Forward versus Backward Verification of Logic Programs - PowerPoint PPT Presentation

1
Forward versus Backward Verification of Logic Programs
  • Andy King
  • University of Kent, UK
  • a.m.king@kent.ac.uk
  • Lunjin Lu
  • University of Oakland, USA
  • l2lu@oakland.edu

International Conference on Logic Programming, Friday 12th December 2003, Mumbai, India
2
The structure of this talk
  • Introduce backward analysis
  • Show how backward and forward analysis can be
    applied in verification
  • Motivate this paper
  • Explain 2 central contributions
  • Give 4 examples
  • Conclude

3
Backward mode inference 1
pt([], _, [], []).
pt([X|Xs], M, [X|L], H) ← M ≤ X, pt(Xs, M, L, H).
pt([X|Xs], M, L, [X|H]) ← M > X, pt(Xs, M, L, H).

The same program in tell/ask form:

pt(T1, _, T2, T3) ← tell(T1=[] ∧ T2=[] ∧ T3=[]).
pt(T1, M, T2, H) ← tell(T1=[X|Xs]), tell(T2=[X|L]), ask(M ≤ X), pt(Xs, M, L, H).
pt(T1, M, L, T2) ← tell(T1=[X|Xs]), tell(T2=[X|H]), ask(M > X), pt(Xs, M, L, H).
4
Backward mode inference 2
(the tell/ask form of pt from the previous slide)
  • Calculate success patterns ignoring the asks
  • $S_0 = \langle pt(w,x,y,z), \mathit{false} \rangle$
  • $S_1 = \langle pt(w,x,y,z), w \wedge y \wedge z \rangle$
  • $S_2 = \langle pt(w,x,y,z), w \leftrightarrow (y \wedge z) \rangle$
  • $\mathrm{lfp}(S) = S_3 = S_2$
  • Whenever the goal pt(w,x,y,z) succeeds, w is bound to a ground term iff y and z are both ground
5
Backward mode inference 3
(the tell/ask form of pt from slide 3, together with $\mathrm{lfp}(S) = \langle pt(w,x,y,z), w \leftrightarrow (y \wedge z) \rangle$)
  • Calculate safe call patterns by considering the asks
  • $B_0 = \langle pt(w,x,y,z), \mathit{true} \rangle$
  • $B_1 = \langle pt(w,x,y,z), x \wedge (w \vee (y \wedge z)) \rangle$
  • $\mathrm{gfp}(B) = B_2 = B_1$
  • If the goal pt(w,x,y,z) is called with x and w ground, or with x, y and z ground, then the asks are satisfied
6
Backward mode inference 4
  • Safe calling modes are calculated by propagating the requirement right-to-left across each clause
  • $e_4 = \mathit{true}$
  • $e_3 = ((Xs \leftrightarrow (L \wedge H)) \rightarrow e_4) = \mathit{true}$
  • $e_2 = ((M \wedge X) \wedge e_3) = (M \wedge X)$
  • $e_1 = ((T2 \leftrightarrow (X \wedge L)) \rightarrow e_2)$
  • $e_0 = ((T1 \leftrightarrow (X \wedge Xs)) \rightarrow e_1)$
  • The $\rightarrow$ steps require the domain to be condensing, that is, $f \sqcap (\sqcup G) = \sqcup \{ f \sqcap g \mid g \in G \}$ where $f \in D$ and $G \subseteq D$
  • Formula $e_0$ expresses a moding requirement in terms of the variables T1, M, T2, H, X, Xs, L
  • Thus introduce a new projector $\forall$ and take $f = \forall X(\forall Xs(\forall L(e_0))) = (M \wedge (T1 \vee T2))$, such that $f \models e_0$ (the projector thus strengthens the formula it is applied to)

pt(T1, M, T2, H) ← tell(T1=[X|Xs]), tell(T2=[X|L]), ask(M ≤ X), pt(Xs, M, L, H).
(The requirements $e_0, \dots, e_4$ sit, left to right, at the points before tell(T1=[X|Xs]), before tell(T2=[X|L]), before ask(M ≤ X), before pt(Xs, M, L, H), and after it.)
7
One seed for the paper
  • Referee/editor/author interaction in TPLP paper
  • > There's a bit of theory missing to me, their forall just gets pulled out of a hat.
  • > I'm sure they are on the right track, but they don't really argue their case.
  • (more comment)
  • Actually, this referee has raised 2 issues that have bothered us for some time. The insight into solving these problems is given by referee 1. This referee observes \forall is the adjoint of \exists. (This is a very smart referee). This has the important consequence that we can now systematically construct \forall from \exists.
  • But how does this construction affect the precision of backward analysis?
  • Is the resulting analysis any good for verification, and how do you measure goodness?

8
Applying the polyvariant, top-down Bruynooghe
framework
  • Consider a mini-language $P ::= p(x) \leftarrow A \mid P.P'$ with agents $A ::= \mathrm{ask}(d) \mid \mathrm{tell}(c) \mid p(x) \mid A_1, A_2 \mid A_1 \vee A_2$
  • The framework computes the least fixpoint, denoted $\mathrm{lfp}(F)$, of the equations
  • $f_{\mathrm{ask}(d)} = \lambda d'.\ \mathbf{if}\ d' \sqsubseteq_{error} d\ \mathbf{then}\ d'\ \mathbf{else}\ error$
  • $f_{\mathrm{tell}(c)} = \lambda d.\ \alpha(c) \sqcap_{error} d$
  • $f_{A_1 \vee A_2} = \lambda d.\ f_{A_1}(d) \sqcup_{error} f_{A_2}(d)$
  • $f_{A_1, A_2} = \lambda d.\ f_{A_2}(f_{A_1}(d))$
  • $f_{p(x)} = \lambda d.$ fiddly-renaming-blurf that involves $\exists x$
  • The set of concrete queries that can be verified forwards as satisfying the assertions is
  • $F_P = \{ \langle p(x), C \rangle \mid \mathrm{lfp}(F)_{p(x)}(\alpha(C)) \neq error \}$

9
Our 2 main results
  • The set of concrete queries that can be verified backwards as satisfying the assertions is
  • $B_P = \{ \langle p(x), C \rangle \mid \alpha(C) \sqsubseteq d \text{ where } \langle p(x), d \rangle \in \mathrm{gfp}(B) \}$
  • Relative precision and correctness
  • If $D$ is condensing and $\langle D, \exists x, D, \forall x \rangle$ is a Galois connection, then $F_P \subseteq B_P$
  • If $D$ is condensing, $\forall x(\bot) = \bot$ and $\langle D, \exists x, D, \forall x \rangle$ is a Galois connection, then $B_P \subseteq F_P$
  • Recall $\langle D, \exists x, D, \forall x \rangle$ is a Galois connection iff
  • $\exists x$ and $\forall x$ are monotonic
  • $\exists x \circ \forall x$ is reductive and $\forall x \circ \exists x$ is extensive
  • If an initial query is not inferred backwards, then there is no point trying forwards (and vice versa)
  • There is no loss of precision in reasoning backwards

10
A non-example
  • It is tempting to define $\exists x$ and $\forall x$ for Pos like so
  • $\exists x(f) = \mathbf{if}\ x \in \mathit{var}(f)\ \mathbf{then}\ \mathit{true}\ \mathbf{else}\ f$
  • $\forall x(f) = \mathbf{if}\ x \in \mathit{var}(f)\ \mathbf{then}\ \mathit{false}\ \mathbf{else}\ f$
  • $\exists x \circ \forall x$ is reductive and $\forall x \circ \exists x$ is extensive
  • Consider $p(x) \leftarrow \mathrm{ask}(x \vee y)$ and $q(x) \leftarrow \mathrm{ask}(x)$
  • Now $\mathrm{lfp}(F)_{p(x)}(x) = x$ but $\mathrm{gfp}(B)_{p(x)} = \mathit{false}$
  • And $\mathrm{lfp}(F)_{q(x)}(x \wedge y) = error$ but $\mathrm{gfp}(B)_{q(x)} = x$
  • Analyses are incomparable since the projectors are not monotonic:
  • $\exists x(y) = y < \mathit{true} = \exists x(x \wedge y)$ yet $x \wedge y \sqsubseteq y$
  • $\forall x(x \vee y) = \mathit{false} < y = \forall x(y)$ yet $y \sqsubseteq x \vee y$

11
Three examples
  • A Galois connection for Pos
  • $\exists x(f) = f_0 \vee f_1$ where $f_0 = f[x \mapsto 0]$ and $f_1 = f[x \mapsto 1]$
  • $\forall x(f) = \mathbf{if}\ f_0 \wedge f_1 \in \mathit{Pos}\ \mathbf{then}\ f_0 \wedge f_1\ \mathbf{else}\ \mathit{false}$
  • If $f = (x \leftrightarrow y)$ then $f_0 = (\mathit{false} \leftrightarrow y) = \neg y \notin \mathit{Pos}$
  • A connection for the domain of directional types can be constructed analogously
  • A connection for a numeric domain of sets of conjunctions of $ax + by < 0$ and $ax + by \le 0$, where $a, b \in \{-1, 0, 1\}$, is given in the paper
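The Pos computations of slides 6, 10 and 11, carried out in code. This is an added Python example written for this transcript, not code from King and Lu's paper or their analysers. It stores a Pos formula as its set of models over a fixed variable universe, implements both the Galois-connected Shannon projectors of slide 11 and the tempting projectors of slide 10, checks the Galois-connection condition by brute force over a two-variable universe, and replays the right-to-left propagation of slide 6 to recover the requirement $M \wedge (T1 \vee T2)$. Assumptions: the ask of the second pt clause is read as M ≤ X (its direction does not affect the moding), the ask of the slide-10 predicate p is read as x ∨ y, and every function name is the example's own.

```python
"""Pos, the domain of positive Boolean functions, with both projection pairs
from the slides.  A formula over a universe U is stored as the set of its
models, a model being the frozenset of variables it makes true.  The Pos
ordering is entailment: f ⊑ g iff models(f) ⊆ models(g), so false is bottom."""
from itertools import combinations

def valuations(U):
    """Every valuation over U, as the frozenset of variables set to true."""
    return [frozenset(c) for r in range(len(U) + 1) for c in combinations(U, r)]

def formula(U, pred):
    """The function over U whose models are the valuations satisfying pred."""
    return frozenset(m for m in valuations(U) if pred(m))

def var(U, v):      return formula(U, lambda m: v in m)       # "v is ground"
def top(U):         return formula(U, lambda m: True)         # true
def bot(U):         return frozenset()                        # false
def conj(f, g):     return f & g
def disj(f, g):     return f | g
def impl(U, f, g):  return formula(U, lambda m: m not in f or m in g)
def iff(U, f, g):   return formula(U, lambda m: (m in f) == (m in g))
def entails(f, g):  return f <= g                             # f ⊑ g
def is_pos(U, f):   return f == bot(U) or frozenset(U) in f   # positive, or bottom

def cofactor(U, x, f, value):
    """f[x -> value], as a function over U that no longer depends on x."""
    fix = (lambda m: m | {x}) if value else (lambda m: m - {x})
    return formula(U, lambda m: fix(m) in f)

def depends_on(U, x, f):
    return cofactor(U, x, f, False) != cofactor(U, x, f, True)

# Slide 11: the Galois-connected pair (Shannon expansion plus the Pos check).
def exists(U, x, f):
    return disj(cofactor(U, x, f, False), cofactor(U, x, f, True))

def forall(U, x, f):
    g = conj(cofactor(U, x, f, False), cofactor(U, x, f, True))
    return g if is_pos(U, g) else bot(U)

# Slide 10: the tempting pair that is not a Galois connection.
def naive_exists(U, x, f):
    return top(U) if depends_on(U, x, f) else f

def naive_forall(U, x, f):
    return bot(U) if depends_on(U, x, f) else f

def all_pos(U):
    """Every element of Pos over U: each set of valuations that is positive or empty."""
    vals = valuations(U)
    return [f for r in range(len(vals) + 1)
            for f in map(frozenset, combinations(vals, r)) if is_pos(U, f)]

def is_galois_connection(U, ex, fa):
    """exists_x(f) ⊑ g  iff  f ⊑ forall_x(g), for every x in U and all f, g in Pos."""
    fs = all_pos(U)
    return all(entails(ex(U, x, f), g) == entails(f, fa(U, x, g))
               for x in U for f in fs for g in fs)

def pt_clause_requirement(fa):
    """Slide 6: propagate the requirement right-to-left over the second pt clause
        pt(T1, M, T2, H) <- tell(T1=[X|Xs]), tell(T2=[X|L]), ask(M =< X), pt(Xs, M, L, H).
    then project out the clause-local variables X, Xs, L with the projector fa.
    Returns the variable universe and the projected requirement."""
    U = ("T1", "M", "T2", "H", "X", "Xs", "L")
    T1, M, T2, H, X, Xs, L = (var(U, v) for v in U)
    e4 = top(U)                                # nothing is required after the last atom
    e3 = impl(U, iff(U, Xs, conj(L, H)), e4)   # pt(Xs,M,L,H): success pattern Xs <-> (L /\ H), requirement B0 = true
    e2 = conj(conj(M, X), e3)                  # ask(M =< X) needs M and X ground
    e1 = impl(U, iff(U, T2, conj(X, L)), e2)   # tell(T2 = [X|L]) contributes T2 <-> (X /\ L)
    e0 = impl(U, iff(U, T1, conj(X, Xs)), e1)  # tell(T1 = [X|Xs]) contributes T1 <-> (X /\ Xs)
    return U, fa(U, "X", fa(U, "Xs", fa(U, "L", e0)))

def slide10_example(fa):
    """p(x) <- ask(x \\/ y): does the forward check admit the call pattern x, and
    does the backward requirement forall_y(x \\/ y), computed with fa, admit it?"""
    U = ("x", "y")
    x, y = var(U, "x"), var(U, "y")
    return entails(x, disj(x, y)), entails(x, fa(U, "y", disj(x, y)))

if __name__ == "__main__":
    U2 = ("x", "y")
    print("Shannon pair is a Galois connection:", is_galois_connection(U2, exists, forall))
    print("naive pair is a Galois connection:", is_galois_connection(U2, naive_exists, naive_forall))
    U, req = pt_clause_requirement(forall)
    target = conj(var(U, "M"), disj(var(U, "T1"), var(U, "T2")))
    print("projected requirement equals M /\\ (T1 \\/ T2):", req == target)
    print("naive forall collapses it to false:", pt_clause_requirement(naive_forall)[1] == bot(U))
    print("p(x) <- ask(x \\/ y), (forward, backward), Shannon forall:", slide10_example(forall))
    print("p(x) <- ask(x \\/ y), (forward, backward), naive forall:", slide10_example(naive_forall))
```

Two things are worth noticing when running it. The naive projector of slide 10 fails the adjunction check on exactly the kind of pair the slide lists (x ∧ y ⊑ y, yet ∃x(x ∧ y) = true ⋢ y = ∃x(y)), and, applied to the pt clause, it throws away the whole requirement because e0 mentions L, so backward analysis would admit no call at all; the Shannon projector with the Pos check both satisfies the adjunction for every pair of two-variable formulas and yields the slide's requirement M ∧ (T1 ∨ T2), which is why the paper's equivalence results need the projectors to be Galois connected.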

12
Conclusions
  • Provided the domain condenses, backward analysis can be engineered to match the verification power of forward analysis
  • Equivalence rests crucially, and perhaps
    surprisingly, on the relationship between the
    projection operators
  • Simplifies correctness argument