Logic + control: On program construction and verification

This paper presents an example of formal reasoning about the semantics of a Prolog program of practical importance (the SAT solver of Howe and King). The program is treated as a definite clause logic program with added control. The logic program is constructed by means of stepwise refinement, hand in hand with its correctness and completeness proofs. The proofs are declarative - they do not refer to any operational semantics. Each step of the logic program construction follows a systematic approach to constructing programs which are provably correct and complete. We also prove that correctness and completeness of the logic program is preserved in the final Prolog program. Additionally, we prove termination, occur-check freedom and non-floundering. Our example shows how dealing with “logic” and with “control” can be separated. Most of the proofs can be done at the “logic” level, abstracting from any operational semantics. The example employs approximate specifications; they are crucial in simplifying reasoning about logic programs. It also shows that the paradigm of semantics-preserving program transformations may be not sufficient. We suggest considering transformations which preserve correctness and completeness with respect to an approximate specification.

💡 Research Summary

The paper uses the Howe‑King SAT solver as a running example to demonstrate a disciplined methodology for constructing and verifying a Prolog program by separating its logical core from the control mechanisms that are added later. The authors start with a very small pure definite‑clause logic program (four clauses) that captures the essential DPLL algorithmic ideas (choice of literals, unit propagation, conflict detection). Through a series of stepwise refinements they gradually enrich the program, each time introducing an approximate specification consisting of a completeness component (what the program must produce) and a correctness component (what the program is allowed to produce). The relationship S_compl ⊆ M_P ⊆ S_corr is required at every stage; thus the program is “fully correct” with respect to the pair of specifications.

Correctness is proved declaratively using Clark’s model‑theoretic approach: the least Herbrand model M_P of the program is shown to be a subset of the correctness specification S_corr, i.e. S_corr ⊨ P. Completeness is handled via Drabent’s notion of semi‑completeness: the program is shown to generate every required answer in at least one SLD‑derivation, and a sufficient termination condition (adapted from Bezem 1993) is established. Semi‑completeness together with termination yields full completeness (M_P ⊇ S_compl).

After the logical core is verified, the authors add control in two forms. First, they introduce delay declarations that postpone the selection of atoms until their arguments are sufficiently instantiated. This eliminates floundering (situations where no atom can be selected) and also guarantees occur‑check freedom because the underlying Herbrand universe is assumed infinite, allowing fresh variables to be introduced safely. Second, they apply pruning (search‑space reduction) by cutting away branches that are known to be useless (e.g., after a conflict is detected). Pruning is not covered by traditional semantics‑preserving transformations, which only guarantee that the main predicates denote the same relation before and after transformation. To address this gap, the paper proposes a new transformation criterion: preservation of correctness and completeness with respect to the approximate specification. The authors prove that, despite the pruning, the program still satisfies S_compl ⊆ M_P ⊆ S_corr, thus retaining both correctness and completeness.

The paper also establishes termination, non‑floundering, and occur‑check freedom for the final Prolog program, showing that these operational properties can be proved independently of the logical semantics. The discussion highlights that many existing works on program verification rely on operational reasoning (e.g., ordering of atoms in clause bodies) or on exact specifications, which are often impractical. By using approximate specifications, the authors simplify the proof obligations and make the methodology applicable to realistic, untyped Prolog programs.

In the related‑work section the authors compare their approach with standard semantics‑preserving program transformations (e.g., Petroni et al. 2010). They argue that such transformations are insufficient when the intermediate programs define different relations but still satisfy the same approximate specification. Their example demonstrates that a sequence of programs can be non‑equivalent in the strict logical sense yet remain fully correct with respect to a common approximate spec, thereby motivating the need for the broader notion of transformation correctness introduced here.

Overall, the contribution of the paper is threefold: (1) a concrete, step‑by‑step construction of a non‑trivial SAT solver together with declarative proofs of correctness and completeness; (2) a rigorous treatment of control features (delays, pruning) that preserve the proven properties; and (3) the proposal of approximate‑specification‑based transformation preservation as an extension of the traditional semantics‑preserving paradigm. This work bridges the gap between formal verification and practical Prolog programming, offering a template for building reliable logic programs that scale beyond toy examples.