A Compositional Proof Method of Partial

A Compositional Proof Method of Partial Correctness for Normal Logic Programs with an application to Godel Gerard Ferrand and Arnaud Lallouet

Universite d'Orleans LIFO | BP 6759 | F-45067 Orleans Cedex 2. Tel : (33) 38.41.70.10, Fax : (33) 38.41.71.37

e-mail : fGerard.Ferrand j [email protected] November, 1995.

Abstract

This report presents a new proof method of partial correctness for logic programs with negation based on a proof modularity. We prove in a compositional way that Fitting's or the well-founded semantics of the program is included in a speci cation. We give conditions for an abstract semantics to be compositional and we base our proof method on this property. We present also conservative but compositional extensions of Fitting's and of the well-founded semantics. As an illustration, an application is made to the module system of the Godel language. Moreover, our method is suitable for incremental validation since it does not require all parts of the program to be implemented. This document is an extended version of [9] which incorporates the missing proofs and a counter-example.

Resume

Ce rapport presente une nouvelle methode de preuve de correction partielle pour des programmes logiques avec negation basee sur des preuves modulaires. Nous montrons de facon compositionelle que la semantique bienfondee ou la semantique de Fitting d'un programme est incluse dans une speci cation. Nous donnons des conditions pour qu'une semantique abstraite soit compositionelle et nous basons notre methode de preuve sur cette propriete. Nous presentons egalement des extensions compositionelles et conservatives de la semantique bien-fondee et de la semantique de Fitting. En guise d'illustration, une application est faite au systeme de modules du langage Godel. De plus, notre methode convient pour la validation incremantale car elle ne necessite pas que la totalite du programme soit implante. Ce document est une version etendue de [9] qui comprend les preuves manquantes et un contre-exemple.

Keywords: Logic Programming | Negation | Compositional semantics | Validation | Partial correctness | Modules | Well-founded semantics | Fitting's Semantics. 1

1 Introduction Having validated software is one important issue of software engineering. But as soon as program size increases, the problem becomes more crucial. Usually, large programs are cut out into modules or libraries, and software components are designed to be re-used. Our aim is to be able to validate a software component in such a way that we could re-use both component and knowledge of its validation, whatever the proof method used. In this paper, we present a compositional proof method of partial correctness for normal logic programs with import called here units. This method is based on an extension of a proof method given by [6] for de nite programs and [8] for normal logic programs. We choose to take up the theoretical framework of these works, in which a program is identi ed to the set of its ground instances and where the semantics, as well as the speci cation is denoted by a set of literals. The property of partial correctness of a program P wrt a speci cation S consists in proving the inclusion SemanticsP  S . The use of sets of literals allows us to remain in a purely set-theoretical framework. However, in practice, sets of literals are likely to be represented by logical assertions and sets of ground rules by programs. A proof method of partial correctness has been given in [8] for the wellfounded semantics, and indirectly in [7] for Fitting's semantics. The dual approach |completeness|, has been studied by Malfon [17] in a framework which uni es the well-founded, Fitting and Kunen's semantics. But these results do only concern what is called \programming in the small" and for larger programs, these non-compositional methods become quickly intractable since they consider the whole program at the same time. Our approach allows to cut large programs into pieces (and this is already done if the program is made out of modules) and validate each piece separately. Our work gives answers to the following problems. What sense can we give to the notion of correctness for a unit ? How can we re-use the knowledge of units validation in order to get a whole program correct ? Moreover, it answers a question raised in the conclusion of [3] : \Compositionality is not addressed by the existing semantics of normal programs. It is not clear how to determine the models of a normal program from the models of its components." To set up our compositional proof method, we only need the semantics given to a unit to be compositional and the existence of a proof method for a single unit. If ./ is a composition operator for programs, a compositional semantics wrt ./ is such that the semantics of P1 ./ P2 can be deduced from the semantics of P1 and P2 . In our framework, we only focus on the union operator, because our purpose is only to validate a program piece by piece. To have this, the semantics needs to depend on a set of literals as input. Then proving the partial correctness consists in proving the inclu2

sion SemanticsP (S )  S 0 : the output of the unit is proved correct ( S 0) assuming the correctness of the input (the speci cation S ). We emphasize on the fact that our proof method only needs the compositionality of the semantics. This allows to use any proof method to validate a unit. Then we present two compositional semantics. The rst one is an extension of the well-founded semantics, while the second extends Fitting's semantics. We prove that they ful ll the requirements of a compositional semantics. Moreover, we give proof methods for individual units. For the well-founded semantics, we state the compositionality only if the system of units is hierarchical, that is to say that there is no circular dependency between the units. The programming language Godel [13] is an ideal framework to apply our theoretical methods since it includes a module system that is moreover hierarchical. In this context, we de ne a suitable notion of speci cation and we build modular proofs for Godel programs. This paper is organized as follows : rst, we recall some elements of validation of logic programs and we set up our new proof method for an abstract semantics SEM . Then we introduce two compositional semantics for normal programs. At last, the application to the language Godel is detailed and the method is illustrated by an example. The results in this paper are greatly simpli ed for de nite programs. The reader can nd the missing proofs in appendix.

2 General considerations about validation of logic programs Validation of programs has been studied by various authors. Our work takes place in the continuity of the framework considered by [8], [17] and partially by [6] but is extended in order to take compositionality into account. We brie y recall these results to set the vocabulary and the notations. We are only interested here in the validation of the declarative meaning of the program, excluding operational properties. Here, validation consists in comparing the actual declarative semantics of a program to a speci cation. In this framework, we consider that both the semantics and the speci cation are sets of ground literals. A program is identi ed to the ground instances of its clauses, thus leading to an in nite set of rules. Basically, a program is partially correct if its semantics is included in the speci cation and complete if the converse holds. A proof method is a method that allows to prove such an inclusion. Proof methods are dierent depending on the considered semantics, the way the speci cation is expressed and the property that is to be proved. We call proof methods described in [8] inductive proof methods. Another proof method has been given in the case of de nite programs in [6] based on the notion of annotation. The knowledge that a unit is proved correct by 3

such a method can be re-used in our compositional proof method.

2.1 De nite programs

The case of de nite programs has been studied in [6]. For a de nite program

P , we consider the semantics given by lfp TP , the least xed point of the usual immediate consequence operator TP . A speci cation S is any set of atoms. We say that :  P is partially correct wrt S i lfp TP  S .  P is complete wrt C i C  lfp TP . If we replace lfp by gfp (greatest xed point), we get another notion :  P is sucient wrt C i C  gfp TP . Suciency has a close relationship with debugging [7]. In this paper, we will call these properties atomic properties since they only deal with sets of atoms.

2.2 Normal programs

In this paper, we use the following notations.  HB denotes the Herbrand base.  For a 2 HB, ?a = :a, ?:a = a and jaj = j:aj = a.  If A  HB is a set of atoms, A = HB ? A denotes the complement of A in HB and :A = f:aja 2 Ag.  For I  HB [ :HB, I + = I \ HB, I ? = fa 2 HBj:a 2 I g and jI j = fjlj jl 2 I g.  A normal program P is a set of clauses h B where h 2 HB and B  HB [ :HB.  For I  HB [ :HB , Ie is the conjugate of I and is de ned by Ie = I ? [ :I + = fl 2 HB [ :HBj ? l 62 I g.  For I  HB [ :HB and J  HB, I jJ = fl 2 I j jlj 2 J g = (J \ I +) [ :(J \ I ?). We say that I jJ is the restriction of I to J .  Here TP is the mapping TP : 2HB[:HB ?! 2HB de ned by TP (I ) = fh 2 HBj9B; h B 2 P and B  I g.  For each T , we de ne the operator TJ 0 : 2HB ?! 2HB by TJ 0 (J ) = T (J [ :J 0 ) for J; J 0  HB. 4

For normal logic programs, we need a semantics included in HB [ :HB . Two main semantics are considered here : Fitting's semantics [10] and the well-founded semantics [22]. We mostly use an alternate de nition of the well-founded semantics [1] [21] which is also used in [8]. The well-founded semantics WF (P ) is de ned as the lfp of the operator : : 2HB[:HB ?! 2HB[:HB de ned by P (I ) = lfp TP;I ? [ : lfp TP;I + Fitting's semantics Fit(P ) is de ned as the lfp of the operator  :  : 2HB[:HB ?! 2HB[:HB de ned by P (I ) = TP (I ) [ :TP (Ie) Its lfp is also the lfp of another operator (see appendix A) : 0 : 2HB[:HB ?! 2HB[:HB de ned by 0P (I ) = lfp TP;I ? [ : gfp TP;I + This alternate de nition is very close to the one of the well-founded semantics : only lfp has been replaced by gfp in the negative part. Validation results for these two semantics are recalled hereafter.  Partial correctness. If we call SEMP  HB [ :HB the program's semantics (SEMP = Fit(P ) or SEMP = WF (P )), partial correctness wrt the set of literals S means the inclusion SEMP  S . { For the well-founded semantics, a correct and complete proof method is given in [8] and consists, like for de nite programs, in nding an intermediate speci cation S 0 such that WF (P )  S 0  S . A sucient condition is that P (S 0)  S 0, thus leading to the following checkings : 1. WF + (P )  S 0+ , ie lfp TP;S 0?  S 0+. A sucient condition to have this is to have TP;S 0? (S 0+)  S 0+ ie 8h B; B  S 0 =) h 2 S 0+ . This is called bottom-up closure in [8]. 2. WF ? (P )  S 0? , or S 0?  lfp TP;S + . A condition to have this is to have a well-founded ordering  upon S 0? such that 8h 2 S 0?, 9B; h B 2 P; B  Se0 and 8b 2 B+ ; b  h. This is symmetrically called top-down closure in [8]. The condition b  h is called decreasing criterion. { For Fitting's semantics, [7] presents the equivalent of a proof method from the debugging point of view. Basically it is the same as for the well-founded semantics except that it does not need the decreasing criterion.  Completeness. Completeness has been studied in [17] and is not in the scope of this paper. 5

Normal logic programs contain de nite programs as a particular case, so it seems natural that proof methods for de nite programs are just a particular case of the others. In fact, partial correctness for the well-founded semantics leads to atomic partial correctness and atomic completeness wrt respectively S + and S ? . This is due to the fact that, for de nite programs, P (I ) is a constant function, so lfp P = lfp TP [ : lfp TP . For Fitting's semantics de ned by 0 , the same kind of remark leads to prove atomic partial correctness and suciency.

3 Compositional validation Our aim is to nd some modular proof methods : we want to consider a program as the union of several components and we want the correctness of the program to come only from the correctness of each of its components. This is what we call compositional validation, whatever the nature of each individual proof for a component. This supposes a suitable notion of correctness for a single component, and also suitable notions of semantics and speci cation for a single component. It follows that the semantics of the program should be a function of the semantics of its components. By the way, a component could also be seen as the union of smaller components and conversely, the program itself should be the particular case of a component for a trivial decomposition. These motivations lead us to consider a compositional semantics. A lot of work has been done to give logic programming such a semantics, especially as a foundation for module systems [15] [20] [11] [18] [12] [16] [4] [2] [5]. Our choice for the semantics of a component is imposed by the purpose of giving it proof methods which generalize the aforementioned ones for programs. The chosen semantics are precisely de ned in section 4. When we only consider de nite programs, they look like [20] or [11] but they just consider the union operator for it is the only one that matters for our compositional proof methods. [4] de nes a semantics in terms of admissible model and [2] in terms of clauses, both for de nite programs. Programs with negation are considered by [16] but the purpose is to build a transformation system for deductive databases modules and this approach uses a condition of strati cation inside the modules.

3.1 Unit and system of units

In order to prepare a program for composition with others, we need to take into account the fact that some information can be computed outside the program. This leads to the notion of unit : a program where predicates occurring in the body of clauses may be de ned outside.

De nition 3.1 (Unit) A unit u is a pair (H; P ) where H  HB, P is a logic program and for each clause h B 2 P , h 2 H . 6

The intended meaning is that in a unit, H is seen as a local Herbrand base, since everything produced by the unit is in H . In a module framework, we could say that the language exported by the module is in H while on the other side all external de nitions (\import") are in H . This de nition is close to the one of open programs [4]. A unit which imports nothing is identi ed to a program. Units are made to combine with others. The following de nitions concern systems of units.

De nition 3.2 (System of units) A system of units is a set U where every i 2 U is a unit (Hi; Pi ) and 8i; j 2 U ; i 6= j =) Hi \ Hj = ;. De nition (Sum a system) We call the unit u = (H; P ) with H = S H and3.3 S of P = P i2U i i2U i the sum unit of a system U . A system of units is positively hierarchical if there is no positive circular dependency between units :

De nition 3.4 (Positively hierarchical system of units) For i; j 2 U , we say that i + j i there is a clause h B 2 Pj such that B+ \Hi 6= ;. A system of units is positively hierarchical if the relation + is well-founded. The need of an import makes us consider that the genuine semantics of a unit u = (H; P ) is given by a function S 7?! SEMu(S ), for S  H [ :H . This semantics has to be a conservative extension of the one for programs on which it is based (SEMP ), thus leading to the following requirements.  SEMu(S )  H [ :H .  if H = HB, then the unit u can be identi ed with the program P for the only S that should be considered is S = ; and then SEMu(S ) = SEMP . In order to take into account an imported set of literals, the de nition of partial correctness has to be extended : a unit is proved correct assuming the correctness of the input. Hence for units, a speci cation is made out of two parts : the input part and the output part.

De nition 3.5 (Speci cation) A speci cation for a unit u is a pair (S; S 0) where S  H [ :H is the input part and S 0  H [ :H the output part. De nition 3.6 (Partial correctness for a unit) We say that a unit u is partially correct wrt (S; S 0), or in short u is wrt (S; S 0) if SEMu(S )  P.C.

S 0.

7

3.2 A compositional proof method

To be compositional in our sense, a semantics must ful ll the following requirements in addition to the previous ones.

De nition 3.7 (Compositional semantics) Let U be a system of units and u its sum. SEM is compositional if :  S 7?! SEMu(S ) is monotonic.

 Let : 2H [:H ?! 2H [:H be the monotonic operator de ned by (I ) = S  SEM i(S [ I jHi ). Then lfp  = SEMu(S ). i2U The operator  can be viewed as the immediate consequence operator,

not for the clauses of the units but for the whole units themselves. To be compositional, it is needed that the semantics obtained by this way coincides with the semantics of the union of the system of units' clauses. In the next section, we present some semantics suitable for compositionality, but for the exposition of the proof method, we assume that SEM is compositional. This abstract notion of compositionality is sucient to state a new proof method to prove the partial correctness of a sum unit : the proof method by decomposition.

Theorem 3.8 (Proof method by decomposition) u is if for each unit i 2 U , i is wrt (S [ S 0jHi ; S 0jHi ).

P.C.

wrt (S; S 0)

P.C.

Proof u is

wrt (S; S 0) means that SEMu(S )  S 0. But since SEM is compositional, it is to say that lfp   S 0. A sucient condition to have this is (S 0 )  S 0, ie 8i 2 U ; SEMi(S [ S 0 jHi )  S 0. But SEMi()  Hi [ :Hi , so it is equivalent to SEMi(S [ S 0jHi )  S 0 jHi  P.C.

Remark 3.9 This proof method is complete in a theoretical sense since u is wrt (S; S 0) i there exists S 00 such that S 00  S 0 and 8i 2 U , SEMi(S [ 00 S jHi )  S 00jHi . Such an S 00 always exists since one can take SEMu(S ). Actually, we have lfp   S 0 i 9S 00  S 0 such that (S 00)  S 00. P.C.

As a matter-of-fact, a suitable compositional semantics must have its proof method for a single unit. But even if not, our method is still applicable, because it considers only the compositional aspect. We only need to know that the unit has been proved, whatever the method used to get this result. In this exposition, the conjugate speci cation plays a crucial role, leading to an elegant, powerful and nevertheless practical framework. Let us de ne this notion.

De nition 3.10 (Conjugate speci cation) The conjugate speci cation  (S; S 0) of (S; S 0) is a speci cation (C; C 0) such that C = SejH and C 0 = Se0jH . 8

Intuitively, if S represents \strong" properties, ie atoms which are certainly known to be true or false, C represents the \weak" associated properties, ie atoms which are not false or not true. Notice that the conjugate is an involutive mapping, since  (S; S 0) = (S; S 0). Moreover, this duality is echoed when proving properties of programs. This is the basis for the practical implementation of our method. A speci cation (S; S 0) is made out of four sets of atoms (S + ; S ?; S 0+; S 0?). Let's call (C; C 0) the conjugate of (S; S 0). Instead of giving the speci cation (S; S 0) whose negative part may be tricky to explicit, the user gives four other sets of atoms : S + ; C + ; S 0+; C 0+ (see theorem 4.5 and example 4.9). The negative parts are the following : S ? = H ? C + and S 0? = H ? C 0? . By considering the speci cation C = S 0?, [8] contained the seeds of this idea but restricted to sets of atoms. Since we know that the proof for an individual unit is made easier with the conjugate speci cation, we want to keep this advantage for our new proof method. The following lemma shows that the restrictions we made on sets in the proof method by decomposition are conservative wrt the conjugate speci cation.

Lemma 3.11 Let (C; C 0) = (S; S 0). For every i 2 U , let Si = S [ S 0jHi , Si0 = S 0jHi , and (Ci ; Ci0) = (Si; Si0). Then Ci = C [ C 0jHi and Ci0 = C 0jHi . A proof can be found in appendix B.

4 Proof methods for individual units In this section are presented compositional extensions of the well-founded and Fitting's semantics and their associated proof methods. To handle imported sets of literals, the usual mapping TP for normal programs is extended as follows.

De nition 4.1 (Extended TP operator) For a unit u and an imported set of literals S  H [ :H , we de ne TuS (I ) = TP (S [ I ). Note that TuS (I )  H .

4.1 Well-founded semantics

We propose the following extension of the well-founded semantics in order to handle an imported set of literals S : SEMu (S ) = lfp Su where, for I  H [ :H : S ? [ :(H ? lfp T S jH ) Su (I ) = lfp Tu;I u;H ?I + e

Theorem 4.2 The semantics SEMu : S 7?! lfp Su is compositional if the unit system is hierarchical.

9

A detailed proof is given in appendix C. Note that the assumption that the system of units is hierarchical is necessary, as shown by a counter-example presented in appendix D. We also want a proof method to prove the partial correctness of a unit wrt a speci cation (S; S 0) for this semantics. This means to prove the inclusion : lfp Su  S 0. It is enough to have Su (S 0)  S 0. There is a positive and a negative part that can be proved separately : (1)

S 0?  S 0+ lfp Tu;S

S jH 0? (2) H ? lfp Tu;H ?S 0+  S With the conjugate speci cation  (S; S 0) = (C; C 0), one can see that the second inclusion is equivalent to : e

C 0? (2) C 0+  lfp Tu;C A practical interest of this method, as we said above, is that the negative part of the speci cation is expressed with the positive part of the conjugate speci cation C + and C 0+ , which is much more natural than S ? and S 0? . See the example 4.9 to appreciate this fact. The following de nitions are useful to state the conditions for these inclusions to hold :

De nition 4.3 (Bottom-up closure) We say that u is bottom-up closed wrt (Z; Z 0) if 8h B 2 P; B  Z [ Z 0 =) h 2 Z 0+ . De nition 4.4 (Strong top-down closure) We say that u is strongly top-down closed wrt (Z; Z 0) if there exists a well-founded ordering  upon Z 0+ such that 8h 2 Z 0+ ; 9B; h B 2 P and B  Z [ Z 0 and 8b 2 B \ Z 0+ ; b  h. Theorem 4.5 (Proof method of partial correctness wrt S and S 0 for the well-founded semantics) u is wrt (S; S 0) i 9S 00 such that :  S 00  S 0.  u is bottom-up closed wrt (S; S 00).  u is strongly top-down closed wrt  (S; S 00). P.C.

Proof S 00? (S 00+)  S 00+ (= A sucient condition to have the rst inclusion is Tu;S

which is obtained if u is bottom-up closed wrt (S; S 00). A condition to have C 00? which is obtained the second inclusion is to prove that C 00+  lfp Tu;C 10

when u is strongly top-down closed wrt (C; C 00). =) Take S 00 = lfp Su  We can notice that the proof method is correct and complete because of the i , but in practice, it may be dicult to get a suitable intermediate speci cation S 00. The proof method by decomposition applies because the semantics is compositional. Then we get that the sum unit u is P.C. wrt (S; S 0) if for each unit i 2 U , i is bottom-up closed wrt (S [ S 0 jHi ; S 0jHi ) and strongly top-down closed wrt  (S [ S 0 jHi ; S 0jHi ). This emphasize the role of the conjugate speci cation, as we noticed above. An other extension of the well-founded semantics using a characterization closer to the original de nition (unfounded sets) [22] is presented in appendix F. It does not need a hierarchical system of units but unfortunatly there is no simple associated proof method for a single unit.

4.2 Fitting's semantics

Fitting operator's [10] de nition is P (I ) = TP (I ) [:TP (Ie). For the purpose of a uniform characterization of Fitting's and the well-founded semantics, we use here the other operator given in section 2.2. We propose the following extension to handle an imported set of literals. S ? [ :(H ? gfp T S jH ) Su (I ) = lfp Tu;I u;H ?I + e

Theorem 4.6 The semantics SEMu : S 7?! lfp Su is compositional. A detailed proof can be found in appendix E. Note that there is no need for the unit system to be hierarchical. As for the well-founded semantics, we want a proof method for a single unit, ie to prove that u is P.C. wrt (S; S 0). Due to the similarities between this operator and the one of the well-founded semantics, the properties to prove are similar too, except that there is now an inclusion in a gfp . This removes the needing for a decreasing criterion in the top-down closure.

De nition 4.7 (Weak top-down closure) We say that u is weakly topdown closed wrt (Z; Z 0) if 8h 2 Z 0+ ; 9B; h B 2 P and B  Z [ Z 0 . Theorem 4.8 (Proof method of partial correctness wrt (S; S 0) for Fitting's semantics) u is wrt (S; S 0) i 9S 00 such that :  S 00  S 0.  u is bottom-up closed wrt (S; S 00).  u is weakly top-down closed wrt  (S; S 00). P.C.

11

The proof method by decomposition is of course applicable since the semantics is compositional. Similarly to the well-founded semantics, it comes to check the bottom-up closure wrt (Si ; Si0) and the weak top-down closure wrt  (Si; Si0). Si and Si0 are de ned like in lemma 3.11.

4.3 Example

The example consists of three units computing inclusion of lists. We illustrate the adaptation power of the method by giving a program under implementation :

Example 4.9 (Inclusion of lists (taken from [8]))

Unit u : P = finclud(L1,L2) ? not ninclud(L1,L2). g H = finclud(L1,L2) j L1 and L2 are ground terms g. Unit u : P = fninclud(L1,L2) ? elem(X,L1) & not elem(X,L2). g H = fninclud(L1,L2) j L1 and L2 are ground terms g. Unit u : P is under implementation. H = felem(X,L) j X and L are ground terms g. 1

1

1

2

2

2

3

3

3

We are interested in the unit u sum of u1 and u2. Note that this unit still imports some literals. We denote by letters the following sets of atoms :  X = finclud(l1 ; l2)jl1 and l2 lists =) l1  l2 g.  Y = fninclud(l1 ; l2)jl1 and l2 lists =) l1 6 l2 g.  Z = felem(x; l)jl list =) x 2 lg.  X 0 = finclud(l1 ; l2)jl1 and l2 lists and l1  l2 g.  Y 0 = fninclud(l1 ; l2)jl1 and l2 lists and l1 6 l2 g.  Z 0 = felem(x; l)jl list and x 2 lg. As speci cations, we take S + = Z and S 0+ = X [ Y . As stated in section 3.2, the speci cation (S; S 0 ) is actually de ned by S = S + [ :(H ? C + ) and S 0 = S 0+ [:(H ? C 0+ ) because the negative part of the speci cation is expressed with the conjugate one (C; C 0). To have this, we take C + = Z 0 and C 0+ = X 0 [ Y 0 . In order to apply the proof method by decomposition, we have to check that ui is P.C. wrt (Si ; Si0 ). It is sucient to check that ui is bottom-up closed wrt Si and Si0 and ui is (strongly of weakly) top-down closed wrt Ci and Ci0. The individual speci cations are :  S1+ = Y [ Z , S10+ = X , C1+ = Y 0 [ Z 0 , C10+ = X 0 .  S2+ = X [ Z , S20+ = Y , C2+ = X 0 [ Z 0, C20+ = Y 0 . Since the system of units is hierarchical, we can make proofs wrt the well-founded semantics as well as Fitting's. But since there is no recursive clause in the units u1 and u2, there is no need for the decreasing criterion and the proofs are the same in both cases. The individual proofs are obvious.

12

4.4 De nite programs

The particular case of de nite programs is interesting because it greatly simpli es the method. Actually, since there is no negative literal in bodies of clauses, the operator becomes, for example for the well founded semantics, to : e Su (I ) = lfp TuS [ :(H ? lfp TuS jH ) One can see that the operator is constant, leading to prove atomic properties separately. For the well-founded semantics the properties are atomic partial e correctness and atomic completeness : lfp TuS  S 0+ and S 0?  lfp TuS jH . For Fitting's semantics, the properties are atomic partial correctness and atomic suciency.

5 Application to the Godel module system Above results are to be applied to module systems. Here we take the example of the programming language Godel, described in [13]. A Godel module is an entity syntactically de ned by two parts : the export part and the local part. Either one of these parts may be empty. A module always has a name chosen from a set N of module names. More details about the syntax can be found in [13]. Since our framework only concerns \pure" logic programs, we use here a subset of the real Godel language. Godel has a syntax- attening mechanism which ensures the uniqueness of each symbol de nition and allows resolution of various name con icts and overloadings. A Godel program is a set of modules such that every used symbol is de ned in only one module. In order to apply our results, we will precise the de nition of a Godel module :

De nition 5.1 (Godel module) A Godel module is a 6-tuple composed of :

 a name m 2 N .  two disjoint sets of module names impe(m) and impl(m) corresponding to module names respectively imported by the export part and the local part of the module m. We will denote imp(m) = impe (m) [ impl (m).

 two disjoint sets of literals EXP (m) et LOC (m) corresponding respectively to the exported language and to the local language of the module.

 a set of clauses Pm de ning the predicates of EXP (m) and LOC (m). We note Hm = jEXP (m) [ LOC (m)j. By its syntax- attening mechanism, Godel ensures that m 6= m0 =) Hm \ Hm0 = ;. Hm and the set of clauses Pm are chosen to be the unit associated to the module m. We de ne the relation re-exports upon N as follows : 13

De nition 5.2 (Relation re-exports) We say that \m re-exports m0" and we note rexp(m; m0) i m0 2 impe (m). Let rexp? be its S re exive and transitive closure. We de ne the following set EXP ?(m) = fEXP (m0)j rexp?(m; m0)g.

De nition 5.3 (Relation uses) We say that \m uses m00" i 9m0 2 imp(m); rexp?(m0; m00). We de ne then (m) = fm00 j m uses m00g. Remark 5.4 In a Godel program, the dependency relation \uses" between

modules is well-founded [13], de ning therefore a hierarchical system of units. Hence we can apply our results concerning both Fitting's and the well-founded semantics.

By de nition, theSsemantics of a Godel program is the semantics of the S sum of its units P = m Pm . Let's take a speci cation S  m Hm split in as many parts as there are modules as follows :

[

[

m

m

S = (SjHm ) = (S -EXP (m) [ S -LOC (m)) with S -EXP (m)  EXP (m) and S -LOC (m)  LOC (m)

By this split, our method leads to the validation of every single unit m wrt S -IN (m) and S -OUT (m) with :

S -IN(m) =

[

m0 2(m)

S -EXP(m0 ) and S -OUT(m) = S -EXP(m) [ S -LOC(m)

All the above results apply.

6 Conclusion. Let's recall brie y the main results. We consider programs with import called units for which an abstract semantics is a function taking in input a set of imported literals and producing another set of literals. In our point of view, a suitable semantics must extend conservatively a semantics of classical programs. It must be compositional wrt union of units and have a proof method for a single unit. For such a semantics, we give a proof method of partial correctness by decomposition for a unit u sum of a system U which comes to validate independently each unit wrt a local speci cation : u is partially correct wrt S and S 0 if for each unit i 2 U , i is partially correct wrt (S [ S 0jHi ) and S 0jHi . The semantics S 7?! lfp Su and S 7?! lfp Su given in section 4 are proved to be suitable for our proof method. Our rst perspective is to continue the theoretical work by addressing the problem of completeness. The approach used in [17] seems fruitful because it gives conditions for an interpretation to be included in the well-founded or Fitting's semantics. Another perspective is an implementation. It should 14

provide some facilities, ie a way to describe sets of atoms for speci cations by assertions or other proof methods such an extension of the proof method with annotations [6]. Application to the module part of Standard Prolog [14] is another interesting experiment. But, the module speci cation is too unstable now for us to give the details of the adaptation. Still further is the extension to other formalisms, such as Contextual Logic Programming [19]. But some composition operators such as the overriding-union operator seem to need an extension of our framework, since they are clearly nonmonotonic.

References [1] S. Bonnier, U. Nilsson, and T. Naslund. A simple xed point characterization of three-valued stable model semantics. Information processing letters, 40:73{78, 1990. [2] A. Bossi, M. Gabbrielli, G. Levi, and M.C. Meo. A compositional semantics for logic programs. Theoretical Computer Science, 122:3{47, 1994. [3] A. Brogi, E. Lamma, P. Mancarella, and P. Mello. Normal logic programs as open positive programs. In Joint International Conference and Symposium on Logic Programming, 1992. [4] A. Brogi, E. Lamma, and P. Mello. Composing open logic programs. Journal of Logic and Computation, 3(4):417{439, August 1993. [5] M. Bugliesi, E. Lamma, and P. Mello. Modularity in logic programming. Journal of Logic Programming, Special Edition: Ten years of Logic Programming:1{64, 1994. [6] Pierre Deransart. Proof methods of declarative properties of de nite programs. Theoretical Computer Science, 118:99{166, 1993. [7] Gerard Ferrand. The notion of symptom and error in declarative diagnosis of logic programs. In Automated and Algorithmic Debugging, Linkoping, 1993. Springer LNCS. [8] Gerard Ferrand and Pierre Deransart. Proof method of partial correctness and weak completeness for normal logic programs. Journal of Logic Programming, 17:265{278, 1993. [9] Gerard Ferrand and Arnaud Lallouet. A compositional proof method of partial correctness for normal logic programs. In J.W. Lloyd, editor, International Logic Programming Symposium, Portland, Oregon, 12 1995. MIT Press. [10] Melvin Fitting. A Kripke-Kleene semantics for logic programs. Journal of Logic Programming, 4:295{312, 1985. [11] Melvin Fitting. Enumeration operators and modular logic programming. Journal of Logic Programming, 4:11{23, 1987. [12] Haim Gaifman and Ehud Shapiro. Fully abstract compositional semantics for logic programs. In 16th annual symposium on Principles Of Programming Languages (POPL'89), pages 134{142. ACM Press, 1989.

15

[13] P.M. Hill and J.W. Lloyd. The Godel Programming Language. MIT Press, 1994. [14] ISO/IEC DIS 13211, X3J17/95/6. Programming Language Prolog Part 2, Modules, working draft 8.1 edition, August, 3 1995. [15] J.-L. Lassez and M.J. Maher. Closures and fairness in the semantics of programming logic. Theoretical Computer Science, 29:167{184, 1984. [16] Michael J. Maher. A transformation system for deductive database modules with perfect model semantics. Theoretical Computer Science, 110:377{403, 1993. [17] Bernard Malfon. Characterization of some semantics for logic programs with negation and application to program validation. In Maurice Bruynooghe, editor, International Logic Programming Symposium, pages 91{105. MIT Press, 1994. [18] Paolo Mancarella and Dino Pedreschi. An algebra of logic programs. In R.A. Kowalski and K.A. Bowen, editors, International Conference on Logic Programming, pages 1006{1023. MIT Press, 1988. [19] Lus Monteiro and Antonio Porto. Contextual logic programming. In G. Levi and M. Martelli, editors, International Conference on Logic Programming, pages 284{299. MIT Press, 1989. [20] R. O'Keefe. Toward an algebra for constructing logic programs. In Symposium on Logic Programming, pages 152{160, Boston, 1985. [21] T. Przymusinski. Well-founded semantics coincides with three-valued stable semantics. Fundamenta Informaticae, XIII:445{463, 1990. [22] Allen Van Gelder, Kenneth A. Ross, and John S. Schlipf. The well-founded semantics for general logic programs. Journal of the ACM, 38(3):620{650, 1991.

16

A Alternate operator for Fitting's semantics For technical purposes, we use in this paper the following operator to de ne Fitting's semantics : S ? [ :(H ? gfp T SejH + ) Su (I) = lfp Tu;I u;H ?I An alternate operator for Fitting's semantics is the following: uS (I) = TuS (I) [ :(H ? TuS jH (IejH )) 0

Theorem A.1

e

0

lfp Su = lfp uS

Proof

Let's call A = lfp Su and B = lfp 0uS . 1. A  B. It is sucient to prove that Su (B)  B, leading to the two following checkings: S ?  B+ (1+) lfp Tu;B SejH ? (1?) H ? gfp Tu;H ?B+  B

But, since B = lfp 0uS = 0uS (B), we have B + = TuS (B) and B ? = H ? e TuS jH (Be jH ). S ?  B+ . (1+ ) lfp Tu;B S ? (B + )  B + , but T S ? (B + ) = It is sucient to prove that Tu;B u;B TuS (B) = B + . SejH ? (1? ) H ? gfp Tu;H ?B+  B . SejH This inclusion is equivalent to H ? B ?  gfp Tu;H ?B+ . A sucient e e S j S condition is that H ? B ?  Tu;HH?B+ (H ? B ? ) = Tu jH (BejH ), which is exactly H ? B ? . 2. B  A. It is sucient to prove that 0uS (A)  A, leading to the two following checkings: (2+) TuS (A)  A+ e (2?) H ? TuS jH (AejH )  A? (2+ ) TuS (A)  A+ . S ? = T S ? (A+ ) = T S (A). A+ = lfp Tu;A u u;A

(2? ) H ? TuS jH (AejH )  A? . e This is equivalent to prove that H ? A?  TuS jH (AejH ). But H ? A? = e e e gfp THS j?HA+ = THS j?HA+ (H ? A? ) = TuS jH (AejH ). e



17

B Proof of lemmas Lemma B.1 Let

   

U be a system of units, A  H [ :H , B  H [ :H , H=

[

i2U

Hi.

Then, for every i :



Proof of lemma B.1

^

^



A [ B jHi jHi = AejH [ Be jH ?Hi

Let's rst remark that 



l 2 A [ B jHi jHi () jlj 2 Hi and ? l 2= (A [ B jHi ) () jlj 2= Hi and ? l 2= A and ??l 2= B jHi
() jlj 2= Hi and ? l 2= A and : jlj 2 Hi and ? l 2 B () jlj 2= Hi and ? l 2= A and (jlj 2 Hi or ? l 2= B) () jlj 2= Hi and ? l 2= A and ? l 2= B Now we prove the inclusion in both sides :    Let's take l 2 A [ B jHi jHi ,

^

{ if jlj 2= H, then l 2 AejH because jlj 2 H and ?l 2= A, { if jlj 2 H, then l 2 BejH?Hi because jlj 2 H ? Hi and ?l 2= B.  Let's take l 2 AejH [ Be jH ?Hi , { if l 2 AejH , then ?l 2= A and jlj 2 H. Hence jlj 2= Hi because Hi  H and ?l 2= B because otherwise jlj 2 H, { if l 2 BejH?Hi , then ?l 2= B and jlj 2 H ? Hi. Hence jlj 2= Hi and ?l 2= A because otherwise jlj 2 H. 

Proof of lemma 3.11

^

 Proof of Ci = C [ C 0jHi : by de nition, Ci = Sei jHi , which is equal to S [ S 0 jHi jHi = SejH [ Se0jH ?Hi by above lemma. And Se0 jH ?Hi = (Se0 jH )jHi , which is equal to C 0jHi .  Proof of Ci0 = C 0 jHi : let's take l 2 Ci0, then jlj 2 Hi and ?l 2= Si0 , thus ?l 62 S 0 . This is exactly being in C 0 jHi .



18

Lemma B.2

Let E; F be two sets and  : 2E  2F ?! 2F a mapping such that :

8X  E; Y 7?! (X; Y ) is monotonic 8Y  F; X 7?! (X; Y ) is monotonic

Let X : 2F ?! 2F be the monotonic mapping de ned by X (Y ) = (X; Y ). Then the mappings 2E ?! 2F de ned by

X 7?! lfp X

and

X 7?! gfp X

are monotonic.

Proof of lemma B.2 0

Let's take X  X . 1. We want to prove that lfp X  lfp X 0 . We call Y = lfp X and Y 0 = lfp X 0 . Then it is sucient to have X (Y 0 )  Y 0. But Y 0 = X 0 (Y 0 ) and X (Y 0)  X 0 (Y 0). 2. We want to prove that gfp X  gfp X 0 . We call Y =gfp X and Y 0 = gfp X 0 . Then it is sucient to have Y  X 0 (Y ). But Y = X (Y ) and X (Y )  X 0 (Y ). 

19

C Well-founded semantics

Proof of theorem 4.2

The proposed extension of the well-founded semantics is the following: S ? [ :(H ? lfp T S jH + ) Su (I) = lfp Tu;I u;H ?I We have for this operator the following properties, which come from lemma B.2:  I 7?! Su (I) is monotonic;  S 7?! Su (I) is monotonic. Then Su has a lfp . Let us summarize the properties required in order to prove that S 7?! lfp Su is compositional. 1. lfp Su  H [ :H, 2. lfp Su is a conservative extension of the well-founded semantics (when H = HB ), 3. S 7?! lfp Su is monotonic, 4. lfp Su = lfp  with  : 2H [:H ?! 2H [:H de ned as follows: e

(I) =

[

i2U

S [I jHi

lfp i

The rst three points are obvious : 1. lfp Su  H [ :H : follows the de nition of Su , 2. lfp Su is a conservative extension of the well-founded semantics: when H = HB , the only possible S is ; and the operator collapses to u (I) = lfp Tu;I ? [ : lfp Tu;H ?I + which is the operator of the well-founded semantics for programs. 3. S 7?! lfp Su is monotonic, by application of lemma B.2. Here we prove the last point (4). Let's call G = lfp Su and M = lfp . There will be two parts corresponding to the inclusions in both sides. 1. Proof of G  M . It is sucient to prove Su (M)  M, i.e.: (1+) (1?)

?




S ?  M+ Su (M) +  M + () lfp Tu;M ?
SejH ? Su (M) ?  M ? () H ? lfp Tu;H ?M +  M

But we shall notice that M = (M) = Mi with Mi = lfp iS [M jHi . i2U Hence we have the following remarks:  M i = M j Hi ,  Mi = iS [M jHi (Mi ) [

20

 M+ = 

M? =

[

i2U [

i2U

Mi+ , Mi? ,

S ?  M +. (1+ ) lfp Tu;M S ? (M + )  M + . Let's take h 2 T S ? It is sucient to prove that Tu;M u;M + (M ). There exist i 2 U and B such that h B 2 Pi and B  S [ M. S [M j To have h 2 M + , it is sucient to prove that h 2 Mi+ = lfp Ti;Mi? Hi = S [M j Ti;Mi? Hi (Mi+ ). Thus it is sucient to prove that B  Mi [ S [ M jHi , which is true because M = M jHi [ M jHi and Mi = M jHi . SejH ? (1? ) H ? lfp Tu;H ?M +  M . SejH ? , which Let's call K = lfp Tu;H ?M + . We have to prove[that H ? K  M [ is equivalent to H ? M ?  K. Since H = Hi and M ? = Mi? ,

we have H ? M ? 

[

i2U

i2U

i2U

(Hi ? Mi? ). It is thus sucient to prove that,

for every i 2 U , Hi ? Mi?  K. We prove this inclusion by wellfounded induction on i, using the well-founded ordering between units in a hierarchical system. (S [M jH )jH i i . By Since Mi = iS [M jHi (Mi ), we have Mi? = Hi? lfp Ti;H i ?Mi+ application of lemma B.1, we simplify this into

^

S jH [M jH ?Hi Mi? = Hi ? lfp Ti;H i ?Mi+ e

f

S jH [M jH ?Hi . Then Hi ? Mi = lfp Ti;H i ?Mi+ Our induction hypothesis is : For all j + i, we have Hj ? Mj?  K. A sucient condition to have Hi ? Mi?  K is : f

e

S jH [M jH ?Hi Ti;H (K)  K i ?Mi+ e

f

Let h be in the left member. Then there exists B such that h B 2 Pi fjH ?H [ :(Hi ? M + ) [ K. and B  SejH [ M i i SejH (K). Thus we have to prove that On the other side, K = Tu;H ?M + + e B  S jH [ :(H ? M ) [ K. Let's consider a litteral l 2 B. Either i. l 2 K ; ii. l 2 SejH ; iii. l 2 :(Hi ? Mi+ ), then, since Hi \ M + = Mi+ , l 2 :(H ? M + ) ; fjH ?H . By de nition, jlj 2 H ? Hi and ?l 2 = M. There is iv. l 2 M i two cases : A. l is a negative litteral :a, then a 2= M + (or else a = ?l 2 M). Hence a 2 H ? M + and l 2 :(H ? M + ) ;

21

B. l is an atom a. a 2 H ? Hi and :a 2= M. a 2 H, so there exists j 2 U such that a 2 Hj . But, since :a 2= M, a 2= Mj? . Hence a 2 Hj ? Mj?. Moreover a 2 B + , so j + i. By induction hypothesis, we have Hj ? Mj?  K. Thus a 2 K. 2. Proof of M  G. It is sucient to prove that (G)  G i.e. for each i 2 U , lfp iS [GjHi  G. S [Gj A sucient condition to have this is to have i Hi (G)  G, i.e.:

^

S [Gj

lfp Ti;G? Hi  G+

(2+)

S [Gj

(2?) Hi ? lfp Ti;Hi ?GH+i (

jHi

)

 G?

But we shall notice that G = Su (G), so SejH and G? = H ? lfp Tu;H ?G+

S ? G+ = lfp Tu;G S [Gj

(2+ ) lfp Ti;G? Hi  G+ . S ? (G+ ), it is sucient to prove that : Since G+ = Tu;G

^

S [GjHi + + S Ti;G ? (G )  Tu;G? (G )

A condition to have this is S [ GjHi [ G  S [ G, which is true.

(S [GjH )jH i i  G? . (2? ) Hi ? lfp Ti;H i ?G+ By application of lemma B.1, the inclusion becomes

S jH [GjH ?Hi  G? Hi ? lfp Ti;H i ?G+ e

e

S jH [GjH ?Hi Let's call Li = lfp Ti;H . The inclusion is now Hi ? Li  G? , i ?G+ which is equivalent to H ? G?  (H ? Hi) [ Li . SejH The above remark has shown that H ? G? = lfp Tu;H ?G+ . Since this operator is a monotonic and continuous mapping, we have H ? G? = [ Fn with e

e

n=0;1;:::

F0 = ; SejH Fn+1 = Tu;H ?G+ (Fn) In order to prove that H ? G?  (H ? Hi) [ Li , we shall prove by recurrence on n that Fn  (H ? Hi) [ Li . Our hypothesis is : Fn  (H ? Hi ) [ Li And we want Fn+1  (H ? Hi) [ Li . Let h 2 Fn+1. i. if h 2= Hi , then h 2 H ? Hi, ii. if h 2 Hi , we want h 2 Li . Since h 2 Fn+1, we have h 2 SejH + Tu;H ?G+ (Fn ) = TP (SejH [ :(H ? G ) [ Fn). Since h 2 Hi, there

22

exists h B 2 Pi such that B  SejH [ :(H ? G+ ) [ Fn. e e On the other side Li = THSijH?[GG+jH ?Hi (Li ). It is thus sucient to prove that B  SejH [ GejH ?Hi [ :(Hi ? G+ ) [ Li . Then, for a litteral l 2 B, either : A. l 2 SejH , B. l 2 Fn, then, either  l 2 Hi, and by recurrence hypothesis, l 2 (H ? Hi) [ Li , so l 2 Li ,  l 2 H ? Hi. l is an atom and l 2 Fn  H ? G? . So l 2= G? and ?l 2= G. Hence l 2 GejH ?Hi , C. l 2 :(H ? G+ ). l is a negative litteral :a with a 2 H ? G+ .  if a 2 Hi , then l 2 :(Hi ? G+ ),  if a 2= Hi, then jlj 2 H ? Hi and ?l = a 2= G. Hence l 2 GejH ?Hi . 

23

D Counter-example The proposed extension of the well-founded semantics is compositional if the system of units is (positively) hierarchical. Here is a counter-example | as small as possible ! | using a non-hierarchical system of units. We recall that only positive dependencies are involved to state this property.

Example D.1

The program consists of two units : and

u1 = (H1 = fpg; P1 = fp

qg)

u2 = (H2 = fqg; P2 = fq

pg)

We want to prove that the sum unit u is partially correct wrt (S; S 0 ) = (;; ;). Since there is no recursive clause, proofs are the same either for the well-founded semantics or for Fitting's semantics. By decomposition, we have to prove that ui is partially correct wrt (Si ; Si0 ) = (;; ;). For the rst unit, it comes to prove that u1 is bottom-up closed wrt (S1 ; S10 ) and u1 is top-down closed wrt (C1; C10 ) = (fq; :qg; fp; :pg). These conditions hold for both the well-founded and Fitting's semantics. The same kind of proof can be made for the unit u2, thus proving that SEMu (;)  ;. Although it is true for Fitting's semantics, it is false for the well-founded semantics, which should be f:p; :qg.

24

E Fitting's semantics Proof of theorem 4.6

The proposed extension of Fitting's semantics is the following: S ? [ :(H ? gfp T S jH + ) Su (I) = lfp Tu;I u;H ?I We have for this operator the following properties, which come from lemma B.2:  I 7?! Su (I) is monotonic;  S 7?! Su (I) is monotonic. Then Su has a lfp . This proof shares the framework and some parts of the previous one, since the only dierence between the operator is that a gfp replaces a lfp in the negative part. Let us summarize the properties required in order to prove that S 7?! lfp Su is compositional. 1. lfp Su  H [ :H, 2. lfp Su is a conservative extension of Fitting's semantics (when H = HB ), 3. S 7?! lfp Su is monotonic, 4. lfp Su = lfp  with  : 2H [:H ?! 2H [:H de ned as follows: e

(I) =

[

i2U

S [I jHi

lfp i

The rst three points are obvious : 1. lfp Su  H [ :H : follows the de nition of Su , 2. lfp Su is a conservative extension of the well-founded semantics: when H = HB , the only possible S is ; and the operator collapses to u(I) = lfp Tu;I ? [ : gfp Tu;H ?I + which is the operator of Fitting's semantics for programs. 3. S 7?! lfp Su is monotonic, by application of lemma B.2. Here we prove the last point (4). Let's call G = lfp Su and M = lfp . There will be two parts corresponding to the inclusions in both sides. 1. Proof of G  M . It is sucient to prove Su (M)  M, i.e.: (1+) (1?)

?




S ?  M+ Su (M) +  M + () lfp Tu;M ?
SejH ? Su (M) ?  M ? () H ? gfp Tu;H ?M +  M

But we shall notice that M = (M) = Mi with Mi = lfp iS [M jHi . i2U Hence we have the following remarks:  M i = M j Hi ,  Mi = iS [M jHi (Mi ) [

25

 M+ = 

M? =

[

i2U [

i2U

Mi+ , Mi? ,

^

fjH ?Hi (S [M jH )jH i i = Hi? gfp T SejH [M  Mi? = Hi? gfp Ti;H . i;Hi ?Mi+ i ?Mi+

S ?  M +. (1+ ) lfp Tu;M The proof is the same as for the well-founded semantics (1+ ). SejH ? (1? ) H ? gfp Tu;H ?M +  M . SejH This inclusion is equivalent to H ? M ?  gfp Tu;H ?M + . It is sucient ejH S ? ? to have H ? M  Tu;H ?M + (H ? M ). Let's take h 2 H ? M ? , then there exists a unit i 2 U such that h 2 Hi and then h 2 Hi ? Mi? . But fjH ?Hi SejH [M (Hi ? Mi? ). So there exists h B 2 Pi such Hi ? Mi? = Ti;H i ?Mi+ fjH ?H . Hence we have to prove that that B  (Hi ? Mi ) [ SejH [ M i e B  (H ? M) [ S jH . Let's take b 2 B, then we have either i. b 2 Hi ? Mi , and then b 2 H ? M ; ii. b 2 SejH ; fjH . fjH ?H , then b 2 M iii. b 2 M i

2. Proof of M  G. S [Gj It is sucient to prove that (G)  G i.e. for each i 2 U , lfp i Hi  G. A sucient condition to have this is to have iS [GjHi (G)  G, i.e.: (2+)

^

S [Gj

lfp Ti;G? Hi  G+ S [Gj

(2?) Hi ? gfp Ti;Hi ?GH+i But we shall notice that G = Su (G), so (

S ? G+ = lfp Tu;G

jHi

)

 G?

SejH and G? = H ? gfp Tu;H ?G+

S [GjHi  G+ . (2+ ) lfp Ti;G ? The proof is the same as for well-founded semantics (2+ ).

^

(S [GjH )jH i i  G? . (2? ) Hi ? gfp Ti;H i ?G+ SejH [GejH ?Hi This is equivalent to Hi ? G?  gfp Ti;H . To have this inclui ?G+ e e S j sion, it is sucient to prove that Hi ? G?  Ti;HHi ?[GGj+H ?Hi (Hi ? G?). But, since Hi ? G? = (H ? G? ) ? (H ? Hi ), it is equivalent to prove that SejH [GejH ?Hi H ? G?  (H ? Hi ) [ Ti;H (Hi ? G? ). Let's take h 2 H ? G? = i?G+ SejH gfp Tu;H ?G+ , then we have either i. h 2 H ? Hi,

26

ii. h 2 Hi. Then there exists h B 2 Pi such that B  Ge jH [ SejH . Then, in order for h to be in the second right member, we want B  GejHi [ SejH [ GejH ?Hi , which is true. 

27

F Another compositional semantics Another operator provides a compositional extension to the well-founded semantics. It uses a characterization in terms of unfounded sets closer to the original de nition [22]. Let us recall brie y some basic de nitions :

De nition F.1 (Unfounded set) Let P be a program and I  HB [ :HB an interpretation. A set of atoms A is an unfounded set of P wrt I if : 8h 2 A; 8h B 2 P , either  9b 2 B such that ?b 2 I ,  9b 2 B such that b 2 A. +

We call UP (I) the greatest unfounded set of P wrt I. UP (I) is equal to the union of all unfounded sets of P wrt I. The operator introduced in [22] is : WP (I) = TP (I) [ :UP (I) and the well-founded semantics is de ned by WF(P) = lfp WP . We propose the following extension in order to take into account an imported set of litterals, for a unit u = (H; P): UPS (I) = fh 2 H j 9A  HB such that  h 2 A,  8a 2 A; 8B; a B 2 P =) 9b 2 B such that ?b 2 S [ I [ :Ag. The proposed compositional extension of the well-founded semantics uses the following operator : WuS (I) = TuS (I) [ :UuS (I) We have for this operator the following properties :  I 7?! WuS (I) is monotonic. We have to prove the following implication: I  I 0 =) WuS (I)  WuS (I 0 )

Let's take l 2 WuS (I). { if l is an atom h, then h 2 TuS (I), and since TuS (I)  TuS (I 0 ), we have h 2 TuS (I 0 ). { if l is a negative litteral :h, then h 2 UuS (I). That means that there exists A  HB such that h 2 A and 8a 2 A; 8B; a B 2 P =) 9b 2 B such that ?b 2 S [ I [:A. Let's prove that h 2 UuS (I 0 ). We have to nd a suitable A0  HB . We take A0 = A. Then h 2 A0 and 8a 2 A0 ; 8B, whenever a B 2 P, we take the same b 2 B than before and we have ?b 2 S [ I [ :A  S [ I 0 [ :A.  S 7?! WuS (I) is obviously monotonic too, for the same kind of reason.

Theorem F.2

The semantics SEMu : S 7?! lfp WuS is compositional.

28

Proof of theorem F.2

Let us summarize the properties required in order to prove that S 7?! lfp WuS is compositional. 1. lfp WuS  H [ :H, 2. lfp WuS is a conservative extension of the well-founded semantics (when H = HB ), 3. S 7?! lfp WuS is monotonic, 4. lfp WuS = lfp  with  : 2H [:H ?! 2H [:H de ned as follows: (I) =

[

i2U

S [I jHi

lfp Wi

The rst three points are obvious : 1. lfp WuS  H [ :H : follows the de nition of WuS , 2. lfp WuS is a conservative extension of the well-founded semantics : when H = HB , the only possible S is ; and the operator collapses to Wu (I) = Tu (I) [ :Uu (I) which is the operator of the well-founded semantics for programs. 3. S 7?! lfp WuS is monotonic, by application of lemma B.2. Here we prove the last point (4). Let's call G = lfp WuS and M = lfp . There will be two parts corresponding to the inclusions in both sides. 1. Proof of G  M . It is sucient to prove WuS (M)  M, i.e.: (1+) (1?)

?




WuS (M) +  M + () TuS (M)  M + ? S
Wu (M) ?  M ? () UuS (M)  M ?

But we shall notice that M = (M) = Mi with Mi = lfp WiS [M jHi . i2U Hence we have the following remarks:  M i = M j Hi ,  Mi = WiS [M jHi (Mi ) [  M + = Mi+ , [

  (1+ )

M? =

i2U [

Mi? ,

i2U S [M jHi ? M =U (Mi ).

i i TuS (M)  M + .

Let's take h 2 TuS (M). There exists i 2 U such that h 2 Hi and 9h B 2 Pi such that B  S [ M. We want h to be in Mi+ , but, since Mi+ = TiS [M jHi (Mi ), it is sucient to have B  S [ M jHi [ Mi , which is true because M = M jHi [ Mi .

29

(1? ) UuS (M)  M ? . Let's take h 2 UuS (M). Then there exists A 2 HB such that 8a 2 A; 8B; a B 2 P =) 9b 2 B such that ?b 2 S [ M [ :A. We want h to be in M ? . Since h 2 H, there exists i 2 U such that h 2 Hi. Thus we prove that h 2 Mi? = UiS [M jHi (Mi ). We have to nd a suitable A0  HB . We take A0 = A. Then h 2 A0 . For a 2 A, we have to consider the B such that a B 2 Pi and we have to nd b 2 B such that ?b 2 S [ M jHi [ Mi [ :A. We take the same b than before. Since ?b 2 S [ M [ :A, the expected property holds. 2. Proof of M  G. S [Gj It is sucient to prove that (G)  G i.e. for each i 2 U , lfp Wi Hi  G. A sucient condition to have this is to have WiS [GjHi (G)  G, i.e.: (2+) TiS [GjHi (G)  G+ S [Gj (2?) Ui Hi (G)  G? But we shall notice that G = WuS (G), so

G+ = TuS (G) and G? = UuS (G)

S [Gj

(2+ ) Ti Hi (G)  G+ . S [Gj Let's take h 2 Ti Hi (G), then there exists h B 2 Pi such that B  S [ GjHi [ G = S [ G. We have to prove that h 2 G+ = TuS (G), so it is sucient to prove that B  S [ G, which is true. (2? ) UiS [GjHi (G)  G? . Let's take h 2 UiS [GjHi (G). It means that there exists Ai  HB such that 8ai 2 Ai ; 8Bi ; ai Bi 2 Pi =) 9bi 2 Bi such that ?bi 2 S [ GjHi [ G [ :Ai = S [ G [ :Ai. We want h 2 G? = UuS (G), so we want to nd A  HB such that 8a 2 A; 8B; a B 2 P =) 9b 2 B such that ?b 2 S [ G [ :A. Let's consider a unit j 2 U and an atom x 2 UjS (G). Then there exists a set of atoms Ax such that x 2 Ax and 8ax 2 Ax ; 8Bx ; ax Bx 2 Pj =) 9bx 2 Bx such that ?bx 2 S [ G [ :Ax . We say that Ax is associated to x. For a unit j, we de ne the following set Ej : [

Ej = fAx j x 2 UjS (G)g In order to prove our inclusion, we take A =

[

j 2U

Ej . Therefore h 2 A

and 8a 2 A; 8B, for every clause a B 2 P, there exists a unit k 2 U such that a B 2 Pk , and then 9b 2 B such that ?b 2 S [ G [ :Ek  S [ G [ :A. 

30