1 Introduction
Achieving trustworthy AI systems requires, among other qualities, the assessment that those systems produce correct judgments^{1}^{1}1Ethics Guidelines For Trustworthy AI
, Highlevel Expert Group on Artificial Intelligence set up by the European Commission.
https://ec.europa.eu/digitalsinglemarket/en/news/ethicsguidelinestrustworthyai. or, in other words, the ability to verify that produced results adhere to specifications on expected solutions. These specifications may have the form of expressions in some formal language or may amount to statements in natural language (consider English used in mathematical texts). Under this trustoriented perspective, AI systems built upon some Knowledge Representation (KR) paradigm start from an advantageous position, since their behavior is captured by some declarative machineinterpretable formal language. Moreover, depending on its degree of declarativity, a KR formalism can also be seen as a specification language by itself.
Answer Set Programming (ASP; niemela99a,martru99a) is a wellestablished KR paradigm for solving knowledgeintensive search/optimization problems. Based on logic programming under the answer set semantics [Gelfond and Lifschitz (1988)], the ASP methodology relies on devising a logic program so that its answer sets are in onetoone correspondence to the solutions of the target problem. This approach is fully declarative, since the logic program only describes a problem and conditions on its solutions, but abstracts out the way to obtain them, delegated to systems called answer set solvers. Thus, it would seem natural to consider an ASP program to serve a role of a formal specification on its expected solutions. However, the nonmonotonicity of the ASP semantics makes it difficult to directly associate an independent meaning to an arbitrary program fragment (as we customary do, for instance, with theories in classical logic). This complicates assessing that a given logic program reflects, in fact, its intended informal description. And yet, ASP practitioners do build logic programs in groups of rules and identify each group with some part of the informal specification [Erdoğan and Lifschitz (2004), Lifschitz (2017)]. Moreover, modifications on a program frequently take place within a group of rules rather than in the program as a whole. The safety of these local modifications normally relies on such properties in ASP as splitting [Lifschitz and Turner (1994), Ferraris et al. (2011)].
With these observations at hand, we propose a verification methodology for logic programs, where the argument of correctness of a program is decomposed into respective statements of its parts, relying to this aim on a modular view of ASP in spirit of [Oikarinen and Janhunen (2009), Harrison and Lierler (2016)]. In this methodology, a formal specification is formed by a set of modules called modular program, so that each module (a set of program rules) is ideally small enough to be naturally related to its informal description in isolation. This relation can be established using quasiformal English statements [Denecker et al. (2012), Lifschitz (2017)] or relying on classical logic [Lifschitz et al. (2018)]. The same specification may serve to describe different (nonmodular) ASP programs encoding the same problem. Each such program respects given priorities involving efficiency, readability, flexibility, etc. As usual in Formal Methods [Monin (2003)], verification then consists in obtaining a formal proof of the correspondence between the verified object (in our case, the nonmodular encoding ) and its specification (the set of modules matching the informal aspects of that problem). It is important to note that the formal specification language used is subject to two important requirements: (i) dealing with nonground programs; and (ii) capturing stable models of these programs using an expression that can be formally manipulated. For (i), we could use Quantified Equilibrium Logic [Pearce and Valverde (2008)] but for (ii) the equivalent formulation in [Ferraris (2011)] is more suitable, as it captures stable models of a program as a secondorder logic formula,^{2}^{2}2The need for secondorder logic is not surprising: the stable models of a logic program allow us to capture a transitive closure relation. the SM operator.
Once a modular specification is guaranteed (related to its informal description/proved to be correct with respect to its informal description), we expect that arguing the correctness of the replacement of some of its module by a different encoding is reduced to arguing some kind of equivalence between modules without affecting the rest of the correctness proof. The difficulty here appears when auxiliary predicates are involved. These predicates are quite common to improve the solver performance in a given encoding but, more importantly, they are sometimes indispensable in the specification to express some property that the ASP language cannot directly capture otherwise [Gonçalves et al. (2016)]. In both cases, their presence must be taken into account when proving correctness which, in its turn, normally depends on their local use in some part of the program.
In this paper, we extend the modular language from [Harrison and Lierler (2016)] to allow for a hierarchical tree of modules and submodules, each of them possibly declaring its own set of public and hidden predicates at different levels. We use this extension as a language for formal specifications. For illustration, we consider a logic program encoding the well known Hamiltonian Cycle (HC) problem. We start by providing a formal specification of the HC problem using the hierarchy of modules and relate it to the informal description of the problem. We then formally prove the correspondence between the HC logic program and its hierarchical specification. This constitutes the argument of correctness for the considered logic program. We also provide an example of module replacement that is verified through an equivalence proof that disregards the existing auxiliary predicates.
Paper outline: Section 2 provides a running example of the HC problem encoding and presents our methodology. In Section 3, we revisit the SM operator and extend it with hidden predicates. Section 4 presents our modular logic programs, while Sections 5 and 6 explain their use for formal verification, illustrating the proposed methodology on the running example.
2 Motivating example and methodology
We consider a wellknown domain in the ASP literature: the search of Hamiltonian cycles in a graph. A Hamiltonian cycle is a cyclic path from a directed graph that visits each of the graph’s vertex exactly once. For instance, Figure 0(a) depicts graph , whose unique Hamiltonian cycle is marked in double lines, whereas Listing 1 presents a possible encoding of the problem in the language of ASP solver clingo (Gebser et al., 2007). The #show directive is used to tell clingo which predicates (we call these public) should appear in the obtained answer sets: in this case, only predicate in/2 that captures the edges in the solution. Now, if we add the facts in Listing 2 corresponding to graph and instruct clingo to find all the answer sets we obtain the output in Listing 3, which is the only Hamiltonian cycle in the graph. ASP practitioners usually explain Listing 1 in groups of rules. Rule 3 is used to generate all possible subsets of edges, while Rules 78 guarantee that connections among them are linear. Rules 45 are meant to define the auxiliary predicate (for “reachable”) as the transitive closure of predicate . To assign this meaning to , we implicitly assume that this predicate does not occur in other rule heads in the rest of the program. Predicate is then used in Rule 6 to enforce that any pair of vertices are connected. Rules 46 together guarantee that facts for form a strongly connected graph covering all vertices in the given graph.
Methodology.
The methodology we propose for verifying the correctness of some logic program under answer set semantics consists of the following steps:

[label=Step ., ref=Step , labelwidth=38pt, align=left, leftmargin=45pt]

Decompose the informal description of the problem into independent (natural language) statements , identifying their possible hierarchical organization.

Fix the public predicates used to represent the problem and its solutions.

Formalize the specification of the statements as a nonground modular program , possibly introducing (modularly local) auxiliary predicates.

Construct an argument (a “metaproof” in natural language) for the correspondence between and the informal description of the problem.

Verify that the given logic program adheres to the formal specification . The result of this step is a set of formal proofs.
Note that the first four steps are exclusively related to the formal specification of the problem, while the particular program to be verified is only considered in 5, where formal verification proofs are produced.
Now, back to Hamiltonian cycle problem, a possible and reasonable result of 1 is the hierarchy of statements:

A Hamiltonian cycle of graph must be a subgraph of that contains all vertices of , that is:

[topsep=1pt]

has the same vertices as , and

all edges of also belong to .


A Hamiltonian cycle of graph is a cycle that visits all vertices of exactly once, that is:

[topsep=1pt]

no vertex has more than one outgoing/incoming edge on , and

is strongly connected.

The choice for public predicates (2) is, of course, arbitrary, but must be decided to compare different encodings (as also happens, for instance, when we fix a benchmark). Here, we choose predicates and to encode the edges of the input graph and the Hamiltonian cycle , respectively. To prove the correctness of the encoding in Listing 1, we resume the rest of our methodological steps later on, in Sections 5 and 6. For instance, 3 is shown in Section 5, where we define a formal specification that happens to comprise the same rules as Listing 1 but for the one in line 8. The main difference is that rules in are grouped in modules corresponding to the above hierarchy. A set of propositions in Section 5 are used to establish the correspondence between (4) and the informal statements. The already mentioned strong relation between Listing 1 and is not something we can always expect. As happens with refactoring in software engineering, encodings usually suffer a sequence of modifications to improve some of their attributes (normally, a better efficiency) without changing their functionality. Each new version implies a better performance of the answer set solver, but its correspondence with the original problem description becomes more and more obscure Buddenhagen and Lierler (2015). For instance, it might be noted that program in Listing 1 produces an excessively large ground program when utilized on graphs of non trivial size. It turns out that it is enough to require that all vertices are reachable from some fixed node in the graph (for instance ). Thus, rules 46 of Listing 1 are usually replaced by rules in Listing 4. The answer sets with respect to predicate are identical, if the graph contains a vertex named . In this sense, verifying an ASP program can mean establishing some kind of equivalence result between its formal specification in the form of a modular program and the final program obtained from the refactoring process Lierler (2019). This is tackled in Section 6 and constitutes 5.
3 Operator SM with hidden predicates
Answer set semantics has been extended to arbitrary firstorder (FO) theories with the introduction of Quantified Equilibrium Logic Pearce and Valverde (2008) and its equivalent formulation using the secondorder (SO) operator SM Ferraris et al. (2011). These approaches allow us to treat program rules as logical sentences with a meaning that bypasses grounding. For instance, rules in Listing 1 respectively correspond to:
(1)  
(2)  
(3)  
(4)  
(5)  
(6)  
(7)  
(8) 
As we can see, the correspondence is straightforward except, perhaps, for the choice rule in line 3 of Listing 1 that is represented as formula (3) (see fer05 for more details). We name the conjunction of sentences (1)(8) as our encoding .
We now recall the SM operator from Ferraris et al. (2011), assuming some familiarity with second order (SO) logic. We adopt some notation: a letter in boldface inside a formula denotes a tuple of elements also treated as a set, if all elements are different. Quantifiers with empty tuples (or empty sets of variables) can be removed: . Expression stands for the set of free predicate names (different from equality) in a SO formula . If and are predicate names of the same arity then is an abbreviation of where is an tuple of FO variables. Let and be tuples and of predicate symbols or variables. Then and is an abbreviation of . Given a FO formula , its stable model operator with intensional predicates (not including equality) is the SO formula
(9) 
with distinct predicate variables not occurring in and:
Predicate symbols occurring in but not in are called extensional and are interpreted classically. In fact, if is empty, it is easy to see that SM coincides with . We say that an interpretation over a signature is an answer set of a FO formula (representing a logic program) when it is a Herbrand model of SM and . When is a logic program, answer sets defined in this way correspond to the traditional definition based on grounding Ferraris et al. (2011). It is common to identify Herbrand interpretations with sets of atoms corresponding to its predicates and their extensions. For a Herbrand interpretation over set of predicates and set , we write to denote the restriction of to . As usual, the extent of a predicate in interpretation , written , collects every tuple of Herbrand terms for which holds in .
As a small example, let be the conjunction of facts in Listing 2, denote a conjunction of and and let be . Then, is formed by the conjunction of and all atoms , one per each fact in . The answer sets of are captured by the Herbrand models of . This formula has a unique model that minimizes the extension of to the exact set of facts in (and not more) and the extension of to be precisely all nodes used as left arguments in those edges. If we take instead the formula and then SM has a unique Herbrand model that has the same atoms for predicate as those in Listing 3 but, obviously, has also more atoms for the remaining predicates in . A simple way of removing (or forgetting) those extra predicates in SO is adding their existential quantification. Given formula we define the answer sets of for hiding predicates as the Herbrand models of:
(10) 
where is a tuple of predicate variables of the same length as and is the result of replacing all occurrences of predicate symbols from by the corresponding predicate variables from . We abuse the notation and write instead of (10) when it does not lead to confusion. We call predicates in tuples and intensional and hidden, respectively. For instance, stands for the formula where is obtained from by replacing predicate symbols by variables ; and it has a unique Herbrand model that coincides with the one in Listing 3. Thus, this model forms the unique answer set of for hiding predicates and . This corresponds to the behavior produced by the directive in Line 9 of the Hamiltonian cycle encoding. The following proposition states that the existential quantifiers for hidden predicates filter out their information in the models.
Proposition 1.
Let be a formula, a tuple of predicate symbols from and let . Then, is a Herbrand model of (10) iff there is some answer set of such that .
4 Nested modular programs
As explained in the introduction, our specification language departs from the work on modular logic programs by Harrison and Lierler (2016), where each module is a FO formula whose semantics is captured by the SM operator. This choice is motivated by two factors. First, it allows treating programs or modules with variables as FO formulas that can be manipulated without resorting to the program grounding at all. This is crucial is we wish to argue about the meaning of each module regardless of the particular instance of the problem to be solved. Second, the SM operator captures the semantics of the program also as a formula that, although including SO quantifiers, can be formally treated using a manifold of technical results from the literature (including theorems on splitting or constraints, for instance). To adapt this modular approach to our purposes in this paper, we extend it in two ways: (i) handling auxiliary predicates inside modules and (ii) introducing nested modules.
A defmodule is a pair , where is a tuple of intensional predicate symbols and is a FO formula. Its semantics is captured by the formula . When is empty, we write in place of defmodule — indeed, amounts to . On the contrary, when all predicates in are intensional, so defmodule represents the usual situation in a logic program . If we leave some predicates as extensional, then their extent is not “minimized.” For instance, rule alone, i.e., the defmodule , has a unique answer set whereas in a defmodule no assumption is made on extensional predicate , while collects precisely all left arguments of .
A modular program is a pair , where is the set of public predicate symbols and is the set of modules , where () is either a defmodule or another modular program (called subprogram of ), so that all predicate symbols occurring in are in . A modular program can be depicted as a hierarchical tree, whose leafs are defmodules. The interpretation of a modular program is captured by the (recursively defined) formula:
where contains all free predicate symbols in that are not in . Notice that, if is a defmodule , then as we defined before, while if is a subprogram, we apply the formula above recursively. We say that an interpretation is a model of a modular program , when it satisfies the formula . As in the previous section, we say that interpretation over public predicate symbols is an answer set of a modular program when it is a Herbrand model of . Programs and are said to be equivalent if they have the same answer sets. Under logic programming syntax (like Listing 1), public predicates are declared via #show clauses. We sometimes allow the defmodule as an abbreviation of the modular program .
We define as the set of all defmodules in at any level in the hierarchy. Program is said to be flat when it does not contain subprograms, i.e., coincides with . We call flat modular program HLmodular, when its set of public predicates contains all predicate symbols occurring in . HLmodular programs capture the definition of modular programs from (Harrison and Lierler, 2016).
To illustrate these definitions, we provide a modular program that will act later on as a specification for encoding = (1)(8) from Section 3. Program comprises the same rules (1)(7) (as we will see, (8) is actually redundant) but organizes them in the tree of Figure 2. The tree contains 5 defmodules (the leaf nodes) and has three subprograms, , and at different levels. Each modular program node (drawn as a thick line box) also shows inside its set of public predicates. Note, for instance, how predicate is local to subprogram that corresponds to rules 46 in Listing 1 and intuitively states that relation forms a strongly connected graph covering all vertices.
5 A formal specification language
Hamiltonian cycles constitute a good example of a typical use of ASP for solving a search problem. Following Brewka et al. (2011), a search problem can be seen as a set of instances, being each instance assigned a finite set of solutions. Under our verification method, we propose constructing a modular program that adheres to the specifications of so that when extended with modular program representing an instance of , the answer sets of this join are in one to one correspondence with members in . Then, we can use to argue, module by module, that each of its components actually corresponds to some part of the informal description of the problem. To illustrate these ideas we prove next that, indeed, program presented in Figure 2 and described in the last section is a formal specification for the search of Hamiltonian cycles. We start by presenting the informal readings of all defmodules occurring in the program — i.e., members of . The defmodules , and intuitively formulate the following Statements:

“In any model of , the extent of collects all objects in the extent of .”

“In any model of , the extent of is a subset of the extent of .”

“In any model of , the extent of r is the transitive closure of the extent of in.”
These statements can be seen as achievements of each defmodule in the sense of Lifschitz (2017), that are agnostic to the context where defmodules appear. This closely aligns with good software engineering practices, where the emphasis is made on modularity/independence of code development. An intuitive meaning of formulas (6) and (7) is self explanatory given the underlying conventions of FO logic:

“In any model of (6), the extent of contains each possible pair of vertices.”

“In any model of (7), the extent of does not contain two different pairs with the same left component.”
Statements S and S translate into a joint Statement about module :

“In any model of , is a subgraph of .”
Similarly, we identify the following two combined statements:

“In any model of , the extent of forms a strongly connected graph covering all vertices.”

“In any model of , the extent of is a cycle visiting all vertices exactly once” or equivalently “it induces a graph that is a Hamiltonian cycle.”
Note that each subcomponent of is small enough so that the verification of its corresponding statement is a manageable and selfisolated task. Note also that statements S and S are the result of fixing the public vocabulary for the statements 1 and 2 identified from the informal description in Section 2. Statements 1a and 1b in the informal description correspond to statements S and S, respectively. Statements 2a and 2b correspond to statements S and S.
At this point, we have completed 3 for our example, with the modular program and the informal statements to compare with. Now, 4 consists on building claims about the correctness of the modules versus the statements. Proofs for the correctness of statements S, S, S, S and S are obtained using properties of the SM operator and can be found in A. The formalization of Statement S follows from the general result below, if we just replace predicate names and by and , respectively. Its proof can also be found in A.
Proposition 2.
Let formula be
(11) 
For any arbitrary predicates and , any model of defmodule is such that the the extent of q is the transitive closure of the relation constructed from the extent of p.
The next two results prove the correctness of S and S, respectively, for and .
Proposition 3.
Let be formula ; be formula (11); be a modular program , be an interpretation, and be a graph. Then, is a model of iff for every pair of distinct vertices, there is a directed path from to in .
We just show the left to right direction. The complete proof can be found in A. Note first that is classically equivalent to , so any pair of vertices satisfies . From Proposition 2, relation is the transitive closure of . Hence, path from to exists in graph . ∎
Proposition 4.
Let be as in Proposition 3, be formula , be modular program and be an interpretation of . Then, is a model of graph iff are the edges of a Hamiltonian cycle of that is, the elements of can be arranged as a directed cycle so that are pairwise distinct and .
Again, we show only the left to right direction. See A for the complete proof. If is a model of , the hypothesis in the enunciate implies that for any pair of vertices, there is a directed path in . Hence, there exists:
(12) 
in graph such that every vertex in appears in it. Since is also a model of , Statement S (modulo names of predicate symbols) is applicable. This implies for all and, thus, that all edges in (12) are distinct. Therefore, (12) is a directed cycle. Since this cycle covers all vertices of , it is also a Hamiltonian cycle. ∎
Modular programs and coincide with modular programs and , when predicate symbols , and are replaced by , and , respectively. Statements S and S follow immediately. Note also that modular programs and also preserve their meaning inside a larger modular program mentioning predicate symbol in other parts. Indeed, symbol is hidden or local (existentially quantified) so that its use elsewhere in a larger modular program has a different meaning.
To complete the modularization of the Hamiltonian cycle problem, we develop the encoding for a graph instance. Given a set of graph edges, denotes a defmodule
(13) 
The intuitive and formal meaning of defmodule is captured by the statement:

“In any model of , the extent of is .”
Now, the Hamiltonian cycle problem on a given graph instance with edges is encoded by . To prove that obtains the correct solutions, we can now just simply rely on the already proved fulfillment of the statements for .
Proposition 5.
Let be a graph with nonempty sets of vertices and edges , where every vertex occurs in some edge, and be an interpretation over signature . Then, is an answer set of iff is a Hamiltonian cycle of .
We only showcase the left to right direction (see Appendix B for the rest). Take interpretation to be an answer set of . Then, there exists a Herbrand interpretation over signature so that coincides with on the extent of and is also a model of all submodules of . Thus, adheres to Statements S, S and S about these submodules. This implies that the extent forms a Hamiltonian cycle of (Statement S) and that is a subgraph of (Statement S). These two facts imply that forms a Hamiltonian cycle of the graph . Moreover, and respectively coincide with sets and (Statements S and S). Therefore, forms a Hamiltonian cycle of the graph . Finally, recall that , so the result holds. ∎
This result confirms that is indeed a correct formal specification of the Hamiltonian cycle problem, for any arbitrary graph instance . Propositions 25 are, in fact, an example of the application of 4 of our methodology to the Hamiltonian cycle problem. It is worth to mention that, in most cases, the decomposition in modules and the properties of the SM operator allow us to replace the SM operator by a FO formula (using Clark’s completion) or by the circumscription operator. This replacement greatly simplify the effort of the proofs detailed in A.
6 Verification based on modular programs
The results in the previous section state that the answer sets of our modular specification correspond to the Hamiltonian cycles of a graph. However, in general, there is no guarantee that the nonmodular version of (i.e., the regular ASP program formed by all rules in ) has the same answer sets. Next, we introduce some general conditions under which the answer sets of a modular program and its nonmodular version coincide. These results are useful for 5 of the proposed methodology.
In the rest of the section, we assume that has the form . We also identify a regular program with its direct modular version . The flattening of is defined as . For example, . We say that is in normal form (NF) if all occurrences of a predicate name in are free or they are all bound to a unique occurrence of existential quantifier. This happens, for instance, in . Still, any formula can always be equivalently reduced to NF by applying socalled transformations (i.e., choosing new names for quantified variables). In our context, this means changing hidden (auxiliary) predicate names in until different symbols are used for distinct auxiliary predicates. The next theorem states that, when modular program is in NF, we can ignore its recursive structure and instead consider its flat version.
Proposition 6.
For any modular program in NF, an interpretation is a model of iff is a model of .
Thus, since is in NF, it is simply equivalent to . Next, we show how to relate a flat program with a nonmodular program that contains exactly the same rules. We use this result to verify that program (corresponding to Listing 1) satisfies the Hamiltonian cycle specification. To formalize this relation we focus on a syntax closer to one of logic programs. Consider FO formulas that are conjunctions of rules of the form:
(14) 
where all are atoms and stands for the universal closure of their variables. As usual, the consequent and the antecedent of (14) are called head and body, respectively. The conjunction constitutes the positive (part of the) body. A modular program is called simple if, for every defmodule , formula is a conjunction of rules, and all head predicate symbols in are intensional (occur in ). This is, in fact, the case of all defmodules we considered so far. Let collect all intensional predicates in , that is . Then, we form the directed dependency graph by taking as nodes and adding an edge each time there is a rule occurring in with in the head and is in the positive body. For instance, the dependency graph of program is given in Figure 0(b). This graph has four strongly connected components, each one consisting of a single node.
A modular program is coherent if it is simple, in NF, and satisfies two more conditions: (i) every pair of distinct defmodules and in is such that , and (ii) for every strongly connected component in , there is a defmodule such that contains all vertices in . For example, is a coherent program. Now, let us collect the conjunction of all defmodule formulas in as We can observe, for instance, that , that is, the modular encoding of the Hamiltonian cycle problem and the nonmodular one share the same rules but for (8). We now obtain a similar result to Theorem 3 in (Harrison and Lierler, 2016) but extended to our framework. Together with Proposition 1, it connects modular programs with logic programs as used in practice. The proof of this result together with the proof of Theorem 2 below can be found in B.
Theorem 1.
Let be a coherent modular program, be , and be . Then, (i) any interpretation is a model of iff is a model of formula SM; (ii) any interpretation is an answer set of iff there is some answer set of such that .
As a result, we can now prove that program in Listing 1 satisfies the formal specification which, as we saw, captures the Hamiltonian cycle problem.
Proposition 7.
The answer sets of modular program coincide with the answer sets of logic program for intensional predicate symbol ‘in’ hiding all other predicate symbols of the program.
Since modular program is coherent, by Theorem 1, it is equivalent to the formula to where . Now, is in its turn equivalent to since entails formula (8) and defmodule (8) has no intensional predicate symbols. Besides, formulas and are identical. From Proposition 1, it follows that Herbrand models of are the answer sets of restricted to predicate . ∎
This proposition constitutes verification 5 that links an ASP encoding of the Hamiltonian cycle problem to its formal specification as a modular program . At a first sight, the effort may seem worthless, given that and almost share the same rules. But this is a wrong impression, since is actually an ideal case, i.e. the one closest to , while the latter can still be used as a specification for other encodings. To show how, let us take another encoding that results from replacing (4)(6) in by rules in Listing 4 respectively corresponding to:
(15)  
(16)  
(17) 
Verifying program amounts to proving its adherence to and, for that purpose, requires a proper modularization of . In this case, that modularization is obvious since the change is local to the module checking Hamiltonian cycles, . We define the modular programs , and , as the result of replacing by in . Even though they use different auxiliary predicates, programs and have the same intuitive meaning (Statement S) as long as there exists some vertex in the graph. One would, therefore, expect that the correctness of could be proved by checking some kind of equivalence with respect to . We formalize next this idea.
Given modular programs and , we write to denote the result of replacing all occurrences of module in by . We also define . For any finite theory , two modular programs and are said to be strongly equivalent with respect to context when any modular program with satisfies that and have the same answer sets.
Theorem 2.
Two modular programs and are strongly equivalent under context iff holds for all Herbrand interpretations.
In our example, although and are not equivalent in general, we can prove:
Proposition 8.
Modules and are strongly equivalent w.r.t. .
Recall that . The rest of the proof follows two steps. First, given:
(18) 
we get and, furthermore, follows by instantiation of with . Second, we can prove . ∎
7 Conclusions and future work
We presented a modular ASP framework that allows nested modules possibly containing hidden local predicates. The semantics of these programs and their modules is specified via the secondorder SM operator, and so, it does not resort to grounding. We illustrated how, under some reasonable conditions, a modular reorganization of a logic program can be used for verifying that it adheres to its (in)formal specification. This method has two important advantages. First, it applies a divideandconquer strategy, decomposing the correctness proof for the target program into almost selfevident pieces. Second, it can be used to guarantee correctness of a module replacement, even if interchanged modules are nonground and use different local predicates. In this way, correctness proofs are also reusable. The need for secondorder logic is inherent to the expressiveness of firstorder stable models but has the disadvantage of lacking a proof theory in the general case. Yet, there are wellknown specific cases in which the secondorder quantifiers can be removed. This is often the case of the SM operator so that we can use formal results from the literature (splitting, headcycle free transformations, relation to Clark’s Completion or Circumscription – see (Ferraris et al., 2011)) to reduce the these secondorder formulas to firstorder ones. We also intend to exploit the correspondence between SM and Equilibrium Logic to study general intertheory relations Pearce and Valverde (2004).
Our definition of contextual strong equivalence using hidden predicates is a variation of strong equivalence Lifschitz et al. (2001, 2007). We leave it to future work the relation to other equivalence notions Eiter et al. (2005); Oetsch and Tompits (2008); Oikarinen and Janhunen (2009); Aguado et al. (2019); Geibinger and Tompits (2019)
. Another topic for future work is the extension of automated reasoning tools for ASP verification
Lifschitz et al. (2018) to incorporate modularity.References
 Aguado et al. (2019) Aguado, F., Cabalar, P., Fandinno, J., Pearce, D., Pérez, G., and Vidal, C. 2019. Forgetting auxiliary atoms in forks. Artificial Intelligence 275, 575–601.
 Brewka et al. (2011) Brewka, G., Niemelä, I., and Truszczynski, M. 2011. Answer set programming at a glance. Communications of the ACM 54(12), 92–103.
 Buddenhagen and Lierler (2015) Buddenhagen, M. and Lierler, Y. 2015. Performance tuning in answer set programming. In Proceedings of the Thirteenth International Conference on Logic Programming and Nonmonotonic Reasoning (LPNMR).
 Denecker et al. (2012) Denecker, M., Lierler, Y., Truszczyński, M., and Vennekens, J. 2012. A Tarskian informal semantics for answer set programming. In Technical Communications of the 28th International Conference on Logic Programming (ICLP). 277–289.
 Eiter et al. (2005) Eiter, T., Tompits, H., and Woltran, S. 2005. On solution correspondences in answer set programming. In Proceedings of the Nineteenth International Joint Conference on Artificial Intelligence (IJCAI’05), L. Kaelbling and A. Saffiotti, Eds. Professional Book Center, 97–102.
 Erdoğan and Lifschitz (2004) Erdoğan, S. T. and Lifschitz, V. 2004. Definitions in answer set programming. In Proceedings of International Conference on Logic Programming and Nonmonotonic Reasoning (LPNMR). SpringerVerlag, 114–126.
 Ferraris (2005) Ferraris, P. 2005. Answer sets for propositional theories. In Proceedings of International Conference on Logic Programming and Nonmonotonic Reasoning (LPNMR). 119–131.
 Ferraris (2011) Ferraris, P. 2011. Logic programs with propositional connectives and aggregates. ACM Transactions on Computational Logic 12, 4, 25.
 Ferraris et al. (2011) Ferraris, P., Lee, J., and Lifschitz, V. 2011. Stable models and circumscription. Artificial Intelligence 175, 1, 236–263.
 Ferraris et al. (2009) Ferraris, P., Lee, J., Lifschitz, V., and Palla, R. 2009. Symmetric splitting in the general theory of stable models. In Proceedings of the Twentyfirst International Joint Conference on Artificial Intelligence (IJCAI’09), C. Boutilier, Ed. AAAI/MIT Press, 797–803.
 Gebser et al. (2007) Gebser, M., Kaufmann, B., Neumann, A., and Schaub, T. 2007. Conflictdriven answer set solving. In Proceedings of 20th International Joint Conference on Artificial Intelligence (IJCAI’07). MIT Press, 386–392.
 Geibinger and Tompits (2019) Geibinger, T. and Tompits, H. 2019. Characterising relativised strong equivalence with projection for nonground answerset programs. In Logics in Artificial Intelligence  16th European Conference, JELIA 2019, Rende, Italy, May 711, 2019, Proceedings. Lecture Notes in Computer Science, vol. 11468. Springer, 542–558.
 Gelfond and Lifschitz (1988) Gelfond, M. and Lifschitz, V. 1988. The stable model semantics for logic programming. In Proceedings of the Fifth International Conference and Symposium of Logic Programming (ICLP’88), R. Kowalski and K. Bowen, Eds. MIT Press, 1070–1080.
 Gonçalves et al. (2016) Gonçalves, R., Knorr, M., and Leite, J. 2016. You can’t always forget what you want: On the limits of forgetting in answer set programming. In Proceedings of 22nd European Conference on Artificial Intelligence (ECAI’16). Frontiers in Artificial Intelligence and Applications, vol. 285. IOS Press, 957–965.
 Harrison and Lierler (2016) Harrison, A. and Lierler, Y. 2016. Firstorder modular logic programs and their conservative extensions. Theory and Practice of Logic programming, 32nd Int’l. Conference on Logic Programming (ICLP) Special Issue.
 Lierler (2019) Lierler, Y. 2019. Strong equivalence and program’s structure in arguing essential equivalence between firstorder logic programs. In Proceedings of the 21st International Symposium on Practical Aspects of Declarative Languages (PADL).
 Lifschitz (2017) Lifschitz, V. 2017. Achievements in answer set programming. Theory and Practice of Logic Programming 17, 56, 961–973.
 Lifschitz et al. (2018) Lifschitz, V., Lühne, P., and Schaub, T. 2018. anthem: Transforming gringo programs into firstorder theories (preliminary report). CoRR abs/1810.00453.
 Lifschitz et al. (2001) Lifschitz, V., Pearce, D., and Valverde, A. 2001. Strongly equivalent logic programs. ACM Transactions on Computational Logic 2, 4, 526–541.
 Lifschitz et al. (2007) Lifschitz, V., Pearce, D., and Valverde, A. 2007. A characterization of strong equivalence for logic programs with variables. In Procedings of International Conference on Logic Programming and Nonmonotonic Reasoning (LPNMR). 188–200.
 Lifschitz and Turner (1994) Lifschitz, V. and Turner, H. 1994. Splitting a logic program. In Proceedings of the Eleventh International Conference on Logic Programming. MIT Press, 23–37.
 Marek and Truszczyński (1999) Marek, V. and Truszczyński, M. 1999. Stable models and an alternative logic programming paradigm. In The Logic Programming Paradigm: a 25Year Perspective, K. Apt, V. Marek, M. Truszczyński, and D. Warren, Eds. SpringerVerlag, 375–398.
 Monin (2003) Monin, J. 2003. Understanding formal methods. Springer.
 Niemelä (1999) Niemelä, I. 1999. Logic programs with stable model semantics as a constraint programming paradigm. Annals of Mathematics and Artificial Intelligence 25, 34, 241–273.
 Oetsch and Tompits (2008) Oetsch, J. and Tompits, H. 2008. Program correspondence under the answerset semantics: The nonground case. In Logic Programming, 24th International Conference, ICLP 2008, Udine, Italy, December 913 2008, Proceedings, M. G. de la Banda and E. Pontelli, Eds. Lecture Notes in Computer Science, vol. 5366. Springer, 591–605.
 Oikarinen and Janhunen (2009) Oikarinen, E. and Janhunen, T. 2009. A translationbased approach to the verification of modular equivalence. J. Log. Comput. 19, 4, 591–613.
 Pearce and Valverde (2004) Pearce, D. and Valverde, A. 2004. Synonymous theories in answer set programming and equilibrium logic. In Proceedings of the 16th European Conference on Artificial Intelligence. ECAI’04. IOS Press, Amsterdam, The Netherlands, The Netherlands, 388–392.
 Pearce and Valverde (2008) Pearce, D. and Valverde, A. 2008. Quantified equilibrium logic and foundations for answer set programs. In Logic Programming, 24th International Conference, ICLP 2008, Udine, Italy, December 913 2008, Proceedings, M. G. de la Banda and E. Pontelli, Eds. Lecture Notes in Computer Science, vol. 5366. Springer, 546–560.
Appendix A Formalizing the meanings of defmodules for
the Hamiltonian cycle problem
In this section we argue about the correctness of statements introduced in Section 5. We start by reviewing a series of results that are useful in proving such correctness and apply them to our running example.
In this section, it is convenient for us to identify defmodule with the formula that captures the semantics of .
Strong equivalence and denials.
Nonmodular programs and are strongly equivalent if for every traditional program , programs and have the same answer sets Lifschitz et al. (2001). More in general, FO formulas and are strongly equivalent if for any formula , any occurrence of in , and any list p of distinct predicate constants, SM is equivalent to SM, where is obtained from by replacing by . Lifschitz et al. (2007) show that FO formulas and are strongly equivalent if they are equivalent in SQHT logic — a FO intermediate logic Pearce and Valverde (2008) between classical and intuitionistic logics.
A formula of the form is intuitionistically equivalent to formula . We call formulas of both of these forms denials and identify the former with the latter.
Theorem 3 (Theorem 3; feleli11a).
For any FO formulas and and arbitrary tuple of predicate constants, is equivalent to
Theorem 3 can be understood in the following terms. A modular program containing a defmodule of the form is equivalent to the one resulting from by replacing with defmodules and . Thus, any denial semantically translates into a classical first order formula. Now, the claims in Statement S and S immediately follow from Theorem 3.
Tightness and completion.
Although SM is defined on arbitrary formulas, we focus now on the traditional syntax of logic program rules, that is, FO sentences of the form (14). We say that a module is tight if its dependency graph is acyclic. For example, all modules in program , but (and those containing it) are tight.
A FO formula is in Clark normal form Ferraris et al. (2011) relative to the tuple p of predicate symbols if it is a conjunction of formulas of the form
(19) 
one for each predicate , where is a tuple of distinct object variables. We refer the reader to Section 6.1 in Ferraris et al. (2011) for the description of the intuitionistically equivalent transformations that can convert a FO formula that is a conjunction of formulas of the form (14) into Clark normal form. Here, we illustrate results of these conversion steps on formulas stemming from the program . For instance, converting formula
(20) 
into Clark normal form results in the intuitionistically equivalent formula
(21) 
Similarly, module is intuitionistically equivalent to the formula
(22) 
where follows
The FO formula within defmodule (3) is in Clark normal form.
The completion of a formula in Clark normal form relative to predicate symbols p, denoted by , is obtained from by replacing each conjunctive term of the form (19) by
For instance, the completion of (21) is
(23) 
while the completion of formula (22) is
(24) 
The following theorem follows immediately from Theorem 11 in Ferraris et al. (2011).
Theorem 4.
Let be a tight defmodule. Then, and are equivalent.
Note that expression is a classical first order logic formula. Since formulas (20) and (21) are strongly equivalent, it follows that defmodules and are equivalent, too. Similarly, defmodule is equivalent to SO formula . Thus, by Theorem 4, modules and are equivalent to FO formulas (23) and (24), respectively. These facts suffice to support the claims of Statements S and S. Furthermore, also by Theorem 4, defmodule is equivalent to FO formula
which, in turn, is equivalent to formula
It is easy to see now that the claim of Statement S holds.
The following proposition follows immediately from Theorem 4 and generalizes the last claim.
Proposition 1.
A tight defmodule is equivalent to formula .
In other words, we can always understand a defmodule consisting of a choice rule as a reversed implication in FO logic.
Circumscription and transitive closure.
The circumscription operator with the minimized predicates of a FO formula is denoted by Ferraris et al. (2011). The models of are the models of where the extension of the predicates in is minimal given the interpretation of remaining predicates is fixed. Interestingly, if is a conjunction of rules of (14) without negation, then and are equivalent. Proposition 2 follows directly from this observation and allows us to assert that Statement S holds.
For a formula and a symbol occurring in it by we denote an expression constructed from by substituting symbol with .
Note that
Let be an interpretation over signature . Then, is a model of iff there is an interpretation over signature that agrees on on and is a model of . Take such interpretation , its is the transitive closure of (Proposition 2) and is a model of . Note also that is equivalent to
(25) 
Consequently, any pair of elements in are such that they are also in binary relation with each other. Lefttoright. Assume that is a model of