

Information Processing Letters 67 (1998) 145-150

Weakest preconditions for pure Prolog programs

Dino Pedreschi *, Salvatore Ruggieri 1

Dipartimento di Informatica, Università di Pisa, Corso Italia 40, 56125 Pisa, Italy

Received 5 February 1998; received in revised form 30 April 1998. Communicated by D. Gries

Abstract

We introduce a characterization of weakest preconditions and weakest liberal preconditions of pure Prolog programs P and postconditions Post in terms of ordinal closures of a natural operator based on P and Post. © 1998 Elsevier Science B.V. All rights reserved.

Keywords: Logic programming; Prolog; Hoare’s logic; Weakest preconditions; Weakest liberal preconditions; Program correctness

1. Introduction

Several verification proof methods have been proposed for logic and pure Prolog programs. Most approaches [2-5,8] adopt a Hoare's logic proof style [1], where specifications are given in terms of pre- and postconditions. In general, the basic tools for program analysis are triples {Pre} P {Post}, where P is a logic program and Pre and Post assertions or sets of atoms. Pre models a class of intended queries and Post describes some property of computed/correct instances of intended queries. A proof theory is then built starting from triples, which produces a proof relation $\vdash$.

The contribution of this paper is the development of a calculus of weakest preconditions and weakest liberal preconditions for the method of [10,11], which represents a trade-off between expressiveness (i.e., the class of programs and properties it is able to reason about) and ease of use in paper and pencil verification proofs. We provide a characterization of weakest (liberal) preconditions in terms of the ordinal closures of an operator $\vartheta_{P,Post}$, based on the program P under consideration and its intended interpretation Post.

* Corresponding author. Email: [email protected].

1 Email: [email protected].

0020-0190/98/$19.00 © 1998 Elsevier Science B.V. All rights reserved. PII: S0020-0190(98)00098-2

The notion of weakest (liberal) precondition was originally introduced in [6], as an alternative, yet equivalent, formulation of Hoare's logic, more geared to the calculation of assertions and programs. The theory of weakest preconditions was the basis for the systematic development of correct programs first described in [7], and further explained in [9]. The results of this work show how tight the parallel between logic and imperative programming is.

Preliminaries. Throughout the paper we use the standard notation of logic programming, as in [2], when not specified otherwise. We use queries instead of goals and consider a fixed universal language L in which all programs and queries are written. Therefore, $B_L$ is the Herbrand base on L and $M_P^L$ is the least Herbrand model of a program P. $A \leftarrow B_1,\ldots,B_n \in ground_L(P)$ denotes that $A \leftarrow B_1,\ldots,B_n$ is a ground instance of a clause from P. Given a Herbrand interpretation I, i.e., a subset of $B_L$, and a query Q we write $I \models Q$ if I is a model of Q. In particular, if A is a ground atom then $I \models A$ iff $A \in I$. LD-resolution is SLD-resolution with the (Prolog's) leftmost selection rule. A level mapping is a function from $B_L$ into the set of natural numbers $\mathbb{N}$.

2. Reference proof method

The main advocated feature of the method in [10,11] is the possibility to reason in a uniform way on several properties of pure Prolog programs, including partial correctness, total correctness, absence of run-time errors due to the selection of ill-typed arithmetic atoms, safe omission of the occur check, and modular proofs. The basic relations of the method are the (Hoare's logic style) triples

$\vdash \{Pre\}\,P\,\{Post\}$ and $\vdash_t \{Pre\}\,P\,\{Post\}$,

where Pre and Post are Herbrand interpretations, respectively denoting the intended class of atoms we are interested in, and the intended interpretation of the program. We recall from [10] the definitions of the proof relations.

Definition 1. We say that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds iff there exists a level mapping $|\ | : B_L \to \mathbb{N}$ such that for every $A \leftarrow B_1,\ldots,B_n \in ground_L(P)$:

(1) for $i \in [1,n]$, $Pre \models A \wedge Post \models B_1,\ldots,B_{i-1} \Rightarrow$

  (a) $Pre \models B_i$, and

  (b) $|A| > |B_i|$;

(2) $Pre \models A \wedge Post \models B_1,\ldots,B_n \Rightarrow Post \models A$.

We write $\vdash \{Pre\}\,P\,\{Post\}$ when (1a) and (2) hold.

Intuitively, for a clause C with a body of length n, there are n + 1 proof obligations to conclude that the triple $\vdash \{Pre\}\,P\,\{Post\}$ holds:

(1) each atom A in the body of C is in Pre when the head of C is in Pre and all the atoms to the left of A in the body of C are in Post; and

(2) the head of C is in Post when it is in Pre and all the atoms in the body of C are in Post.

In the case of $\vdash_t \{Pre\}\,P\,\{Post\}$ the decreasing of the level mapping is also required (1b). The main properties of the proof method can be summarized as follows (from [10]):

(i) weak partial correctness: if $\vdash \{Pre\}\,P\,\{Post\}$ then $M_P^L \cap Pre \subseteq Post$, i.e., Post is a property of successful atoms in Pre;

(ii) weak total correctness: if $\vdash_t \{Pre\}\,P\,\{Post\}$ then $M_P^L \cap Pre \subseteq Post$, and, moreover, every LD-derivation of P and any $A \in Pre$ is finite;

(iii) call patterns: if $\vdash \{Pre\}\,P\,\{Post\}$ holds and $A \in Pre$, then for every atom B selected in a LD-derivation of P and A, $Pre \models B$.

The above properties can be systematically extended to non-ground queries (see [10]). Two further notions were introduced in [10] in order to model the case that Post exactly characterizes the set of successful intended queries:

(i) partial correctness: $M_P^L \cap Pre = Post$;

(ii) total correctness: $M_P^L \cap Pre = Post$, and every LD-derivation of P and any $A \in Pre$ is finite.

In [10], also the notion of strongest postcondition sp(P, Pre) was introduced, and it was shown that sp(P, Pre) coincides with $M_P^L \cap Pre$. The proof method has been extended with additional proof obligations in order to show that a given postcondition is the strongest one, and, a fortiori, partial and total correctness. Analogously, the notions of weakest precondition and weakest liberal precondition were introduced.

Definition 2. We denote by wlp(P, Post) the union of every Pre' such that $\vdash \{Pre'\}\,P\,\{Post\}$ holds, and by wp(P, Post) the union of every Pre' such that $\vdash_t \{Pre'\}\,P\,\{Post\}$ holds.

In [10], it was shown that the weakest (liberal) preconditions are valid preconditions with respect to the proof relation $\vdash_t$ (respectively, $\vdash$), i.e., that

$\vdash \{wlp(P, Post)\}\,P\,\{Post\}$,

$\vdash_t \{wp(P, Post)\}\,P\,\{Post\}$

hold. However, no simple characterization of wlp(P, Post) and wp(P, Post) which could lead to practical proof methods has been found.


3. Weakest preconditions as ordinal closures

We provide here a characterization of the weakest (liberal) preconditions as ordinal closures of a function $\vartheta_{P,Post}$ over the lattice of Herbrand interpretations.

Definition 3. Let P be a logic program, and $Post \subseteq B_L$. We define the function $\vartheta_{P,Post} : 2^{B_L} \to 2^{B_L}$ as follows:

$$\vartheta_{P,Post}(I) = \{\, A \in B_L \mid \forall A \leftarrow B_1,\ldots,B_n \in ground_L(P):\ (\forall i \in [1,n]: Post \models B_1,\ldots,B_{i-1} \Rightarrow I \models B_i)\ \wedge\ (Post \models B_1,\ldots,B_n \Rightarrow Post \models A) \,\}.$$

The definition of $\vartheta_{P,Post}$ is readily derived from the proof relations $\vdash$ and $\vdash_t$. In particular, the following fundamental relation holds.

Lemma 4. Let P be a logic program, and $Pre, Post \subseteq B_L$. Then $\vdash \{Pre\}\,P\,\{Post\}$ holds iff $Pre \subseteq \vartheta_{P,Post}(Pre)$.

Proof. We calculate:

$$\begin{array}{l}
\vdash \{Pre\}\,P\,\{Post\} \\
\equiv\ \forall A \leftarrow B_1,\ldots,B_n \in ground_L(P): \\
\quad (\forall i \in [1,n]: Pre \models A \wedge Post \models B_1,\ldots,B_{i-1} \Rightarrow Pre \models B_i) \\
\quad \wedge\ (Pre \models A \wedge Post \models B_1,\ldots,B_n \Rightarrow Post \models A) \\
\equiv\ \forall A \in Pre\ \ \forall A \leftarrow B_1,\ldots,B_n \in ground_L(P): \\
\quad (\forall i \in [1,n]: Post \models B_1,\ldots,B_{i-1} \Rightarrow Pre \models B_i) \\
\quad \wedge\ (Post \models B_1,\ldots,B_n \Rightarrow Post \models A) \\
\equiv\ Pre \subseteq \vartheta_{P,Post}(Pre). \qquad \square
\end{array}$$

Let us now study the properties of $\vartheta_{P,Post}$.

Lemma 5. Let P be a logic program, and $Post \subseteq B_L$. The function $\vartheta_{P,Post}$ is monotonic and downward continuous over the lattice $(2^{B_L}, \subseteq)$. Moreover there exist P and Post such that $\vartheta_{P,Post}$ is not continuous.

Proof. Monotonicity is immediate from Definition 3. Let us show now that $\vartheta_{P,Post}$ is downward continuous. Consider a chain $(I_k)_{k \geq 0}$ of subsets of $B_L$. We have to show that

$$\vartheta_{P,Post}\Big(\bigcap_{k \geq 0} I_k\Big) = \bigcap_{k \geq 0} \vartheta_{P,Post}(I_k).$$

Consider now any $A \in B_L$. We calculate:

$$\begin{array}{l}
A \in \bigcap_{k \geq 0} \vartheta_{P,Post}(I_k) \\
\equiv\ \forall k \geq 0: A \in \vartheta_{P,Post}(I_k) \\
\equiv\ \forall k \geq 0:\ \forall A \leftarrow B_1,\ldots,B_n \in ground_L(P): \\
\quad (\forall i \in [1,n]: Post \models B_1,\ldots,B_{i-1} \Rightarrow I_k \models B_i) \\
\quad \wedge\ (Post \models B_1,\ldots,B_n \Rightarrow Post \models A) \\
\equiv\ \forall A \leftarrow B_1,\ldots,B_n \in ground_L(P): \\
\quad (\forall i \in [1,n]: Post \models B_1,\ldots,B_{i-1} \Rightarrow \forall k \geq 0: I_k \models B_i) \\
\quad \wedge\ (Post \models B_1,\ldots,B_n \Rightarrow Post \models A) \\
\equiv\ A \in \vartheta_{P,Post}\Big(\bigcap_{k \geq 0} I_k\Big).
\end{array}$$

Finally, we exhibit a program P and a set Post such that $\vartheta_{P,Post}$ is not continuous. Let P be the program consisting of the unique clause $q \leftarrow p(X)$ defined on the language $L = (\{0^0, s^1\}, \{q^0, p^1\})$, and $Post = [p(X)]_L \cup \{q\}$. Consider now the chain $(I_k)_{k \geq 0}$ where $I_k = \{\, p(s^j(0)) \mid 0 \leq j < k \,\}$. We have that $q \in \vartheta_{P,Post}(\bigcup_{k \geq 0} I_k)$ albeit $q \notin \vartheta_{P,Post}(I_k)$ for every k. Therefore,

$$\vartheta_{P,Post}\Big(\bigcup_{k \geq 0} I_k\Big) \neq \bigcup_{k \geq 0} \vartheta_{P,Post}(I_k),$$

and then $\vartheta_{P,Post}$ is not continuous. $\square$

An interesting consequence of the monotonicity of $\vartheta_{P,Post}$ is that applying $\vartheta_{P,Post}$ to a set Pre such that $\vdash \{Pre\}\,P\,\{Post\}$ holds yields a precondition weaker than Pre.

Corollary 6. Let P be a logic program, and $Pre, Post \subseteq B_L$. If $\vdash \{Pre\}\,P\,\{Post\}$ holds then

$$\vdash \{\vartheta_{P,Post}(Pre)\}\,P\,\{Post\}$$

holds.

Proof. By Lemma 4, $Pre \subseteq \vartheta_{P,Post}(Pre)$. By monotonicity of $\vartheta_{P,Post}$, this implies

$$\vartheta_{P,Post}(Pre) \subseteq \vartheta_{P,Post}(\vartheta_{P,Post}(Pre)).$$

Therefore, again by Lemma 4, we get the conclusion. $\square$

We recall the following classical results, which are weak forms of theorems due to Kleene and Tarski [12].

Theorem 7. Let f be a monotonic function over the lattice $(2^{B_L}, \subseteq)$. Then the greatest fixpoint gfp(f) and the least fixpoint lfp(f) exist. Moreover:

(i) if f is downward continuous then $gfp(f) = f \downarrow \omega = \bigcup \{\, I \mid I \subseteq f(I) \,\}$;

(ii) for every ordinal $\alpha$, $f \uparrow \alpha \subseteq f(f \uparrow \alpha)$;

(iii) for some ordinal $\alpha$, $lfp(f) = f \uparrow \alpha$.

From the fact that $\vartheta_{P,Post}$ is downward continuous, we can conclude that the greatest fixpoint $gfp(\vartheta_{P,Post})$ coincides with $\vartheta_{P,Post} \downarrow \omega$, i.e., the downward ordinal closure of $\vartheta_{P,Post}$, and with wlp(P, Post), i.e., the weakest liberal precondition of P and Post.

Theorem 8. Let P be a logic program, and $Post \subseteq B_L$. Then

$$wlp(P, Post) = gfp(\vartheta_{P,Post}) = \vartheta_{P,Post} \downarrow \omega.$$

Proof. We calculate:

$$\begin{array}{ll}
& wlp(P, Post) \\
= & \{\text{Definition 2}\} \\
& \bigcup_{\vdash \{Pre'\}\,P\,\{Post\}} Pre' \\
= & \{\text{Lemma 4}\} \\
& \bigcup_{Pre' \subseteq \vartheta_{P,Post}(Pre')} Pre' \\
= & \{\text{Theorem 7(i) and Lemma 5}\} \\
& \vartheta_{P,Post} \downarrow \omega \\
= & \{\text{Theorem 7(i) and Lemma 5}\} \\
& gfp(\vartheta_{P,Post}). \qquad \square
\end{array}$$

It is now legitimate to ask oneself whether there is a relation between the set $\vartheta_{P,Post} \uparrow \omega$ and the proof method based on relations $\vdash$ and $\vdash_t$. A generalization of Corollary 6 to arbitrary ordinals holds.

Corollary 9. For every ordinal $\alpha$, $\vdash \{\vartheta_{P,Post} \uparrow \alpha\}\,P\,\{Post\}$ holds.

Proof. Since $\vartheta_{P,Post}$ is monotonic, by Theorem 7(ii) we have that

$$\vartheta_{P,Post} \uparrow \alpha \subseteq \vartheta_{P,Post}(\vartheta_{P,Post} \uparrow \alpha).$$

By Lemma 4, this implies that $\vdash \{\vartheta_{P,Post} \uparrow \alpha\}\,P\,\{Post\}$ holds. $\square$

In addition, when $\alpha = \omega$, a stronger conclusion can be shown.

Theorem 10. Let P be a logic program, and $Post \subseteq B_L$. Then $\vdash_t \{\vartheta_{P,Post} \uparrow \omega\}\,P\,\{Post\}$ holds.

Proof. By Corollary 9, $\vdash \{\vartheta_{P,Post} \uparrow \omega\}\,P\,\{Post\}$ holds. Let us now show the decreasing of the level mapping defined as follows:

$$|A| = \min\{\, i \mid A \in \vartheta_{P,Post} \uparrow (i+1) \,\}$$

for $A \in \vartheta_{P,Post} \uparrow \omega$, and $|A| = 0$ otherwise. Consider $A \leftarrow B_1,\ldots,B_n \in ground_L(P)$ and $i \in [1,n]$. If $\vartheta_{P,Post} \uparrow \omega \models A \wedge Post \models B_1,\ldots,B_{i-1}$ then $\vartheta_{P,Post} \uparrow (|A|+1) \models A \wedge Post \models B_1,\ldots,B_{i-1}$. By Definition 3, $\vartheta_{P,Post} \uparrow |A| \models B_i$. This implies $|A| > |A| - 1 \geq \min\{\, j \mid B_i \in \vartheta_{P,Post} \uparrow (j+1) \,\} = |B_i|$. $\square$

The following result provides a characterization of $\vartheta_{P,Post} \uparrow \omega$, by showing that it coincides with the weakest precondition of P and Post.

Theorem 11. Let P be a logic program, and $Post \subseteq B_L$. Then

$$wp(P, Post) = \vartheta_{P,Post} \uparrow \omega.$$

Proof. The inclusion $wp(P, Post) \supseteq \vartheta_{P,Post} \uparrow \omega$ is an immediate consequence of the definition of wp(P, Post) and Theorem 10. To prove the converse inclusion, we show that for every Pre such that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds, we have $Pre \subseteq \vartheta_{P,Post} \uparrow \omega$, hence $wp(P, Post) \subseteq \vartheta_{P,Post} \uparrow \omega$. Consider now Pre such that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds by means of a level mapping $|\ |$. We show by induction on $k \geq 0$ that:

$$\{\, A \in Pre \mid |A| = k \,\} \subseteq \vartheta_{P,Post} \uparrow (k+1). \qquad (1)$$

Case k = 0. By Definition 1, for every $A \in Pre$ with $|A| = 0$ and every $A \leftarrow B_1,\ldots,B_n \in ground_L(P)$, we have that the body is empty, i.e., n = 0, and that $Post \models A$. By definition of $\vartheta_{P,Post}$ this implies $A \in \vartheta_{P,Post} \uparrow 1$.

Case k > 0. Assume $|A| = k+1$ with $k \geq 0$, and consider $A \leftarrow B_1,\ldots,B_n \in ground_L(P)$. For $i \in [1,n]$, if $Post \models B_1,\ldots,B_{i-1}$ then $B_i \in Pre \wedge |A| > |B_i|$, since $\vdash_t \{Pre\}\,P\,\{Post\}$ holds. By inductive hypothesis $B_i \in \vartheta_{P,Post} \uparrow (|B_i|+1)$. By monotonicity of $\vartheta_{P,Post}$ and $|A| > |B_i|$, we have that $B_i \in \vartheta_{P,Post} \uparrow |A|$. Finally, if $Post \models B_1,\ldots,B_n$ then $Post \models A$, as $A \in Pre$ and $\vdash_t \{Pre\}\,P\,\{Post\}$ holds. Therefore, by Definition 3, we conclude $A \in \vartheta_{P,Post} \uparrow (|A|+1)$. Finally, from (1), we have that

$$Pre = \bigcup_{k \geq 0} \{\, A \in Pre \mid |A| = k \,\} \subseteq \bigcup_{k \geq 0} \vartheta_{P,Post} \uparrow (k+1) = \vartheta_{P,Post} \uparrow \omega,$$

and hence the conclusion. $\square$

As an immediate consequence, we have that a minimal level mapping can be characterized in terms of ordinal powers of $\vartheta_{P,Post}$.

Corollary 12. Let P be a logic program such that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds by means of a level mapping $|\ |$. Consider now the level mapping $\|\ \|$ defined as follows:

$$\|A\| = \min\{\, i \mid A \in \vartheta_{P,Post} \uparrow (i+1) \,\},$$

for $A \in Pre$, and $\|A\| = 0$ otherwise. Then $\vdash_t \{Pre\}\,P\,\{Post\}$ holds by means of $\|\ \|$, and for every $A \in Pre$, $|A| \geq \|A\|$.

Let us now turn our attention to the least fixpoint $lfp(\vartheta_{P,Post})$. The following example shows that, in general, $lfp(\vartheta_{P,Post}) \neq \vartheta_{P,Post} \uparrow \omega$.

Example 13. Consider the program

  q ← p(X).
  p(0).
  p(s(X)) ← p(X).

defined on $L = (\{0^0, s^1\}, \{q^0, p^1\})$ and let Post be $[p(X)]_L \cup \{q\}$. We have that for $i \geq 0$, $\vartheta_{P,Post} \uparrow i = \{\, p(s^j(0)) \mid 0 \leq j < i \,\}$. Therefore, we conclude that:

$$\vartheta_{P,Post} \uparrow \omega = [p(X)]_L \neq [p(X)]_L \cup \{q\} = \vartheta_{P,Post} \uparrow (\omega + 1) = lfp(\vartheta_{P,Post}).$$
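The following Python program is an added example, not code from the paper or its authors. It implements the operator $\vartheta_{P,Post}$ of Definition 3, the obligations (1a), (1b) and (2) of Definition 1, the ordinal powers $\vartheta_{P,Post} \uparrow k$ used by Theorem 10 and Corollary 12, and the chain of Lemma 5, all on the program of Example 13. Its one assumption is that the Herbrand base is truncated to q and the atoms $p(s^j(0))$ with $j \leq$ `depth`, so that "for every ground instance" ranges over a finite clause set; the atom encoding (`('q',)` and `('p', j)`) and all function names are choices made here.

```python
# Added example, not code from the paper: the operator theta_{P,Post} of
# Definition 3, the obligations of Definition 1, the ordinal powers theta^k
# used by Theorem 10 / Corollary 12 and the chain of Lemma 5, run on the
# program of Example 13.
# Assumption: the Herbrand base is truncated to q and p(s^j(0)) with
# j <= depth, so "for every ground instance" ranges over a finite set.

def Q():
    """The ground atom q."""
    return ('q',)

def P(j):
    """The ground atom p(s^j(0)), encoded by the number j of applications of s."""
    return ('p', j)

def ground_instances(depth):
    """Ground instances (head, body) of  q <- p(X).  p(0).  p(s(X)) <- p(X).
    restricted to atoms of the truncated base."""
    clauses = [(P(0), [])]
    clauses += [(P(j + 1), [P(j)]) for j in range(depth)]
    clauses += [(Q(), [P(j)]) for j in range(depth + 1)]
    return clauses

def herbrand_base(depth):
    """The truncated Herbrand base B_L."""
    return {Q()} | {P(j) for j in range(depth + 1)}

def models(I, atoms):
    """I |= B_1,...,B_n iff every B_i is in I; the empty conjunction holds."""
    return all(a in I for a in atoms)

def theta(clauses, base, post, I):
    """theta_{P,Post}(I) as in Definition 3, over the finite clause set."""
    result = set()
    for A in base:
        ok = True
        for head, body in clauses:
            if head != A:
                continue
            # (forall i in [1,n]: Post |= B_1..B_{i-1}  =>  I |= B_i)
            if any(models(post, body[:i]) and Bi not in I
                   for i, Bi in enumerate(body)):
                ok = False
            # (Post |= B_1..B_n  =>  Post |= A)
            if models(post, body) and A not in post:
                ok = False
        if ok:
            result.add(A)
    return result

def triple_holds(clauses, pre, post):
    """|- {Pre} P {Post}: obligations (1a) and (2) of Definition 1 checked
    directly; by Lemma 4 this agrees with  pre <= theta(pre)."""
    for head, body in clauses:
        if head not in pre:
            continue
        if any(models(post, body[:i]) and Bi not in pre
               for i, Bi in enumerate(body)):
            return False
        if models(post, body) and head not in post:
            return False
    return True

def upward_powers(clauses, base, post, stages):
    """[theta^0, ..., theta^stages] with theta^0 = {} and theta^(k+1) = theta(theta^k)."""
    powers = [set()]
    for _ in range(stages):
        powers.append(theta(clauses, base, post, powers[-1]))
    return powers

def level(powers, A):
    """|A| = min{ i | A in theta^(i+1) } as in the proof of Theorem 10; None if absent."""
    for i in range(len(powers) - 1):
        if A in powers[i + 1]:
            return i
    return None

def level_decreasing(clauses, powers, post):
    """Obligation (1b) for that level mapping: |A| > |B_i| whenever the head A
    has a level and Post |= B_1..B_{i-1}."""
    for head, body in clauses:
        la = level(powers, head)
        if la is None:
            continue
        for i, Bi in enumerate(body):
            lb = level(powers, Bi)
            if models(post, body[:i]) and (lb is None or la <= lb):
                return False
    return True

def example13(depth):
    """Example 13 on the truncated base; Post = [p(X)]_L u {q} is the whole base."""
    clauses = ground_instances(depth)
    base = herbrand_base(depth)
    post = set(base)
    powers = upward_powers(clauses, base, post, depth + 3)
    return clauses, base, post, powers

if __name__ == '__main__':
    for depth in (3, 6):
        clauses, base, post, powers = example13(depth)
        # q only enters at stage depth+2, i.e. after every p(s^j(0)) of the
        # truncated base; in the full base it never enters at a finite stage.
        print('depth', depth, '|q| =', level(powers, Q()),
              'decreasing:', level_decreasing(clauses, powers, post))
```

Running it shows `|p(s^j(0))| = j` for every depth while `|q|` equals `depth + 1` and moves out with the truncation bound: that is exactly the finite shadow of $q \notin \vartheta_{P,Post} \uparrow \omega$ but $q \in \vartheta_{P,Post} \uparrow (\omega+1)$. The same `theta` on the chain $I_k = \vartheta_{P,Post} \uparrow k$ reproduces Lemma 5's witness ($q \notin \vartheta_{P,Post}(I_k)$ for each $k \leq$ `depth`, while q is in the image of their union), and `triple_holds` against `pre <= theta(pre)` lets one check Lemma 4 on concrete preconditions.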

Finally, the following result clarifies the status of $lfp(\vartheta_{P,Post})$.

Theorem 14. Let P be a logic program, and $Post \subseteq B_L$. Then

$$\vdash \{lfp(\vartheta_{P,Post})\}\,P\,\{Post\}$$

holds. Moreover, every ground LD-derivation of P and any $A \in lfp(\vartheta_{P,Post})$ is finite.

Proof. By Theorem 7(iii), there exists an ordinal $\alpha$ such that

$$lfp(\vartheta_{P,Post}) = \vartheta_{P,Post} \uparrow \alpha.$$

By Corollary 9,

$$\vdash \{lfp(\vartheta_{P,Post})\}\,P\,\{Post\}$$

holds. Consider $A \in lfp(\vartheta_{P,Post})$ and let $\delta$ be a ground LD-derivation of P and A. We denote by $\alpha(A)$ the minimum ordinal $\alpha$ such that $A \in \vartheta_{P,Post} \uparrow \alpha$. Consider now an atom $B_i$ with $i \in [1,n]$ such that $A \leftarrow B_1,\ldots,B_n \in ground_L(P)$ and $B_i$ is eventually selected in $\delta$. We show by induction on i that $\vartheta_{P,Post} \uparrow \alpha(B_i) \subseteq lfp(\vartheta_{P,Post})$ and that $\alpha(B_i) < \alpha(A)$. If i = 1 then by Definition 3, $B_1 \in \vartheta_{P,Post} \uparrow \alpha(B_1) \subseteq lfp(\vartheta_{P,Post})$ with $\alpha(B_1) < \alpha(A)$. If i > 1 then, by inductive hypothesis, we have that $lfp(\vartheta_{P,Post}) \models B_1,\ldots,B_{i-1}$. Since $B_1,\ldots,B_{i-1}$ has a ground LD-refutation, and $\vdash \{lfp(\vartheta_{P,Post})\}\,P\,\{Post\}$ holds, by weak partial correctness of $\vdash$, we have that $Post \models B_1,\ldots,B_{i-1}$. Then, by Definition 3, $B_i \in \vartheta_{P,Post} \uparrow \alpha(B_i) \subseteq lfp(\vartheta_{P,Post})$ with $\alpha(B_i) < \alpha(A)$. In conclusion, since the < ordering on ordinals is well-founded, there is no infinite descending chain, i.e., infinitely many selected atoms. Therefore, every ground LD-derivation $\delta$ is finite. $\square$

References

[1] K.R. Apt, Ten years of Hoare's logic: a survey, Part I, ACM Trans. Program. Languages Systems 3 (4) (1981) 431-483.

[2] K.R. Apt, From Logic Programming to Prolog, Prentice-Hall, Englewood Cliffs, NJ, 1996.

[3] A. Bossi, N. Cocco, Verifying correctness of logic programs, in: J. Diaz, F. Orejas (Eds.), TAPSOFT '89, Lecture Notes in Computer Science, Vol. 352, Springer, Berlin, 1989, pp. 96-110.

[4] L. Colussi, E. Marchiori, Proving correctness of logic programs using axiomatic semantics, in: Proc. Eighth Internat. Conf. on Logic Programming, MIT Press, Cambridge, MA, 1991, pp. 629-644.

[5] P. Deransart, Proof methods of declarative properties of definite programs, Theoret. Comput. Sci. 118 (1993) 99-166.

[6] E.W. Dijkstra, Guarded commands, nondeterminacy and formal derivation of programs, Comm. ACM 18 (8) (1975) 453-457.

[7] E.W. Dijkstra, A Discipline of Programming, Prentice-Hall, 1976.

[8] W. Drabent, J. Maluszynski, Inductive assertion method for logic programs, Theoret. Comput. Sci. 59 (1) (1988) 133-155.

[9] D. Gries, The Science of Programming, Springer, New York, 1981.

[10] D. Pedreschi, S. Ruggieri, Verification of logic programs, Technical Report 97-05, Dipartimento di Informatica, Università di Pisa, 1997; also: J. Logic Programming, to appear.

[11] D. Pedreschi, S. Ruggieri, Verification of metainterpreters, J. Logic Comput. 7 (2) (1997) 267-303.

[12] A. Tarski, A lattice-theoretical fixpoint theorem and its applications, Pacific J. Math. 5 (1955) 285-309.