Information Processing Letters 67 (1998) 145-150

Weakest preconditions for pure Prolog programs

Dino Pedreschi *, Salvatore Ruggieri
Dipartimento di Informatica, Università di Pisa, Corso Italia 40, 56125 Pisa, Italy
Received 5 February 1998; received in revised form 30 April 1998
Communicated by D. Gries
Abstract

We introduce a characterization of weakest preconditions and weakest liberal preconditions of pure Prolog programs P and postconditions Post in terms of ordinal closures of a natural operator based on P and Post. © 1998 Elsevier Science B.V. All rights reserved.

Keywords: Logic programming; Prolog; Hoare's logic; Weakest preconditions; Weakest liberal preconditions; Program correctness

* Corresponding author.
0020-0190/98/$19.00 © 1998 Elsevier Science B.V. All rights reserved. PII: S0020-0190(98)00098-2

1. Introduction

Several verification proof methods have been proposed for logic and pure Prolog programs. Most approaches [2-5,8] adopt a Hoare's logic proof style [1], where specifications are given in terms of pre- and postconditions. In general, the basic tools for program analysis are triples $\{Pre\}\ P\ \{Post\}$, where $P$ is a logic program and $Pre$ and $Post$ assertions or sets of atoms. $Pre$ models a class of intended queries and $Post$ describes some property of computed/correct instances of intended queries. A proof theory is then built starting from triples, which produces a proof relation $\vdash$.

The contribution of this paper is the development of a calculus of weakest preconditions and weakest liberal preconditions for the method of [10,11], which represents a trade-off between expressiveness (i.e., the class of programs and properties it is able to reason about) and ease of use in paper and pencil verification proofs. We provide a characterization of weakest (liberal) preconditions in terms of the ordinal closures of an operator $\vartheta_{P,Post}$, based on the program $P$ under consideration and its intended interpretation $Post$.

The notion of weakest (liberal) precondition was originally introduced in [6], as an alternative, yet equivalent, formulation of Hoare's logic, more geared to the calculation of assertions and programs. The theory of weakest preconditions was the basis for the systematic development of correct programs first described in [7], and further explained in [9]. The results of this work show how tight is the parallel between logic and imperative programming.

Preliminaries. Throughout the paper we use the standard notation of logic programming, as in [2], when not specified otherwise. We use queries instead of goals and consider a fixed universal language $L$ in which all programs and queries are written. Therefore, $B_L$ is the Herbrand base on $L$ and $M^L_P$ is the least Herbrand model of a program $P$. $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$ denotes that $A \leftarrow B_1, \ldots, B_n$ is a ground instance of a clause from $P$. Given a Herbrand interpretation $I$, i.e., a subset of $B_L$, and a query $Q$ we write $I \models Q$ if $I$ is a model of $Q$. In particular, if $A$ is a ground atom then $I \models A$ iff $A \in I$. LD-resolution is SLD-resolution with the (Prolog's) leftmost selection rule. A level mapping is a function from $B_L$ into the set of natural numbers $N$.
2. Reference proof method
The main advocated feature of the method in [10,11] is the possibility to reason in a uniform way on several properties of pure Prolog programs, including partial correctness, total correctness, absence of runtime errors due to the selection of ill-typed arithmetic atoms, safe omission of the occur check, and modular proofs. The basic relations of the method are the (Hoare's logic style) triples

$$\vdash \{Pre\}\ P\ \{Post\} \quad \text{and} \quad \vdash_t \{Pre\}\ P\ \{Post\},$$

where $Pre$ and $Post$ are Herbrand interpretations, respectively denoting the intended class of atoms we are interested in, and the intended interpretation of the program. We recall from [10] the definitions of the proof relations.

Definition 1. We say that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds iff there exists a level mapping $|\ | : B_L \to N$ such that for every $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$:
(1) for $i \in [1,n]$, $Pre \models A \wedge Post \models B_1, \ldots, B_{i-1} \Rightarrow$
    (a) $Pre \models B_i$, and
    (b) $|A| > |B_i|$,
(2) $Pre \models A \wedge Post \models B_1, \ldots, B_n \Rightarrow Post \models A$.
We write $\vdash \{Pre\}\ P\ \{Post\}$ when (1a) and (2) hold.

Intuitively, for a clause $C$ with a body of length $n$, there are $n + 1$ proof obligations to conclude that the triple $\vdash \{Pre\}\ P\ \{Post\}$ holds: (1) each atom $A$ in the body of $C$ is in $Pre$ when the head of $C$ is in $Pre$ and all the atoms to the left of $A$ in the body of $C$ are in $Post$; and (2) the head of $C$ is in $Post$ when it is in $Pre$ and all the atoms in the body of $C$ are in $Post$. In the case of $\vdash_t \{Pre\}\ P\ \{Post\}$ the decreasing of the level mapping is also required (1b).

The main properties of the proof method can be summarized as follows (from [10]):
(i) weak partial correctness: if $\vdash \{Pre\}\ P\ \{Post\}$ then $M^L_P \cap Pre \subseteq Post$, i.e., $Post$ is a property of successful atoms in $Pre$;
(ii) weak total correctness: if $\vdash_t \{Pre\}\ P\ \{Post\}$ then $M^L_P \cap Pre \subseteq Post$, and, moreover, every LD-derivation of $P$ and any $A \in Pre$ is finite;
(iii) call patterns: if $\vdash \{Pre\}\ P\ \{Post\}$ holds and $A \in Pre$, then for every atom $B$ selected in a LD-derivation of $P$ and $A$, $Pre \models B$.
The above properties can be systematically extended to non-ground queries (see [10]).

Two further notions were introduced in [10] in order to model the case that $Post$ exactly characterizes the set of successful intended queries:
(i) partial correctness: $M^L_P \cap Pre = Post$;
(ii) total correctness: $M^L_P \cap Pre = Post$, and every LD-derivation of $P$ and any $A \in Pre$ is finite.

In [10], also the notion of strongest postcondition $sp(P, Pre)$ was introduced, and it was shown that $sp(P, Pre)$ coincides with $M^L_P \cap Pre$. The proof method has been extended with additional proof obligations in order to show that a given postcondition is the strongest one, and, a fortiori, partial and total correctness. Analogously, the notions of weakest precondition and weakest liberal precondition were introduced.

Definition 2. We denote by $wlp(P, Post)$ the union of every $Pre'$ such that $\vdash \{Pre'\}\ P\ \{Post\}$ holds, and by $wp(P, Post)$ the union of every $Pre'$ such that $\vdash_t \{Pre'\}\ P\ \{Post\}$ holds.

In [10], it was shown that the weakest (liberal) preconditions are valid preconditions with respect to the proof relation $\vdash_t$ (respectively, $\vdash$), i.e., that

$$\vdash \{wlp(P, Post)\}\ P\ \{Post\}, \qquad \vdash_t \{wp(P, Post)\}\ P\ \{Post\}$$

hold. However, no simple characterization of $wlp(P, Post)$ and $wp(P, Post)$ which could lead to practical proof methods has been found.
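3. Weakest preconditions as ordinal closures

We provide here a characterization of the weakest (liberal) preconditions as ordinal closures of a function $\vartheta_{P,Post}$ over the lattice of Herbrand interpretations.

Definition 3. Let $P$ be a logic program, and $Post \subseteq B_L$. We define the function $\vartheta_{P,Post} : 2^{B_L} \to 2^{B_L}$ as follows:

$$\vartheta_{P,Post}(I) = \{ A \in B_L \mid \forall A \leftarrow B_1, \ldots, B_n \in ground_L(P):\ (\forall i \in [1,n]: Post \models B_1, \ldots, B_{i-1} \Rightarrow I \models B_i) \wedge (Post \models B_1, \ldots, B_n \Rightarrow Post \models A) \}.$$

The definition of $\vartheta_{P,Post}$ is readily derived from the proof relations $\vdash$ and $\vdash_t$. In particular, the following fundamental relation holds.

Lemma 4. Let $P$ be a logic program, and $Pre, Post \subseteq B_L$. Then $\vdash \{Pre\}\ P\ \{Post\}$ holds iff $Pre \subseteq \vartheta_{P,Post}(Pre)$.

Proof. We calculate:

$\vdash \{Pre\}\ P\ \{Post\}$
$\equiv\ \forall A \leftarrow B_1, \ldots, B_n \in ground_L(P):\ (\forall i \in [1,n]: Pre \models A \wedge Post \models B_1, \ldots, B_{i-1} \Rightarrow Pre \models B_i) \wedge (Pre \models A \wedge Post \models B_1, \ldots, B_n \Rightarrow Post \models A)$
$\equiv\ \forall A \in Pre\ \forall A \leftarrow B_1, \ldots, B_n \in ground_L(P):\ (\forall i \in [1,n]: Post \models B_1, \ldots, B_{i-1} \Rightarrow Pre \models B_i) \wedge (Post \models B_1, \ldots, B_n \Rightarrow Post \models A)$
$\equiv\ Pre \subseteq \vartheta_{P,Post}(Pre)$. □

Let us now study the properties of $\vartheta_{P,Post}$.

Lemma 5. Let $P$ be a logic program, and $Post \subseteq B_L$. The function $\vartheta_{P,Post}$ is monotonic and downward continuous over the lattice $(2^{B_L}, \subseteq)$. Moreover there exist $P$ and $Post$ such that $\vartheta_{P,Post}$ is not continuous.

Proof. Monotonicity is immediate from Definition 3. Let us show now that $\vartheta_{P,Post}$ is downward continuous. Consider a chain $(I_k)_{k \geq 0}$ of subsets of $B_L$. We have to show that

$$\vartheta_{P,Post}\Big(\bigcap_{k \geq 0} I_k\Big) = \bigcap_{k \geq 0} \vartheta_{P,Post}(I_k).$$

Consider now any $A \in B_L$. We calculate:

$A \in \bigcap_{k \geq 0} \vartheta_{P,Post}(I_k)$
$\equiv\ \forall k \geq 0: A \in \vartheta_{P,Post}(I_k)$
$\equiv\ \forall k \geq 0:\ \forall A \leftarrow B_1, \ldots, B_n \in ground_L(P):\ (\forall i \in [1,n]: Post \models B_1, \ldots, B_{i-1} \Rightarrow I_k \models B_i) \wedge (Post \models B_1, \ldots, B_n \Rightarrow Post \models A)$
$\equiv\ \forall A \leftarrow B_1, \ldots, B_n \in ground_L(P):\ (\forall i \in [1,n]: Post \models B_1, \ldots, B_{i-1} \Rightarrow \forall k \geq 0: I_k \models B_i) \wedge (Post \models B_1, \ldots, B_n \Rightarrow Post \models A)$
$\equiv\ A \in \vartheta_{P,Post}\big(\bigcap_{k \geq 0} I_k\big)$.

Finally, we exhibit a program $P$ and a set $Post$ such that $\vartheta_{P,Post}$ is not continuous. Let $P$ be the program consisting of the unique clause $q \leftarrow p(X)$ defined on the language $L = (\{0^0, s^1\}, \{q^0, p^1\})$, and $Post = [p(X)]_L \cup \{q\}$. Consider now the chain $(I_k)_{k \geq 0}$ where $I_k = \{p(s^j(0)) \mid 0 \leq j \leq k\}$. We have that $q \in \vartheta_{P,Post}(\bigcup_{k \geq 0} I_k)$ albeit $q \notin \vartheta_{P,Post}(I_k)$ for every $k$. Therefore,

$$\vartheta_{P,Post}\Big(\bigcup_{k \geq 0} I_k\Big) \not\subseteq \bigcup_{k \geq 0} \vartheta_{P,Post}(I_k),$$

and then $\vartheta_{P,Post}$ is not continuous. □

An interesting consequence of the monotonicity of $\vartheta_{P,Post}$ is that applying $\vartheta_{P,Post}$ to a set $Pre$ such that $\vdash \{Pre\}\ P\ \{Post\}$ holds yields a precondition weaker than $Pre$.

Corollary 6. Let $P$ be a logic program, and $Pre, Post \subseteq B_L$. If $\vdash \{Pre\}\ P\ \{Post\}$ holds then $\vdash \{\vartheta_{P,Post}(Pre)\}\ P\ \{Post\}$ holds.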
Proof. By Lemma 4, $Pre \subseteq \vartheta_{P,Post}(Pre)$. By monotonicity of $\vartheta_{P,Post}$, this implies

$$\vartheta_{P,Post}(Pre) \subseteq \vartheta_{P,Post}(\vartheta_{P,Post}(Pre)).$$

Therefore, again by Lemma 4, we get the conclusion. □

We recall the following classical results, which are weak forms of theorems due to Kleene and Tarski [12].

Theorem 7. Let $f$ be a monotonic function over the lattice $(2^{B_L}, \subseteq)$. Then the greatest fixpoint $gfp(f)$ and the least fixpoint $lfp(f)$ exist. Moreover:
(i) if $f$ is downward continuous then $gfp(f) = f \downarrow \omega = \bigcup \{I \mid I \subseteq f(I)\}$;
(ii) for every ordinal $\alpha$, $f \uparrow \alpha \subseteq f(f \uparrow \alpha)$;
(iii) for some ordinal $\alpha$, $lfp(f) = f \uparrow \alpha$.

From the fact that $\vartheta_{P,Post}$ is downward continuous, we can conclude that the greatest fixpoint $gfp(\vartheta_{P,Post})$ coincides with $\vartheta_{P,Post} \downarrow \omega$, i.e., the downward ordinal closure of $\vartheta_{P,Post}$, and with $wlp(P, Post)$, i.e., the weakest liberal precondition of $P$ and $Post$.

Theorem 8. Let $P$ be a logic program, and $Post \subseteq B_L$. Then

$$wlp(P, Post) = gfp(\vartheta_{P,Post}) = \vartheta_{P,Post} \downarrow \omega.$$

Proof. We calculate:

$wlp(P, Post)$
$=$ {Definition 2}
$\bigcup \{Pre' \mid\ \vdash \{Pre'\}\ P\ \{Post\}\}$
$=$ {Lemma 4}
$\bigcup \{Pre' \mid Pre' \subseteq \vartheta_{P,Post}(Pre')\}$
$=$ {Theorem 7(i) and Lemma 5}
$\vartheta_{P,Post} \downarrow \omega$
$=$ {Theorem 7(i) and Lemma 5}
$gfp(\vartheta_{P,Post})$. □

It is now legitimate to ask oneself whether there is a relation between the set $\vartheta_{P,Post} \uparrow \omega$, and the proof method based on relations $\vdash$ and $\vdash_t$. A generalization of Corollary 6 to arbitrary ordinals holds.

Corollary 9. For every ordinal $\alpha$, $\vdash \{\vartheta_{P,Post} \uparrow \alpha\}\ P\ \{Post\}$ holds.

Proof. Since $\vartheta_{P,Post}$ is monotonic, by Theorem 7(ii) we have that

$$\vartheta_{P,Post} \uparrow \alpha \subseteq \vartheta_{P,Post}(\vartheta_{P,Post} \uparrow \alpha).$$

By Lemma 4, this implies that $\vdash \{\vartheta_{P,Post} \uparrow \alpha\}\ P\ \{Post\}$ holds. □

In addition, when $\alpha = \omega$, a stronger conclusion can be shown.

Theorem 10. Let $P$ be a logic program, and $Post \subseteq B_L$. Then $\vdash_t \{\vartheta_{P,Post} \uparrow \omega\}\ P\ \{Post\}$ holds.

Proof. By Corollary 9, $\vdash \{\vartheta_{P,Post} \uparrow \omega\}\ P\ \{Post\}$ holds. Let us now show the decreasing of the level mapping defined as follows:

$$|A| = \min\{i \mid A \in \vartheta_{P,Post} \uparrow (i+1)\}$$

for $A \in \vartheta_{P,Post} \uparrow \omega$, and $|A| = 0$ otherwise. Consider $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$ and $i \in [1,n]$. If $\vartheta_{P,Post} \uparrow \omega \models A \wedge Post \models B_1, \ldots, B_{i-1}$ then $\vartheta_{P,Post} \uparrow (|A|+1) \models A \wedge Post \models B_1, \ldots, B_{i-1}$. By Definition 3, $\vartheta_{P,Post} \uparrow |A| \models B_i$. This implies $|A| > |A| - 1 \geq \min\{j : B_i \in \vartheta_{P,Post} \uparrow (j+1)\} = |B_i|$. □

The following result provides a characterization of $\vartheta_{P,Post} \uparrow \omega$, by showing that it coincides with the weakest precondition of $P$ and $Post$.

Theorem 11. Let $P$ be a logic program, and $Post \subseteq B_L$. Then

$$wp(P, Post) = \vartheta_{P,Post} \uparrow \omega.$$

Proof. The inclusion $wp(P, Post) \supseteq \vartheta_{P,Post} \uparrow \omega$ is an immediate consequence of the definition of $wp(P, Post)$ and Theorem 10. To prove the converse inclusion, we show that for every $Pre$ such that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds, we have $Pre \subseteq \vartheta_{P,Post} \uparrow \omega$, hence $wp(P, Post) \subseteq \vartheta_{P,Post} \uparrow \omega$. Consider now $Pre$
such that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds by means of a level mapping $|\ |$. We show by induction on $k \geq 0$ that:

$$\{A \in Pre \mid |A| = k\} \subseteq \vartheta_{P,Post} \uparrow (k+1). \qquad (1)$$

Case $k = 0$. By Definition 1, for every $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$, we have that the body is empty, i.e., $n = 0$ and that $Post \models A$. By definition of $\vartheta_{P,Post}$, this implies $A \in \vartheta_{P,Post} \uparrow 1$.

Case $k > 0$. Assume $|A| = k + 1$ with $k \geq 0$, and consider $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$. For $i \in [1,n]$, if $Post \models B_1, \ldots, B_{i-1}$ then $B_i \in Pre \wedge |A| > |B_i|$, since $\vdash_t \{Pre\}\ P\ \{Post\}$ holds. By inductive hypothesis $B_i \in \vartheta_{P,Post} \uparrow (|B_i| + 1)$. By monotonicity of $\vartheta_{P,Post}$ and $|A| > |B_i|$, we have that $B_i \in \vartheta_{P,Post} \uparrow |A|$. Finally, if $Post \models B_1, \ldots, B_n$ then $Post \models A$, as $A \in Pre$ and $\vdash_t \{Pre\}\ P\ \{Post\}$ holds. Therefore, by Definition 3, we conclude $A \in \vartheta_{P,Post} \uparrow (|A| + 1)$.

Finally, from (1), we have that

$$Pre = \bigcup_{k \geq 0} \{A \in Pre \mid |A| = k\} \subseteq \bigcup_{k \geq 0} \vartheta_{P,Post} \uparrow (k+1) = \vartheta_{P,Post} \uparrow \omega,$$

and hence the conclusion. □

As an immediate consequence, we have that a minimal level mapping can be characterized in terms of ordinal powers of $\vartheta_{P,Post}$.

Corollary 12. Let $P$ be a logic program such that $\vdash_t \{Pre\}\ P\ \{Post\}$ holds by means of a level mapping $|\ |$. Consider now the level mapping $\|\ \|$ defined as follows:

$$\|A\| = \min\{i \mid A \in \vartheta_{P,Post} \uparrow (i+1)\},$$

for $A \in Pre$, and $\|A\| = 0$ otherwise. Then $\vdash_t \{Pre\}\ P\ \{Post\}$ holds by means of $\|\ \|$, and for every $A \in Pre$, $|A| \geq \|A\|$.

Let us now turn our attention on the least fixpoint $lfp(\vartheta_{P,Post})$. The following example shows that, in general, $lfp(\vartheta_{P,Post}) \neq \vartheta_{P,Post} \uparrow \omega$.

Example 13. Consider the program

$q \leftarrow p(X).$
$p(0) \leftarrow.$
$p(s(X)) \leftarrow p(X).$

defined on $L = (\{0^0, s^1\}, \{q^0, p^1\})$ and let $Post$ be $[p(X)]_L \cup \{q\}$. We have that for $i \geq 0$, $\vartheta_{P,Post} \uparrow i = \{p(s^j(0)) \mid 0 \leq j < i\}$. Therefore, we conclude that:

$$= \vartheta_{P,Post} \uparrow (\omega + 1) = lfp(\vartheta_{P,Post}).$$

Finally, the following result clarifies the status of $lfp(\vartheta_{P,Post})$.

Theorem 14. Let $P$ be a logic program, and $Post \subseteq B_L$. Then

$$\vdash \{lfp(\vartheta_{P,Post})\}\ P\ \{Post\}$$

holds. Moreover, every ground LD-derivation of $P$ and any $A \in lfp(\vartheta_{P,Post})$ is finite.

Proof. By Theorem 7(iii), there exists an ordinal $\alpha$ such that

$$lfp(\vartheta_{P,Post}) = \vartheta_{P,Post} \uparrow \alpha.$$

By Corollary 9,

$$\vdash \{lfp(\vartheta_{P,Post})\}\ P\ \{Post\}$$

holds. Consider $A \in lfp(\vartheta_{P,Post})$ and let $\xi$ be a ground LD-derivation of $P$ and $A$. We denote by $\alpha(A)$ the minimum ordinal $\alpha$ such that $A \in \vartheta_{P,Post} \uparrow \alpha$. Consider now an atom $B_i$ with $i \in [1,n]$ such that $A \leftarrow B_1, \ldots, B_n \in ground_L(P)$ and $B_i$ is eventually selected in $\xi$. We show by induction on $i$ that $\vartheta_{P,Post} \uparrow \alpha(B_i) \subseteq lfp(\vartheta_{P,Post})$ and that $\alpha(B_i) < \alpha(A)$.

If $i = 1$ then by Definition 3, $B_1 \in \vartheta_{P,Post} \uparrow \alpha(B_1) \subseteq lfp(\vartheta_{P,Post})$ with $\alpha(B_1) < \alpha(A)$.

If $i > 1$ then, by inductive hypothesis, we have that $lfp(\vartheta_{P,Post}) \models B_1, \ldots, B_{i-1}$. Since $B_1, \ldots, B_{i-1}$ has a ground LD-refutation, and $\vdash \{lfp(\vartheta_{P,Post})\}\ P\ \{Post\}$ holds, by weak partial correctness of $\vdash$, we have that $Post \models B_1, \ldots, B_{i-1}$. Then, by Definition 3, $B_i \in \vartheta_{P,Post} \uparrow \alpha(B_i) \subseteq lfp(\vartheta_{P,Post})$ with $\alpha(B_i) < \alpha(A)$.

In conclusion, since the $<$ ordering on ordinals is well-founded, there is no infinite descending chain, i.e., infinitely many selected atoms. Therefore, every ground LD-derivation $\xi$ is finite. □

References

[1] K.R. Apt, Ten years of Hoare's logic: a survey-Part I, ACM Trans. Program. Languages Systems 3 (4) (1981) 431-483.
[2] K.R. Apt, From Logic Programming to Prolog, Prentice-Hall, Englewood Cliffs, NJ, 1996.
[3] A. Bossi, N. Cocco, Verifying correctness of logic programs, in: J. Diaz, F. Orejas (Eds.), TAPSOFT '89, Lecture Notes in Computer Science, Vol. 352, Springer, Berlin, 1989, pp. 96-110.
[4] L. Colussi, E. Marchiori, Proving correctness of logic programs using axiomatic semantics, in: Proc. Eighth Internat. Conf. on Logic Programming, MIT Press, Cambridge, MA, 1991, pp. 629-644.
[5] P. Deransart, Proof methods of declarative properties of definite programs, Theoret. Comput. Sci. 118 (1993) 99-166.
[6] E.W. Dijkstra, Guarded commands, nondeterminacy and formal derivation of programs, Comm. ACM 18 (8) (1975) 453-457.
[7] E.W. Dijkstra, A Discipline of Programming, Prentice-Hall, 1976.
[8] W. Drabent, J. Maluszynski, Inductive assertion method for logic programs, Theoret. Comput. Sci. 59 (1) (1988) 133-155.
[9] D. Gries, The Science of Programming, Springer, New York, 1981.
[10] D. Pedreschi, S. Ruggieri, Verification of logic programs, Technical Report 97-05, Dipartimento di Informatica, Università di Pisa, 1997; also: J. Logic Programming, to appear.
[11] D. Pedreschi, S. Ruggieri, Verification of metainterpreters, J. Logic Comput. 7 (2) (1997) 267-303.
[12] A. Tarski, A lattice-theoretical fixpoint theorem and its applications, Pacific J. Math. 5 (1955) 285-309.
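
Added example (not part of the paper): the operator of Definition 3 evaluated over a small ground program, with wlp and wp obtained as the downward and upward closures of Theorems 8 and 11 and the level mapping of Theorem 10 read off the upward chain. The program, Herbrand base, Post and all function names are constructed for illustration; because the base is finite, both closures are reached after finitely many steps.

```python
# Constructed ground program: (head, body) pairs over a finite Herbrand base.
PROGRAM = [
    ("a", ["b", "c"]),
    ("b", []),
    ("c", ["b"]),
    ("loop", ["loop"]),   # LD-derivations of "loop" never terminate
    ("bad", ["b"]),       # succeeds, but "bad" is outside Post
]
BASE = frozenset({"a", "b", "c", "loop", "bad", "d"})   # "d" heads no clause
POST = frozenset({"a", "b", "c", "loop"})

def obligations(head, body, pre, level=None):
    """Definition 1 for one ground clause: (1a), (2), and (1b) if level is given."""
    for k, b in enumerate(body):
        if all(x in POST for x in body[:k]):          # atoms to the left are in Post
            if b not in pre:                          # (1a)
                return False
            if level is not None and level[head] <= level[b]:   # (1b)
                return False
    return head in POST or not all(x in POST for x in body)     # (2)

def theta(i):
    """Definition 3: atoms whose clauses all meet the obligations against i."""
    return frozenset(a for a in BASE
                     if all(obligations(h, body, i) for h, body in PROGRAM if h == a))

def holds(pre, level=None):
    """|- {pre} P {Post}, or |-_t when a level mapping is supplied."""
    return all(obligations(h, body, pre, level) for h, body in PROGRAM if h in pre)

def closure(start):
    """Powers of theta from start, up to the first fixpoint (finite base)."""
    chain = [frozenset(start)]
    while theta(chain[-1]) != chain[-1]:
        chain.append(theta(chain[-1]))
    return chain

def wlp():
    return closure(BASE)[-1]              # downward closure (Theorem 8)

def wp_with_levels():
    chain = closure(frozenset())          # chain[k] is the k-th upward power
    wp = chain[-1]                        # upward closure (Theorem 11)
    # |A| = min{ i | A in the (i+1)-th upward power }, as in Theorem 10
    level = {a: min(k for k, s in enumerate(chain) if a in s) - 1 for a in wp}
    return wp, level

if __name__ == "__main__":
    wp, level = wp_with_levels()
    print("wlp =", sorted(wlp()))
    print("wp  =", sorted(wp), "levels:", level)
    print("|-_t {wp} P {Post}:", holds(wp, level))
```

The atom `loop` lies in wlp but not in wp, since its only clause admits no decreasing level, while `bad` is excluded from both because its clause violates obligation (2).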