II)
… m is selected and $n$, $m$ are not gae's. This is the procedural semantics of > in Prolog. A similar operational semantics is given for <, =<, =\=, >=, whereas for is only the second argument is required to be a gae. Unfortunately, as discussed by Apt [8], it is not possible to reason in a declarative way on run-time arithmetic errors within the logic programming theory. In particular, the Lifting Lemma does not hold for programs with arithmetic. Consider now the program PART

part(X, [Y|Xs], [Y|Ls], Bs) ← X > Y, part(X, Xs, Ls, Bs).
part(X, [Y|Xs], Ls, [Y|Bs]) ← X =< Y, part(X, Xs, Ls, Bs).
part(X, [], [], []).

for partitioning a list of gae's, and suppose that $\vdash \{Pre\}$ PART $\{Post\}$ holds for some $Pre$, $Post$. By Corollary 3.1 (i), for every selected atom $A$, we have that $Pre \models A$. This suggests us a simple condition to prevent the selection of ill-typed arithmetic atoms, consisting of imposing that if $Pre \models A$ holds for an arithmetic atom $A$ then $A$ is correctly typed. For instance, if $n > m$ is selected and $Pre$ coincides on >-atoms with the set
$$Pre_{>} = \{\, n > m \mid n, m \in Gae \,\},$$
then $Pre \models n > m$ implies that $n$, $m$ are gae's, under the weak hypothesis that there exists at least one symbol $f$ in $\Sigma_L$ that does not belong to $\Sigma_{ar}$. In fact, we notice that $n > m$ is ground, otherwise by instantiating the variables of $n$, $m$ with a ground term containing $f$ we get two terms that are not gae's. Since $n > m$ is ground, we have that $n > m \in Pre$ and then $n$, $m$ are gae's. We reason analogously for the other arithmetic atoms, except for is, for which:
$$Pre_{is} = \{\, t \text{ is } m \mid m \in Gae \,\}.$$
Considering again PART, we define the pre- and postconditions as follows:
$$Pre_{\mathrm{PART}} = Pre_{>} \cup Pre_{\leq} \cup \{\, part(x, xs, ls, bs) \mid x \in Gae \wedge xs \in List(Gae) \,\},$$
$$Post_{\mathrm{PART}} = Post_{>} \cup Post_{\leq} \cup \{\, part(x, xs, ls, bs) \mid x \in Gae \wedge xs, ls, bs \in List(Gae) \wedge ls <x> bs \,\}.$$
By $ls <x> bs$ we mean that every element in the list $ls$ (resp., $bs$) is smaller (resp., greater or equal) than $x$. It is readily checked that $\vdash \{Pre_{\mathrm{PART}}\}$ PART $\{Post_{\mathrm{PART}}\}$. Therefore, when an arithmetic atom $n > m$ is selected in a LD-derivation for PART and a query $Q$ such that $\vdash \{Pre_{\mathrm{PART}}\}\ Q\ \{Post_{\mathrm{PART}}\}$, we have that
$$Pre_{>} \models n > m. \qquad (2)$$
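As an added example (not code from the paper), the following Python model makes the argument behind (2) executable for PART: gae's are modelled as Python integers, any other term (an atom such as foo, or an unbound variable written as an upper-case name) is not a gae, and selecting a comparison on a non-gae models the Prolog run-time error. A call admitted only when its atom lies in $Pre_{\mathrm{PART}}$ never selects an ill-typed arithmetic atom, and the computed lists satisfy $ls <x> bs$; the same query without the precondition check hits the error. The sample queries are constructed here.

```python
# Added example, not from the paper: the run-time-error argument for PART made
# executable.  Ground arithmetic expressions (gae's) are modelled as ints; any
# other term (an atom such as 'foo', or an unbound variable 'X') is not a gae,
# and selecting a comparison on it models the Prolog run-time error.

class PrologArithmeticError(Exception):
    """Raised when n > m or n =< m is selected with n or m not a gae."""

def is_gae(t):
    return isinstance(t, int) and not isinstance(t, bool)

def in_pre_part(x, xs):
    """Pre_PART restricted to part-atoms: x in Gae and xs in List(Gae)."""
    return is_gae(x) and isinstance(xs, list) and all(is_gae(e) for e in xs)

def select(op, n, m, trace):
    """Selection of the arithmetic atom `n op m`; trace records every atom selected."""
    trace.append((op, n, m))
    if not (is_gae(n) and is_gae(m)):
        raise PrologArithmeticError((op, n, m))
    return n > m if op == '>' else n <= m

def part(x, xs, trace):
    """LD-computation of part(x, xs, Ls, Bs) under Prolog's clause order,
    returning the computed (ls, bs)."""
    if not xs:                                  # part(X, [], [], []).
        return [], []
    y, rest = xs[0], xs[1:]
    if select('>', x, y, trace):                # first clause: X > Y
        ls, bs = part(x, rest, trace)
        return [y] + ls, bs
    select('=<', x, y, trace)                   # second clause, after backtracking: X =< Y
    ls, bs = part(x, rest, trace)
    return ls, [y] + bs

def guarded_call(x, xs):
    """A query admitted only if its atom lies in Pre_PART.  Returns
    ('ill-typed', None) when the precondition rejects it, otherwise
    ('ok', (ls, bs)) after checking that every selected arithmetic atom was
    ground and well typed, as (2) promises, and that ls < x > bs holds."""
    if not in_pre_part(x, xs):
        return ('ill-typed', None)
    trace = []
    ls, bs = part(x, xs, trace)
    assert all(is_gae(n) and is_gae(m) for _, n, m in trace)   # every atom in Pre_> / Pre_=<
    assert all(e < x for e in ls) and all(e >= x for e in bs)  # Post_PART: ls < x > bs
    return ('ok', (ls, bs))

def unguarded_call_errors(x, xs):
    """The same query without the precondition check: True if Prolog would
    raise a run-time error on some selected arithmetic atom."""
    try:
        part(x, xs, [])
        return False
    except PrologArithmeticError:
        return True
```

The precondition check is a single predicate on the query; once it passes, no further check is needed on the arithmetic atoms because, as the text argues, their arguments are already ground gae's by the time they are selected.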
As discussed, this implies that $n$, $m$ are gae's and a fortiori that the LD-derivation does not end in an error. We generalize this reasoning by means of the following definition.

Definition 4.1. Let $P$ be a program with arithmetic, and $L$ such that $\Sigma_L \setminus \Sigma_{ar} \neq \emptyset$. We write $\vdash \{Pre\}\ P\ \{Post\}$ iff $\vdash \{Pre\}\ P\ \{Post\}$ holds for $P$ as a logic program, and for every arithmetic predicate $op$ appearing in $P$, the sets of $op$-atoms in $Pre$ and in $Post$ coincide with $Pre_{op}$ and $Post_{op}$, respectively.

Under the hypothesis of Definition 3.2, we can show absence of run-time errors.

Lemma 4.1. Assume that $\vdash \{Pre\}\ P\ \{Post\}$ and $\vdash \{Pre\}\ Q\ \{Post\}$ hold for a program with arithmetic $P$ and a query $Q$. Then no LD-derivation for $P$ and $Q$ ends in an error.

Since LD-trees of programs with arithmetic are still finitely branching, by the Lemma above we can extend the Lifting Lemma and the strong completeness theorem for LD-resolution to programs with arithmetic $P$ such that $\vdash \{Pre\}\ P\ \{Post\}$ holds. As a consequence, the proof theory of Section 3 and the related results can be generalized to programs with arithmetic.

4.2. Modular verification

The definition of relation $\vdash_t$ has a major drawback, due to the lack of expressiveness of level mappings in modular correctness proofs. We introduce the problem with an example.
Consider the program SUBLIST:

sublist(Xs, Ys) ← Xs is a sublist of Ys.
sublist(Xs, Ys) ← append(_, Zs, Ys), append(Xs, _, Zs).

augmented by the APPEND program. A level mapping such that
$$|append(xs, ys, zs)| = |zs|$$
is a natural candidate to show $\vdash_t \{Pre_{\mathrm{APPEND}}\}$ APPEND $\{Post_{\mathrm{APPEND}}\}$ where
Analogously, when considering the specification for SUBLIST:
$$Pre_{\mathrm{SUBLIST}} = \{\, sublist(xs, ys) \mid ys \in GList \,\} \cup Pre_{\mathrm{APPEND}}$$
$$Post_{\mathrm{SUBLIST}} = \{\, sublist(xs, ys) \mid xs \text{ sublist of } ys \in GList \,\} \cup Post_{\mathrm{APPEND}}$$
an intuitively correct level mapping is such that $|sublist(xs, ys)| = |ys|$. However, the proof obligations of Definition 3.2 require that
$$|sublist(xs, ys)| > |append(\_, zs, ys)| = |ys|.$$
Therefore, to show $\vdash_t \{Pre_{\mathrm{SUBLIST}}\}$ SUBLIST $\{Post_{\mathrm{SUBLIST}}\}$, we must consider a somewhat unnatural level mapping such as $|sublist(xs, ys)| = |ys| + 1$. Unfortunately, such a phenomenon propagates upward when considering programs which use SUBLIST, giving rise to counter-intuitive level mappings and preventing modular program development.

A relation semi-$\vdash_t$ is introduced in Ref. [46] following the approach of Ref. [5], which addresses the modularity problems shown above. First, for two predicate symbols $p$ and $q$, we write $p \sqsupset q$ if $p$ uses $q$ in its definition, but $p$ and $q$ are not mutually recursive; we write $p \simeq q$ if $p$ and $q$ are mutually recursive. $rel(A)$ denotes the predicate symbol of the atom $A$.

Definition 4.2. Given a program $P$ and a specification $(Pre, Post)$, we write semi-$\vdash_t \{Pre\}\ P\ \{Post\}$ iff there exists a level mapping $|\ |$ such that for every $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$
1. for $i \in [1, n]$: $Pre \models A \wedge Post \models B_1, \ldots, B_{i-1} \Rightarrow$ (a) $Pre \models B_i$ and (b) $|A| > |B_i|$ if $rel(A) \simeq rel(B_i)$, $|A| \geq |B_i|$ if $rel(A) \sqsupset rel(B_i)$
2. $Pre \models A \wedge Post \models B_1, \ldots, B_n \Rightarrow Post \models A$.

In contrast to Definition 3.2, in 1(b) we now distinguish two cases depending on whether $rel(A)$ and $rel(B_i)$ are (or not) mutually recursive predicates. If they are mutually recursive, a strict decrease is imposed. Consider the SUBLIST program again. By defining
$$|append(xs, ys, zs)| = |zs|, \qquad |sublist(xs, ys)| = |ys|,$$
we have that semi-$\vdash_t \{Pre_{\mathrm{SUBLIST}}\}$ SUBLIST $\{Post_{\mathrm{SUBLIST}}\}$ holds. In fact, since sublist and append are not mutually recursive, the decrease of the level mapping has not to be strict. In [46], it is shown that relations $\vdash_t$ and semi-$\vdash_t$ coincide, in the following sense: $\vdash_t \{Pre\}\ P\ \{Post\}$ holds iff semi-$\vdash_t \{Pre\}\ P\ \{Post\}$ holds. This result allows us to extend all of the properties and tools (such as proof outlines) of triples in relation $\vdash_t$ to triples in semi-$\vdash_t$. The wide applicability of relation semi-$\vdash_t$ is supported by several results on modular program verification. We refer the reader to [46] for methods to prove that a triple $\{Pre\}\ P \cup P'\ \{Post\}$ is in a relation $\vdash$, $\vdash_t$ or semi-$\vdash_t$ starting from proofs that triples for $P$ and $P'$ are in the same relation.
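As an added example (not code from the paper), the following Python checker runs the level-mapping obligation 1(b) of Definition 4.2 over ground instances of the SUBLIST clause and of the recursive APPEND clause, computing the mutual-recursion relation $\simeq$ from the predicate dependency graph, and contrasts it with the always-strict obligation of Definition 3.2. It assumes the usual APPEND clauses append([], Ys, Ys) and append([X|Xs], Ys, [X|Zs]) ← append(Xs, Ys, Zs), which are not shown on this page; the sample lists are constructed here.

```python
# Added example, not from the paper: the level-mapping obligation 1(b) of
# Definition 4.2 checked on ground instances of SUBLIST and APPEND, with the
# mutual-recursion relation computed from the predicate dependency graph.
# Assumed APPEND clauses (not on this page):
#   append([], Ys, Ys).   append([X|Xs], Ys, [X|Zs]) <- append(Xs, Ys, Zs).

USES = {'sublist': {'append'}, 'append': {'append'}}   # p uses q in its definition

def reaches(p, q):
    """True if q is reachable from p in the dependency graph (p uses q, transitively)."""
    seen, stack = set(), [p]
    while stack:
        r = stack.pop()
        for s in USES.get(r, ()):
            if s == q:
                return True
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return False

def mutually_recursive(p, q):
    """p ~ q of the text (mutually recursive)."""
    return reaches(p, q) and reaches(q, p)

def natural(atom):
    """|append(xs, ys, zs)| = |zs|,  |sublist(xs, ys)| = |ys|."""
    return len(atom[3]) if atom[0] == 'append' else len(atom[2])

def adjusted(atom):
    """The unnatural mapping the strict relation forces: |sublist(xs, ys)| = |ys| + 1."""
    return natural(atom) + (1 if atom[0] == 'sublist' else 0)

def obligation_1b(head, body_atom, mapping, semi):
    """semi=False: Definition 3.2 (always strict).  semi=True: Definition 4.2 1(b),
    strict only between mutually recursive predicates, >= otherwise."""
    strict = (not semi) or mutually_recursive(head[0], body_atom[0])
    h, b = mapping(head), mapping(body_atom)
    return h > b if strict else h >= b

def sublist_instances(ys):
    """Ground instances of  sublist(Xs, Ys) <- append(_, Zs, Ys), append(Xs, _, Zs)
    with the head in Pre_SUBLIST (ys ground) and the first body atom in Post_APPEND,
    which is what 1(b) assumes when it reaches the second atom.  Only the levels
    matter, and they depend on ys and zs alone."""
    out = []
    for i in range(len(ys) + 1):
        zs = ys[i:]
        for j in range(len(zs) + 1):
            xs = zs[:j]
            out.append((('sublist', xs, ys),
                        [('append', ys[:i], zs, ys), ('append', xs, zs[j:], zs)]))
    return out

def append_instance(x, xs, ys):
    """A ground instance of  append([X|Xs], Ys, [X|Zs]) <- append(Xs, Ys, Zs)."""
    zs = xs + ys
    return (('append', [x] + xs, ys, [x] + zs), [('append', xs, ys, zs)])

def check(instances, mapping, semi):
    """All obligations 1(b) hold for the given ground instances under the mapping."""
    return all(obligation_1b(h, b, mapping, semi)
               for h, body in instances for b in body)
```

With the natural mapping the first body atom of the SUBLIST clause has the same level as the head, so the always-strict check fails while the semi-$\vdash_t$ check passes; the recursive APPEND clause is within one strongly connected component and therefore still has to decrease strictly, which it does.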
4.3. The occur-check problem

Apt and Pellegrini Ref. [6] present a methodology for the safe omission of the occur-check in the Martelli-Montanari unification algorithm. Most of Prolog interpreters omit the occur-check for efficiency reasons: unfortunately, this means that the correctness of LD-resolution is lost. However, Apt and Pellegrini show that for many practical programs, the occur-check omission is safe, by providing some sufficient conditions. First, we introduce some basic definitions.

Definition 4.3.
• Consider an $n$-ary predicate symbol $p$. A mode for $p$ is a function $d_p$ from $\{1, \ldots, n\}$ in $\{+, -\}$. If $d_p(i) = {}'+'$ we call $i$ an input position. If $d_p(i) = {}'-'$ then $i$ is called an output position (with respect to $d_p$). We write $d_p$ in the more suggestive form $p(d_p(1), \ldots, d_p(n))$.
• An atom is called output-linear if the family of terms which occur in its output positions is linear, i.e. no variable occurs twice in the family.
• A pair of atoms $(A, B)$ is NSTO (not subject to occur-check) if in every computation of the Martelli-Montanari algorithm the occur-check yields false.

A sufficient condition of Ref. [6] can be integrated within the proof theory based on relation $\vdash$ in order to show the safe omission of the occur-check along a LD-derivation.

Theorem 4.1. Assume that $\vdash \{Pre\}\ P\ \{Post\}$ and $\vdash \{Pre\}\ Q\ \{Post\}$ hold. Consider a set $\Pi \subseteq \Pi_L$ of predicate symbols such that (i) for every atom $A$ such that $rel(A) \in \Pi$, if $Pre \models A$ then only ground terms appear in the input positions of $A$, and (ii) the head of every clause from $P$ whose predicate symbol is in $\Pi$ is output linear. Then for every atom $A$ such that $rel(A) \in \Pi$ and selected in a LD-derivation for $P$ and $Q$, the omission of occur-check in the Martelli-Montanari unification algorithm is safe.

Proof. See Ref. [47], Theorem 4.9. □
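As an added example (not code from the paper), the following Python module makes the notions of Definition 4.3 and the two conditions of Theorem 4.1 executable on first-order terms, and pairs them with a small Martelli-Montanari style unifier that can be run with or without the occur-check, so that the cyclic binding produced by omitting it can be observed. Variables are strings starting with an upper-case letter, compound terms are tuples (functor, arguments...), and everything else is a constant; the APPEND clause heads and the mode append(+, +, -) are assumed, not taken from this page.

```python
# Added example, not from the paper: executable versions of the notions in
# Definition 4.3 and of Theorem 4.1's conditions, plus a unifier with and
# without the occur-check.  Terms: a variable is a string starting with an
# upper-case letter, a compound term is a tuple (functor, arg1, ...), anything
# else is a constant.  The APPEND heads and the mode append(+, +, -) are assumed.

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def occurrences(t, acc=None):
    """List of variable occurrences in t (with repetitions)."""
    acc = [] if acc is None else acc
    if is_var(t):
        acc.append(t)
    elif isinstance(t, tuple):
        for a in t[1:]:
            occurrences(a, acc)
    return acc

def is_output_linear(atom, mode):
    """Definition 4.3: no variable occurs twice in the family of output-position terms."""
    occ = []
    for arg, m in zip(atom[1:], mode):
        if m == '-':
            occurrences(arg, occ)
    return len(occ) == len(set(occ))

def inputs_ground(atom, mode):
    """Condition (i) of Theorem 4.1 for one atom: input positions carry ground terms."""
    return all(not occurrences(arg) for arg, m in zip(atom[1:], mode) if m == '+')

def walk(t, s):
    while is_var(t) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t[1:]))

def unify(a, b, occur_check=True):
    """Martelli-Montanari style unification returning a substitution (dict) or None.
    With occur_check=False the binding X = f(X) is accepted, as most Prolog
    systems do, and the result is a cyclic term."""
    s, stack = {}, [(a, b)]
    while stack:
        x, y = stack.pop()
        x, y = walk(x, s), walk(y, s)
        if x == y:
            continue
        if is_var(x) or is_var(y):
            v, t = (x, y) if is_var(x) else (y, x)
            if occur_check and occurs(v, t, s):
                return None          # the occur-check fails: no finite unifier exists
            s[v] = t
        elif isinstance(x, tuple) and isinstance(y, tuple) \
                and x[0] == y[0] and len(x) == len(y):
            stack.extend(zip(x[1:], y[1:]))
        else:
            return None
    return s

def is_cyclic(v, s):
    """True if v's binding mentions v itself (checked raw, without dereferencing)."""
    return v in s and v in occurrences(s[v])

MODE_APPEND = ('+', '+', '-')                    # assumed mode append(+, +, -)
APPEND_HEADS = [('append', [], 'Ys', 'Ys'),      # assumed clause heads of APPEND
                ('append', ('.', 'X', 'Xs'), 'Ys', ('.', 'X', 'Zs'))]

def append_heads_output_linear():
    """Condition (ii) of Theorem 4.1 for APPEND under the assumed mode."""
    return all(is_output_linear(h, MODE_APPEND) for h in APPEND_HEADS)
```

Note that the head append([], Ys, Ys) is output-linear even though Ys occurs twice in the atom, because only one of the occurrences is in an output position; a head such as p(X, f(X)) under mode p(-, -) is not.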
4.4. Meta-interpreters

Meta-circular interpreters have been introduced as a fundamental feature of advanced programming languages. Since the early studies, many meta-interpreters have been proposed and proved correct with respect to their intended behavior. However, the task of proving correctness has been largely performed using ad-hoc techniques, depending case by case on the semantics, the particular meta-program and the range of properties one was interested in verifying. In Ref. [48], a general criterion is introduced for reasoning about meta-interpreters. The basic idea is to apply the general purpose verification methods based on relations $\vdash$ and $\vdash_t$ to the case study of the Vanilla meta-interpreter, and, more generally, to generic meta-interpreters, by relating the pre- and postconditions of the object program to those of the meta-program. The main results of Ref. [48] can be summarized as follows: under certain natural assumptions, all interesting verification properties lift up from the object program to Vanilla, including
• (weak) partial correctness,
• (weak) total correctness,
• absence of arithmetic errors,
• call pattern characterization,
• correct and computed instances characterization.

4.5. Semantics decidability
The semantics decidability issue has been largely investigated in the literature with respect to the $\mathcal{S}$-semantics [15]. In our context, a by-result of Theorem 3.15 is that, when $\vdash_t \{Pre\}\ P\ \{Post\}$ holds then it is decidable for every $A \in Pre$ whether $A \in \mathcal{S}(P)$. Recently, the decidability of the $\mathcal{C}$- and $\mathcal{S}$-semantics has been investigated in Ref. [50]. A Prolog implementation of a decision procedure is presented for the class of acceptable logic programs, namely programs $P$ such that $\vdash_t \{B_L\}\ P\ \{Post\}$ holds for some $Post$. Moreover, semantics decidability and program testing are shown to be strongly related, and, in practice, the proposed decision procedure is the core of a test driver. We generalize those decidability results to programs such that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds.

Theorem 4.2. Assume that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds, and consider an atom $A$ such that $Pre \models A$. Then (i) it is decidable whether $A \in \mathcal{C}(P)$; (ii) it is decidable whether $A \in \mathcal{S}(P)$.

Proof. See Ref. [47], Theorem 4.13. □
5. General logic programs

General programs and queries are introduced by allowing negated atoms in the body of clauses and queries. In this section, we extend the proof theory to reason on general programs and queries. Many results cannot be lifted directly, due to some well-known problems with extending the logic programming theory to handle negation. In particular, a major difficulty is the incompleteness of the negation as failure rule w.r.t. Clark's completion semantics $comp(P)$ (see Ref. [41]). We partly solve this problem by reasoning on the basis of the $\vdash_t$ relation. This section is structured as follows: first, we consider negated atoms only in queries, dealing with the so called LDNF⁻-resolution. Then we extend the approach to general programs, by providing a method for (weak) total correctness. As an application, we also obtain a rather general completeness result for LDNF-resolution.

5.1. LDNF⁻-resolution

We start by considering negation only in queries. Following Apt [7], we introduce LDNF⁻-resolution.
Definition 5.1.
• A LDNF⁻-derivation is a SLDNF-derivation for a program and a general query, by using the leftmost selection rule.
• We write $\vdash_t \{Pre\}\ Q\ \{Post\}$ for a general query $Q$ iff there exist a level mapping $|\ |$ and $k \in \mathbb{N}$ such that for every ground instance $L_1, \ldots, L_n$ of $Q$: for $i \in [1, n]$
$$Post \models L_1, \ldots, L_{i-1} \Rightarrow \begin{cases} Pre \models A_i \wedge k > |A_i| & \text{if } L_i = A_i, \\ Pre \models A_i \wedge k > |A_i| & \text{if } L_i = \neg A_i. \end{cases}$$
• Given a program $P$ and a general query $Q$, we say $P \cup \{Q\}$ does not flounder if there is no LDNF⁻-derivation for $P$ and $Q$ in which a non-ground negative literal is selected.

In the following theorem, the completeness of the negation as failure rule is shown for (positive) programs $P$ and general queries $Q$ that are in the $\vdash_t$ relation.

Theorem 5.1. Let $P$ be a program and $Q$ a general query such that $\vdash_t \{Pre\}\ P\ \{Post\}$ and $\vdash_t \{Pre\}\ Q\ \{Post\}$ hold by the same level mapping. If $P \cup \{Q\}$ does not flounder, and $comp(P) \models Q'$ for an instance $Q'$ of $Q$, then there exists a LDNF⁻-refutation for $P$ and $Q$ with computed instance more general than $Q'$.

Proof. First, we point out that by Theorem 3.10 $\vdash_t \{Pre\}\ P\ \{M_P \cap Pre\}$ and $\vdash_t \{Pre\}\ Q\ \{M_P \cap Pre\}$ hold. Let us prove that if $comp(P) \models Q'$ then there exists a LDNF⁻-refutation for $P$ and $Q'$ with computed instance $Q'$. The proof is by induction on the number $n$ of literals in $Q'$.

(Base) If $Q'$ consists of one literal then we distinguish two cases. If $Q' = A$ then by the Strong Completeness Theorem of SLD-resolution there exists a LD(NF⁻)-refutation for $P$ and $A$. If $Q' = \neg A$ then $A$ is ground since $P \cup \{Q'\}$ does not flounder, otherwise $P \cup \{Q\}$ flounders. Since $\vdash_t \{Pre\}\ A\ \{M_P \cap Pre\}$, by Theorem 3.15 the LD-tree for $P$ and $A$ is finite. Moreover, it is finitely failed. Otherwise, by correctness of LDNF⁻-resolution $comp(P) \models A$: this is in contradiction with the assumption $comp(P) \models \neg A$ and the fact that $comp(P)$ is consistent. Thus there exists a LDNF⁻-refutation for $P$ and $Q'$.

(Step) We distinguish two cases.
• If $Q' = A, Q''$ then by the Strong Completeness Theorem of SLD-resolution there exists a LD(NF⁻)-refutation for $P$ and $A$. Moreover, by Corollary 3.1(ii) $M_P \cap Pre \models A$ and then $\vdash_t \{Pre\}\ Q''\ \{M_P \cap Pre\}$. The result follows by applying the inductive hypothesis on $Q''$.
• If $Q' = \neg A, Q''$ then $A$ is ground since $P \cup \{Q'\}$ does not flounder, otherwise $P \cup \{Q\}$ flounders. Since $\vdash_t \{Pre\}\ A\ \{M_P \cap Pre\}$, the LD-tree for $P$ and $A$ is finite. Moreover, it is finitely failed, i.e. $A \in FF_P$. Otherwise, by correctness of LDNF⁻-resolution $comp(P) \models A$: this is in contradiction with the assumption $comp(P) \models \neg A, Q''$ and the fact that $comp(P)$ is consistent. Thus $Q''$ is the LDNF⁻-resolvent of $Q'$. Moreover, $A \in FF_P$ implies $M_P \cap Pre \models \neg A$, which in turn implies $\vdash_t \{Pre\}\ Q''\ \{M_P \cap Pre\}$. The conclusion follows by applying the inductive hypothesis on $Q''$.
Since $P \cup \{Q\}$ does not flounder, we can apply the (LDNF⁻-version of the) Lifting Lemma to the refutation for $P$ and $Q'$, thus obtaining a LDNF⁻-refutation for $P$ and $Q$ with computed instance more general than $Q'$. □

5.2. LDNF-resolution

5.2.1. Correctness

The exposition of the approach for general programs is organized as follows: first, we extend to general programs the definitions of (weak) total correctness, and of relation $\vdash_t$. Second, we show some correctness properties, including persistency, termination and (weak) total correctness. Finally, we concentrate on completeness of SLDNF-resolution, by exploiting the correctness results. Therefore, we start by extending Definition 2.2.
Definition 5.2. Consider a general program $P$.
(i) LDNF-resolution is SLDNF-resolution together with the leftmost selection rule.
(ii) We denote with $M_P$ the set of $A \in B_L$ such that there exists a LDNF-refutation for $P$ and $A$, and with $FF_P$ the set of $A \in B_L$ such that there exists a finitely failed LDNF-tree for $P$ and $A$. $\overline{FF}_P$ is the set $B_L \setminus FF_P$.
(iii) Given a general program $P$ and a general query $Q$, we say $P \cup \{Q\}$ does not flounder if there is no LDNF-derivation for $P$ and $Q$ where a non-ground negative literal is selected.
(iv) $P$ is weakly totally correct w.r.t. a specification $(Pre, Post)$ iff $M_P \cap Pre \subseteq Post$ and $Pre \subseteq M_P \cup FF_P$.
(v) $P$ is totally correct w.r.t. a specification $(Pre, Post)$ iff $M_P \cap Pre = Post$ and $Pre \subseteq M_P \cup FF_P$.

Although $M_P$ and $FF_P$ now are not declaratively defined, we will show later that for the class of programs we are interested in they have the expected declarative interpretation. Regarding queries, the definition of relation $\vdash_t$ remains the same as Definition 5.1. Relation $\vdash_t$ is extended to general programs as follows.

Definition 5.3. Let $P$ be a general program, and $(Pre, Post)$ a specification. We write $\vdash_t \{Pre\}\ P\ \{Post\}$ iff there exists a level mapping $|\ |$ such that:
(i) for every $A \leftarrow L_1, \ldots, L_n \in ground_L(P)$:
1. for $i \in [1, n]$: $Pre \models A \wedge Post \models L_1, \ldots, L_{i-1} \Rightarrow \begin{cases} Pre \models B_i \wedge |A| > |B_i| & \text{if } L_i = B_i \\ Pre \models B_i \wedge |A| > |B_i| & \text{if } L_i = \neg B_i \end{cases}$
2. $Pre \models A \wedge Post \models L_1, \ldots, L_n \Rightarrow Post \models A$
(ii) $T_P(Post) \supseteq Post \cap Pre$.

We say that $P$ is non-floundering (w.r.t. $Pre$) iff for every $A \in Pre$, $P \cup \{A\}$ does not flounder. It is worth noting that relation $\vdash_t$ for general programs is not a conservative extension of that for logic programs. In general, $\vdash_t \{Pre\}\ P\ \{Post\}$ for a logic program
$P$ does not necessarily imply that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds for $P$ as a general program. This is due to the additional requirement (ii) of Definition 5.3, $T_P(Post) \supseteq Post \cap Pre$. However, we point out that we already met a similar relation: by Theorem 3.20, it is equivalent for logic programs to require that $Post$ is well-supported w.r.t. $P$ and $Pre$, i.e. that $Post \cap Pre = M_P \cap Pre$. Therefore, by Theorem 3.17, if $\vdash_t \{Pre\}\ P\ \{Post\}$ holds for a logic program then
holds considering $P$ as a general program. In other words, when dealing with triples for general programs, we are forced to consider the strongest postconditions. If condition (ii) of Definition 5.3 is omitted, then we are not able to show the basic properties of correctness, such as the equivalent of Corollary 3.1 (ii) for general programs. Consider, as an example, the program $P$:

and the query $\neg q$. Condition (i) holds for $P$ and $Pre = Post = \{p, q\}$, and $\vdash_t \{Pre\}\ \neg q\ \{Post\}$. However, $Post \not\models \neg q$ even though $\neg q$ is a computed instance of $P$ and $\neg q$. In the following theorem, we extend the properties of persistency and call pattern characterization to general programs. As we will see in an example, call pattern characterization is essential for establishing non-floundering of general programs.

Theorem 5.2 (Persistency and call patterns). Assume that $\vdash_t \{Pre\}\ P\ \{Post\}$ and $\vdash_t \{Pre\}\ Q\ \{Post\}$ hold by the same level mapping $|\ |$. Then:
(i) for every LDNF-resolvent $Q'$ of $P$ and $Q$, $\vdash_t \{Pre\}\ Q'\ \{Post\}$ holds by the same $|\ |$;
(ii) for every literal $A$ or $\neg A$ selected in a LDNF-derivation for $P$ and $Q$, $Pre \models A$;
(iii) for every computed instance $Q'$ of $P$ and $Q$, $Post \models Q'$.

Proof. (i) See Lemma B.2 (iii) reported in Appendix B. (ii) Immediate by (i) and Definition 5.1. (iii) Let $x_1, \ldots, x_n$ be the variables of $Q$, and $p$ a fresh predicate symbol of arity $n$. We define $Pre'$ as $Pre \cup \{\, p(t_1, \ldots, t_n) \mid Post \models Q\{x_i/t_i \mid i \in [1, n]\} \,\}$ and $Post'$ as $Post \cup p(U_L \times \cdots \times U_L)$. With these assumptions, it is readily checked that $\vdash_t \{Pre'\}\ P \cup \{\, p(X_1, \ldots, X_n) \leftarrow Q \,\}\ \{Post'\}$, and $\vdash_t \{Pre'\}\ Q, p(x_1, \ldots, x_n)\ \{Post'\}$, by fixing the level of any $p(t_1, \ldots, t_n)$ to the natural number $k$ provided by Definition 5.1. By hypothesis, there exists a LDNF-derivation for $P$ and $Q, p(X_1, \ldots, X_n)$ where $p(T_1, \ldots, T_n)$ is selected, with $Q\{x_i/T_i \mid i \in [1, n]\}$ variant of $Q'$. By (ii) and the definition of $Pre'$, we conclude that $Post \models Q\{x_i/T_i \mid i \in [1, n]\}$, and then $Post \models Q'$. □

As a consequence, the Termination Theorem 3.15 extends to general programs.

Theorem 5.3 (Termination). Assume that $\vdash_t \{Pre\}\ P\ \{Post\}$ and $\vdash_t \{Pre\}\ Q\ \{Post\}$ hold by the same level mapping. Then the LDNF-tree for $P$ and $Q$ is finite.
Proof. The proof is by induction on the rank of the LDNF-tree. If the rank is 0, then by Lemma B.2 (ii) there cannot be an infinite branch. Since the LDNF-tree is finitely branching, by König's Lemma, it is finite. If the rank is greater than 0, then by inductive hypothesis the rank of a subsidiary tree used in a LDNF-derivation is lower and then, by inductive hypothesis, finite. Moreover, by Lemma B.2 (ii) there cannot be an infinite branch. Since the LDNF-tree is finitely branching, by König's Lemma, it is finite. □

However, stating that every LDNF-tree of $P$ and $Q$ is finite does not necessarily mean that the Prolog computation for $P$ and $Q$ eventually terminates. For the program NIL

p ← ¬p.

and the query p, we have that there exists no LDNF-tree. Therefore, every LDNF-tree is finite. In contrast, the Prolog computation runs forever, by trying to build a subsidiary tree for p, each time ¬p is selected. Another difference between LDNF-resolution and Prolog is that the latter does not check for floundering. We refer the reader to the paper of Apt and Doets [3] for a discussion on the differences between LDNF-resolution and Prolog. Here, we confine ourselves to observe that with the assumptions of Theorem 5.3, termination w.r.t. the Prolog computation can be shown. This follows by observing that each time a subsidiary tree for $\neg A$ is being computed, its root is $A$, i.e. it is a positive literal. Therefore, there is at least one child, due to the resolution of $A$ with some clause. Therefore, if there is an infinite sequence $\{A_i\}_{i \geq 0}$ of atoms such that $A_{i+1}$ is the root of a subsidiary tree being computed during the resolution of $A_i$ then, by Lemma B.2 (ii), $|A_i| > |A_{i+1}|$

Some relevant properties of relation $\vdash_t$ are summarized in the following lemma.

Lemma 5.1. Assume that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds and $P$ is non-floundering. The following statements hold:
(i) $Pre \subseteq M_P \cup FF_P$,
(ii) $M_P \cap Pre = \overline{FF}_P \cap Pre$,
(iii) $M_P \cap Pre \subseteq Post$,
(iv) $FF_P \cap Pre \subseteq \overline{Post}$,
(v) $\vdash_t \{Pre\}\ P\ \{Post \cap Pre\}$.
Proof. (i) F o r e v e r y A E P~'e, by T h e o r e m 5.3 the L D N F - t r e e for P a n d A is finite. S i n c e P i~; n o n - f l o u n d e r i n g , t h e n e i t h e r t h e r e exists a L D N F - r e f u t a t i o n o r the L D N F - t r e e is finitely failed, i.e. A E M~; u F F t . T h e r e f o r e , Pre C Mfi U FFet-. (ii) T h e _C i n c l u s i o n h o l d s since Mfi C/~T..,'. b y d e f i n i t i o n o f M~ a n d FF~'. O n the o t h er h a n d , b y (i), FF], n t~'e is i n c l u d e d in Mfi. T h e r e f o r e MeL n / : ' r e = FF,~ n P>'e, (iii) C o n s i d e r A EMtt; A ~-e. By d e f i n i t i o n o f M~. t h e r e exists :; L,_.:,qF-refuta~ion f o r P a n d A. By L e m m a B. I (ii), ,4 E Post. T h u s , M~ n Pre C Post.
(iv) Consider $A \in FF_P \cap Pre$. By definition of $FF_P$ there exists an LDNF-refutation for P and $\neg A$. By Lemma B.1 (ii), $Post \models \neg A$. Therefore, $FF_P \cap Pre \subseteq Post^c$.
(v) Definition 5.3 (i) holds by reasoning in the same way as in Theorem 3.7. Let us verify Definition 5.3 (ii). We have to show that $T_P(Post \cap Pre) \supseteq Post \cap Pre$. Consider $A \in Post \cap Pre$. Since $\vdash_t \{Pre\}\,P\,\{Post\}$ holds, there exists $A \leftarrow L_1, \ldots, L_n \in ground_L(P)$ such that $Post \models L_1, \ldots, L_n$. We show that for $i \in [1,n]$, $Post \cap Pre \models L_i$. Consider two cases.
• If $L_i$ is a positive literal, say $B$, then by Definition 5.3 (i), $Pre \models B$. Therefore $Post \cap Pre \models L_i$.
• If $L_i$ is a negative literal, then $Post \models L_i$ implies $Post \cap Pre \models L_i$. □

The first consequence of the lemma is the weak total correctness theorem for general programs.

Theorem 5.4 (Weak total correctness). If $\vdash_t \{Pre\}\,P\,\{Post\}$ holds and P is non-floundering, then P is weak totally correct w.r.t. the specification $(Pre, Post)$.

Proof. The conclusion is an immediate consequence of Lemma 5.1 (i, iii). □

Similarly to positive programs, we are in the position to define the notion of strongest postcondition for P and Pre as the intersection of all postconditions Post such that $\vdash_t \{Pre\}\,P\,\{Post\}$. We still denote it by $sp(P, Pre)$. However, in the case of general programs, the notion of strongest postcondition does not result in a relevant concept. As shown in Theorem 3.20, the inclusion $T_P(Post) \supseteq Post \cap Pre$ required in Definition 5.3 is equivalent, for positive programs, to forcing $Post \cap Pre = M_P \cap Pre = sp(P, Pre)$. This fact extends to general programs, as pointed out by the following theorem.

Theorem 5.5. Assume that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds and P is non-floundering. Then:
(i) $M_P \cap Pre = Post \cap Pre$,
(ii) $FF_P \cap Pre = Post^c \cap Pre$,
(iii) $\vdash_t \{Pre\}\,P\,\{M_P \cap Pre\}$.

Proof. (i) The $\subseteq$ inclusion is shown in Lemma 5.1 (iii). Moreover:
$$\begin{array}{cl}
 & Post \cap Pre \\
\subseteq & \{\text{Lemma 5.1 (i)}\} \\
 & Post \cap ((M_P \cap Pre) \cup (FF_P \cap Pre)) \\
= & \{\text{Distributivity}\} \\
 & (Post \cap M_P \cap Pre) \cup (Post \cap FF_P \cap Pre) \\
= & \{\text{Lemma 5.1 (iii), (iv)}\} \\
 & M_P \cap Pre.
\end{array}$$
(ii) This is a direct consequence of (i) and of Lemma 5.1 (ii).
(iii) By Lemma 5.1 (v), $\vdash_t \{Pre\}\,P\,\{Post \cap Pre\}$ holds. By (i), $Post \cap Pre$ coincides with $M_P \cap Pre$. Therefore, $\vdash_t \{Pre\}\,P\,\{M_P \cap Pre\}$ holds. □
We are now in the position to state the total correctness theorem for general programs.

Theorem 5.6 (Total correctness). If $\vdash_t \{Pre\}\,P\,\{Post\}$ holds and P is non-floundering, then P is totally correct w.r.t. the specification $(Pre, Post \cap Pre)$.

Proof. By Theorem 5.5 (i, iii), $\vdash_t \{Pre\}\,P\,\{M_P \cap Pre\}$ holds, with $M_P \cap Pre = Post \cap Pre$. By Theorem 5.4, P is weak totally correct w.r.t. the specification $(Pre, Post \cap Pre)$. Noting that $M_P \cap Pre = Post \cap Pre$, by Definition 5.2 we conclude that P is totally correct w.r.t. the specification $(Pre, Post \cap Pre)$. □

We conclude by pointing out that notions and results such as proof outlines, reasoning on arithmetic built-in's, and modular proofs directly extend to general programs.

5.2.2. Example: transitive closure

Consider the following program TRANS, used to calculate the transitive closure of a given relation.

    trans(x, y, e, v) ← x →_{e,v} y
    trans(X, Y, E, V) ← member([X,Y], E), ¬member'(X, V).
    trans(X, Z, E, V) ← member([X,Y], E), ¬member'(X, V), trans(Y, Z, E, [X|V]).
    member(X, [X|T]).
    member(X, [Y|T]) ← member(X, T).
    member'(X, [X|T]).
    member'(X, [Y|T]) ← member'(X, T).

The definitions of member and member' coincide and, in practice, they are not replicated. However, the uses (or directionalities) highlighted by that distinction will be useful to show absence of floundering. Let e be a binary relation on a set of constants α, represented as an element of $List([\alpha,\alpha])$, i.e. a list of pairs $[x,y]$ with $x, y \in \alpha$. For $x \in \alpha$, the intended meaning of a query such as trans(x, Y, e, []) is to find all $[x,y]$ in the transitive closure of e. To define suitable pre- and postconditions, we write $x \rightarrow_{e,v} y$ when there is a path from x to y in e that does not traverse pairs $[a,b]$ such that a is in the list v. We define:
$$\begin{array}{rl}
Pre = & \{\, trans(x, y, e, v) \mid x \in \alpha \wedge v \text{ is a list of distinct elements of } \alpha \wedge e \in List([\alpha,\alpha]) \wedge \forall a \text{ in } v\ \exists [a,b] \text{ in } e \,\} \\
\cup & \{\, member(x, ls) \mid x \in [\alpha, U_L],\ ls \in List([\alpha,\alpha]) \,\} \\
\cup & \{\, member'(x, ls) \mid x \in \alpha,\ ls \in List(\alpha) \,\},
\end{array}$$
$$Post = \{\, trans(x, y, e, v) \mid x \rightarrow_{e,v} y \,\} \cup \{\, member(x, ls) \mid x \text{ is in } ls \in GList \,\} \cup \{\, member'(x, ls) \mid x \text{ is in } ls \in GList \,\}.$$
Next, we define the following level mapping:
$$|member(x, e)| = |member'(x, e)| = |e|, \qquad |trans(x, y, e, v)| = 2 \cdot |e| - |v| + 1$$
for atoms in Pre, and 0 elsewhere. We note that the level mapping is well-defined, since for $trans(x, y, e, v) \in Pre$ we have that $|e| \geq |v|$ and then $|trans(x, y, e, v)| \geq 0$.

We observe that in the case $Pre = B_L$ we would have needed a more complicated level mapping. Such a case is shown in [13], where the focus was on termination. Here, our precondition simplifies the definition of the level mapping considerably, while still being large enough to reason on the interesting queries, such as trans(x, Y, e, []). Proving that $\vdash_t \{Pre\}\,TRANS\,\{Post\}$ holds is handy. As an example, we show a proof obligation relative to the second clause. Consider a ground instance
$$trans(x, z, e, v) \leftarrow member([x, y], e),\ \neg member'(x, v),\ trans(y, z, e, [x \mid v]).$$
such that $Pre \models trans(x, z, e, v)$ and $Post \models member([x, y], e), \neg member'(x, v)$. We have to show that:
(3) $Pre \models trans(y, z, e, [x \mid v])$, and
(4) $|trans(x, z, e, v)| > |trans(y, z, e, [x \mid v])|$.
For (3), we have that since $[x, y]$ is in e and e is a list of pairs of elements of α, then y is in α. In addition, $[x \mid v]$ is a list of distinct elements of α, since v is a list of distinct elements and x is not in v. Finally, $\forall a$ in $v\ \exists [a,b]$ in e together with $[x,y]$ in e imply $\forall a$ in $[x \mid v]\ \exists [a,b]$ in e. Therefore, (3) holds. For (4), we note that $|trans(x, z, e, v)| = 2 \cdot |e| - |v| + 1 > 2 \cdot |e| - (|v| + 1) + 1 = |trans(y, z, e, [x \mid v])|$. Another useful observation in showing the proof obligations relative to the decrease of the level mapping from the head to the first two body atoms is that $Pre \models trans(x, z, e, v)$ implies $|e| \geq |v|$, and then $2 \cdot |e| - |v| + 1 > |e|, |v|$. Let us see how the Call Pattern Theorem 5.2 (ii) helps us in showing that TRANS is non-floundering. Consider a negative literal $\neg member'(X, V)$ selected along an LD-derivation for TRANS and any query Q such that $\vdash_t \{Pre\}\,Q\,\{Post\}$ holds. By Theorem 5.2 (ii), $Pre \models member'(X, V)$. Due to the form of Pre, this implies that $X \in \alpha$ and $V \in List(\alpha)$. This and the fact that α is a set of constants imply that $\neg member'(X, V)$ is ground. In particular, we have that TRANS is non-floundering
w.r.t. Pre. By Theorem 5.6, we conclude that TRANS is totally correct w.r.t. the specification $(Pre, Post \cap Pre)$.
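The proof obligations (3) and (4) just discussed can be checked mechanically on a concrete relation. The following Python script is an added example, not code from the paper: it encodes Pre, the level mapping and $x \rightarrow_{e,v} y$ as defined above (the set of constants α and the relation e are constructed for the example), enumerates the ground instances of the recursive clause, and also evaluates the two trans clauses directly to compare their answers with Post.

```python
"""Added example (not from the paper): checking the TRANS proof obligations
(3) and (4) of Section 5.2.2 on a constructed relation e, and comparing the
answers computed by the two trans clauses with the postcondition Post."""
from itertools import permutations

# Constructed input: constants alpha and a relation e over alpha that contains
# the cycle a -> b -> c -> a, so the visited list v is what bounds the recursion.
ALPHA = ("a", "b", "c", "d")
E = [("a", "b"), ("b", "c"), ("c", "a"), ("c", "d")]


def in_pre_trans(x, y, e, v, alpha=ALPHA):
    """trans(x, y, e, v) in Pre: x in alpha, e a list of pairs over alpha, v a list
    of distinct elements of alpha, each a in v heading some pair [a, b] in e."""
    return (x in alpha
            and all(a in alpha and b in alpha for a, b in e)
            and len(set(v)) == len(v) and all(a in alpha for a in v)
            and all(any(a == p[0] for p in e) for a in v))


def level_trans(x, y, e, v, alpha=ALPHA):
    """Level mapping |trans(x, y, e, v)| = 2|e| - |v| + 1 on Pre, 0 elsewhere."""
    return 2 * len(e) - len(v) + 1 if in_pre_trans(x, y, e, v, alpha) else 0


def level_member(ls):
    """|member(x, ls)| = |member'(x, ls)| = |ls|."""
    return len(ls)


def reaches(x, y, e, v):
    """x ->_{e,v} y: a path (at least one pair) from x to y in e that
    traverses no pair [a, b] with a in v."""
    frontier, seen = [x], set()
    while frontier:
        u = frontier.pop()
        if u in seen or u in v:      # pairs leaving a node in v may not be used
            continue
        seen.add(u)
        for a, b in e:
            if a == u:
                if b == y:
                    return True
                frontier.append(b)
    return False


def distinct_lists(alpha):
    """All lists of distinct elements of alpha (the candidate values of v)."""
    for k in range(len(alpha) + 1):
        for perm in permutations(alpha, k):
            yield list(perm)


def recursive_clause_violations(alpha=ALPHA, e=E):
    """Enumerate ground instances of the recursive clause
        trans(x, z, e, v) <- member([x, y], e), not member'(x, v), trans(y, z, e, [x|v])
    with head in Pre and the first two body literals true in Post ([x, y] in e,
    x not in v); report each instance violating (3) Pre |= trans(y, z, e, [x|v])
    or (4) the strict decrease of the level mapping.  [] means both hold."""
    bad = []
    for v in distinct_lists(alpha):
        for x in alpha:
            for z in alpha:
                if not in_pre_trans(x, z, e, v, alpha):
                    continue
                for a, y in e:
                    if a != x or x in v:
                        continue
                    xv = [x] + v
                    if not in_pre_trans(y, z, e, xv, alpha):
                        bad.append(("(3)", x, y, z, v))
                    if not level_trans(x, z, e, v, alpha) > level_trans(y, z, e, xv, alpha):
                        bad.append(("(4)", x, y, z, v))
    return bad


def trans_query(x, e, v=()):
    """Answers Y to trans(x, Y, e, v), computed as the two trans clauses do:
    clause 1 yields y for each [x, y] in e provided x is not in v; clause 2
    recurses on trans(y, Z, e, [x|v]).  The recursion depth is bounded by the
    number of distinct constants, which is what the level mapping measures."""
    if x in v:                       # not member'(x, v) fails for both clauses
        return set()
    answers = set()
    for a, y in e:
        if a == x:
            answers.add(y)
            answers |= trans_query(y, e, (x,) + tuple(v))
    return answers


def answers_match_post(alpha=ALPHA, e=E, v=()):
    """Every computed answer is in Post and every y with x ->_{e,v} y is computed."""
    return all(trans_query(x, e, v) == {y for y in alpha if reaches(x, y, e, v)}
               for x in alpha)
```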
5.2.3. Completeness of LDNF-resolution

In the following, we present some results on completeness of Negation as Failure for LDNF-resolution, as a by-product of the verification method developed so far.

Theorem 5.7 (Completeness of negation as failure). Assume that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds and comp(P) is consistent. If, for $A \in Pre$, $P \cup \{A\}$ does not flounder, then
(i) if $comp(P) \models \neg A$ then there exists a finitely failed LDNF-tree for P and A;
(ii) if $comp(P) \models A$ then there exists an LDNF-refutation for P and A.

Proof. By the Termination Theorem 5.3 the LDNF-tree for P and A is finite. Since $P \cup \{A\}$ is non-floundering, either the LDNF-tree is finitely failed or there is a refutation. (i) The latter case is not possible, otherwise by Soundness of SLDNF-resolution ([41], Theorem 15.6) $comp(P) \models A$. This is in contradiction with the hypothesis $comp(P) \models \neg A$ and the assumption that comp(P) is consistent. (ii) The former case is not possible, otherwise by soundness of negation as failure ([41], Theorem 15.4) $comp(P) \models \neg A$. This is in contradiction with the hypothesis $comp(P) \models A$ and the assumption that comp(P) is consistent. □

We are now in the position to give a declarative interpretation of $M_P$ and $FF_P$.

Theorem 5.8. Assume that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds, P is non-floundering and comp(P) is consistent. Then:
(i) $M_P \cap Pre = \{A \in Pre \mid comp(P) \models A\}$,
(ii) $FF_P \cap Pre = \{A \in Pre \mid comp(P) \models \neg A\}$.

Proof. The $\subseteq$ inclusions follow from soundness of SLDNF-resolution and of the negation as failure rule. The $\supseteq$ inclusions follow from the Completeness Theorem 5.7. □

The next result extends completeness to ground general queries. Proof relation $\vdash_t$ naturally extends to general queries by discarding the $k > |A_i|$ requirements in Definition 5.1.

Theorem 5.9 (Completeness of LDNF-resolution I). Assume that $\vdash_t \{Pre\}\,P\,\{Post\}$ and $\vdash \{Pre\}\,Q\,\{Post\}$ hold, where Q is a ground general query. Moreover, assume that $P \cup \{Q\}$ does not flounder and comp(P) is consistent. If $comp(P) \models Q$ then there exists an LDNF-refutation for P and Q.

Proof. The proof is by induction on the number of literals in Q. (Base) If Q consists of only one literal then the result follows by Theorem 5.7. (Step) If $Q = L, Q'$ then by Theorem 5.7 there exists an LDNF-refutation for L. By Lemma 5.1 (iii, iv) we have $Post \models L$ and then, by Definition 5.3, $\vdash \{Pre\}\,Q'\,\{Post\}$
holds. Therefore we can apply the inductive hypothesis to $Q'$ to reach the desired conclusion. □

The final result of this section is concerned with a further extension of completeness of LDNF-resolution. In this case, assuming an underlying language with infinitely many function symbols (i.e., $\Sigma_L$ infinite), we can state a completeness result that extends a well-known theorem by Cavedon [21].

Theorem 5.10 (Completeness of LDNF-resolution II). Assume that $\vdash_t \{Pre\}\,P\,\{Post\}$ and $\vdash \{Pre\}\,Q\,\{Post\}$ hold. Moreover, assume that $P \cup \{Q\}$ does not flounder, $\Sigma_L$ is infinite and comp(P) is consistent. If $comp(P) \models Q'$ for an instance $Q'$ of Q, then there exists an LDNF-refutation for P and Q with computed instance more general than $Q'$.

Proof. Let $Q''$ be the query obtained by substituting every variable $x_i$ in $Q'$ by a term $t_i$ with principal functor not appearing in P or $Q'$, and distinct from that of the other $t_j$, for $j \neq i$. Such terms exist since $\Sigma_L$ is infinite. $P \cup \{Q''\}$ cannot flounder, otherwise by substituting the $t_i$'s with the $x_i$'s in the derivation we would conclude that $P \cup \{Q'\}$ flounders, and a fortiori that $P \cup \{Q\}$ flounders. Therefore, by Theorem 5.9, there exists an LDNF-refutation for P and $Q''$. By substituting the $t_i$'s with the $x_i$'s along that refutation we obtain an LDNF-refutation for P and $Q'$. Since $P \cup \{Q\}$ does not flounder, we can lift that refutation to an LDNF-refutation for P and Q with computed instance more general than $Q'$. □

As a special case we find again the results of Cavedon [21] on acyclic programs. We recall that a program is acyclic if there exists a level mapping $|\ |$ such that, for every $A \leftarrow L_1, \ldots, L_n \in ground_L(P)$ and for $i \in [1,n]$,
$$|A| > |L_i|,$$
where for a negative literal $|\neg B_i|$ is set to $|B_i|$. It can be shown that if a program is acyclic with respect to a language L, then it is acyclic with respect to every extension of L. Therefore, we can assume, without loss of generality, that $\Sigma_L$ is infinite. Apt and Bezem ([1], Theorem 2.5) show that for an acyclic program P, $M_P$ is a model of comp(P), i.e. that $T_P(M_P) = M_P$. By Definition 5.3, we conclude that if P is acyclic then $\vdash_t \{B_L\}\,P\,\{M_P\}$ holds in some language L with $\Sigma_L$ infinite. In addition, comp(P) is consistent and $\vdash \{B_L\}\,Q\,\{M_P\}$ holds for any query. Summarizing, the only hypothesis needed to apply Theorem 5.10 is that $P \cup \{Q\}$ does not flounder, which is implied by the only hypothesis of the completeness theorem ([21], Theorem 4.5), namely that P and Q are allowed.
6. Related work
Formal methods for reasoning about logic programs have been studied for a long time. Apt and Marchiori [10] survey modes, types, and weak partial correctness methods. Crnogorac et al. [24] compare some occur-check analysis methods. De Schreye and Decorte [51] survey termination methods. Ducassé and Noyé [33] survey environments for dynamic analysis and debugging. Apt's book [8] presents several
results on verification of Prolog programs. Jacquet's book [39] collects contributions on program synthesis, derivation, and analysis. In the following, we discuss the relations of our approach with other proof methods for reasoning on (weak) partial correctness, termination, (weak) total correctness and general programs. Once again, we recall that our intended objective is to show that the proposed method, based on the $\vdash_t$ relation, is a trade-off between expressiveness (i.e., the class of programs and properties it is able to reason about) and ease of use in paper & pencil verification proofs. In fact, it is apparent in the above references that the state of the art in this area is that of a wide collection of separate methods and techniques, whose common issues are not properly recognized and synthesized in a few unifying principles. Ours is an attempt in this direction.

6.1. Weak partial correctness

Early works on proving declarative properties of logic programs can be traced back to Clark [22] and Hogger [37,38]. Apt and Marchiori [10] compare several methods, showing how many of the proposals present in the literature adopt a Hoare's logic proof style [31], where specifications are given in terms of pre- and postconditions. In particular, we refer the reader to Naish [44] for a paper investigating the parallel between verification of logic and imperative programs. Among the others, the method of Bossi and Cocco [16] is a trade-off between expressiveness and ease of use, being able to reason on declarative and run-time properties of Prolog programs. By allowing monotonic assertions only, i.e. assertions closed under substitution, they strictly extend the methods of:
• well-typed programs by Bronsard et al. [20], where directional types are considered to model the input/output behaviour of programs,
• well-moded programs by Dembinski and Maluszynski [27].
On the other hand, Apt and Marchiori [10] show that the method of Bossi and Cocco is a special case of:
• the inductive assertion method of Drabent and Maluszynski [32], which allows for the use of non-monotonic assertions, that is assertions not necessarily closed under substitution,
• the method of Colussi and Marchiori [23], where assertions are associated to control points, rather than to the relations defined in programs.
Another relevant approach is due to Deransart [28], who proposes two proof methods for weak partial correctness which are correct and complete. The first one is based on inductive specifications, i.e. specifications that hold for the head of a clause if they hold for the body of the clause. The second one is a refinement of the first method in order to facilitate correctness proofs. Deransart ([28], Section 6) points out that the method due to Bossi and Cocco is a special case of his proposals. Other recent approaches investigate extensions of pure logic programming including:
• declarative extensions of first-order built-in's of Prolog (Apt et al. [11]),
• methods to prove correctness with respect to the s- and c-semantics (Apt et al. [9]),
• general logic programs (Ferrand and Deransart [36], Malfon [42]),
• concurrent constraint logic programs (de Boer et al. [25]),
• meta-programming (Pedreschi and Ruggieri [48]), and
• dynamic scheduling systems (Apt and Luitjes [4], de Boer et al. [26]).

We now show that the method based on the relation $\vdash$ is equivalent to the one of Bossi and Cocco, thus precisely classifying the expressiveness of $\vdash$. We follow the presentation of Apt and Marchiori [10].

Definition 6.1. A type I is a set of atoms such that if an atom A is in I then every instance of A is in I. Let pre, post be types. A program is well-m-asserted by pre, post if for every $A \leftarrow B_1, \ldots, B_n$ instance of a clause from it, for $i \in [1,n]$:
$$A \in pre \wedge B_1, \ldots, B_{i-1} \in post \Rightarrow B_i \in pre, \qquad \text{and} \qquad A \in pre \wedge B_1, \ldots, B_n \in post \Rightarrow A \in post.$$
A query is well-m-asserted by pre, post if for every $B_1, \ldots, B_n$ instance of it, for $i \in [1,n]$:
$$B_1, \ldots, B_{i-1} \in post \Rightarrow B_i \in pre.$$

A type I is called strongly monotonic if an atom is in I iff every ground instance of it is in I. As an example of a non strongly monotonic type, we mention the set of ground atoms. The method of Bossi and Cocco is based on proving a program well-m-asserted. It is evident that relation $\vdash$ is a simplification of well-m-assertedness. Intuitively, $\vdash$ coincides with well-m-assertedness restricted to strongly monotonic types. However, we claim that under a rather general hypothesis the two methods exhibit the same expressiveness, in a sense clarified by the following definition.

Definition 6.2. Consider two sets of types, $\mathcal{T}$ and $\mathcal{J}$. We say that $\mathcal{T}$ is at least as expressive as $\mathcal{J}$ if every program well-m-asserted by two types pre, post in $\mathcal{J}$ is well-m-asserted by types pre', post' in $\mathcal{T}$ such that:
$$pre \subseteq pre' \qquad \text{and} \qquad post' \cap pre \subseteq post.$$
We say that $\mathcal{T}$ is as expressive as $\mathcal{J}$ if $\mathcal{T}$ is at least as expressive as $\mathcal{J}$ and vice versa. □

In other words, $\mathcal{T}$ is at least as expressive as $\mathcal{J}$ if, whenever we can reason on P and Q using types from $\mathcal{J}$, then we are able to reason on P using types from $\mathcal{T}$ that allow for reasoning on a class of queries containing Q, since $pre \subseteq pre'$, and on finer properties, since $post' \cap pre \subseteq post$.

Theorem 6.1. Assume that $\Sigma_L$ is infinite. Then strongly monotonic types are as expressive as types.

Proof. Obviously, types are at least as expressive as strongly monotonic types. Conversely, consider types pre and post, and a program P well-m-asserted by pre, post. We define the strongly monotonic types:
$$pre' = True(pre \cap B_L), \qquad post' = True(M_P \cap post),$$
where $True(I) = \{A \in Atom_L \mid I \models A\}$. It is readily checked that P is well-m-asserted by pre', post' as well. Moreover, consider $A \in pre$. Since every ground instance of A is in $pre \cap B_L$, A is in pre'. Therefore, $pre \subseteq pre'$. In addition, if $A \in post' \cap pre$ then every ground instance of A is in $M_P$. Let $A'$ be a ground instance of A obtained by instantiating every variable of A with ground terms whose principal function symbols are distinct and do not appear in A or P. $A'$ exists since $\Sigma_L$ is infinite. Then:
$$\begin{array}{cl}
 & A' \in M_P \\
\iff & \{A' \text{ ground}\} \\
 & P \models A' \\
\iff & \{\text{Theorem on Constants (see e.g. Ref. [52])}\} \\
 & P \models A.
\end{array}$$
By Corollary 4.8 in Ref. [10], $A \in pre$ and $P \models A$ imply $A \in post$, hence $post' \cap pre \subseteq post$. □

6.2. Call pattern characterization

As shown in Section 3.3, the method based on the proof relation $\vdash$ is not complete with respect to the notion of (weak) partial correctness, in the sense that there are programs P weak partially correct w.r.t. a specification $(Pre, Post)$ for which $\vdash \{Pre\}\,P\,\{Post'\}$ does not hold for any Post'. A completeness result has been shown for the method of Deransart [28]. Incompleteness of relation $\vdash$ is due to a phenomenon recently investigated by Boye and Maluszynski [19]. They pointed out that directional types and, more generally, correctness can be viewed under two different aspects, depending on whether one is interested in the input/output behaviour, i.e. declarative properties, or in the run-time behaviour of programs, i.e. call pattern characterization with respect to some specific selection rule. Under this distinction, the approach of Deransart is a method for proving declarative properties, while ours also addresses run-time properties with reference to the leftmost selection rule. In particular, Definition 2.2 of weak partial and partial correctness is concerned with declarative properties, by noting that $M_P \cap Pre \subseteq Post$ can be rewritten as
$$M_P \subseteq (B_L \setminus Pre) \cup Post.$$
On the contrary, the proof method based on relation $\vdash$ addresses call pattern characterization (see Corollary 3.1) as well as declarative properties. Therefore, we had to trade completeness of the method for the possibility of reasoning on call patterns with respect to the leftmost selection rule. Naish [45] discusses the notion of types as supersets of the least Herbrand model in the sense of (5), arguing that purely declarative information can actually express the essence of types and modes. He proposes [43,45] a definition of declarative typing of programs and applies it to program verification and type
checking. The resulting declarative proof method is more general than relation $\vdash$ but still incomplete.

6.3. Partial correctness

Among the cited approaches to weak partial correctness, only Malfon [42] shows a method for proving that a postcondition is the strongest one, in the sense of Theorems 3.12 and 3.20. To the best of our knowledge, no approach discusses methods for characterizing the weakest (liberal) preconditions, in the sense of Theorem 3.21.

6.4. Termination

Concerning termination, we refer the reader to the survey of De Schreye and Decorte [51] for a comprehensive bibliography. Among others, Bezem [14] and Apt and Pedreschi [13] introduced recurrent and acceptable logic programs, which are special cases of the proof relation $\vdash_t$. In particular, a program P is acceptable iff $\vdash_t \{B_L\}\,P\,\{Post\}$ holds for some Post, and P is recurrent iff $\vdash_t \{B_L\}\,P\,\{B_L\}$ holds. Thus, our method can be viewed as an adaptation of the above universal termination proof methods with respect to the intended queries; this facilitates the required reasoning in many examples, in that uninteresting input queries need not be taken into account. As an example, consider the following program FLAT:

    flat([], []).
    flat([X|Xs], [f(X)|FXs]) ← flat(Xs, FXs).
    flat(nil, []).
    flat(tree(X, Ls, Rs), [f(X)|Fs]) ← flat(Ls, FLs), flat(Rs, FRs), append(FLs, FRs, Fs).

augmented with the APPEND program. FLAT applies f(·) to every element of a given list, or of a preorder traversal of a given binary tree. We denote by BTree the set of binary trees, and for $bt \in BTree$, $\|bt\|$ denotes the number of nodes of bt. Given:
$$\begin{array}{rl}
Pre = & flat(GList \times U_L) \cup flat(BTree \times U_L) \cup Pre_{APPEND}, \\
Post = & \{\, flat(ls, rs) \mid ls, rs \in GList \wedge |ls| = |rs| \,\} \cup \{\, flat(bt, rs) \mid bt \in BTree,\ rs \in GList \wedge \|bt\| = |rs| \,\} \cup Post_{APPEND},
\end{array}$$
it is straightforward to exhibit proof outlines to show that $\vdash_t \{Pre\}\,FLAT\,\{Post\}$ holds by using a level mapping $|\ |$ such that:
$$|flat(ls, lw)| = \begin{cases} |ls| + 1 & \text{if } ls \in GList, \\ \|ls\| + 1 & \text{if } ls \in BTree. \end{cases}$$
On the contrary, proving acceptability is awkward, due to the fact that badly-typed atoms have to be considered in the definition of the level mapping, such as
$$tree(a, [a, b, e], tree(a, [\,], nil)).$$
Even worse, there are some interesting programs which terminate on a strict subset of $B_L$ only, and thus cannot be acceptable. The most immediate example is the following program TRANSP:

    trans(x, y, e) ← x →_e y   for a DAG e
    trans(X, Y, E) ← member([X, Y], E).
    trans(X, Y, E) ← member([X, Z], E), trans(Z, Y, E).

augmented by the definition of member. In the intended meaning of the program, trans(x, y, e) succeeds iff $x \rightarrow_e y$, i.e. if $[x, y]$ is in the transitive closure of a directed acyclic graph (DAG) e, which is represented as a list of pairs of constants. It is readily checked that if e is not a DAG, i.e. it contains a cycle, then infinite derivations may occur. As a consequence, TRANSP is not acceptable. Notice, however, that in the intended use of the program, e is supposed to be a DAG. In our approach, we model that case by defining:
$$\begin{array}{rl}
Pre = & \{\, trans(x, y, e) \mid e \text{ is a DAG} \,\} \cup \{\, member(x, ls) \mid ls \text{ is a list} \,\} \\
Post = & \{\, trans(x, y, e) \mid x \rightarrow_e y \,\} \cup \{\, member(x, ls) \mid x \text{ is in } ls \,\}.
\end{array}$$
It is readily checked that $\vdash_t \{Pre\}\,TRANSP\,\{Post\}$ holds by using the level mapping
$$|trans(x, y, e)| = |e| + 1 + Card\{\, z \mid x \rightarrow_e z \,\}, \qquad |member(x, e)| = |e|,$$
where Card is the set cardinality operator. By means of the same level mapping, it is readily checked that
$$\vdash_t \{Pre\}\ trans(x, Y, e)\ \{Post\} \qquad \text{and} \qquad \vdash_t \{Pre\}\ trans(X, Y, e)\ \{Post\}$$
hold, where e is a DAG. By Theorem 3.15, the LD-trees for trans(x, Y, e) and trans(X, Y, e) are finite.
6.5. (Weak) total correctness

We claim that the sum of well-m-assertedness and acceptability is not as expressive as the method based on proof relation $\vdash_t$. On the one hand, simply applying in turn well-m-assertedness and acceptability involves considering more proof obligations than establishing $\vdash_t$. On the other hand, the complications with proving acceptability highlighted in the example programs FLAT and TRANSP still hold. Furthermore, consider P well-m-asserted by pre, post. Since in general post is not a model of the program (see APPEND for an example), acceptability must be shown by considering a further set Post', a model of P, which is not present in our approach. In addition, confusion can arise due to the fact that acceptability analysis acts at the ground level, whilst well-m-assertedness acts at the non-ground level. Also, we mention that well-m-assertedness has been extended by Bossi et al. [17] to reason on termination. They define level mappings $|\ |$ on non-ground atoms as well, and require that for every $A \leftarrow B_1, \ldots, B_n$ instance of a clause of P, for every $i \in [1,n]$:
$$pre \models A \;\wedge\; post \models B_1, \ldots, B_{i-1} \quad\text{implies}\quad |A| > |B_i|. \qquad (6)$$

However, this leads to complications, since termination can be proved only using rigid level mappings, and then a further proof obligation has to be satisfied. | | is called rigid if whenever $pre \models A$ then $|A| = |A'|$ for every instance A' of A. Moreover, the resulting proof method is not complete in the sense of Theorem 3.19. In fact, consider the program P:

p(0).
p(1) ← p(0).

and $pre = Atom_L$, and any post. For every level mapping | | we have that (6) requires $|p(1)| > |p(0)|$. Therefore, | | cannot be rigid, since $pre \models p(X)$. On the contrary, it is straightforward to show that $\vdash_t \{B_L\}\ P\ \{B_L\}$ and $\vdash_t \{B_L\}\ p(X)\ \{B_L\}$ hold by the same level mapping. A similar argument applies to the termination proof method proposed for well-typed programs by Bronsard et al. [20].

6.6. General programs
Ferrand and Deransart [36] extend the proof method of Deransart [28] to prove declarative properties of general logic programs. Differently from our approach, they do not discuss termination issues and adopt the well-founded semantics [2]. As in the case of definite programs, their method is more general for proving declarative properties, albeit ours is also able to reason on call pattern characterization and termination as well as ensuring completeness of LDNF-resolution. The same arguments apply to the proposal of Malfon [42], which presents a correct and complete method to prove declarative properties with respect to Fitting and well-founded semantics [2]. It is worth noting that the notion of well-supported interpretation turns out to be a simplification of a similar notion introduced in [42].

6.7. Integrated approaches
There are a few attempts to present in a uniform way methods dealing with correctness, termination, call patterns, occur-check freedom, modular proofs, and other program properties. A valuable approach is due to Apt [8]. However, his book presents several separate results, which in many cases are instantiations of the proof method presented in this paper. Also, Deville [30] proposes an approach for systematically deriving terminating programs from specifications provided in a Clark's completion-like format. However, the method is not applicable to check correctness of existing programs. Recently, Stärk [53] proposed a logic program theorem prover in which termination and correctness can be formally proved for programs containing negation and arithmetic built-in's. The formal theory underlying the theorem prover is an extension of pure Prolog including induction principles and axioms for built-in's.
7. Conclusions
The starting point of the research reported in this paper has been the recognition of a few core principles, common to several existing proof methods for logic programs. On this basis, a thorough proof theory has been developed as a candidate unifying framework capable of addressing a reasonably large spectrum of properties for a reasonably large class of programs. The original contribution of this paper is the introduction of a proof relation $\vdash_t$ for total correctness of logic programs, possibly containing negation and arithmetic built-in's, which are designed to be executed according to a fixed selection rule. In particular, the proposed proof theory concentrates on the (Prolog's) leftmost selection rule. For reasons of presentation, the $\vdash_t$ proof method has been introduced in an incremental way, by a stepwise definition of increasingly higher levels of verification, from a weak form of partial correctness up to full-fledged total correctness. Some applications of the method have been surveyed, including proving absence of run-time errors, modular program development, safe omission of the occur-check, verification of meta-programs, semantics decidability. By lack of space, we could not include the presentation of case studies of significant dimension. However, we refer the reader to [47] for a collection of case studies.
Finally, we compared the expressiveness of the proposed approach with existing proposals. Technically speaking, the proof theory is obtained as a combination of the proof method of Bossi and Cocco [16] for weak partial correctness, and the proof method of Apt and Pedreschi [13] for termination. The advantage of this operation is that the expressiveness of the combined method strictly exceeds the expressiveness of the separate methods both from a theoretical and a practical perspective. We were not concerned here with the issue of automation, since the main focus was on the theoretical framework and, in addition, there would be no space in the paper for a fair accounting of the issue. However, we are pursuing a research line towards the design and the implementation of tools supporting systematic program development and automatic verification. Other interesting extensions we are currently investigating include constraint logic programs and dynamic selection rules.
Appendix A. Termination

In the following, we assume that the function $\max : 2^{\mathbb{N}} \to \mathbb{N} \cup \{\infty\}$ is defined as follows:

$$\max S = \begin{cases} 0 & \text{if } S = \emptyset, \\ n & \text{if } S \text{ is finite and non-empty, and } n \text{ is the maximum of } S, \\ \infty & \text{if } S \text{ is infinite.} \end{cases}$$

Then $\max S < \infty$ iff the set S is finite. Moreover, we will use the finite multiset ordering. A multiset on W is an unordered sequence of elements from W. We denote a multiset of elements $a_1, \ldots, a_n$ by $bag(a_1, \ldots, a_n)$. If W is associated with an irreflexive ordering <, we define the ordering

$\geq 0$) and on the depth ($\geq 1$) of the finitely failed LDNF-tree in the case (i). In the case (ii), induction is on the rank ($\geq 0$) and on the length ($\geq 1$) of the LDNF-refutation.

(rank = 0):
(depth/length = 1) (i) If $Post \models A$ then by Definition 5.3 (ii) there exists $A \leftarrow L_1, \ldots, L_n \in ground_L(P)$ such that $Post \models L_1, \ldots, L_n$. However, this is impossible since depth = 1 implies that A does not unify with any clause head. (ii) Since length = 1, the hypothesis implies that A is an instance of the head of a unit clause. By Definition 5.3 (i2), we conclude $Post \models A$.

(depth/length > 1) (i) If $Post \models A$ then by Definition 5.3 (ii) there exists $C\theta = A \leftarrow L_1, \ldots, L_n \in ground_L(P)$, with C clause from P, such that
$$Post \models L_1, \ldots, L_n. \qquad (1)$$

Since the resolvent of A and C has a finitely failed LD(NF)-tree, every instance of it, and in particular $L_1, \ldots, L_n$, has a finitely failed LD(NF)-tree. Therefore there exists $i \in [1, n]$ such that $L_1, \ldots, L_{i-1}$ have a refutation and $L_i$ has a finitely failed LD(NF)-tree. Since rank = 0, $L_1, \ldots, L_n$ are positive literals. By inductive hypothesis (ii) on the length of refutations: $Post \models L_1, \ldots, L_{i-1}$ and then, since $\vdash_t \{Pre\}\ P\ \{Post\}$, $Pre \models L_i$. By inductive hypothesis (i) on the depth $Post \models \neg L_i$. This contradicts (1), thus we conclude $Post \models \neg A$. (ii) Consider the LDNF-resolvent of A. Since rank = 0, every literal in it is positive. Moreover, some ground instance $B_1, \ldots, B_n$ of it has a LD(NF)-refutation. By inductive hypothesis on the depth, we have $Post \models B_1, \ldots, B_n$. Since $\vdash_t \{Pre\}\ P\ \{Post\}$ holds, by Definition 5.3 (i2) this implies $Post \models A$.

(rank > 0):

(depth/length = 1) Analogous to the case rank = 0.

(depth/length > 1) (i) If $Post \models A$ then by Definition 5.3 (ii) there exists $C\theta = A \leftarrow L_1, \ldots, L_n \in ground_L(P)$, with C clause from P, such that:
$$Post \models L_1, \ldots, L_n. \qquad (2)$$

Since the resolvent of A and C has a finitely failed LDNF-tree, every instance of it, and in particular $L_1, \ldots, L_n$, has a finitely failed LDNF-tree. Therefore there exists $i \in [1, n]$ such that $L_1, \ldots, L_{i-1}$ have a refutation and $L_i$ has a finitely failed LDNF-tree. By inductive hypothesis (ii) on the length of refutations and (i) on the rank: $Post \models L_1, \ldots, L_{i-1}$. Since $\vdash_t \{Pre\}\ P\ \{Post\}$, we have $Pre \models A_i$, where $L_i = A_i$ or $L_i = \neg A_i$. We distinguish now two cases. If $L_i = A_i$ then by inductive hypothesis (i) on the depth $Post \models \neg L_i$. This contradicts (2), thus we conclude $Post \models \neg A$. If $L_i = \neg A_i$ then $A_i$ has a LDNF-refutation with lower rank. By inductive hypothesis (ii) on the rank, we have $Post \models A_i$, and then $Post \models \neg L_i$. This contradicts (2), thus we conclude $Post \models \neg A$. (ii) Consider the resolvent of A. We observe that some ground instance $L_1, \ldots, L_n$ of it has a LDNF-refutation. By inductive hypothesis (ii) on the length of refutations every positive literal in $L_1, \ldots, L_n$ is in Post. By inductive hypothesis (i) on the rank, we have that every negative literal is true in Post, i.e.
$Post \models L_1, \ldots, L_n$. Since $\vdash_t \{Pre\}\ P\ \{Post\}$ holds, by Definition 5.3 (i2), this implies $Post \models A$. □
We extend the notion of boundedness to general queries by defining for a general query Q:

$$\|Q\| = \{\, |A_i| \;\mid\; L_1, \ldots, L_n \text{ is a ground instance of } Q,\ Post \models L_1, \ldots, L_{i-1},\ \text{and } L_i = A_i \vee L_i = \neg A_i \,\}.$$
Lemma B.2. Assume that $\vdash_t \{Pre\}\ P\ \{Post\}$ and $\vdash_t \{Pre\}\ Q\ \{Post\}$ hold by the same level mapping | |. Let Q' be a LDNF-resolvent of P and Q. Then (i) Q' is bounded (by | | and Post), and (ii) $\|Q'\| <_m \|Q\|$, and (iii) $\vdash_t \{Pre\}\ Q'\ \{Post\}$.

Proof. In the case that a positive literal is selected, we follow the same reasoning of Lemma A.1. Therefore, we have only to consider $Q = \neg A, Q'$. In this case, A is ground, and there exists a finitely failed LDNF-tree for P and A, and Q' is the LDNF-resolvent of P and Q. By Lemma B.1 (i), $Post \models \neg A$. From this, (i-iii) readily follow. □
References

[1] K.R. Apt, M. Bezem, Acyclic programs, in: D.H.D. Warren, P. Szeredi (Eds.), Proceedings of the Seventh International Conference on Logic Programming, MIT Press, Cambridge, MA, 1990, pp. 617-633.
[2] K.R. Apt, R. Bol, Logic programming and negation: a survey, Journal of Logic Programming 19-20 (1994) 9-71.
[3] K.R. Apt, H.C. Doets, A new definition of SLDNF-resolution, Journal of Logic Programming 18 (2) (1994) 177-190.
[4] K.R. Apt, I. Luitjes, Verification of logic programs with delay declarations, in: V.S. Alagar, M. Nivat (Eds.), Proc. of AMAST'95, Lecture Notes in Computer Science vol. 936, Springer, Berlin, 1995, pp. 66-90.
[5] K.R. Apt, D. Pedreschi, Modular termination proofs for logic and pure Prolog programs, in: G. Levi (Ed.), Advances in Logic Programming Theory, Oxford University Press, Oxford, 1994, pp. 183-229.
[6] K.R. Apt, A. Pellegrini, On the occur-check free Prolog programs, ACM TOPLAS 16 (3) (1994) 687-726.
[7] K.R. Apt, Logic programming, in: J. van Leeuwen (Ed.), Handbook of Theoretical Computer Science, vol. B, Elsevier, Amsterdam, 1990, pp. 493-574.
[8] K.R. Apt, From Logic Programming to Prolog, International Series in Computer Science, C.A.R. Hoare Series Editor, Prentice Hall, Englewood Cliffs, NJ, 1997.
[9] K.R. Apt, M. Gabbrielli, D. Pedreschi, A closer look at declarative interpretations, Journal of Logic Programming 28 (2) (1996) 147-180.
[10] K.R. Apt, E. Marchiori, Reasoning about Prolog programs: from modes through types to assertions, Formal Aspects of Computing 6A (1994) 743-764.
[11] K.R. Apt, E. Marchiori, C. Palamidessi, A declarative approach for first-order built-in's of Prolog, Applicable Algebra in Engineering, Communication and Computation 5 (3/4) (1994) 159-191.
[12] K.R. Apt, E.R. Olderog, Verification of Sequential and Concurrent Programs, Texts and Monographs in Computer Science, Springer-Verlag, Berlin, 1991.
[13] K.R. Apt, D. Pedreschi, Reasoning about termination of pure Prolog programs, Information and Computation 106 (1) (1993) 109-157.
[14] M. Bezem, Characterizing termination of logic programs with level mappings, in: E.L. Lusk, R.A. Overbeek (Eds.), Proceedings of the North American Conference on Logic Programming, MIT Press, Cambridge, MA, 1989, pp. 69-80.
[15] H.A. Blair, The recursion-theoretic complexity of predicate logic as a programming language, Information and Control 54 (1982) 25-47.
[16] A. Bossi, N. Cocco, Verifying correctness of logic programs, in: J. Diaz, F. Orejas (Eds.), TAPSOFT '89, Lecture Notes in Computer Science vol. 352, Springer, Berlin, 1989, pp. 96-110.
[17] A. Bossi, N. Cocco, M. Fabris, Norms on terms and their use in proving universal termination of a logic program, Theoretical Computer Science 124 (1994) 297-328.
[18] A. Bossi, M. Gabbrielli, G. Levi, M. Martelli, The s-semantics approach: theory and applications, Journal of Logic Programming 19-20 (1994) 149-197.
[19] J. Boye, J. Maluszynski, Two aspects of directional types, in: L. Sterling (Ed.), Proceedings of the 1995 International Conference on Logic Programming, MIT Press, Cambridge, MA, 1995, pp. 747-761.
[20] F. Bronsard, T.K. Lakshman, U.S. Reddy, A framework of directionality for proving termination of logic programs, in: K.R. Apt (Ed.), Proceedings of the 1992 Joint Int. Conference and Symposium on Logic Programming, MIT Press, Cambridge, MA, 1992, pp. 321-335.
[21] L. Cavedon, Acyclic logic programs and the completeness of SLDNF-resolution, Theoretical Computer Science 86 (1991) 81-92.
[22] K.L. Clark, Predicate logic as a computational formalism, Technical Report DOC 79/59, Imperial College, Department of Computing, 1979.
[23] L. Colussi, E. Marchiori, Proving correctness of logic programs using axiomatic semantics, in: Proceedings of the Eighth International Conference on Logic Programming, MIT Press, Cambridge, MA, 1991, pp. 629-644.
[24] L. Crnogorac, A.D. Kelly, H. Søndergaard, A comparison of three occur-check analysers, in: Proc. of SAS'96, Lecture Notes in Computer Science vol. 1145, Springer, Berlin, 1996, pp. 159-173.
[25] F.S. de Boer, M. Gabbrielli, E. Marchiori, C. Palamidessi, Proving concurrent constraint programs correct, ACM Transactions on Programming Languages and Systems 19 (5) (1997) 685-725.
[26] F.S. de Boer, M. Gabbrielli, C. Palamidessi, Proving correctness of constraint logic programs with dynamic scheduling, in: Proc. of SAS'96, Lecture Notes in Computer Science vol. 1145, Springer-Verlag, Berlin, 1996, pp. 83-97.
[27] P. Dembinski, J. Maluszynski, AND-parallelism with intelligent backtracking for annotated logic programs, in: Proceedings of the International Symposium on Logic Programming, Boston, 1995, pp. 29-38.
[28] P. Deransart, Proof methods of declarative properties of definite programs, Theoretical Computer Science 118 (1993) 99-166.
[29] N. Dershowitz, Termination of rewriting, Journal of Symbolic Computation 8 (1987) 69-116.
[30] Y. Deville, Logic Programming: Systematic Program Development, Addison-Wesley, Reading, MA, 1990.
[31] E.W. Dijkstra, A Discipline of Programming, Prentice Hall, Englewood Cliffs, NJ, 1976.
[32] W. Drabent, J. Maluszynski, Inductive assertion method for logic programs, Theoretical Computer Science 59 (1) (1988) 133-155.
[33] M. Ducassé, J. Noyé, Logic programming environments: dynamic program analysis and debugging, Journal of Logic Programming 19-20 (1994) 351-384.
[34] M. Falaschi, G. Levi, M. Martelli, C. Palamidessi, Declarative modelling of the operational behaviour of logic languages, Theoretical Computer Science 69 (3) (1989) 289-318.
[35] M. Falaschi, G. Levi, M. Martelli, C. Palamidessi, A model-theoretic reconstruction of the operational semantics of logic programs, Information and Computation 103 (1) (1993) 86-113.
[36] G. Ferrand, P. Deransart, Proof method of partial correctness and weak completeness for normal logic programs, Journal of Logic Programming 17 (1993) 265-278.
[37] C.J. Hogger, Derivation of logic programs, Journal of the ACM 28 (2) (1981) 372-392.
[38] C.J. Hogger, Introduction to Logic Programming, Academic Press, London, 1984.
[39] J.-M. Jacquet (Ed.), Constructing Logic Programs, Wiley, Chichester, England, 1993.
[40] M. Kalsbeek, Correctness of the vanilla meta-interpreter and ambivalent syntax, in: K.R. Apt, F. Turini (Eds.), Meta-logics and Logic Programming, MIT Press, Cambridge, MA, 1995, pp. 3-26.
[41] J.W. Lloyd, Foundations of Logic Programming, second edition, Springer, Berlin, 1987.
[42] B. Malfon, Characterization of some semantics for logic programs with negation and application to program validation, in: M. Bruynooghe (Ed.), Proceedings of the International Symposium on Logic Programming, MIT Press, Cambridge, MA, 1994, pp. 91-105.
[43] L. Naish, Types and the intended meaning of logic programs, in: F. Pfenning (Ed.), Types in Logic Programming, MIT Press, Cambridge, MA, 1992, pp. 189-216.
[44] L. Naish, Verification of logic programs and imperative programs, in: J.-M. Jacquet (Ed.), Constructing Logic Programs, Wiley, Chichester, 1993, pp. 143-164.
[45] L. Naish, A declarative view of modes, in: M.J. Maher (Ed.), Proceedings of the 1996 Joint International Conference and Symposium on Logic Programming, MIT Press, Cambridge, MA, 1996.
[46] D. Pedreschi, S. Ruggieri, Modular verification of logic programs, in: F.S. de Boer, M. Gabbrielli (Eds.), Proceedings of the W2 Post-Conference Workshop of the 1996 JICSLP, Tech. Report TR-9631, Dipartimento di Informatica, Università di Pisa, 1996.
[47] D. Pedreschi, S. Ruggieri, Verification of logic programs, Technical Report 97-05, Dipartimento di Informatica, Università di Pisa, 1997. A collection of case studies is available at the URL: http://www.di.unipi.it/~ruggieri/Verification/cases.html.
[48] D. Pedreschi, S. Ruggieri, Verification of metainterpreters, Journal of Logic and Computation 7 (2) (1997) 267-303.
[49] D. Pedreschi, S. Ruggieri, Weakest preconditions for pure Prolog programs, Information Processing Letters 67 (3) (1998) 145-150.
[50] S. Ruggieri, Decidability of logic program semantics and applications to testing, in: Proceedings of PLILP'96, Lecture Notes in Computer Science vol. 1140, Springer, Berlin, 1996, pp. 347-362.
[51] D. De Schreye, S. Decorte, Termination of logic programs: the never-ending story, Journal of Logic Programming 19-20 (1994) 199-260.
[52] J. Shoenfield, Mathematical Logic, Addison-Wesley, Reading, MA, 1967.
[53] R.F. Stärk, Formal verification of logic programs: foundations and implementations, in: S. Adian, A. Nerode (Eds.), LFCS '97, Lecture Notes in Computer Science vol. 1234, Springer, Berlin, 1997, pp. 354-368.
[54] L. Sterling, E. Shapiro, The Art of Prolog, MIT Press, Cambridge, MA, 1986.