Engineering Trustworthy Software

Systems Third International School

SETSS 2017 Chongqing China April 17
22 2017 Tutorial Lectures Jonathan P.
Bowen
Visit to download the full and correct content document:
https://textbookfull.com/product/engineering-trustworthy-software-systems-third-intern
ational-school-setss-2017-chongqing-china-april-17-22-2017-tutorial-lectures-jonatha
n-p-bowen/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Engineering Trustworthy Software Systems: 5th

International School, SETSS 2019, Chongqing, China,
April 21–27, 2019, Tutorial Lectures Jonathan P. Bowen

https://textbookfull.com/product/engineering-trustworthy-
software-systems-5th-international-school-setss-2019-chongqing-
china-april-21-27-2019-tutorial-lectures-jonathan-p-bowen/

Engineering Trustworthy Software Systems First

International School SETSS 2014 Chongqing China
September 8 13 2014 Tutorial Lectures 1st Edition
Zhiming Liu
https://textbookfull.com/product/engineering-trustworthy-
software-systems-first-international-school-setss-2014-chongqing-
china-september-8-13-2014-tutorial-lectures-1st-edition-zhiming-
liu/

Reasoning Web Semantic Interoperability on the Web 13th

International Summer School 2017 London UK July 7 11
2017 Tutorial Lectures 1st Edition Giovambattista Ianni

https://textbookfull.com/product/reasoning-web-semantic-
interoperability-on-the-web-13th-international-summer-
school-2017-london-uk-july-7-11-2017-tutorial-lectures-1st-
edition-giovambattista-ianni/

Fundamentals of Software Engineering 7th International

Conference FSEN 2017 Tehran Iran April 26 28 2017
Revised Selected Papers 1st Edition Mehdi Dastani

https://textbookfull.com/product/fundamentals-of-software-
engineering-7th-international-conference-fsen-2017-tehran-iran-
april-26-28-2017-revised-selected-papers-1st-edition-mehdi-
Agile Processes in Software Engineering and Extreme
Programming 18th International Conference XP 2017
Cologne Germany May 22 26 2017 Proceedings 1st Edition
Hubert Baumeister
https://textbookfull.com/product/agile-processes-in-software-
engineering-and-extreme-programming-18th-international-
conference-xp-2017-cologne-germany-
may-22-26-2017-proceedings-1st-edition-hubert-baumeister/

IoT as a Service Third International Conference IoTaaS

2017 Taichung Taiwan September 20 22 2017 Proceedings
Yi-Bing Lin

https://textbookfull.com/product/iot-as-a-service-third-
international-conference-iotaas-2017-taichung-taiwan-
september-20-22-2017-proceedings-yi-bing-lin/

Advanced Hybrid Information Processing: First

International Conference, ADHIP 2017, Harbin, China,
July 17–18, 2017, Proceedings 1st Edition Guanglu Sun

https://textbookfull.com/product/advanced-hybrid-information-
processing-first-international-conference-adhip-2017-harbin-
china-july-17-18-2017-proceedings-1st-edition-guanglu-sun/

Principles of Security and Trust 6th International

Conference POST 2017 Held as Part of the European Joint
Conferences on Theory and Practice of Software ETAPS
2017 Uppsala Sweden April 22 29 2017 Proceedings 1st
Edition Matteo Maffei
https://textbookfull.com/product/principles-of-security-and-
trust-6th-international-conference-post-2017-held-as-part-of-the-
european-joint-conferences-on-theory-and-practice-of-software-
etaps-2017-uppsala-sweden-april-22-29-2017-pro/

Computational Linguistics and Intelligent Text

Processing 18th International Conference CICLing 2017
Budapest Hungary April 17 23 2017 Revised Selected
Papers Part I Alexander Gelbukh
https://textbookfull.com/product/computational-linguistics-and-
intelligent-text-processing-18th-international-conference-
cicling-2017-budapest-hungary-april-17-23-2017-revised-selected-
 Jonathan P. Bowen
Zhiming Liu
Zili Zhang (Eds.)
Tutorial
LNCS 11174

Engineering Trustworthy
Software Systems
Third International School, SETSS 2017
Chongqing, China, April 17–22, 2017
Tutorial Lectures

123
Lecture Notes in Computer Science 11174
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology Madras, Chennai, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7408
Jonathan P. Bowen Zhiming Liu
•

Zili Zhang (Eds.)

Engineering Trustworthy
Software Systems
Third International School, SETSS 2017
Chongqing, China, April 17–22, 2017
Tutorial Lectures

123
Editors
Jonathan P. Bowen Zili Zhang
London South Bank University Faculty of Computer and Information
London, UK Science
Southwest University
Zhiming Liu Chongqing, China
Southwest University
Chongqing, China

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-030-02927-2 ISBN 978-3-030-02928-9 (eBook)
https://doi.org/10.1007/978-3-030-02928-9

Library of Congress Control Number: 2018958874

LNCS Sublibrary: SL2 – Programming and Software Engineering

© Springer Nature Switzerland AG 2018

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

The Third School on Engineering Trustworthy Software Systems (SETSS 2017) was
held during April 17–22, 2017, at Southwest University, Chongqing, China. It was
aimed at Ph.D. and Master students, in particular, from around China, and was suitable
for university researchers and industry software engineers. This volume contains
tutorial papers related to most of the lecture courses delivered at the School.
SETSS 2017 was organized by the School of Computer and Information Science, in
particular, the Centre for Research and Innovation in Software Engineering (RISE) at
Southwest University, providing lectures on cutting-edge research in methods and tools
for use in computer system engineering. The School aimed to enable participants to
learn about state-of-the-art software engineering methods and technology advances
from experts in the field.
The opening session was chaired by Prof. Zili Zhang. A welcome speech was
delivered by the Vice President of Southwest University, Prof. Yanqiang Cui, followed
by an introductory briefing for SETSS 2017 by Prof. Zhiming Liu. The session finished
with a ceremony for a guest professorship at Southwest University for Prof. Zhou
Chaochen and a photograph of participants at the School.
The following lectures courses (four 90-minute lecture sessions each) were deliv-
ered during the School:
– Ian Hayes: “Rely/Guarantee Thinking”
– Gary T. Leavens: “Hoare-Style Specification and Verification of Object-Oriented
Programs with JML”
– Natarajan Shankar: “Logic, Specification, Verification, and Interactive Proof”
– Andreas Podelski: “Software Model Checking with Automizer”
– Rustan Leino: “Writing Programs and Proofs”
– Xiaoxing Ma: “Engineering Self-adaptive Software-intensive Systems”
In addition, there were three evening seminars and a meeting on educational issues:
– Maarten de Rijke: “Agents that Get the Right Information to the Right People in the
Right Way”
– Dang Van Hung: “A Model for Real-time Concurrent Interaction Protocols in
Component Interfaces”
– Zijiang Yang: “Optimizing Symbolic Execution for Software Testing”
– Zhiming Liu (Chair): CCF Formal Methods Division Meeting – “Formal Methods
Education”
These additional presentations and discussions complemented the longer lecture
courses.
VI Preface

Courses

Rely/Guarantee Thinking

Lecturer: Prof. Ian Hayes, University of Queensland, Australia

Biography: Ian Hayes is a Professor of Computer Science at the University of
Queensland, Australia. His research interests focus on formal methods for the specifi-
cation and development of software and systems. He has worked on the Z specification
notation, and specification and refinement of real-time systems. His most recent research
has focused on the specification and refinement of concurrent systems, along with an
algebraic approach to defining its semantics with the aim of providing tool support.
Overview: The rely/guarantee approach to reasoning about a concurrent process makes
the use of a rely condition to abstractly represent the assumptions the process makes
about interference from its environment and a guarantee condition to represent the
interference it imposes on its environment. The general view of rely/guarantee thinking
appears to apply to a very wide range of applications: it facilitates the development and
formal proof of intricate code — at the other extreme, it provides a framework for
deriving the specification of control systems that respond to, and actuate, physical
systems that interact with the physical world. In the last couple of years, the way of
recording rely assumptions and guarantee commitments has been recast into a style
similar to the refinement calculus. This results in a much more algebraic feel to rea-
soning about rely/guarantee thinking and the laws of this calculus were explained and
demonstrated on examples.

Hoare-Style Specification and Verification of Object-Oriented Pro-

grams with JML

Lecturer: Prof. Gary T. Leavens, University of Central Florida, USA

Biography: Gary T. Leavens is a professor and chair of the department of Computer
Science at the University of Central Florida. Previously he was a professor at Iowa
State University, where he started in 1989, after receiving his Ph.D. from MIT. Before
his graduate studies at MIT, he worked at Bell Telephone Laboratories in Denver,
Colorado. Professor Leavens was General Chair for the SPLASH 2012 conference and
Research Program Committee chair for the 2009 OOPSLA conference. He was the
Research Results Program Committee chair for the Modularity 2015 conference.
Overview: These lectures addressed the problem of specification and verification of
sequential object-oriented (OO) programs, which use subtyping and dynamic dispatch.
First we described the semantics of class-based object-oriented languages with mutable
objects, such as Java. Then we described the problems of applying Hoare-style rea-
soning to OO programs in a modular way. We look in detail at the key notions of
refinement, modular verification, and modular correctness. This leads to a detailed
 Preface VII

discussion of behavioral subtyping and supertype abstraction. Finally we discussed

specification inheritance, its relationship to behavioral subtyping, and how these con-
cepts are embodied in JML.

Logic, Specification, Verification, and Interactive Proof

Lecturer: Prof. Natarajan Shankar, SRI International Computer Science Laboratory,

USA
Biography: Prof. Natarajan Shankar is a Distinguished Scientist at the SRI Interna-
tional Computer Science Laboratory. He is the co-developer of a number of
cutting-edge tools (http:github.com/SRI-CSL) for automated reasoning and formal
verification spanning interactive proof (PVS), model checking (SAL), SMT solving
(Yices), and probabilistic inference (PCE). Prof. Shankar is an SRI Fellow and a
co-recipient of the 2012 CAV Award.
Overview: Formalization plays a key role in computing in disciplines ranging from
hardware and distributed computing to programming languages and hybrid systems. In
this course, we explore the use of SRI’s Prototype Verification System (PVS, see http://
pvs.csl.sri.com) in formal specification and interactive proof construction. PVS and
other proof assistants, like ACL2, Coq, HOL, HOL Light, Isabelle, and Nuprl, have
been used to formalize significant tracts of mathematics and verify complex hardware
and software systems. In the lectures, we explored the formalization of both intro-
ductory and advanced concepts from mathematics and computing. We use PVS to
interactively construct proofs and to define new proof strategies.

Software Model Checking with Automizer

Lecturer: Prof. Andreas Podelski, University of Freiburg, Germany

Biography: Prof. Andreas Podelski works in the area of programming languages,
specifically, on program analysis and verification. He is an associate editor of the
journals ToPLaS, FMSD, JAR, and STTT. He has served as the chair or as a member
of the program committee of over 50 conferences and he has been the invited speaker at
over 20 conferences. He did his Masters studies in Münster, Germany, his Ph.D. in
Paris, France, and postdoctoral research in Berkeley, California, USA. He holds the
Chair of Software Engineering at the University of Freiburg since 2006. He has spent
sabbaticals for research at Microsoft Redmond, ENS Paris, Microsoft Cambridge, and
Stanford Research Institute (SRI).
Overview: We presented a new approach to the verification of programs. The approach
was embodied in the tool Automizer. Automizer won this year’s gold medal at
SV-Comp (the second time in a row). We were able to decompose the set of behaviors
of the given program (whose correctness we wanted to prove) according to sets of
behaviors for which we already had a proof. We were able to construct a program from
VIII Preface

the correctness proof of a sequence of statements. A sequence of statements is a simple

case of a program (a straight-line program). At the same time, a sequence of statements
is a word over a finite alphabet (a word that can be accepted by an automaton). Just as
we asked whether a word had an accepting run, we were able to ask whether a sequence
of statements had a correctness proof (of a certain form). The automaton accepted
exactly the sequences that did. We constructed programs from proofs, repeatedly, until
the constructed programs together covered all possible behaviors of the given program
(whose correctness we wanted to prove). A crucial step here was the covering check.
This step was based on algorithms for automata (inclusion test, minimization, etc.). We
explained the approach for a wide range of verification problems: safety, termination,
liveness; with (possibly recursive) procedures, multi-threaded, with possibly
unboundedly many threads.

Writing Programs and Proofs

Lecturer: Dr. Rustan Leino, Amazon, USA

Biography: Rustan Leino is a senior principal engineer at Amazon Web Services. He
was previously a principal researcher in the Research in Software Engineering (RiSE)
group at Microsoft Research, Redmond, and has been a visiting professor in the
Department of Computing at Imperial College London. He is known for his work on
programming methods and program verification tools and is a world leader in building
automated program verification tools. One of these tools is the language and verifier
Dafny. Leino is an ACM Fellow. Prior to Microsoft Research, Leino worked at
DEC/Compaq SRC. He received his Ph.D. from Caltech (1995), but before doing so,
he already designed and wrote object-oriented software as a technical lead in the
Windows NT group at Microsoft. Leino collects thinking puzzles on a popular web
page and hosts the Verification Corner channel on YouTube.
Overview: Reasoning about programs and understanding how to write proofs are
important skills for software engineers. In this course, students learned techniques of
how to reason about programs, both imperative programs and functional programs. For
imperative programs, this included the concepts of assertions, pre- and postconditions,
and loop invariants. For functional programs, this additionally included lemmas, proof
calculations, and mathematical induction. Throughout the course, the Dafny language
and verifier was used.

Engineering Self-adaptive Software-Intensive Systems

Lecturer: Prof. Xiaoxing Ma, Nanjing University, China

Biography: Xiaoxing Ma is a professor and the deputy director of the Institute of
Computer Software at Nanjing University. His research interests include self-adaptive
software systems, software architectures, and middleware systems. Xiaoxing
 Preface IX

co-authored more than 60 peer-reviewed papers, some of which were published in

major software engineering conferences and journals, such as FSE, ICSE, ASE and
IEEE TSE, TC, TPDS. He has directed and participated in over a dozen research
projects funded by the National Natural Science Foundation and the Ministry of Sci-
ence and Technology of China. He has also served actively in technical program
committees of various international conferences and workshops.
Overview: Modern software-intensive systems often need to dynamically adapt to
the changes in the environment in which they are embedded and to the requirements
they must satisfy. Engineering self-adaptation in software is challenging due to the lack
of systematic engineering methods and proper enabling techniques. In this tutorial, we
discussed some recent advances in software engineering for self-adaptive systems, with
topics covering the sensing and understanding of systems’ environmental context, the
model-based and control theory-based approaches to adaptation decision making, and
the actuation of adaptation decisions through dynamic software updating.

Seminars

Agents that Get the Right Information to the Right People

in the Right Way

Lecturer: Prof. Maarten de Rijke, University of Amsterdam, The Netherlands

Biography: Maarten de Rijke, professor at the University of Amsterdam,
The Netherlands, leads the prestigious Information Language Processing and System
(ILPS) laboratory in the field of information retrieval. He has published more than 670
articles in the top conferences and journals of information retrieval, machine learning,
natural language processing and data mining, including SIGIR (CCF A), WWW (CCF
A), KDD (CCF A), ICML (CCF) CCF A), NIPS (CCF A), ACL (CCF A), WSDM (CCF
B), CIKM (CCF B), ACM Transactions on Information Systems (TOIS, CCF A) and
IEEE Transactions on Knowledge and Data Engineering (TKDE, CCF A). Especially in
the field of expert finding, online learning, modal logic, and community-based
answering. According to the Google Scholar, he has over 20,000 citations and an
h-index of 65. Professor Maarten de Rijke has served as chairman of the conference or
program committee for various meetings in the field of information retrieval, including
SIGIR, WWW, WSDM and CIKM. He is currently the director of the Amsterdam Data
Science Center and the director of the Ad de Jonge Intelligence and Safety Center in
the Netherlands, as well as the director of the Master of Artificial Intelligence program
at the University of Amsterdam. Professor Maarten de Rijke is also the editor-in-chief
of several top journals in the field of information retrieval and information systems,
including ACM Transactions on Information Systems (TOIS CCF A).
Abstract: Interaction with information is a fundamental activity of the human condition.
Interactions with search systems play an important role in the daily activities of many
people, so as to inform their decisions and guide their actions. For many years, the field
of IR has accepted “the provision of relevant documents” as the goal of its most
X Preface

fundamental algorithms. The focus of the field is shifting towards algorithms that are
able to get the right information to the right people in the right way. Artificial intelli-
gence (AI) is entering a new golden age. How can these advances help information
retrieval? That is, how can AI help to develop agents that get the right information to the
people in the right way? Making search results as useful as possible may be easy for
some search tasks, but in many cases it depends on the context, such as a user’s
background knowledge, age, or location, or their specific search goals. Addressing each
optimal combination of search result preferences individually is not feasible. Instead, we
need to look for scalable methods that can learn good search results without expensive
tuning. In recent years, there has been significant work on developing methods for a
range of IR problems that learn directly from natural interactions with their users. In the
talk, I sampled from these advances and hinted at future directions.

A Model for Real-time Concurrent Interaction Protocols in Compo-

nent Interfaces

Lecturer: Dang Van Hung, Vietnam National University, Vietnam

Biography: Dang Van Hung graduated in Mathematics in 1977 at the Department of
Mathematics, Hanoi University, Hanoi, Vietnam, and obtained his PhD degree in
Computer Science in 1988 at the Computer and Automation Research Institute, Hun-
garian Academy of Sciences, Budapest, Hungary. He began his career as a research
fellow at the Institute of Information Technology, Hanoi, Vietnam. He was a research
fellow at the United Nations University, International Institute for Software Technology,
located in Macao for more than 12 years. Since 2008, he is a senior lecturer of the
University of Engineering and Technology of Vietnam National University in Hanoi. He
has been actively involved in many scientific activities such as organising international
conferences, editing books and journals. His research interests include formal methods,
real-time, parallel and distributed systems, component-based software development.
Abstract: Interaction Protocol specification is an important part for component inter-
face specification. To use a component, the environment must conform to the inter-
action protocol specified in the interface of the component. We gave a powerful
technique to specify protocols which can capture the constraints on temporal order,
concurrency, and timing. We also showed that the problem of checking if a timed
automaton conforms to a given real-time protocol is decidable and developed a deci-
sion procedure for solving the problem.

Optimizing Symbolic Execution for Software Testing

Lecturer: Prof. Zijiang Yang, Western Michigan University, USA

Biography: Zijiang Yang is a professor of Computer Science at Western Michigan
University. His research is in the broad areas of software engineering and formal
 Preface XI

methods. The primary focus is to develop formal method based tools to support the
debugging, analysis, and verification of complex systems. He has published over 70
papers, many of which were published in major software engineering conferences and
journals such as FSE, ICSE, ASE, ICST, CAV and TSE. He is also an inventor of ten
United States patents. Yang received his Ph.D. from the University of Pennsylvania.
Abstract: Symbolic execution is a powerful technique for systematically exploring the
paths of a program and generating the corresponding test inputs. However, its practical
usage is often limited by the path explosion problem, that is, the number of explored
paths usually grows exponentially with the increase of program size. We proposed new
symbolic execution approaches to mitigate the path explosion problem by predicting
and eliminating the redundant paths based on symbolic values in the context of soft-
ware testing.
From the lectures, a record of the School has been distilled in five chapters within this
volume as follows:
– Ian J. Hayes and Cliff B. Jones: “A Guide to Rely/Guarantee Thinking”
– Gary T. Leavens and David A. Naumann: “An Illustrated Guide to the Model
Theory of Supertype Abstraction and Behavioral Subtyping”
– Natarajan Shankar: “Formalizing Hoare Logic in PVS”
– K. Rustan M. Leino: “Modeling Concurrency in Dafny”
– Xiaoxing Ma, Tianxiao Gu, and Wei Song: “Software Is Not Soft: Challenges and
Approaches to Dynamic Software Update”
An additional contribution by Cliff Jones (co-author with Ian Hayes above) was also
included. This is a lecture that would have been delivered had Cliff Jones also attended
the School. It is a tutorial paper on the formal semantics of programming languages that
is co-authored with his PhD student Troy Astarte:
– Cliff B. Jones and Troy K. Astarte: “Challenges for Formal Semantic Description:
Responses from the Main Approaches”
For further information on SETSS 2017, including lecture material, see: http://www.
swu-rise.net.cn/SETSS2017
Acknowledgments: SETSS 2017 was supported by IFIP Working Group 2.3 on Pro-
gramming Methodology. The aim of WG 2.3 is to increase a programers’ ability to
compose programs, which fits very well with SETSS. Several of the lecturers at SETSS
2017 are members of WG 2.3 and they are very pleased to have the opportunity to
support the training of researchers and engineers.
We would like to thank the lecturers and their co-authors for their professional
commitment and effort, the strong support of Southwest University, and the enthusi-
astic work of the local organization team, without which SETSS 2017 would not have
been possible. Finally, we are grateful for the support of Alfred Hofmann and Anna
Kramer of Springer Lecture Notes in Computer Science (LNCS) in the publication of
this volume.
July 2018 Jonathan P. Bowen
Zhiming Liu
Zili Zhang
Group photograph at SETSS 2017. Front row, left to right: Zhiming Liu, Yongjun Jin,
Dang Van Hung, Gary Leavens, Chaochen Zhou, Yangian Cui, Ian Hayes, Zili Zhang,
Guoqiang Xiao, Wu Chen

Selected lecturers and attendees at SETSS 2017. Left to right: Shmuel Tyszberowicz,
Ian Hayes, Rustan Leino, Natarajan Shankar, Gary Leavens, Zhiming Liu, Zhibin
Yang, Guisen Wu.
 Organization

School Chairs
Zhiming Liu Southwest University, China
Zili Zhang Southwest University, China

Academic Instructors
Jonathan P. Bowen RISE, Southwest University, China,
and London South Bank University, UK
Zhiming Liu RISE, Southwest University, China

Local Organization Committee

Huazhen Liang (Chair) Southwest University, China
Bo Liu (Chair) Southwest University, China
Xiao Qin Southwest University, China
Zhisai Shi Southwest University, China
Qing Wang Southwest University, China
Tingting Zhang Southwest University, China
Yukun Zhang Southwest University, China
Hengjun Zhao Southwest University, China

School Academic Committee

Michael Butler University of Southampton, UK
Yixiang Chen East China Normal University, China
Zhi Jin Peking University, China
Zhiming Liu Southwest University, China
Cong Tian Xi’Dian University, China
Ji Wang National University of Defence Science
and Technology, China
Yi Wang Uppsala University, Sweden,
and Northeast University, China
Jim Woodcock University of York, UK
Jianhua Zhao Nanjing University, China

Reviewers
Jonathan P. Bowen RISE, Southwest University, China,
and London South Bank University, UK
Ian J. Hayes University of Queensland, Australia
XVI Organization

Cliff B. Jones Newcastle University, UK

K. Rustan M. Leino Amazon, USA
Zhiming Liu RISE, Southwest University, China
Natarajan Shankar SRI International Computer Science Laboratory, USA
Shmuel Tyszberowicz RISE, Southwest University, China,
and Tel Aviv University, Israel
Mark Utting University of the Sunshine Coast, Australia
 Contents

A Guide to Rely/Guarantee Thinking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Ian J. Hayes and Cliff B. Jones

An Illustrated Guide to the Model Theory of Supertype Abstraction

and Behavioral Subtyping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Gary T. Leavens and David A. Naumann

Formalizing Hoare Logic in PVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Natarajan Shankar

Modeling Concurrency in Dafny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

K. Rustan M. Leino

Software Is Not Soft: Challenges and Approaches to Dynamic

Software Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Xiaoxing Ma, Tianxiao Gu, and Wei Song

Challenges for Formal Semantic Description: Responses from

the Main Approaches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Cliff B. Jones and Troy K. Astarte

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

 A Guide to Rely/Guarantee Thinking

Ian J. Hayes1(B) and Cliff B. Jones2

1
School of Information Technology and Electrical Engineering,
The University of Queensland, Brisbane, Australia
Ian.Hayes@uq.edu.au
2
School of Computing Science, Newcastle University, Newcastle upon Tyne, UK

Abstract. Designing concurrent shared-variable programs is difficult.

The Rely-Guarantee concept provides a compositional approach to the
challenge. This paper reviews some recent developments in the approach,
offers worked examples and relates the approach to other research.

1 Introduction

This paper provides a guide to one of the approaches to reasoning about the
design of concurrent programs. The focus is on the interference that occurs
when concurrent threads access and update shared variables. The so-called
“Rely/Guarantee” (R/G) approach records such interference in specifications
and provides rules for reasoning about the coherence of different levels of abstrac-
tion thus making the ideas useful in formally justifying program designs. In a
sense that is made precise below, such development steps can be made “compo-
sitional”.
The sense in which this paper provides a “guide” is that the origins and recent
developments of the approach are set out together with a number of illustrative
examples. This section outlines the general R/G idea; Sect. 2 presents a number
of general laws; Sects. 3 and 4 present worked examples. The concluding Sect. 5
of the paper relates R/G to other approaches.

1.1 Interference

Sequential (or non-concurrent) programs begin execution in some starting state

and make changes to that state. Crucially, the designer of such a program can
assume that no changes to the state are made by an external agent during
execution of the sequential code.
It is precisely interference with the state that makes it difficult to construct
and reason about concurrent programs. When thinking about the development
of concurrent programs, it is useful to distinguish one component and its (entire)

This work was supported by Australian Research Council (ARC) Discovery Project
DP130102901 and the UK EPSRC “Taming Concurrency” and “Strata” research
grants.
c Springer Nature Switzerland AG 2018
J. P. Bowen et al. (Eds.): SETSS 2017, LNCS 11174, pp. 1–38, 2018.
https://doi.org/10.1007/978-3-030-02928-9_1
2 I. J. Hayes and C. B. Jones

environment but this initial motivation can be made clearer by assuming that
there are only two processes that can interact. Assume that P and Q share one
variable x and:

– Process Q may do atomic steps that either

• do not change x , i.e. x  = x , where x stands for the initial value of the
variable x and x  its final value, or
• increment x by one, i.e. x  = x + 1
– Before or after each atomic step of process P , P may observe
• no steps of Q, i.e. x  = x
• one step of Q, i.e. x  = x ∨ x  = x + 1
• many steps of Q, i.e. x ≤ x 
– Observe that both x  = x and x  = x + 1 imply x ≤ x 
– Hence we can use x ≤ x  to represent the possible interference from Q on P

This abstract view of the interference can be recorded with rely and guarantee
conditions:

– a rely condition of P
– a guarantee condition of Q

The assumption that P and Q share only one variable can be recorded as part
of the specification of each thread.
Specifications of sequential code are normally given using pre and post con-
ditions. Few programs will achieve a useful effect in arbitrary starting states and
a pre condition is a record of assumptions that the designer of a program can
make about the states in which the program will begin execution. In the same
way, almost no concurrent program could achieve a useful effect in the presence
of arbitrary state changes during its execution and the rely condition invites
the designer to assume limitations on the potential interference. With both pre
and rely conditions, it is the obligation of the designer of the context to check
that the assumptions hold. In contrast, a post condition relation expresses the
expected behaviour of a program and is thus an obligation on the behaviour of
the code to be created. The same applies to guarantee conditions.
To be useful in a design and development process, an important property of
a formal system is that it is compositional. This idea is first explained in terms
of sequential program constructs. The advantage of abstracting a specification
as a post condition is that the relation expresses all that the code to be devel-
oped is required to achieve; no details of the internal execution are dictated;
any implementation that always achieves the required relation is deemed to be
acceptable. Furthermore, if a design decision is made to achieve some given post
condition q by using the sequential composition of two sub-programs s1 ; s2 , the
correctness of such a step can be argued solely in terms of the specifications of
s1 and s2 (and subsequent development of each sub component can ignore both
the specification of its sibling and that of its parent q).
The possibility of interference is precisely what makes it difficult to achieve
useful compositional methods for concurrent programs. Willem-Paul de Roever’s
 A Guide to Rely/Guarantee Thinking 3

extensive study of compositional and non-compositional methods [dR01] reviews

how early approaches such as Susan Owicki’s [Owi75] fall short because of the
need for a final global check on the combined threads. A key claim for R/G
approaches is that, for a large class of shared-variable concurrent programs,
using rely and guarantee conditions offers a compositional approach. Thus a
design that satisfies a specification given as pre/rely/guarantee/post conditions
will not be rejected as a result of a post facto check.

1.2 The Basis of Rely/Guarantee Thinking

As indicated above, the rely/guarantee approach explicitly addresses interfer-
ence both in the specification and design processes. Executions of concurrent
programs can be pictured as traces of the sequence of states that arise. An exe-
cution trace starts in an initial state σ0 (that satisfies pre(σ0 )) and ends in σf
(that paired with the starting state should satisfy the postcondition post(σ0 , σf )).
rely
pre
   
σ0 ··· (σi σi+1 ) ··· π(σj σj +1 ) ··· σf
  
guar

post

For concurrent threads, it is necessary to distinguish environment steps

(σi σi+1 ) from program steps π(σi σi+1 ). The designer of a thread can assume
that:
– the initial state satisfies the precondition pre
– any environment step satisfies the rely condition rely
Under those assumptions, the commitment is that the code created must:
– terminate in a final state that is related to its initial state by post
– every program step satisfies the guarantee condition guar
A rely condition is an abstraction of the interference to be tolerated. Note
that the use of relations is key to the rely/guarantee approach.
Given that there are four predicates and the frame of variables that can
be accessed/changed to be specified, it is necessary to adopt a format for R/G
specifications. It is worth emphasising that there are various layouts (concrete
syntax) for the same underlying concepts. Early papers [Jon81,Jon83a,Jon83b]
followed the VDM keyword style. To take the example from Sect. 3, the task
of removing all of the composite numbers (abbreviated C ) from a set might be
presented as follows:
Sieve(n : N)
ext wr s : F N
pre s ⊆ 0 . . n
rely s  ⊆ s
guar s  ⊆ s ∧ s − s  ⊆ C
post s  ∩ C = ∅
4 I. J. Hayes and C. B. Jones

Comparison with a specification for a sequential version of Sieve is instruc-

tive. If there were no interference, the post condition could be given as an equality
s  = s − C . In the presence of interference, the post condition provides a lower
bound on the removal s  ∩ C = ∅; the upper bound of the elements that can
be removed goes into the guarantee condition s − s  ⊆ C . The rely condition
(which is also the other conjunct of the guarantee condition) is essential in the
subsequent development.
In order to present proof rules for R/G specifications, it proved to be conve-
nient to adopt a more compact concrete syntax than the keyword style; this can
be done by extending Floyd/Hoare [Flo67,Hoa69] triples to write:

{p, r } s {g, q} (1)

The key proof obligation about concurrent threads can then be written:
{p, rl } sl {gl , ql }
{p, rr } sr {gr , qr }
r ∨ gr  rl
r ∨ gl  rr
gl ∨ gr  g
p ∧ ql ∧ qr ∧ (r ∨ gl ∨ gr )∗  q
Par-I
{p, r } sl || sr {g, q}

As pointed out, the underlying idea (“rely/guarantee thinking”) is the impor-

tant concept; the specific concrete syntax to be used should be a matter of conve-
nience. Section 1.4 offers a markedly different style but, despite this new format,
the keyword presentation is in fact useful for long specifications and is used in
several publications.

1.3 Data Abstraction

The use of abstract objects is important for the specification of any non-trivial
computer system. Fortunately, the proof steps for data reification are composi-
tional in the same way as (and work together with) those that deal with decom-
position using programming constructs.
Data abstraction has a particularly strong role in the specification and design
of concurrent programs. As is illustrated below in the examples considered in
Sects. 3 and 4, an abstraction can yield a clear description of a problem that can
only yield an efficient implementation by choosing a clever representation. In the
Sieve example (Sect. 3), the specification in terms of sets of natural numbers is
brief and intuitive and the choice to reify this to a vector of bits affords a natural
way of ensuring the monotonic reduction of the set. The fact that a machine is
likely to read and write multiple bits in a single operation presents an interesting
challenge that is resolved in Sect. 3.5 using a compare-and-swap instruction.
A further important use of abstraction manifests itself in the development
of “Simpson’s four slot” implementation of an “asynchronous communication
 A Guide to Rely/Guarantee Thinking 5

mechanism”: a shared data structure is used in [JH16]; because the reader and
writer processes both access it, this abstract object appears to be subject to
data races but the development can partition which sub-parts of the shared
object are being used by the two processes at any point in time. The final data-
race-freedom property on the individual “slots” –that is the clever part of Hugo
Simpson’s design– is thus justified at a level of abstraction where the argument
is clearest.
Data abstraction and reification sit perfectly with rely/guarantee thinking.
A further interesting link to Separation Logic [O’H07] is made in [JY15]—this
point is explored in Sect. 5.

1.4 Pulling Apart the Old R/G Notation

Much research has been built on the original R/G ideas: over 20 PhDs more or
less directly contribute extensions; the ideas are also often used in conjunction
with other approaches including Separation Logic (e.g. [BA10,BA13]).
Recently, new presentations of R/G specifications have been proposed.
It is shown in [HJC14,JH16] how a refinement calculus [BvW98,Mor90]
specification can be qualified by rely or guarantee clauses of the form
(rely r • c) and (guar g • c), where c is an arbitrary command. The specifi-
cation of Sieve in Sect. 1.2 becomes:

(guar s  ⊆ s ∧ s − s  ⊆ C •
(rely s  ⊆ s •
î ó
s : s ⊆ 0 . . n, s  ∩ C = ∅ ))

Although this can be viewed as an alternative concrete syntax for the orig-
inal specification, this style lends itself to exploring algebraic properties of the
operators such as distribution of guarantee conditions over sequential and par-
allel constructs (see Sect. 2). The algebraic ideas are taken further in [HCM+16]
where relies and guarantees are represented as separate commands (rely r ) and
(guar g) which are combined with other constructs using a new weak conjunc-
tion operator “”.1 That facilitates proofs of some properties at a significantly
more abstract level. In the new form the specification of Sieve becomes:
î ó
(rely s  ⊆ s)  (guar s  ⊆ s ∧ s − s  ⊆ C )  {s ⊆ 0 . . n} ; s : s  ∩ C = ∅

A crucial advantage of the newer presentations of rely and guarantee condi-

tions is that they expose the algebraic properties of the components of specifica-
tions. In particular, it makes it possible to express properties of each construct
as well as their combinations.
1
This operator was originally devised by us to allow guarantees to be expressed as a
separate command, which is then combined with the rest of the specification using
weak conjunction. Weak conjunction has since found wider use as a general compo-
sition operator.
6 I. J. Hayes and C. B. Jones

2 Laws
This section presents an overview of the laws used in the examples; the reader
is expected to refer back to these laws when trying to comprehend the examples
in Sects. 3 or 4. Any reader who is unfamiliar with R/G might benefit from
scanning one of the examples in Sects. 3 or 4 before digesting the laws in this
section.
As a notational convention throughout this section, p is used for a predicate
characterising a set of states, g, q and r are used for predicates characteris-
ing relations between states, and c and d are used for commands. Subscripted
versions of these names follow the same convention.

2.1 Refinement
The approach presented here is based on the refinement calculus [BvW98,Mor90]
in which the fact that command c is refined (or implemented) by d is written c  d .
An operator is monotonic with respect to refinement if refining one operand of the
operator refines the whole. The operators sequential composition (;), parallel com-
position ( ), and weak conjunction (), explained below, are all monotonic in both
arguments.

Law 1 (monotonicity). If c0  c1 ∧ d0  d1 all the following hold.

c0 ; d0  c1 ; d1 (2)

c0 d0  c1 d1 (3)
c0  d0  c1  d1 (4)

Note that as refinement is reflexive, i.e. c  c for any c; the above law can be
applied when just the first (or just the second) operand is refined.

2.2 Pre Conditions and Post Conditions

The sequential refinement calculus [BvW98,Mor90] makes use of an assertion (or
î ó condition) command {p} and a specification (or post condition) command
pre î ó
q to express a pre-post specification as the sequential composition {p} ; q ,
in which p is a predicate characterising a set of states and q is a predicate
characterising a relation between a pair of (before and after) states. The pre
condition {p} represents an assumption that the initial state satisfies p. If p
holds in the initial state, {p} acts as the nil command and hence has no effect;
but, if p does not hold in the initial state, any behaviour at all is allowed; thus
{p} behaves like abort, the command that allows any behaviour whatsoever
and is strict in the sense that abort ; c = abort for any command c and hence
one cannot recover from aborting.
The basic laws regarding pre condition and post condition specifications from
the sequential refinement calculus are still valid in the concurrent refinement
 A Guide to Rely/Guarantee Thinking 7

calculus. It is a refinement to assume less about the initial state, i.e. weaken the
pre condition, and the ultimate weakening is to {true}, which is equivalent to
nil and hence corresponds to removing the pre condition.
Law 2 (weaken-pre). If p1  p2 , then {p1 }  {p2 }.

Law 3 (remove-pre). {p} ; c  c.

It is a refinement to produce a subset of the behaviours of a specification

command, which corresponds to strengthening the post condition, but in doing
so one can assume the pre condition holds initially.
î ó î ó
Law 4 (strengthen-post-pre). If p ∧ q2  q1 , then {p} ; q1  {p} ; q2 .
A post condition specification that takes the form of the relational compo-
sition q1 o9 q2 of two relations can be decomposed into a sequential composition
of two specifications, the first satisfying q1 and the second q2 . In addition, if the
first establishes p1 in the final state, represented here by p1 , the second may
assume p1 as a pre condition.
î ó î ó î ó
Law 5 (sequential). q1 o9 q2  q1 ∧ p1 ; {p1 } ; q2 .

2.3 Concurrent Specifications

To express concurrent specifications, two additional commands, rely r and
guar g, are used, in which both r and g are predicates characterising a rela-
tion between a pair of states. A concurrent specification can then be written in
the form
î ó
(rely r )  (guar g)  {p} ; q

in which  is the weak conjunction operator defined so that behaviours of c  d

are the common behaviours of c and d unless either c or d aborts, in which case
c  d aborts. Weak conjunction is associative, commutative and idempotent; it
has identity chaos, the command that allows any non-aborting behaviour.

2.4 Rely Conditions

A rely command rely r represents an assumption that all environment steps
satisfy r . It aborts if any atomic environment step does not satisfy r in the
same way that a pre condition {p} aborts if the state does not satisfy p. A rely
combined with a command, i.e. (rely r )  c, behaves as c unless its environment
makes a step that does not satisfy r , in which case the rely command aborts
and hence the whole command (rely r )  c aborts. A weak (rather than strong)
conjunction is essential here to allow the aborting behaviour of the rely to be
promoted to aborting behaviour of the whole command. Note that a strong
conjunction would mask the aborting behaviour of the rely if c by itself was
non-aborting.
8 I. J. Hayes and C. B. Jones

The basic laws for relies mimic those for pre conditions: one can assume less
about the environment (i.e. a rely can be weakened) and the ultimate weakening
is to remove the rely altogether because (rely true) = chaos, which is the identity
of .
Law 6 (weaken-rely). If r1  r2 , then (rely r1 )  (rely r2 ).
Law 7 (remove-rely). (rely r )  c  c.
A rely applied to a sequential composition effectively applies the rely to each
statement in the composition, and hence if one, c2 , is refined to d in a rely
context of r , the whole is refined by replacing c2 by d . Taking either c1 or c3 as
nil gives the special cases of refining the first or last commands in a sequence.
Law 8 (refine-within-rely). If (rely r )  c2  (rely r )  d ,
(rely r )  c1 ; c2 ; c3  (rely r )  c1 ; d ; c3 .

2.5 Guarantee Conditions

A guarantee command (guar g) allows any non-aborting behaviour in which all
atomic program steps satisfy g between their before and after states. A guarantee
combined with a command, i.e. (guar g)c, only allows behaviours of c in which
all program steps satisfy g unless c aborts in which case (guar g)  c aborts.
Again a weak (rather than strong) conjunction is essential to ensure that the
guarantee command, which never aborts, does not mask any aborting behaviour
of c, for example, c may contain a failing pre or rely condition.
In the same way that strengthening a post condition restricts the allowed
behaviours and hence is a refinement, strengthening a guarantee is also a refine-
ment. It is also a refinement to introduce a guarantee because the weakest guar-
antee, (guar true), equals chaos, the identity of .
Law 9 (strengthen-guar). If g2  g1 , then (guar g1 )  (guar g2 ).
Law 10 (introduce-guar). c  (guar g)  c.
Conjoining two guarantees requires every program step to satisfy both guar-
antees and hence the guarantees can be merged to give a guarantee satisfying
both guarantees.
Law 11 (merge-guars). (guar g1 )  (guar g2 ) = (guar g1 ∧ g2 ).
A guarantee distributes into a sequential composition or parallel composition,
regardless of whether the latter is a binary parallel or a multiway parallel.
Law 12 (distrib-guar-sequential).
(guar g)  (c ; d )  ((guar g)  c) ; ((guar g)  d ).
Law 13 (distrib-guar-parallel).
(guar g)  (c d )  ((guar g)  c)((guar g)  d ).
 
Law 14 (distrib-guar-multi-parallel). (guar g)  i ci  i ((guar g)  ci ).
 A Guide to Rely/Guarantee Thinking 9

2.6 Frames

The sequential refinement calculus makes use of a frame, a set of variables x

that are allowed to be modified; all other variables must remain unchanged. In
a sequential setting, the implied post condition that the final value of such vari-
ables is the same as their initial values would not preclude them being changed
providing their initial values were reestablished. In the context of concurrency,
a frame of x forbids any atomic program step to modify any variables other
than x . If we let id(y) stand for the relation constraining all variables in y to be
unchanged, and x to stand for the set of all variables other than x , then id(x )
represents the relation constraining all variables other than x to be unchanged.
To impose that constraint on all program steps one can use a guarantee of the
form (guar id(x )) and hence to constrain any command c to not modify vari-
ables other than x , one can use (guar id(x ))  c. We introduce the abbreviation
x : c for this.

x :c“= (guar id(x ))  c (5)

î ó
For example, a specification command q with a frame of x is expressed as
î ó
x : q , in the syntax of Morgan’s sequential refinement calculus [Mor90]. Note
î ó
that a specification with an empty frame is written ∅ : q and hence corresponds
î ó
to (guar id) q , which constrains all program steps to not modify any program
variables, i.e. all program steps are stuttering or idle steps. Restricting a frame
is a refinement because it strengthens the implicit guarantee of the frame.
Law 15 (restrict-frame). For sets of variables X and Y , if Y ⊆ X , then
X : c  Y : c.
Laws for a command c can be promoted to laws for a command with a frame
x : c by expanding x : c to (guar id(x ))  c, applying the law (assuming it does
not affect the guarantee) to give guar id(x ))  c1 and then
î ó abbreviating that to
x : c1 . In particular, laws for specifications of the form q can be promoted to
î ó
laws for framed specifications x : q in this manner. This paper does not give
the promoted laws explicitly but we assume all laws are promoted in this fashion
and implicitly make use of the promoted versions while quoting the un-promoted
law.

2.7 Introducing a Parallel Composition

The raison d’être for rely and guarantee conditions is to provide a law that allows
a specification that is the conjunction of two post conditions to be decomposed
into a parallel composition with each branch achieving one of the post condi-
tions. The first branch relies on the interference from the second branch being
bounded by r1 and hence the second branch needs to guarantee its program
steps guarantee r1 . Symmetrically, the second branch assumes interference from
10 I. J. Hayes and C. B. Jones

the first is bounded by r2 and hence the first branch needs to guarantee its pro-
gram steps guarantee r2 . Both branches also need to allow interference from the
environment of the whole, which is bounded by r .
Law 16 (introduce-parallel)
î ó î ó
(rely r )  q1 ∧ q2  ((rely r ∨ r1 )  (guar r2 )  q1 )
î ó
((rely r ∨ r2 )  (guar r1 )  q2 )

While the binary version of parallel introduction (above) allows asymmetric

relies and guarantees, the multiway version (below) is normally used where the
guarantees of all the component processes are the same. The interference on each
component process is either from the environment of the whole and satisfies r ,
or from some other process in the set and satisfies r1 .
Law 17 (introduce-multi-parallel). For a finite index set I ,
(rely r )  i∈I qi i∈I (guar r1 )  (rely r r1 )  qi .

2.8 Trading Law

If every program step made by a command satisfies g and every environment step
is assumed to satisfy r , then every step satisfies r ∨ g, and hence if the command
terminates after a finite number of steps, end-to-end it will satisfy the reflexive,
transitive closure of r ∨ g, i.e. (r ∨ g)∗ . Hence a specification command with a
post condition of q in the context of a rely of r and a guarantee g is equivalent
to a specification command with a post condition of (r ∨ g)∗ ∧ q.

Law 18 (trading). î ó î ó
(rely r )  (guar g)  q = (rely r )  (guar g)  (r ∨ g)∗ ∧ q .

2.9 Interference on Predicates and Expressions

A pre condition p may hold initially but, before a command has a chance to
do any program steps, the environment may execute some steps which may
invalidate p. To avoid such issues one needs to use predicates that are stable
under interference satisfying the rely condition r .

Definition 1 (stable). A predicate p characterising a set of states is stable

under r iff r  (p ⇒ p  ).

When dealing with post conditions of two states, it is advantageous to use

a post condition q that is unaffected by interference occurring before the initial
state or after the final state. Further, if the initial state satisfies a pre condition
p, it can be taken into account.
 A Guide to Rely/Guarantee Thinking 11

Definition 2 (tolerates). A predicate q characterising a relation between a

pair of states tolerates interference r from p iff p is stable under r and both

p ∧ (r o9 q)  q
p ∧ (q o9 r )  q.

If these conditions hold, p ∧ (r ∗ o9 q o9 r ∗ )  q.

If an expression is evaluated under interference from its environment, the
values of the variables in the expression may change between accesses to those
variables. To handle this, two restricted forms of expressions are used: con-
stant expressions and single-reference expressions. An expression that is constant
under interference r evaluates to the same value before and after the interference.

Definition 3 (constant-expression). An expression e is constant under

interference r iff r  (e = e  ), where e  stands for the evaluation of e in
the final state.
For example, both x + x and 2 ∗ x are constant under interference satisfying
x  = x , and x − x is constant under any interference. A less obvious example is
that x mod N is constant under interference that adds multiples of N to x .
Note that the definition of a constant expression only considers evaluating
the whole of the expression in a single state, either the initial or final state;
however, an expression like x − x may evaluate to a non-zero value if the two
accesses to x take place in states in which x is different. The other special class
of expression is a single-reference expression, which means that the evaluation of
the expression corresponds to its value in one single state during the expression’s
evaluation. For example, 2 ∗ x is single reference but x + x is not and neither is
x − x.
Definition 4 (single-reference-expression). An expression e is single refer-
ence under interference r iff e is
– a constant,
– a variable and access to the variable is atomic,
– a unary expression e and e is single reference, or
– a binary expression e1 ⊕ e2 and both e1 and e2 are single reference under r
and either e1 and e2 is constant under r .
Below, accesses to variables are assumed to be atomic, unless they are vectors.
If an expression is both constant and single reference then its evaluation under
interference corresponds to its value in any of the states during its evaluation.
That means there is no interference on its evaluation.

2.10 Introducing an Atomic Step

An atomic step command p, q represents a command that performs a single
atomic step satisfying q from a state satisfying p and aborts from states not
12 I. J. Hayes and C. B. Jones

satisfying p. The atomic step may be preceded or followed by a finite number of

stuttering steps that do not change the state. Note that p, q is not the same as
{p};true, q because in the latter p is evaluated in the initial state σ0 whereas in
the former p is evaluated in a state σ just before the atomic step satisfying q and
there may be environment steps in between that change σ0 to σ. An atomic step
command is used to define a compare-and-swap primitive used in the example
in Sect. 3. A specification can be refined to an atomic step that satisfies both the
guarantee and the postcondition. The guarantee must be reflexive to allow for
any stuttering steps made by p, g ∧ q.
Law 19 (introduce-atomic). If p is stable under r , g is reflexive and q tol-
erates r from p,
î ó
(guar g)  (rely r )  {p} ; q  (rely r )  p, g ∧ q .

2.11 Introducing an Assignment

An assignment, x := e, is subject to interference on both the expression e and

the assigned variable x . The simple case is if the rely condition implies there
is no interference at all, in which case the law is quite similar to the sequential
refinement law except that the assignment also has to satisfy any guarantee. The
guarantee is required to be reflexive to allow for stuttering steps in the evaluation
of the expression.

Law 20 (local-assignment). If e is an expression that is both single-reference

and constant under r , p is stable under r , q tolerates r from p, g is reflexive
and p ∧ id(x )  (g ∧ q)[x  \e],
î ó
(rely r )  (guar g)  {p} ; x : q  x := e.

The following law is useful for refining a specification to an updated speci-

fication followed by assignment. The law assumes that there is no interference
on e.
Law 21 (post-assignment). If e is an expression that is both single-reference
and constant under r , p0 and p1 are stable under r , q tolerates r from p, g is
reflexive and p1 ∧ id(x )  g[x  \e],
î ó
(rely r )  (guar g)  {p0 } ; x : q 
î ó
((rely r )  (guar g)  {p0 } ; q[x  \e  ] ∧ p1 ) ; x := e.

A special case of an assignment is if there is interference on a single-reference

expression e whereby the interference implies that the before and after values
of e are related by a reflexive, transitive relation “”. In that case, the value
assigned to x is between the initial and final values of e.
 A Guide to Rely/Guarantee Thinking 13

Law 22 (rely-assignment). Let p be stable under r , x be a variable that is

constant under r , e be an expression that is single-reference under r and “”
a reflexive, transitive binary relation, such that id(x ) ∨ r  e  e  , and
p ∧ id(x )  g[x  \e], then
î ó
(rely r )  (guar g)  {p} ; x : e  x   e   x := e.

2.12 Introducing a Local Variable

If before introducing a local variable called x , a pre condition p refers to a more
global variable also called x , then there are two separate variables both named
x and within the local variable block references within its pre condition are to
the local x . To address this issue, any information about x within p is removed
by existentially quantifying x within the pre condition within the local block to
give a pre condition (∃ x · p). A common case is where x is a fresh variable and
hence there are no references to x within p and (∃ x · p) ≡ p.
A similar situation applies to references to x within the initial rely condition.
Such references are existentially quantified in the rely condition within the local
block to give a local rely of (∃ x , x  · r ). Further, local variable x is private to the
block and thus not subject to any interference. Hence any rely condition within
the block is strengthened by x  = x within the local variable’s scope.
If within the local block there is a guarantee of g, any references to x within
g are to the local variable and hence the guarantee outside the block has to be
weakened to (∃ x , x  · g). Further, because all references to x within the local
block are to the local occurrence of x , the more global x cannot be modified
within the local block and hence the guarantee outside the local block can be
strengthened with x  = x .
A similar situation applies to the post condition, in that any references to x
within the post condition within the local block refer to the local x and must be
existentially quantified in the outer post condition. Note that the outer post con-
dition cannot be strengthened with x  = x (as for the outer guarantee) because
although the local block does not change the more global x , its environment
may. Again, if x is fresh and not referred to in q we have (∃ x , x  · q) ≡ q.
Finally, the local x is added to the frame of the specification within the block.

Law 23 (introduce-var). For a variable x and set of variables Y , if p is stable

under r , and q tolerates r from p,
î ó
(rely r )  (guar x  = x ∧ (∃ x , x  · g))  {p} ; Y : ∃ x , x  · q 
î ó
var x · (rely x  = x ∧ (∃ x , x  · r ))  (guar g)  {∃ x · p} ; x , Y : q .

A useful combination is to introduce a local variable and initialise it to satisfy

the pre condition of the residual specification. This rule assumes there is no
interference on the expression e assigned as the initial value of x .
Another random document with
no related content on Scribd:
 BELISARIUS.
a. d. 565.

The imagination of poets, painters, and sculptors, backed by one of

Marmontel’s novels, has helped to make of an apocryphal tradition a
matter of history which has been believed in by the many, who are
ever open-mouthed to receive the marvellous upon trust.
This tradition relates to the general Belisarius, the conqueror of the
Vandals, who, after having been falsely accused of treason, is said
to have been deprived of his sight by the Emperor Justinian, and to
have been reduced to such a state of poverty that he was compelled
to beg his bread in the streets of Constantinople.
No contemporary historian mentions these circumstances; but they
have been repeated age after age without examination, and several
learned men of repute, such as Volaterranus, Pontanus, &c., have
helped to propagate the error in the literary world.
In the 16th century it was so unquestionably accepted by the Italians,
that they gave the name of Belisarius begging to a beautiful ancient
statue then in the Borghese museum, which Winckelmann, in his
Histoire de l’Art, has proved to be no other than a statue of Augustus
propitiating Nemesis.
Between the years 1637 and 1681, this fable was made the subject
of several tragedies. In the following century Marmontel composed
and published his romance of Belisarius, the conception of which
arose from an engraving that came into his possession. In his
Memoirs he himself thus explains the circumstance:
“I had received a present of an engraving of Belisarius taken from
the fine picture of him by Van Dyck. My eyes were continually
attracted to the face, and I was seized with an irresistible desire to
treat this interesting subject in prose; and as soon as the idea took
possession of me, the pains in my chest and lungs seemed to leave
me as if by magic. The pleasure of composing my story, the care I
took in arranging and developing it, occupied my mind so entirely,
that I was drawn away from all thoughts of self.”
The novel was so successful that it was translated into almost every
language of Europe, and three successive editions appeared. But
the really ludicrous part of the story is, that in the preface to the
edition of 1787, the author declares that he has followed from first to
last the account given by Procopius, while in fact the details
presented by this contemporary of Belisarius in the five first chapters
of his Secret History are diametrically opposed to the picture drawn
by Marmontel.
Thus then the fiction of blind Belisarius begging was quickly
propagated, and was helped on by the artist David, who painted in
1781 his celebrated picture of the general. Again, in the reign of
Napoleon I., M. Jouy wrote a tragedy on this subject, but he only
obtained permission to bring it out in 1825, and thanks to the
immense talent of Talma it was very well received. M. Jouy, in his
preface, showed his ignorance as an historian by saying, “I have
kept faithfully to the facts, details, and characters authorised by
history.”
Lastly, this error appears in modern times in a Turkish tradition, and
is noticed by Feller in his Universal Biography. “There is shown to
this day,” says he, “a prison in Constantinople called the Tower of
Belisarius. It stands on the borders of the sea, on the road from the
castle of the seven towers to the seraglio. The common people say
that the prisoners let down a small bag at the end of a string to solicit
alms from the passers-by, saying: “Date obolum Belisario quem
Fortuna evexit, Invidia oculis privavit.”
After having traced as briefly as possible the origin of this fable, we
will dwell for a moment on the manner in which the best and most
learned critics have treated it.
The hackneyed story of Belisarius, blind and begging, was unknown
to all contemporary authors without exception. Not one can be
quoted as having mentioned so remarkable a circumstance. From
the 6th to the 12th century, no writer who speaks of this great
general ever alludes to his blindness or to his poverty.
The French historian Le Beau, in his “Histoire du bas Empire,” says:
“The fall of Belisarius gave rise to a ridiculous story which has been
for 600 years repeated by poets and prose writers, but which all well-
informed authors have agreed in refuting.”
The real fact, drawn from the best sources, and recorded by Gibbon,
is this:
About two years after the last victory of Belisarius over the
Bulgarians, the Emperor Justinian returned in bad health from a
journey to Thracia. There being a rumour of his death, a conspiracy
was formed in the palace, but the conspirators were detected, and
on being seized were found to have daggers hidden under their
garments. Two officers of the household of Belisarius were accused,
and torture induced them to declare that they had acted under the
secret instructions of their chief. Belisarius appeared before the
council, indignant and undaunted. Nevertheless, his fidelity, which
had remained unshaken for forty years, availed him nothing. The
emperor condemned him without evidence; his life was spared, but
his fortune was sequestrated, and from December 563 to July 564
he was guarded as a prisoner in his own palace. At length his
innocence was acknowledged, and his freedom and honours were
restored; but death, which might possibly have been hastened by
grief and resentment, removed him from the world within a year of
his liberation.
About 600 years after this event, John Tzetzes, poet and
grammarian, born in Constantinople, attempted in ten bad Greek
verses to draw a picture of Belisarius deprived of sight and
penniless. The tale was imported into Italy with the manuscripts of
Greece, and before the close of the 15th century it was taken up by
more than one learned writer and universally believed.
The credulity of the multitude is such, that they still persist in ignoring
the refutation of Samuel Schelling (Dissertatio historica de Belisario,
Witteb. 1665, in 4ᵗᵒ), of Th. Fr. Zeller (Belisarius, Tubing. 1809, in
8ᵛᵒ), of Roth (Ueber Belisar’s Ungnade, Bâle 1846, in 8ᵛᵒ) and many
others.
In a note to Gibbon’s History edited by W. Smith LL.D., we see that
two theories have been started in modern times to account for the
fable of the beggary of Belisarius. The first is that of Le Beau, who
supposes that the general was confounded with his contemporary
John of Cappadocia. This prætorian prefect of the East, whose
crimes deserved a thousand deaths, was ignominiously scourged
like the vilest of malefactors, clothed in rags and transported in a
bark (542) to the place of his banishment at Antinopolis in Upper
Egypt, and this ex-consul and patrician was doomed to beg his
bread in the cities which had trembled at his name.
The second supposition is that of Mr. Finlay (History of the Byzantine
Empire), who suggests that the story took its rise from the fate of
Symbatius and Peganes, who, having formed a conspiracy against
Michael III., in the 9th century, were deprived of their sight and
exposed as common beggars in Constantinople.
It is not likely, however, that the fate of men in the ninth century
should have been confused with that of individuals in the sixth.
It is right to add, that Lord Mahon, in his Life of Belisarius, argues in
favour of the tragic fate of Justinian’s celebrated general. “But,”
observes Dean Milman, “it is impossible to obtain any satisfactory
result without contemporary evidence, which is entirely wanting in
the present instance.” These words from the learned Milman lead us
to suppose that he rejects the authority of Procopius, who
accompanied Belisarius as counsellor and secretary in his Eastern
wars, in Africa, and in Italy, as he himself informs us; and who, in his
Anecdota,[12] devotes five chapters to the life and misfortunes of
Belisarius, without saying one word either of his blindness or of his
abject poverty.
Ernest Renan, in his Essais de morale et de critique, has also
examined into the trustworthiness of the Secret History of Procopius,
and he arrives at the opinion, that this author had only exaggerated
the crimes of the wicked century in which Justinian lived. He would
then have been the last to soften the disgrace incurred by Belisarius.
At the time of the fall of Napoleon I., a popular song written by
Népomucène Lemercier on Belisarius, became more than ever in
vogue, as it contained allusions to the misfortunes of the
companions in arms and soldiers, attached to the emperor. At all the
Bonapartist reunions they sang:

“Un jeune enfant, un casque en main,

Allait quêtant pour l’indigence,
D’un vieillard aveugle et sans pain,
Fameux dans Rome et dans Byzance;
Il disait à chaque passant
Touché de sa noble misère,
Donnez une obole à l’enfant
Qui sert le pauvre Bélisaire!”

In France this ballad contributed greatly to keep up a belief in the

fabulous story which we have here examined.
 THE ALEXANDRIAN LIBRARY.
a. d. 640.

Ptolemy-Soter, chief of the dynasty of the Lagides, laid the

foundation of the Alexandrian library. It was afterwards enlarged by
his son Ptolemy Philadelphus and his successors; and from this
celebrated repository the city of Alexandria derived the title of
“Mother of Books.”
There is much difference of opinion as to the number of works
contained in this library. Instead of 54,800 volumes as asserted by
St. Epiphanes, or 200,000 according to Josephus, Eusebius tells us,
that at the death of Ptolemy Philadelphus, 100,000 volumes were
collected in it.
The building was situated to the east of the large sea-port, near the
city of Canopus, and became a prey to the flames when Julius
Cæsar, who was besieged in that part of the town in which the
museum stood, ordered the fleet to be set on fire. The wind
unfortunately carried the flames to the neighbouring houses and to
the locality of the Bruchion, close to the site of the valuable library.
Lucan, in his Pharsalia, has described this conflagration with much
spirit:[13]

“On one proud side the lofty fabric stood

Projected bold into the adjoining flood;
There, fill’d with armed bands, their barks draw near,
But find the same defending Cæsar there:
To every part the ready warrior flies,
And with new rage the fainting fight supplies;
Headlong he drives them with his deadly blade,
Nor seems to be invaded, but to invade.
 Against the ships Phalaric darts he aims,
Each dart with pitch and livid sulphur flames.
The spreading fire o’erruns their unctuous sides,
And nimbly mounting, on the topmast rides:
Planks, yards and cordage feed the dreadful blaze;
The drowning vessel hisses in the seas;
While floating arms and men promiscuous strew’d,
Hide the whole surface of the azure flood.
Nor dwells destruction on their fleet alone,
But driven by winds, invades the neighbouring town:
On rapid wings the sheety flames they bear,
In wavy lengths, along the reddening air.
Not much unlike the shooting meteors fly,
In gleamy trails athwart the midnight sky.
Soon as the crowd behold their city burn,
Thither all headlong from the siege they turn;
But Cæsar, prone to vigilance and haste,
To snatch the just occasion ere it pass’d,
Hid in the friendly night’s involving shade,
A safe retreat to Pharos timely made.”

Orosius tells us that 400,000 volumes were destroyed by the fire:

“So perished,” says he “this monument of the learning and labour of
the ancients, who had amassed the works of so many illustrious
men.” “Monumentum studiique curæque majorum qui tot ac tanta
illustrium ingeniorum opera congesserant.”[14]
Cleopatra was not insensible to the loss of so great a treasure, and
Antony, to console her, presented her with the whole collection of
books made by the king of Bithynia at Pergamus, to the number of
200,000 volumes. These books, with the few that had escaped the
flames, formed the second library, and were placed in the Serapeon,
or temple of Serapis, which from that time became the resort of all
learned men. In a. d. 390, the fanatic Theophilus, patriarch of
Alexandria, worthy of being the friend of the tyrant Theodosius, took
advantage of the protection of that Emperor to disperse the library of
the Serapeon, and to drive out the savans who assembled there. He
overthrew the temple itself and built a church on its ruins which bore
the name of the Emperor Arcadius. It would thus appear that the
oldest and most extensive libraries of Alexandria ceased to exist
before the 5th century of the Christian era. Nevertheless, there is still
an opinion maintained among learned men that the immense
collection made by the Ptolemies was destroyed by the Arabs in the
7th century.[15]
Several writers, with Gibbon at their head, have rejected this notion.
Reinhart published at Göttingen in 1792 a special dissertation on the
subject. It was Gregorius Bar-Hebræus, better known under the
name of Abulpharadje, elected primate of the East in 1264, who
gave the earliest account of the burning of the library at Alexandria,
in a chronicle he published in Syriac, and afterwards translated into
Arabic at the solicitation of his friends.
He says: “John the grammarian came to Amrou, who was in
possession of Alexandria, and begged that he might be allowed to
appropriate a part of the booty. ‘Which part do you wish for,’ asked
Amrou. John replied, ‘The books of philosophy which are in the
treasury (library) of kings.’ Amrou answered that he could not
dispose of these without the permission of the Emir Al-Moumenin
Omar. He wrote to the Emir, who replied in these terms: ‘As to the
books you speak of, if their contents are in conformity with the Book
of God (the Koran) we have no need of them; if, on the contrary, their
contents are opposed to it, it is still less desirable to preserve them,
so I desire that they may be destroyed.’ Amrou-Ben-Alas in
consequence ordered them to be distributed in the various baths in
Alexandria, to be burnt in the stoves; and after six months, not a
vestige of them remained.”[16]
How open is this unlikely story to objection! In the first place, John of
Alexandria was dead before the city was taken, on the 21st
December 640.
D’Herbelot, in his Bibliothèque Orientale, tells us that at that period
four thousand baths existed in Alexandria. What a multitude of
volumes it must have required to supply fuel for them for the space
of six months! And then the absurdity of attempting to heat baths
with parchment!!!
Renaudot was the first in France who threw a doubt on this story in
his Histoire des Patriarches d’Alexandrie. “It merely reposes,” says
he, “on Eastern tales, and these are never to be relied upon.”
Kotbeddin, in his History of Mecca, from which de Sacy quotes an
extract in his Notes des Manuscrits, Vol. IV. p. 569, relates seriously,
that at the taking of Bagdad by Hulagou the destroyer, of the empire
of the Caliphs, the Tartars threw the books belonging to the colleges
of this city into the river Euphrates, and the number was so great,
that they formed a bridge, over which foot-passengers and
horsemen went across!
Besides Abulpharadi, two other eastern writers give an account of
the destruction of the library: Abd-Allatif and Makrizi; but they only go
over the same ground as their predecessors.
These three writers (of the 12th, the 13th, and the 15th centuries)
are the less to be relied upon as no other eastern historians who
speak of the conquest of Egypt by the Arabians, mention the loss of
their great repository by fire.
Eutyches, the patriarch of Alexandria, who lived in the 10th century,
and who enters into details of the taking of this city by the Arabians;
Elmacin, who, in the 13th century, recounts the same fact; and
Aboulfeda, who at about the same period gives a description of
Egypt, completely ignore this remarkable and important event.
How is it that the Greek authors, who were so incensed against the
Saracens, omit to speak of this conflagration authorised by Omar?—
and that after centuries of silence Abulpharadi is the first who opens
his lips on the subject? And it is still more surprising that this writer
did not mention the anecdote in his Chronicle, published in Syriac,
but that he only added it while translating his work into Arabic at the
latter end of his life.
The Caliphs had forbidden under severe penalties the destruction of
all Jewish and Christian volumes, and we nowhere hear of any such
work of destruction during the first conquests of the Mahommedans.
Quite at the beginning of the 5th century, Paulus Orosius, a disciple
of St. Jerome, mentions, on his return from Palestine, having seen at
Alexandria the empty book-cases which the library had formerly
contained.
All these arguments brought forward by Assemanni, by Gibbon, by
Reinhard, and many others, do not appear to have convinced M.
Matter, although he admits in his Histoire de l’École d’Alexandrie,
that a certain amount of courage is necessary to maintain the
opinion of the existence of an extensive collection of books at the
commencement of the conquest.
“There are two points beyond dispute,” says he, “in this question.
The first is, that Alexandria possessed during the 5th and 6th
centuries, after the destruction of the Serapeon, a library of sufficient
importance to contain many valuable literary works. The next is, that
these works, far from being limited to religion and theology, as
Gibbon supposes, included various branches of study; of this we
cannot entertain a doubt when we reflect on the later productions of
the school of Alexandria.”
In order to establish his argument, Matter enters into long details.
“Gibbon himself,” he says, “would have admitted later that Amrou
might have burned other works in Alexandria besides those on
theology.”
Two orientalists, Langlès and de Sacy, have adopted a very similar
opinion. “It is incontestable,” says the former, “that on the entrance of
the Mahommedans, a library still existed at Alexandria, and that it fell
a prey to the flames.”[17]
De Sacy allows that the story told by Abulpharadi is very probable,
and proves that at that period the Mahommedans did demolish
libraries and destroy books, in spite of the law against any such
destruction.
At any rate this opinion has only been adopted by a small minority,
and Amrou is generally exonerated from having been the destroyer
of the Alexandrian Library.
 POPE JOAN.
a. d. 855.

Is it true that a woman succeeded in deceiving her cotemporaries to

the extent of elevating herself to the pontifical throne?
Did a catastrophe ensue which afforded a proof of her sex as
unexpected as indisputable?
If there is no foundation for this tale, how comes it that it has been so
long accepted as authentic by writers whose attachment to the
Roman church is perfectly sincere?
Such are the questions that we here propose to ourselves, and
which have been recently treated by two Dutch literati, Mr. N. C. Kist,
professor at the university of Leyden, in a work published in 1845;
and Mr. J. H. Wensing, professor at the seminary of Warmond, who
has written a refutation of Mr. Kist’s work in a thick volume of more
than 600 pages, printed at the Hague.
I will proceed to give a brief sketch of the circumstances as
presented to us by reliable authors.
After the death of Leo IV., in the year 855, the Roman people
proceeded, according to the custom of that period, to the nomination
of a sovereign pontiff. The choice fell upon a foreigner who had for
some years been resident in the eternal city. He was held in high
repute, as well for his virtues as for his talents. This stranger was a
woman of English origin, born in Germany, who had studied in
France and Greece, and who in the disguise of a man had baffled all
detection. Raised to the pontifical throne, she assumed the name of
John VIII., and governed with exemplary wisdom, but in private life
was guilty of irregularities which resulted in pregnancy. She
endeavoured to conceal her situation, but on the occasion of a great
religious festival she was seized with sudden pains in the midst of a
procession, and, to the astonishment and consternation of the
crowd, gave birth to a child who instantly expired. The mother herself
died upon the spot, succumbing to the effects of pain, terror, and
shame.
This is the most widely spread version; it has however been asserted
that the female pope, “la papesse,” survived her mischance, and
ended her days in a dungeon.
Anastatius, deacon and librarian of the Roman church, was living at
this period, and collected numerous materials for a history of the
sovereign pontiffs. He composed a series of their biographies under
the title of “Liber Pontificalis,” and affirms that he was present at the
election of the Popes from Sergius III. to John VIII., that is to say
from 844 to 882. He must then have been a witness to the
catastrophe of Joan. Now he makes no mention of it, but, in his
work, Pope Benedictus III. follows immediately after Leo IV. An
occurrence of so extraordinary a nature must necessarily have
struck him. It has indeed been pretended that he did make mention
of it, but that his account was suppressed by defenders of the
church, and that in some manuscripts it is still to be found.
Nevertheless these manuscripts, very scarce and incorrect, only
contain one phrase to the purpose, which is met with for the first time
in the writings of the 14th century. It is moreover accompanied by an
expression of doubt (ut dicitur) and there is at the present time
scarcely any enlightened critic but would regard it as an interpolation
of the copyist.
The silence of Anastatius admits therefore of but one interpretation.
It is not until two hundred years after the alleged date of the event
that the first mention of it is found in the Chronicon of Marianus
Scotus, who was born in Scotland in 1028, and died at Mayence in
1086. He says: “Joan, a female, succeeded Pope Leo IV. during two
years, five months, and four days.” A contemporary of Marianus
Scotus, Godfrey of Viterbo, made a list of the sovereign pontiffs, in
which we read between Leo IV. and Benedict III., “Papissa Joanna
non numeratur” (the female Pope does not count).
We must come to the 13th century to find in the Chronicon of
Martinus Polonus, Bishop of Cosenza in Calabria, some particulars
respecting the female Pope Joan.[18] At this period a belief in the
truth of her existence is spread abroad, and the evidences become
more numerous, but they are little else but repetitions and hear-says;
no details of any weight are given.
David Blondel,[19] although a Protestant clergyman, treated the story
of Pope Joan as a fable. The English bishop John Burnet is of the
same opinion, as well as Cave, a celebrated English scholar. Several
other learned men have amply refuted this ancient tradition. Many
have thought to sustain the romance of Marianus against the doubt
excited by a silence of more than 200 years, by asserting that the
authors who lived from the year 855 to 1050, refrained from making
any mention of the story on account of the shame it occasioned
them; and that they preferred to change the order of succession of
the Popes by a constrained silence, rather than contribute, by the
enunciation of an odious truth, to the preservation of the execrable
memory of the woman who had dishonoured the papal chair. But
how is it possible to reconcile this with the other part of the same
story, that the Roman court was so indignant at the scandal, that, to
prevent a repetition of it, they perpetuated its remembrance by the
erection of a statue, and the prohibition of all processions from
passing through the street where the event had happened. What
shadow of truth can exist in things so totally contradictory?
Moreover, Joseph Garampi[20] has proved beyond dispute, that
between the death of Leo IV. and the nomination of Benedict III.,
there was no interval in which to place Pope Joan, and the most
virulent antagonists of the court of Rome make no mention of her.
In 991 Arnolphus, bishop of Orleans, addressed to a council held at
Reims, a discourse in which he vehemently attacked the excesses
and turpitudes of which Rome was guilty. Not a word, however, was
said on the subject of Joan. The patriarch of Constantinople,
Phocius, who was the author of the schism which still divides the
Greek and Latin churches, and who died in 890, says nothing
respecting her.
The Greeks, who after him maintained eager controversies against
Rome, are silent respecting Joan.
It is clear that the author who first speaks of this event, after a lapse
of two centuries, is not worthy of credit, and that those who, after
him, related the same thing, have copied from one another, without
due examination.
Whilst rejecting as apocryphal the legend under our consideration,
some writers have at the same time sought to explain its origin.
The Jesuit Papebroch, one of the most industrious editors of the
Acta Sanctorum, thinks that the name “papesse” was given to John
VII., because he shewed extreme weakness of character in the
exercise of his functions.
The Cardinal Baronius starts an hypothesis of the same kind, but this
conjecture is somewhat far-fetched.
A chronicle inserted in the collection of Muratori, Rerum Italicarum
Scriptores, contains an anecdote that has some analogy with our
subject.
A patriarch of Constantinople had a niece to whom he was much
attached. He disguised her in male attire and made her pass for a
man. At his death he recommended her to his clergy, without
divulging the secret of her sex. She was very learned and virtuous,
and was elected Patriarch. She remained eighteen months on the
throne, but the Prince of Benevent, having become acquainted with
the truth, denounced the fraud at Constantinople, and the
patriarchess was immediately expelled.
This anecdote was very generally reported and credited in Italy in the
11th century, for Pope Leo IX., in a letter of 1053, written to the
Patriarch of Constantinople, expresses himself thus:—
“Public report asserts as an undeniable fact, that in defiance of the
canons of the first council of Nice, you Greeks have raised to the
pontifical throne, eunuchs, and even a woman.”
At this period Rome had not yet begun to occupy herself with the
legend of Joan, which was scarcely spread abroad in Germany. If in
the East there had been any idea of the scandal of the female Pope,
which was afterwards so prevalent, the reproach of Leo IX. would
undoubtedly have been turned against himself.
We give another explanation: “The strangest stories have always
their foundation in some truth,” says Onuphrius Panvinius, in his
notes upon Platina: “I think that this fable of the woman Joan takes
its origin from the immoral life of Pope John XII., who had many
concubines, and amongst others Joan, who exercised such an
empire over him that for some time it might be said it was she who
governed. Hence it is that she was surnamed “papesse,” and this
saying, taken up by ignorant writers and amplified by time, has given
birth to the story which has had such wide circulation.
We find in the history of the Bishop of Cremona, Luitprand,[21] that
the love of John XII. for his concubine Joan went so far that he gave
her entire cities, that he despoiled the church of St. Peter of crosses
and of golden chalices in order to lay them at her feet; and we are
told that she died in childbed.
This death is a remarkable circumstance. In it we may trace the
source of the most striking event in the story of Pope Joan.
 ABELARD AND ELOISA.
a. d. 1140.

We had already collected many notes with the intention of

examining critically the celebrated history of these two lovers of the
12th century, when we read an article by Mr. F. W. Rowsell in the St.
James’s Magazine for October 1864, in which he gives a sketch of
the lives of both of them. The writer has succeeded in condensing
into half a dozen very amusing pages a complete résumé of the
leading events in their history; only he has followed the commonly
received opinion held by many English and French historians who
have taken up the subject, and he does not enter into a critical
examination of several points at issue.
Everybody knows how great an attraction the monument erected to
the memory of Eloisa and Abelard is to the crowds who visit the
cemetery of Père la Chaise, recalling to their minds the letters full of
love and passion written by Eloisa, which have elicited so many
imitations both in prose and verse in England and in France.
The history of the two lovers being true as a whole, we are far from
wishing to take away from the sympathy that their constancy and
hapless love so well deserve. Our only object is to separate the true
from the false, and to show that the celebrated letters imputed to
Eloisa were not written by her at all, and that the tomb in Père la
Chaise is altogether a modern construction.
Abelard, born in 1079, died in 1164, and Eloisa survived him
upwards of twenty years, dying in 1184.
The works and correspondence of Abelard were published for the
first time in 1616 by the learned Duchesne, and we therein find three
letters from Eloisa to Abelard and four from Abelard to Eloisa. These
are the letters on which Pope, in England, and Dorat, Mercier,
Saurin, Colardeau, &c., in France, founded their poems.
Out of these seven letters, four only can strictly be termed the
amatory correspondence of the two lovers. The remainder, and
those that have been brought to light and published in later years,
are pious effusions which contain no trace whatever of those
passionate emotions which pervaded the four other letters. We must
remind the reader that the oldest manuscript existing of these
epistles is nothing more than an alleged copy of the originals made
one hundred years after the death of Eloisa. It is preserved in the
library of the town of Troyes, and belongs to the latter half of the 13th
century.
A modern French historian, M. Henri Martin, having written some
pages in a melodramatic style on these letters of Eloisa, a critic, M.
de Larroque,[22] pointed out to him the error into which he had fallen,
they having evidently been composed some years after the death of
the heroine.
The learned Orelli published in 4ᵗᵒ at Zurich, in 1841, what may be
termed the memoirs of Abelard, entitled, Historia Calamitatum: also
the seven letters of the two lovers.
In the preface to this work, Orelli declares, that on many grounds he
believes that these letters, so different from such as might have been
expected from Eloisa, were never written by her. The grounds, which
Orelli omits to state, are supplied by M. Lalanne in “La
Correspondance Littéraire” of the 5th December 1856.
In order to arrive at a clear perception of the improbabilities and
contradictions contained in these epistles, all the bearings of the
case should be kept well in mind.
In the Historia Calamitatum, Abelard opens his heart to a friend who
is in affliction and whom he endeavours to console by drawing a
counter picture of his own misery. The writer relates his life from his
birth; his struggles and his theological triumphs; his passion for
Eloisa, the vengeance of Fulbert, her uncle, the canon of Paris; his
wandering life since he assumed the cowl in the abbey of St. Denis;
the foundation of the convent of the Paraclete, where he received
Eloisa and the nuns of the convent of Argenteuil; and lastly his
nomination as Abbé of the monastery of St. Gildas, where the monks
more than once conspired against his life.
This is about the only document we possess regarding the life of
Abelard, for it is remarkable that the contemporary writers are
singularly concise in all that concerns him. Otho, bishop of
Freisingen, who died in 1158, is the only one who makes even an
allusion to the vengeance of Fulbert; and he expresses himself so
vaguely that his meaning would be incomprehensible were we not
able to explain it by the help of the Historia Calamitatum.
According to these memoirs, Abelard was thirty-seven or thirty-eight
years of age when he became enamoured of Eloisa, who was then
sixteen or seventeen years old. He introduced himself into the
household of the Canon Fulbert, was appointed professor to the
young girl, and soon became domesticated in the family. Eloisa,
becoming soon after pregnant, fled to Brittany, where she gave birth
to a son. She afterwards returned to Paris, and after frequent
negotiations between Fulbert and Abelard, the lovers were at length
married, but the marriage was kept secret.
The rest is known. Abelard, fearfully mutilated, became a monk in
the abbey of St. Denis, and at his bidding, to which she was ever
entirely submissive, Eloisa took the veil in the convent of Argenteuil.
These events occupied about the space of two years, and bring us to
1118 or 1119.
In a council held in Paris ten years later (1129) a decree was passed
expelling Eloisa and the other nuns from the convent of Argenteuil,
which the Abbé Suger had claimed as being a dependance of the
Abbaye de St. Denis.[23]
This expulsion coming to the ears of Abelard, he offered the nuns an
asylum in the Paraclete, which he had lately founded, and which he
soon after made over to them as a gift.
Pope Innocent II. confirmed this gift in 1131. Abelard speaks further,
in his Historia Calamitatum, of events befalling a year later, and of
his return to the abbey of St. Gildas. We see therefore that this
memoir, written with much care and attention, cannot have been
published before 1133, and perhaps even long after that. Abelard
was then in his fifty-fourth year and Eloisa in her thirty-second or
thirty-third. About fourteen years had elapsed since both had
embraced the monastic life: in the meanwhile they had met and had
spent more or less time together in the Paraclete between 1129 and
1132.
Let us now enquire if the subject matter contained in these seven
letters, all of which were written after the latter date (a fact that
should be carefully noted) agrees with that which has preceded.
The amorous correspondence of the lovers is confined to four letters.
The first is written by Eloisa. She says, that if she writes to Abelard
at all, it is that she has by accident seen the Historia Calamitatum;
and in order to convince him that she has read it, she touches briefly
on each circumstance recorded in it, every one of which must have
been only too familiar to them both.
Does the reader think this a natural or a probable style of
commencement? Does it not denote something artificial in the
composition? Farther on she complains that Abelard has forsaken
her: “her to whom the name of mistress was dearer than that of wife,
however sacred this latter tie might be.”[24]
And finally she adds: “Only tell me if you can, why, since we have
taken the monastic vows, which you alone desired, you have so
neglected and forgotten me that I have neither been blessed by your
presence nor consoled by a single letter in your absence. Answer
me, I beseech you, if you can, or I may myself be tempted to tell you
what I think, and what all the world suspects.”[25]
This letter, full of passionate reproach, contains contradictions and
improbabilities perceptible to all who have read that which has
preceded.
Let us first call attention to the style, which is hardly to be explained.
The passionate expressions of Eloisa would have been quite natural
in the first years that followed her separation from Abelard, but
fourteen years had elapsed—fourteen years of monastic life to both
one and the other.
She appeals to a man of fifty-four years of age, cut off for the space
of fourteen years from all intercourse with her, worn out by his
theological contests, his wandering life, and the persecutions of
which he had been the victim; and who prays only, according to his
own letters, “for eternal rest in the world to come.” But nothing
checks the flow of her passion, which she pours out with a
vehemence the more remarkable as proceeding from a woman of
whom Abelard had not long since written, in his Historia
Calamitatum: “All are alike struck by her piety in the convent, her
wisdom, and her incomparable gentleness and patience under the
trials of life. She is seldom to be seen, but lives in the solitude of her
cell, the better to apply herself to prayer and holy meditation.”
But the continuation seems even more incomprehensible.
Admitting, which is somewhat difficult, that Eloisa had not seen
Abelard since his severe affliction until his reception of her in the
Paraclete in 1129, on her expulsion from Argenteuil, is it at all certain
that they did meet then, and that moreover the frequency of their
interviews gave rise to scandalous reports which obliged them again
to separate? How then can Eloisa complain that since their entrance
upon a religious life (that is to say since 1119) she has “neither
rejoiced in his presence, nor been consoled by his letters?” And she
wrote this in 1133 or 1134! It is incredible that these lines should
have been penned by her.
The second letter of Eloisa is not less ardent than the first. She
mourns in eloquent language over the cold tone of sadness
pervading the answer sent to her by Abelard. She reverts at some
length to the cruel cause of their separation, and deplores her
misfortune in such unequivocal terms, that we think it better to give
her words in their original latin. “Difficillimum est a desideriis
maximarum voluptatum avellere animum. ... In tantum vero illæ
quæs pariter exercuimus amantium voluptates dulces mihi fuerunt ut
nec displicere mihi nunc, nec a memoria labi possint.