Modeling Systems in CLP with Coinductive Tabling
JOXAN JAFFAR, ANDREW E. SANTOSA, AND R˘ AZVAN VOICU
School of Computing
National University of Singapore
Abstract. We present a methodology for the modelling of complex program be-
havior in CLP. The first part of this paper is an informal description about how
to represent a system in CLP. At its basic level, this representation captures the
precise trace semantics of concurrent programs, or even high-level specifications,
in the form of a predicate transformer. Based on traces, the method can also cap-
ture properties of the underlying runtime system such as the scheduler and the
microarchitecture, so as to provide a foundation for reasoning about resources
such as time and space.
The second part of this paper presents a formal and compositional proof
method for reasoning about safety properties of the underlying system. The idea
is that a safety property is simply a CLP goal, and is proof established by exe-
cuting the goal by a CLP interpreter. However, a traditional CLP interpreter does
not suffice. We thus introduce a technique of coinductive tabling to CLP. Essen-
tially, this extends CLP so that it can inductively use proof obligations that are
assumed but not yet proven, and it can generate new proof obligations assertions
Constraint Logic Programming (CLP)  has been successful as a framework for
executable specifi cations, and several CLP systems have been successfully deployed
widely in application areas such as artifi cial intelligence and combinatorial optimiza-
tion (see eg. ). Its competitive advantage is expressive power coupled with a pow-
erful inference method. In this paper, we present a systematic application of CLP to
reasoning about complex program behavior.
We start with an informal but broad coverage of how to model various aspects of
the operation semantics of programs. Starting with the basic concepts of strongest-
postcondition and weakest-precondition, we then consider sequential and concurrent
systems, including perpetual processes, and various synchronization mechanisms. Our
modeling of these operational concepts is exact in the sense that the trace semantics of
the underlying program is represented in the CLP model. Going further, we show how
also to model the machine in which the program executes, focusing in particular, on the
scheduler for nondeterministic actions (such as the choice of which process to execute
next) and on the microarchitecture, which is often critical in determining the cost of
execution. We thus cover reasoning not only about the values of program variables, but
alsoaboutresources.At theendofthissection,weshowthata safetyproofofa program
is established by executinga particulargoal against the CLP modelof the program,thus
providing a generic and compositional methodology for program reasoning with CLP.
However, basic CLP is not quite suffi cient for this purpose.
The second part of this paper contains the main technical contribution: extending
basic CLP with coinductive tabling. Essentially, this extends CLP so that it can induc-
tively use proof obligations that are assumed but not yet proven, and it can generate
new proof obligations assertions dynamically. This technique is akin to the notion of
tabling in logic programming systems (see eg. ) in that the main purpose is to ob-
tain termination when dealing with recursion. In standard tabling, procedure calls and
their answers are tabled so as not to repeatthem. In our tabling,the main differencesare
fi rst that the setting is CLP and not just logic programming, and more importantly, that
proof obligationsand notjust calls are tabled.(We donot table answers.)Terminationis
obtained by applying a principle of coinduction (see eg: Appendix B of ), that is: a
recursiveproofobligationmaybe provedby assuming that a precedingproofobligation
Finally, we briefly discuss some important extensions that are not covered in this
paper. The most important extension concerns the use of abstraction, in the manner
of abstract interpretation . We shall just explain that our proof method may be aug-
mented by a liberally applying a notion of abstraction to a goal in a proof, preserving
correctness. The advantage of abstraction is, of course, to enhance the process of ter-
mination. Another important extension is to deal with liveness or progress. Here, we
discuss briefly how to include a notion of well-founded induction. Finally, we mention
how to deal with an unboundednumber of processes, ie: parameterized systems.
1.1 Related Work on CLP and Program Reasoning
There has been some recent work on using logic programs to describe concurrent pro-
grams, and which employ a systematic algorithm. Work based on the XSB and XMC
systems  used assertions based on the µ-calculus and executed the logic program
representations of programs and assertions using a tabling mechanism. Delzanno and
Podelski  showed that a transition system and its CTL-based verifi cation conditions
can be translated into a CLP program in way that the symbolic CLP fi xpoint opera-
tions can be used in the proof process. There are other works using CLP to describe
program behavior, eg. that by Flanagan  for imperative programs, and that by Gupta
and Pontelli  for timed automata, but these do not describe a systematic CLP-based
2 CLP Preliminaries
We fi rst briefly overview CLP . The universe of discourse is a set of terms, inte-
gers, and arrays of integers. A constraint is written using a language of functions and
relations. They are used in two ways, in the base programminglanguageto describe ex-
pressions and conditionals, and in user assertions, defi ned below. In this paper, we will
not defi ne the constraint language explicitly, but invent them on demand in accordance
with our examples. Thus the terms of our CLP programs include the function symbols
of the constraint language.
An atom, is as usual, of the form p(˜ t) where p is a user-defi ned predicate symbol
and the ˜ t a tuple of terms. A rule is of the form A:-˜B,φ where the atom A is the head
of the rule, and the sequence of atoms˜B and the constraint φ constitute the body of the
rule. A goal G has exactly the same format as the body of a rule. We say that a rule is
a (constrained) fact if˜B is the empty sequence. A ground instance of a constraint, atom
and rule is defi ned in the obvious way.
Let G = (B1,··· ,Bn,φ) and P denote a goal and program respectively. Let R =
A:-C1,··· ,Cm,φ1denote a rule in P, written so that none of its variables appear in
G. Let A = B, where A and B are atoms, be shorthand for equations between their
corresponding arguments. A reduct of G using R is of the form
(B1,··· ,Bi−1,C1,··· ,Cm,Bi+1,··· ,Bn,Bi= A∧φ∧φ1)
provided Bi= A∧φ∧φ1is satisfi able.
A derivation sequence is a possibly infi nite sequence of goals G0,G1,··· where
Gi,i > 0 is a reduct of Gi−1. If there is a last goal Gnwith no atoms, notationally (?,φ)
and called a terminal goal, we say that the derivation is successful and that the answer
constraint is φ. A derivation is ground if every reduction therein is ground.
In what follows, we shall only be concerned with goals that contain at most one
atom. Thus the reduct of a goal is deterministic on the rule that is employed.
Definition 1 (Unfold). Given a program P and a goal G which contains one atom.
Then unfold(G) is the set of reducts obtainedby using all the rules. An unfoldoperation
on G results in a subset of unfold(G); we say the operation is complete if it returns
all of unfold(G). An unfold tree of G (sometimes also called a proof tree) is a tree of
goals obtainedby successively applyingunfold operationson G, and then on the results
of the previous operation, etc. We say that the unfold tree is complete if all the unfold
operations used in its construction were complete1.
3 Modeling in CLP
We start by modeling the program P with variables˜X as a predicate transformer 
by fi rst identifying target variables˜Xtcorrespondingto˜X, and then establishing a con-
straint on˜X and˜Xt.
3.1 The Logical Basis of CLP Modeling
To outline the predicate transformer aspect of a (possibly nondeterministic) program,
where the logic variables˜X and˜Xtrepresent values of program variables at program
point PP, and at a target program point, respectively. The state predicate realizes the
followingrelation: if˜X are values of variablesat programpointPP, then˜Xtare possible
values of the program variables at the target program point. There are two alternatives
1Thus a complete tree is not necessarily one where unfold operations have been exhaustively
performed; rather, it is where each unfold operation used was complete.
Automating this process, and to include the case where liveness/progress depends
just on the fairness of the scheduler, is a major challenge.
5.3 Parameterized Systems
A parameterized system means that the number of processes is not fi xed, but rather
specifi ed by a symbolic parameter. We choose to implement this idea as follows.
We fi rst have a special Variable Id, which represents a static, unique process id to
be referenced by its process code. The program counter shall also be an array PC of
individual counters, such that PC[Id] represents the program counter of process Id.
Program P[Id] denotes the infinite system P,P,···. As an example, we may defi ne
the parameterized program P[Id] ::= ?0? if (Id < n) then x := x + 1 ?1?.
We can represent the above parameterized program in CLP as follows:
state(Id,PC,X,N) :- PC[Id]=0, X=0.
state(Id,<PC,Id,1>,X+1,N) :- Id<N, state(Id,PC,X,N).
where PC is an array of program counters of length N.
We now explain some idea on how the parameterized system can be verifi ed. As-
suming there are N processes with Id ranging from 0 to N-1, for the above parameter-
ized system we may want to prove the assertion state(Id,PC,X,N), PC=[1,...,1]
|= X=N, that is, at the end of execution X=N. The verifi cation proceeds using induction
on the number of processes (N). We fi rst prove the base case for N=1, and the inductive
case exemplifi ed here: assuming state(Id,PC,X,k), PC=[1,...,1] |= X= k holds,
we prove state(Id,PC,X,k +1), PC=[1,...,1] |= X= k+1. From our hypothesis
and other assumptions on the program, state(Id,PC,X,k+1), PC=[1,...,1,0] |=
X= k. We unfold state(Id,PC,X,k +1), PC=[1,...,1] |= X= k+1, obtaining the
goal state(Id,PC’,X’,k+1), X’=X-1, PC’=[1,...,1,0] |= X= k+1. Using the
hypothesis replacing state(Id,PC’,X’,k +1) with X’= k the assertion is directly
Whaveimplementeda prototypeversionofourproofmethodas a regularCLP(R ) 
program, with no special consideration for important features such as indexing to deal
with the generally large number of generated assertions. The execution of our imple-
mentationis basicallya call to state predicate.However,in additionwe inserta tabling
mechanism at every transition rule. Whenever a new proof obligation is generated by a
call to the state predicate, the tabling mechanism will check whether the proof obli-
gation is subsumed by another proof obligation already tabled. If so, it fails causing
backtracking. Otherwise, it saves the new proof obligation in the table and continue.
The implementation uses a restricted form of coinduction, and verifi es assertions
only of the form state(˜X), φ |= false. A more general implementation of the future
likely requires interfacing with a theorem prover.
We have presented a methodology for the modeling of complex program behavior in
CLP. Our many examples demonstrated expressive elegance and power. We then pre-
sented a crucial extension to basic CLP, coinductive tabling, to facilitate execution of
the model. We believe that our general approach, coupled with its potential for exten-
sion to deal with abstraction and liveness, can provide a signifi cant advance in the state
of the art of program reasoning.
1. R. Alur and D. L. Dill.
126(2):183–235, April 1994.
2. K. R. Apt and E.-R. Olderog. Verifi cation of Sequential and Concurrent Programs. Graduate
Texts in Computer Science. Springer, 2nd edition, 1997.
3. G. Behrmann, K. G. Larsen, H. R. Andersen, H. Hulgaar d, and J. Lind-Nielsen. Verification
of hierarchical state/event systems using reusabi lity and compositionality. In R. Cleaveland,
editor, 5th TACAS, volume 1579 of LNCS, pages 163–177. Springer, 1999.
4. P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis.
In 4th POPL, pages 238–252. ACM Press, 1977.
5. W. Damm and D. Harel. LSCs: Breathing life into message sequence charts. J. FMSD,
6. G. Delzanno and A. Podelski. Constraint-based deductive model checking. Int. J. STTT,
7. E. W. Dijkstra. A Discipline of Programming. Prentice-Hall Series in Automatic Computa-
tion. Prentice-Hall, 1976.
8. C. Flanagan. Automatic software model checking using CLP. In P. Degano, editor, 12th
ESOP, volume 2618 of LNCS, pages 189–203. Springer, 2003.
9. G. Gupta and E. Pontelli. A constraint-based approach for specification and verification of
real-time systems. In 18th RTSS, pages 230–239. IEEE Computer Society Press, 1997.
10. D. Harel and A. Naamad. The STATEMATE semantics of Statecharts. ACM TOSEM,
5(4):293–333, October 1996.
11. J. Jaffar and M. J. Maher. Constraint logic programming: A survey. J. LP, 19/20:503–581,
12. J. Jaffar, S. Michaylov, P. J. Stuckey, and R. H. C. Yap. The CLP(R ) language and system.
ACM TOPLAS, 14(3):339–395, 1992.
13. J. Jaffar, A. Santosa, and R. Voicu. A CLP proof method for timed automata. In 25th RTSS,
pages 175–186. IEEE Computer Society Press, 2004.
14. K. Marriott and P. J. Stuckey. Programming with Constraints. MIT Press, 1998.
15. F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis. Springer, 1999.
16. Object Management Group, Inc. OMG Unifi ed Modeling Language Specifi cation, March
2003. Version 1.5 formal/03-03-01.
17. Y. S. Ramakrishna, C. R. Ramakrishnan, I. V. Ramakrishnan, S. A. Smolka, T. Swift, and
D. S. Warren. Efficient model checking using tabled resolution. In O. Grumberg, editor, 9th
CAV, volume 1254 of LNCS, pages 143–154. Springer, 1997.
18. D. S. Warren. Memoing for logic programs. Communications of the ACM, 35(3):93–111,
A theory of timed automata.
Theoretical Computer Science,