Logic Based Program Synthesis and

Transformation 24th International

Symposium LOPSTR 2014 Canterbury
UK September 9 11 2014 Revised
Selected Papers 1st Edition Maurizio
Proietti
Visit to download the full and correct content document:
https://textbookfull.com/product/logic-based-program-synthesis-and-transformation-24
th-international-symposium-lopstr-2014-canterbury-uk-september-9-11-2014-revised-
selected-papers-1st-edition-maurizio-proietti/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Parameterized and Exact Computation 9th International

Symposium IPEC 2014 Wroclaw Poland September 10 12 2014
Revised Selected Papers 1st Edition Marek Cygan

https://textbookfull.com/product/parameterized-and-exact-
computation-9th-international-symposium-ipec-2014-wroclaw-poland-
september-10-12-2014-revised-selected-papers-1st-edition-marek-
cygan/

Semantic Technology 4th Joint International Conference

JIST 2014 Chiang Mai Thailand November 9 11 2014
Revised Selected Papers 1st Edition Thepchai Supnithi

https://textbookfull.com/product/semantic-technology-4th-joint-
international-conference-jist-2014-chiang-mai-thailand-
november-9-11-2014-revised-selected-papers-1st-edition-thepchai-
supnithi/

Energy Efficient Data Centers Third International

Workshop E2DC 2014 Cambridge UK June 10 2014 Revised
Selected Papers 1st Edition Sonja Klingert

https://textbookfull.com/product/energy-efficient-data-centers-
third-international-workshop-e2dc-2014-cambridge-uk-
june-10-2014-revised-selected-papers-1st-edition-sonja-klingert/

Unifying Theories of Programming 5th International

Symposium UTP 2014 Singapore May 13 2014 Revised
Selected Papers 1st Edition David Naumann (Eds.)

https://textbookfull.com/product/unifying-theories-of-
programming-5th-international-symposium-utp-2014-singapore-
may-13-2014-revised-selected-papers-1st-edition-david-naumann-
Agents and Data Mining Interaction 10th International
Workshop ADMI 2014 Paris France May 5 9 2014 Revised
Selected Papers 1st Edition Longbing Cao

https://textbookfull.com/product/agents-and-data-mining-
interaction-10th-international-workshop-admi-2014-paris-france-
may-5-9-2014-revised-selected-papers-1st-edition-longbing-cao/

Trends in Functional Programming 15th International

Symposium TFP 2014 Soesterberg The Netherlands May 26
28 2014 Revised Selected Papers 1st Edition Jurriaan
Hage
https://textbookfull.com/product/trends-in-functional-
programming-15th-international-symposium-tfp-2014-soesterberg-
the-netherlands-may-26-28-2014-revised-selected-papers-1st-
edition-jurriaan-hage/

Foundations and Practice of Security 7th International

Symposium FPS 2014 Montreal QC Canada November 3 5 2014
Revised Selected Papers 1st Edition Frédéric Cuppens

https://textbookfull.com/product/foundations-and-practice-of-
security-7th-international-symposium-fps-2014-montreal-qc-canada-
november-3-5-2014-revised-selected-papers-1st-edition-frederic-
cuppens/

Cellular Automata and Discrete Complex Systems 20th

International Workshop AUTOMATA 2014 Himeji Japan July
7 9 2014 Revised Selected Papers 1st Edition Teijiro
Isokawa
https://textbookfull.com/product/cellular-automata-and-discrete-
complex-systems-20th-international-workshop-automata-2014-himeji-
japan-july-7-9-2014-revised-selected-papers-1st-edition-teijiro-
isokawa/

Information Search Integration and Personalization 9th

International Workshop ISIP 2014 Kuala Lumpur Malaysia
October 9 10 2014 Revised Selected Papers 1st Edition
Dimitrios Kotzinos
https://textbookfull.com/product/information-search-integration-
and-personalization-9th-international-workshop-isip-2014-kuala-
lumpur-malaysia-october-9-10-2014-revised-selected-papers-1st-
 Maurizio Proietti
Hirohisa Seki (Eds.)

Logic-Based
LNCS 8981

Program Synthesis
and Transformation
24th International Symposium, LOPSTR 2014
Canterbury, UK, September 9–11, 2014
Revised Selected Papers

123
Lecture Notes in Computer Science 8981
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zürich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7407
Maurizio Proietti Hirohisa Seki (Eds.)
•

Logic-Based
Program Synthesis
and Transformation
24th International Symposium, LOPSTR 2014
Canterbury, UK, September 9–11, 2014
Revised Selected Papers

123
Editors
Maurizio Proietti Hirohisa Seki
IASI-CNR Nagoya Institute of Technology
Rome Nagoya
Italy Japan

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-17821-9 ISBN 978-3-319-17822-6 (eBook)
DOI 10.1007/978-3-319-17822-6

Library of Congress Control Number: 2015937958

LNCS Sublibrary: SL1 – Theorectical Computer Science and General Issues

Springer Cham Heidelberg New York Dordrecht London

© Springer International Publishing Switzerland 2015
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.

Printed on acid-free paper

Springer International Publishing AG Switzerland is part of Springer Science+Business Media

(www.springer.com)
 Preface

This volume contains a selection of the papers presented at LOPSTR 2014, the 24th
International Symposium on Logic-Based Program Synthesis and Transformation held
during September 9–11, 2014 at the University of Kent, Canterbury, UK. It was
colocated with PPDP 2014, the 16th International ACM SIGPLAN Symposium on
Principles and Practice of Declarative Programming.
Previous LOPSTR symposia were held in Madrid (2013 and 2002), Leuven (2012 and
1997), Odense (2011), Hagenberg (2010), Coimbra (2009), Valencia (2008), Lyngby
(2007), Venice (2006 and 1999), London (2005 and 2000), Verona (2004), Uppsala
(2003), Paphos (2001), Manchester (1998, 1992 and 1991), Stockholm (1996), Arnhem
(1995), Pisa (1994), and Louvain-la- Neuve (1993). More information about the sym-
posium can be found at: http://www.iasi.cnr.it/events/lopstr14/.
The aim of the LOPSTR series is to stimulate and promote international research
and collaboration on logic-based program development. LOPSTR is open to contri-
butions in all aspects of logic-based program development, all stages of the software
life cycle, and issues of both programming-in-the-small and programming-in-the-large.
LOPSTR traditionally solicits contributions, in any language paradigm, in the areas of
synthesis, specification, transformation, analysis and verification, specialization, testing
and certification, composition, program/model manipulation, optimization, transfor-
mational techniques in software engineering, inversion, applications, and tools.
LOPSTR has a reputation for being a lively, friendly forum for presenting and dis-
cussing work in progress. Formal proceedings are produced only after the symposium
so that authors can incorporate this feedback in the published papers.
In response to the call for papers, 34 contributions were submitted from 21 different
countries. The Program Committee accepted 7 full papers for immediate inclusion in
the formal proceedings, and 11 more papers presented at the symposium were accepted
after a revision and another round of reviewing. Each submission was reviewed by at
least 2 and on the average 3.0, Program Committee members or external referees. In
addition to the 18 contributed papers, this volume includes the abstracts of the invited
talks by two outstanding speakers: Roberto Giacobazzi (University of Verona, Italy),
shared with PPDP and Viktor Kuncak (EPFL, Switzerland).
We would like to thank the Program Committee members, who worked diligently to
produce high-quality reviews for the submitted papers, as well as all the external
reviewers involved in the paper selection. We are very grateful to the LOPSTR 2014
General Co-chairs, Olaf Chitil and Andy King, and the local organizers for the great
job they did in managing the symposium. Many thanks also to Olivier Danvy, the
Program Committee Chair of PPDP, with whom we often interacted for coordinating
the two events. We are grateful to Emanuele De Angelis and Fabrizio Smith, who
helped us in maintaining the LOPSTR web site and editing these proceedings. We
would also like to thank Andrei Voronkov for his excellent EasyChair system that
automates many of the tasks involved in chairing a conference. Special thanks go to all
VI Preface

the authors who submitted and presented their papers at LOPSTR 2014, without whom
the symposium would have not been possible. Finally, Maurizio Proietti gratefully
acknowledges financial support from the Italian National Group of Computing Science
(GNCS-INDAM).

February 2015 Maurizio Proietti

Hirohisa Seki
 Organization

Program Committee
Slim Abdennadher German University of Cairo, Egypt
Étienne André Université Paris 13, France
Martin Brain University of Oxford, UK
Wei-Ngan Chin National University of Singapore, Singapore
Marco Comini University of Udine, Italy
Włodek Drabent IPI PAN Warszawa, Poland and Linköping
University, Sweden
Fabio Fioravanti University of Chieti-Pescara, Italy
Jürgen Giesl RWTH Aachen, Germany
Miguel Gómez-Zamalloa Complutense University of Madrid, Spain
Arnaud Gotlieb SIMULA Research Laboratory, Norway
Gopal Gupta University of Texas at Dallas, USA
Jacob Howe City University London, UK
Zhenjiang Hu National Institute of Informatics, Japan
Alexei Lisitsa University of Liverpool, UK
Yanhong A. Liu State University of New York at Stony Brook,
USA
Jorge A. Navas NASA Ames Research Center, USA
Naoki Nishida Nagoya University, Japan
Corneliu Popeea Technische Universität München, Germany
Maurizio Proietti IASI-CNR, Rome, Italy (Co-chair)
Tom Schrijvers Ghent University, Belgium
Hirohisa Seki Nagoya Institute of Technology, Japan (Co-chair)
Jon Sneyers Katholieke Universiteit, Leuven, Belgium
Fausto Spoto University of Verona, Italy
Wim Vanhoof University of Namur, Belgium
Germán Vidal Universitat Politécnica de València, Spain

General Co-chairs
Olaf Chitil University of Kent, UK
Andy King University of Kent, UK

Organizing Committee
Emanuele De Angelis IASI-CNR, Rome, Italy
Fabrizio Smith IASI-CNR, Rome, Italy
VIII Organization

Additional Reviewers

Bardin, Sebastien Ieva, Carlo Morihata, Akimasa

Bucheli, Samuel Inuzuka, Nobuhiro Narayanaswamy, Ganesh
Cai, Zhouhong Ismail, Haythem Nishimura, Susumu
Choppy, Christine Kawabe, Yoshinobu Pettorossi, Alberto
Cirstea, Horatiu King, Andy Salazar, Elmer
Di Gianantonio, Pietro Komendantskaya, Ströder, Thomas
Emoto, Kento Ekaterina Tan, Tian Huat
Englebert, Vincent Lenisa, Marina Titolo, Laura
Faber, Wolfgang Li, Jun Yue, Tao
Fuhs, Carsten Lovato, Alberto Zaki, Amira
Guo, Hai-Feng López-Fraguas, Francisco
Gutiérrez, Raúl Javier
Haemmerlé, Rémy Marple, Kyle
 Obscuring Code

Unveiling and Veiling Information in Programs1

Roberto Giacobazzi

University of Verona, Verona, Italy

roberto.giacobazzi@univr.it

Abstract. We survey the most recent developments in code obfuscation and protection from a
programming languages perspective. Starting from known impossibility results on universal and
general purpose code obfuscation, we show that provably secure obfuscation can be achieved by
constraining the attack model. This corresponds to associate attacks with suitable forms of
interpretation. In this context it is always possible to systematically making code obscure, making
this interpretation failing in extracting (attacking) code. The code transformation can itself be
specified as the specialization of a distorted interpreter.

1
An extended version appears in the proceedings of the 16th International Symposium on Principles
and Practice of Declarative Programming (PPDP 2014), September 8–10 2014, Canterbury, United
Kingdom. ACM Press.
 Synthesizing Functions from Relations in Leon

Viktor Kuncak2, Etienne Kneuss, and Emmanouil Koukoutos

École Polytechnique Fédérale de Lausanne (EPFL),

Lausanne, Switzerland
viktor.kuncak@epfl.ch

Abstract. We present the synthesis functionality of the Leon system (leon.epfl.ch). Leon accepts
a purely functional subset of Scala extended with a choice construct. We describe automated and
manual synthesis and transformation techniques in Leon, which can eliminate the choice
construct and thus transform input/output relation specifications into executable functions from
inputs to outputs. The techniques employed include functional synthesis procedures for decidable
theories such as term algebras and Presburger arithmetic, synthesis proof rules for decomposing
specifications, as well as search-based techniques, such as counterexample-guided synthesis.

2
This work is supported in part by the European Research Council (ERC) Project Implicit Programming.
 Contents

Program Analysis and Transformation

Analyzing Array Manipulating Programs by Program Transformation . . . . . . 3

J. Robert M. Cornish, Graeme Gange, Jorge A. Navas,
Peter Schachte, Harald Søndergaard, and Peter J. Stuckey

Analysing and Compiling Coroutines with Abstract Conjunctive

Partial Deduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Danny De Schreye, Vincent Nys, and Colin Nicholson

Constraint Handling Rules

Confluence Modulo Equivalence in Constraint Handling Rules . . . . . . . . . . . 41

Henning Christiansen and Maja H. Kirkeby

Exhaustive Execution of CHR Through Source-to-Source Transformation . . . 59

Ahmed Elsawy, Amira Zaki, and Slim Abdennadher

A Formal Semantics for the Cognitive Architecture ACT-R . . . . . . . . . . . . . 74

Daniel Gall and Thom Frühwirth

CHRAnimation: An Animation Tool for Constraint Handling Rules . . . . . . . 92

Nada Sharaf, Slim Abdennadher, and Thom Frühwirth

Termination Analysis

Extending the 2D Dependency Pair Framework for Conditional

Term Rewriting Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Salvador Lucas, José Meseguer, and Raúl Gutiérrez

Security

Partial Evaluation for Java Malware Detection . . . . . . . . . . . . . . . . . . . . . . 133

Ranjeet Singh and Andy King

Access Control and Obligations in the Category-Based Metamodel:

A Rewrite-Based Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Sandra Alves, Anatoli Degtyarev, and Maribel Fernández
XII Contents

Program Testing and Verification

Concolic Execution and Test Case Generation in Prolog . . . . . . . . . . . . . . . 167

Germán Vidal

Liveness Properties in CafeOBJ – A Case Study for Meta-Level

Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Norbert Preining, Kazuhiro Ogata, and Kokichi Futatsugi

Program Synthesis

A Hybrid Method for the Verification and Synthesis of Parameterized

Self-Stabilizing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Amer Tahat and Ali Ebnenasir

Drill and Join: A Method for Exact Inductive Program Synthesis . . . . . . . . . 219
Remis Balaniuk

Program Derivation

Functional Kleene Closures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Nikita Danilenko

Semantic Issues in Logic Programming

On Completeness of Logic Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Włodzimierz Drabent

Polynomial Approximation to Well-Founded Semantics for Logic Programs

with Generalized Atoms: Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Md. Solimul Chowdhury, Fangfang Liu, Wu Chen,
Arash Karimi, and Jia-Huai You

Program Transformation and Optimization

Declarative Compilation for Constraint Logic Programming . . . . . . . . . . . . . 299

Emilio Jesús Gallego Arias, James Lipton, and Julio Mariño

Pre-indexed Terms for Prolog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

J.F. Morales and M. Hermenegildo

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Program Analysis and Transformation
 Analyzing Array Manipulating Programs
by Program Transformation

J. Robert M. Cornish1 , Graeme Gange1 , Jorge A. Navas2 , Peter Schachte1 ,

Harald Søndergaard1(B) , and Peter J. Stuckey1
1
Department of Computing and Information Systems,
The University of Melbourne, Melbourne, VIC 3010, Australia
j.cornish@student.unimelb.edu.au
{gkgange,schachte,harald,pstuckey}@unimelb.edu.au
2
NASA Ames Research Center, Moffett Field, Mountain View, CA 94035, USA
jorge.a.navaslaserna@nasa.gov

Abstract. We explore a transformational approach to the problem of

verifying simple array-manipulating programs. Traditionally, verification
of such programs requires intricate analysis machinery to reason with
universally quantified statements about symbolic array segments, such
as “every data item stored in the segment A[i] to A[j] is equal to the
corresponding item stored in the segment B[i] to B[j].” We define a simple
abstract machine which allows for set-valued variables and we show how
to translate programs with array operations to array-free code for this
machine. For the purpose of program analysis, the translated program
remains faithful to the semantics of array manipulation. Based on our
implementation in LLVM, we evaluate the approach with respect to its
ability to extract useful invariants and the cost in terms of code size.

1 Introduction
We revisit the problem of automated discovery of invariant properties in simple
array-manipulating programs. The problem is to extract interesting properties
of the contents of one-dimensional dynamic arrays (by dynamic we mean arrays
whose bounds are fixed at array variable creation time, but not necessarily at
compile time). We follow the array partitioning approach proposed by Gopan,
Reps, and Sagiv [9] and improved by Halbwachs and Péron [11]. This classical
approach uses two phases. In a first phase, a program analysis identifies all
(potential) symbolic segments by analyzing all array accesses in the program.
Each segment corresponds to an interval Ik of the array’s full index domain, but
its bounds are symbolic, that is, bounds are index expressions. For example, the
analysis may identify three relevant segments I1 = [0, . . . , i − 1], I2 = [i], and
I3 = [i + 1, . . . , n − 1]. After this the original array A is considered partitioned
into segments AIk corresponding to the identified segments and each segment is
replaced with a summary variable ak . In the second phase, the analysis aims at
discovering properties ψ(ak ) on each summary variable ak such that
∀  ∈ Ik (ψ(ak ) ⇒ ψ(A[])) (1)

c Springer International Publishing Switzerland 2015
M. Proietti and H. Seki (Eds.): LOPSTR 2014, LNCS 8981, pp. 3–20, 2015.
DOI: 10.1007/978-3-319-17822-6 1
4 J.R.M. Cornish et al.

By partitioning arrays into segments, the analysis can produce stronger sep-
arate analysis for each segment rather than a single weaker combined result
for the whole array. In particular, we can identify singleton segments (AI2 in
the example) and translate array writes to these as so-called strong updates.
A strong update benefits from the fact that the old content of the segment is
eliminated by the update, so the new content replaces the old. For a segment
that may contain multiple elements, an assignment to an array cell may leave
some content unchanged, so a weak update must be used, that is, we must use a
lattice-theoretic “join” of the new result and the old result associated with .
Although very accurate, array partitioning methods have their drawbacks. Par-
titioning can be prohibitively expensive, with a worst-case complexity of O(n!),
where n is the number of program variables. Moreover, partitioning must be done
before the array content analysis phase that aims at inferring invariants for the
form (1), which could be less precise than doing both simultaneously [5]. To mit-
igate this problem, the index analysis, used to infer the relevant symbolic inter-
vals, is run twice: once during the segmentation phase and again during the array
content analysis, which needs it to separate the first fixed point iteration from
the rest. In the more sophisticated approach of Halbwachs and Péron [11,16], the
transfer functions are much more complex and a concept of “shift variables” is
used, representing translation (in the geometric sense) of segments. This is not
easily implemented using existing abstract interpretation libraries.
Contribution. We present a program transformation that allows scalar analy-
ses techniques to be applied to array manipulating programs. As in previously
proposed array analyses [9, 11, 16], we partition arrays into segments whose con-
tents are treated as sets rather than sequences. To maintain the relationship
among corresponding elements of different arrays, we abstract the state of all
arrays within a segment to a set of vectors, one element per array. Thus we
transform an array manipulating program into one that manipulates scalars and
sets of vectors. A major challenge in this is to encode the disjunctive information
carried by each array segment. We propose a technique that splits basic blocks.
It has been implemented using the LLVM framework.
Importantly, a program transformation approach allows the separation of con-
cerns: existing analyses based on any scalar abstract domains can be used directly
to infer array content properties, even interprocedurally. While other approaches
lift a scalar abstract domain to arrays by lifting each transfer function, our app-
roach uses existing transfer functions unchanged, only requiring the addition of
two simple transfer functions easily defined in terms of operations that already
exist for most domains. The approach is also parametric in the granularity of
array index sets, ranging from array smashing [2] to more precise (and expensive)
instances. When we go beyond array smashing, the transformational approach
inherits the exponential search cost present in the Halbwachs/Péron approach,
as for some programs P , the transformed programs P  are exponentially larger
than P . However, for simple array-based sort/search programs [9, 11], a transfor-
mational approach is perfectly affordable, in particular as we can capitalize on
code optimization support offered by the LLVM infrastructure.
 Analyzing Array Manipulating Programs by Program Transformation 5

Instructions I → v1 = constant | v1 = ◦ v2 | v1 = v2 v3 | A
Array assignments A → v1 = arr[v2 ] | arr[v1 ] = v2
Jumps J → If (v1 2 ) label 1 label 2 | Jmp label | error | end
Blocks B → label : I* J
Programs P → B+

Fig. 1. A small control-flow language with array expressions

head∅ :
i=0
x=
head :
a0 =
i=0
Jmp guard0=i
x=
Jmp guard

guard0=i : guard0<i :
guard : v = a0 v = a1
v = A[i] If (v = x) body0=i tail0=i If (v = x) body0<i tail0<i
If (v = x) body tail
body0=i : body0<i :
i= i+1 i=i+1
tail0=i : tail0<i :
body : A0 = {a0 } A0 = A0 ∪ {a1 }
tail : end end
i= i+1 a1 = a1 =
end
Jmp guard Jmp guard0<i Jmp guard0<i
(a) (b)

Fig. 2. (a) An array program fragment and (b) the corresponding set-machine program.

2 Source and Target Language

Our implementation uses LLVM IR as source and target language. However, as
the intricacies of static single-assignment (SSA) form obscure, rather than clarify,
the transformation, we base our presentation on a small traditional control flow
language, whose syntax is given in Fig. 1. We shall usually shorten “basic block”
to “block” and refer to a block’s label as its identifier.
Source. Each block is a (possibly empty) sequence of instructions, followed by
a (conditional) jump. Arithmetic unary and binary operators are denoted by
◦ and  respectively, and logical operators by . We assume that there is a
fixed set of arrays {A1 , . . . , Ak }, which have global scope (and do not overlap
in memory). The semantics is conventional and not discussed here. Figure 2(a)
shows an example program in diagrammatic form.
Target. The abstract machine we consider operates on variables over two kinds
of domains: standard scalar types, and sets of vectors of length k, where k is
the number of arrays in the source. The scalar variables represent scalars of the
source program, including index variables, as well as singleton array segments;
sets of vectors represent non-singleton segments of all extant arrays. Let V be the
6 J.R.M. Cornish et al.

Instructions I → v1 = constant | v1 = ◦ v2 | v1 = v2 v3 | S
Set operations S → S1 = nondet-subset(S2 ) | S1 = S2 ∪ S3 | (v1 , . . . , vk ) = nondet-elt(S1 )
Jumps J → If (v1 2 ) label 1 label 2 | Jmp label | error | end
Blocks B → label : I* J
Programs P → B+

Fig. 3. Control-flow language for the set machine.

Fig. 4. Semantics for set manipulating operations.

set of scalar variables and S be the set of vector set variables. The runtime state
of the machine is given by a pair σ, ρ consisting of a variable store σ : V → Z,
and a set store ρ : S → P(Zk ).
A control flow language for set machine programs is given in Fig. 3. Arith-
metic and logical operations affect only the variable store σ; the semantic rules
for these operations are standard. The set machine also has set operations union
(∪), subset (nondet-subset) and element of (nondet-elt). Figure 4 gives their
semantic rules, distinguishing scalar variables v and (vector) set variables S.
The union update S1 = S2 ∪ S3 maps S1 to the union of values of S2
and S3 . The subset and element operations are non-deterministic: executing
S1 = nondet-subset(S2 ) assigns to S1 some non-empty subset of elements from
S2 , but makes no guarantee as to which elements are selected. Similarly, the ele-
ment operation (v1 , . . . , vk ) = nondet-elt(S1 ) nondeterministically selects some
element of vector set S1 to load into v1 , . . . , vk .
Translation. Figure 2(a)’s program scans an array for the first occurrence of
value x, assumed to occur in A. The constraint A[i] = x ∧ ∀ k ∈ [0, i) (A[k] =
x) is the desired invariant at tail. A corresponding array-free program is given
in Fig. 2(b). The example illustrates some key features. Each contiguous array
segment is represented by a set variable Ai . Each original block is duplicated
for each feasible ordering of interesting variables. In the initial ordering (0 = i)
the only interesting segment is A[0], represented as the singleton a0 ; the read
v = A[i] is replaced by an assignment v = a0 . At guard0<i , A[i] is represented
by a1 so the read is replaced by v = a1 . When i is updated at body0=i , the
previous singleton a0 becomes part of an “aggregate” segment A[0, i−1]. We then
transform singleton a0 to set A0 and introduce a new singleton a1 (representing
A[i] in the updated ordering). Similarly, when we update i in body0<i , segments
A[0, i − 1] and A[i] are merged (yielding A0 = A0 ∪ {a1 }), and a new singleton
a1 is introduced. Consider the resulting concrete set-machine states. At tail0=i ,
we have a0 = x, corresponding to A[0] = x in the original program. At tail0<i ,
we find x ∈ / A0 and a1 = x. These correspond, respectively, to array invariants
∀ ∈ [0, i − 1] . A[] = x and A[i] = x in the original program.
 Analyzing Array Manipulating Programs by Program Transformation 7

3 From Scalar to Set Machine Transfer Functions

We now show how to lift a scalar domain for use by set machines. Essentially, we
use a scalar variable to approximate each component of each set; approximation
of set-machine states can then be obtained by grouping states by values of the
(original) scalar variables. Essentially, we approximate a set-machine state σ, ρ
with set variables {S1 , . . . , Sm } by a set of scalar states {S1 , . . . , Sm

} represent-
ing the possible results of selecting some element from each set:
α (σ, ρ) = {σ ∪ {S1 → y1 , . . . , Sm

→ ym } | y1 ∈ ρ(S1 ), . . . , ym ∈ ρ(Sm )}
Transfer functions for set operations then operate over the universe of possible
states, rather than apply element-wise to each state.
Example 1. Consider a program with one scalar variable x, and one set variable
S, with initial state {x → 0}, {S → {1, 2}}. If we introduce a scalar variable y
that selects a value from S via a we have two possible states:
{x → 0, y → 1}, {S → {1, 2}}
{x → 0, y → 2}, {S → {1, 2}}
If we represent S by scalar variable S  , we have initial states {x → 0, S  → 1}
and {x → 0, S  → 2}. When we wish to select a value for y, it is chosen
nondeterministically from the possible values of S  , resulting in the states:
{x → 0, y → 1, S  → 1}, {x → 0, y → 1, S  → 2}
{x → 0, y → 2, S  → 1}, {x → 0, y → 2, S  → 2}
If we group states with equal values of x and y, we can see that these correspond
to the final states of the original set-machine fragment. 
Note that this is an (over-)approximation. We can only infer the set of values that
may be elements of S—this representation cannot distinguish sets of elements
which may occur together, nor the cardinality of S. For example, assume we
have possible set-machine states ∅, {S → {1}} and ∅, {S → {2}}. The scalar
approximation is {S  → 1}, {S  → 2} which covers the feasible set-machine
states, but also includes ∅, {S → {1, 2}}, which is not feasible. More generally,
if the set ϕ of concrete states allows sets S → X1 , . . . , S → Xk , we have:
∀X (X ⊆ X1 ∪ . . . ∪ Xk ⇒ (S → X) ∈ γ ◦ α(ϕ))
Consider a (not necessarily numeric) abstract domain A, with meet (), join ()
and rename operations, as well as a transfer function F : I → A → A for the
scalar fragment of the language. The rename operation constructs a new state
where each variable xi is replaced with yi (then removes the existing bindings
of xi ). Formally, the concrete semantics of rename is given by
 
y1 → σ(x1 ), . . . , yk → σ(xk ),
rename(σ, [x1 , . . . , xk ], [y1 , . . . , yk ]) = σ
x1 → , . . . , xk →
For each set variable S, we introduce k scalar variables [s1 , . . . , sk ] denoting the
possible values of each vector in S. We then extend F to set operations as shown
in Fig. 5.
8 J.R.M. Cornish et al.

Fig. 5. Extending the transfer function for scalar analysis to set operations

4 Orderings

The transformation relies on maintaining a single ordering of index variables at

each transformed block. We now discuss such total orderings.
Our goal is to partition the array index space (−∞, ∞) into contiguous
regions bounded by index variables. For index variables i and j, we need to
be able to distinguish between the cases where i < j, i = j and i > j. However,
this is not enough; if we assign A[i] = x, but only know that i < j, we cannot
distinguish between the cases i = j − 1 (every element between i and j is x) and
i < j − 1 (there are additional elements with some other property). So, for index
variables i and j, we choose to distinguish these five cases:

i+1<j i+1=j i=j i=j+1 i>j+1

For convenience in expressing these orderings, we will introduce for each index
variable i a new term i+ denoting the value i + 1, and for a set of index variables
I we will denote by I+ the augmented set I ∪ {v + | v ∈ I}. We can then define a
total ordering of a set of index variables I to be a sequence of sets [B1 , . . . , Bk ],
Bs ⊆ I+ , such that the Bs ’s cover I+ , are pairwise disjoint, and satisfy i ∈ Bs ⇔
i+ ∈ Bs+1 .
The meaning of the ordered list π = [B1 , B2 , . . . , Bk ] is parameterised by
the value of program variables involved, that is, it depends on a store σ. The
meaning is: [[π]](σ) ≡

(∀e, e ∈ Bs (σ(e) = σ(e )) ∧ ∀e ∈ Bs ∀e ∈ Bt (s < t → σ(e) < σ(e )))
s,t∈[1..k]

An ordering π (plus virtual bounds {−∞, ∞}) partitions the space of possible
array indices into contiguous regions, given by [σ(e), σ(e )) for e ∈ Bi , e ∈ Bi+1 .
For any index variable i, a segment containing i+ in the right bound is necessarily
a singleton segment; all other segments are considered aggregate.
When a new index variable k enters scope, several possible orderings may
result. Figure 6(c) gives a procedure for enumerating them. When an index vari-
able k leaves scope, computing the resulting ordering consists simply of elimi-
nating k and k+ from π, and discarding any now-empty sets. Assignment of an
index variable is handled as a removal followed by an introduction.1
1
If the assigned index variable appears in the expression, we assign the index to a
temporary variable, and replace the index with the temporary in the expression.
 Analyzing Array Manipulating Programs by Program Transformation 9

We can discard any ordering that arranges constants in infeasible ways, such
as 4 < 3. If we have performed some scalar analysis on the original program, we
need only generate orderings which are consistent with the analysis results.

5 The Transformation
We now detail the transformation from an array manipulating program to a
set-machine program, with respect to a fixed set of interesting segment bounds.
Section 6 covers the selection of these bounds. Intuitively, the goal of the trans-
formation is to partition the array into a collection of contiguous segments, such
that each array operation uniquely corresponds to a singleton segment. Each
singleton segment is represented by a tuple of scalars; each non-singleton seg-
ment is approximated by a set variable. There are two major obstacles to this.
First, a program point does not typically admit a unique ordering of a given
set of segment bounds; second, as variables are mutated in the program, the
correspondence between concrete indices and symbolic bounds changes.
The transformation resolves this by replicating basic blocks to ensure that, at
any program point, a unique partitioning of the array into segments is identifi-
able. Any time a segment-defining variable is modified, introduced or eliminated,
we emit statements to distinguish the possible resulting partitions, and duplicate
the remainder of the basic block for each case. For each partition, we also emit
set operations to restore the correspondence between set variables and array
segments, using nondet-elt and nondet-subset when a segment is subdivided,
and ∪, when a boundary is removed, causing segments to be merged. This way
every array read/write in the resulting program can be uniquely identified with
a singleton segment. As singleton sets are represented by tuples of scalars, we
can finally eliminate array operations, replacing them with scalar assignments.
In the following, we assume the existence of functions next block, which allo-
cates a fresh block identifier, and push block, which takes an identifier, a sequence
of statements and a branch, and adds the resulting block to the program. We
also assume that there is a mutable global table T mapping block identifier and
index variable ordering pairs id, π to ids, used to store previously computed
partial transformations, and an immutable set I of segment bound variables and
constants. The function get block takes a block identifier, and returns the body of
the corresponding block. The function vars returns the set of variables appearing
lexically in the given expression. The function find avar gives the variable name
to which a given array and index will be translated, given an ordering.
Figure 6 gives the transformation. Procedure transform takes a block and
transforms it, assuming a given total ordering π of the index variables. It is called
once with the initial block of each function and an ordering containing only the
constants in the index set. As there are finitely many id, π combinations, and
each pair is constructed at most once, this process terminates.
The core of the transformation is done by a call to transform body(B, π, id, ss).
Here B is the portion of the current block to be transformed and π the current
ordering. id and ss hold the identifier and body of the partially-transformed
10 J.R.M. Cornish et al.

% Check if the block has already been transformed split transform(x, (stmts, br), π, id, ss)
% under π. If not, transform it. Π := feasible orders(π, x)
transform(id, π) split rec(x, Π , (stmts, br), π, id, ss)
if ((id, π) ∈ T )
return T [(id, π)] split rec(x, [π ], (stmts, br), π, id, ss)
idt := next block() asts := remap avars(π, π )
T := T [(id, π) idt ] transform body((stmts, br), π , id, ss : : asts)
(stmts, br) := get block(id)
transform body((stmts, br), π, id, []) split rec(x, [π |Π ], (stmts, br), π, id, ss)
return idt idπ := next block()
% Evaluate a branch. idΠ := next block()
transform body(([], Jmp b), π, id, ss) cond := ord cond(x, π )
idb := transform(b, π) push block(id, ss, If cond then idπ else idΠ )
push block(id, ss, Jmp idb ) asts := remap avars(π, π )
transform body((stmts, br), π , idπ , asts)
transform body(([], If l then t else f ), π, id, ss) split rec(x, Π , (stmts, br), π, idΠ , [])
if vars(l) ⊆ I (b) Fan-out of a block when an index variable is changed
dest := if eval(l, π) then t else f
iddest := transform(dest, π) feasible orders(k, π) : insert(k, π, [])
push block(id, ss, Jmp iddest )
else insert(k, [], pre) : return {pre : :{k} : :{k+ }}
idt := transform(t, π) insert(k, [Si |S], pre)
idf := transform(f , π) low := insert+ (k, [Si | S], pre : :{k})
push block(id, ss, If l then idt else idf ) high := insert(k, S, pre : : Si )
% (Potentially) update an index. if ∃ x . x+ ∈ Si
transform body(([x = expr|stmts], br), π, id, ss) return low ∪ high
if x ∈ I else
split transform(x, (stmts, br), π, id, ss : :[x = expr]) return low ∪ high ∪
else insert+ (k, S, pre : :(Si ∪ {k}))
transform body((stmts, br), π, id, ss : :[x = expr])
% Transform an array read... insert+ (k, [], pre) : return {pre : :{k+ }}
transform body(([x = A[i]|stmts], br), π, id, ss) insert+ (k, [Si | S], pre)
Ai := find avar(π, A, i) if ∃ x . x+ ∈ Si
transform body((stmts, br), π, id, ss : :[x = Ai ]) return {pre : :(Si ∪ {k+ }) : : S}
% or an array write. else
transform body(([A[i] = x|stmts], br), π, id, ss) return {pre : :(Si ∪ {k+ }) : : S} ∪
Ai := find avar(π, A, i) {pre : :{k+ } : : Si : : S}
transform body((stmts, br), π, id, ss : :[Ai = x])
(c) Enumerating the possible total orderings upon
(a) The top-level transformation process introducing a new index variable k

Fig. 6. Pseudo-code for stages of the transformation process.

block. As a block is processed, instructions not involving index or array vari-

ables are copied verbatim into the transformed block. During the process, we
ensure that each (transformed) statement is reachable under exactly one index
ordering π. Singleton segments under π are represented by scalar variables, and
aggregate segments by set variables. Array reads and writes are replaced with
accesses and assignments to the corresponding scalar or set variable, as deter-
mined by find avar. Conditional branches whose conditions are determined by
the current ordering are replaced by direct branches to the then or else part,
as appropriate. Once no instructions remain to be transformed, the block id is
emitted with body ss, together with the appropriate branch instruction.
Whenever an index variable is modified, the rest of the current block must
be split, and the set variables must be updated accordingly. The rest of the
block is then transformed under each possible new ordering π  . This is the job
of split transform shown in Fig. 6(b), while the job of feasible orders in Fig. 6(c)
is to determine the set of possible orders. The function ord cond(x, π  ) gener-
ates logical expressions to determine whether the ordering π  holds, given that
 Analyzing Array Manipulating Programs by Program Transformation 11

π = [{0} < {1} < {i} < {i+ } < {n}]

transform body : π x = a2 x = a2
x := A[i] transform body : π b2 := x
B[i] := x B[i] := x transform body : π
i := i + 1 i := i + 1 i := i + 1
(a) Original (b) After Step 1 (c) After Step 2

Fig. 7. Transformation of array reads and writes under ordering π. As the segment
[i, i+ ] is a singleton, the array elements are represented as scalars.

π previously held. ord cond checks the position of both x and x+ . If x is part
of a larger equivalence class in π, ord cond generates the corresponding equality;
otherwise, it checks that x is greater than its left neighbour; similarly, it checks
that x+ is in its class or less than its right neighbour. Figure 6(b) shows the
process of splitting a block upon introducing an index variable x.

5.1 Reading and Writing

Transformation of array reads and writes is simple, if the array index is in the
set I of index variables. Figure 7(a–c) shows the step-by-step transformation
of a block, under the specified ordering. After Step 1, reference A[i] has been
transformed to scalar a2 , since {i} is a singleton. Similarly, Step 2 transforms
B[i] to b2 .
If the index of the read/write operation has been omitted, we must instead
emit code to ensure the operation is dispatched to the correct set variable. The
dispatch procedure is similar in nature to split transform, as given in Fig. 6(c);
essentially, we emit a series of branches to determine which (if any) of the current
segments contains the read/write index. Once this has been determined, we
apply the array operation to the appropriate segment. If the selected segment is
a singleton, this is done exactly as in transform body. For writes to an aggregate
segment, we must first read some vector from the segment, substitute the element
to be written, then merge the updated vector back into the segment.2

5.2 Index Manipulation

The updating of index variables is the most involved part of the transformation,
as we must emit code not only to determine the updated ordering π  , but also
to ensure the array segment variables are matched to the corresponding bounds.
Figure 8 illustrates this process, implemented by the procedure remap avars, as it
splits a block into three: one to test an index expression to determine what order-
ing applies, and one for each ordering. In the original code, ordering π applies, but
following the assignment, either ordering π0 or π1 may apply. The test inserted
by Step 2 distinguishes these cases, leaving only one ordering applicable to each
of the sπ0 and split1 blocks.
2
Detailed pseudo-code for this is in Appendix A.
12 J.R.M. Cornish et al.

π = [{0} < {1} < {i} < {i+ } < {n}]

π0 = [{0} < {1} < {i} < {i+ } < {n}]
π1 = [{0} < {1} < {i} < {i+ , n}]

..
.. .
.
.. i := i + 1
i := i + 1
. If i + 1 < n then sπ0
If i + 1 < n then sπ0
transform body : π else split1
else split1
i := i + 1
Jmp guard [sπ0 ]
[sπ0 ]
(a) Original remap avars : π i π0
remap avars : π i π0
transform body : π0
transform body : π0
.. Jmp guard
. Jmp guard
i := i + 1
split rec : π [π0 , π1 ] [split1 ]
[split1 ]
Jmp guard remap avars : π i π1
split rec : π i [π1 ]
transform body : π1
(b) After Step 1 Jmp guard
Jmp guard
(c) After Step 2
(d) After Step 3

Fig. 8. Example of updating an index assignment. We assume an existing scalar analy-

sis which has determined that, after i = i + 1, we have 1 < i < n.

If we normalize index assignments such that for k := E, k ∈ / E, we can sepa-

rate the updating of segment variables into two stages; first, computing interme-
diate segment variables Ai after eliminating k from π, and then computing the
new segment variables after introducing the updated value of k. Pseudo-code for
these steps are given in Figs. 9(a) and 10(a). In practice, we can often eliminate
many of these intermediate assignments, as segments not adjacent to the initial
or updated values of k remain unchanged.
When we eliminate an index variable k from π, we merge segments that were
bounded only by k or k + . If k or k + appears alone at the very beginning or
end of π, the segments are discarded entirely. If either appears alone between
other variables in π, the segments on either side are merged to form a single
segment. However, if k and k + are both equal to some other variables, the
original segments are simply copied to the corresponding temporary variables.
This is illustrated in Fig. 9(b).
The pseudo-code in Figs. 9 and 10 ignores the distinction between singleton
and aggregate segments; the transformed operations differ slightly in the two
cases. If we introduce a singleton segment into an aggregate segment, we select a
single vector from the set ((a , b , c ) = nondet-elt(A)); if an aggregate segment
is introduced, we emit a subset operation (A = nondet-subset(A)).
The procedure for injecting k into π behaves similarly. If k is introduced
at either end of π, we introduce new segments with indeterminate values. If k
 Analyzing Array Manipulating Programs by Program Transformation 13

remap avars(k, π, π ) a0 a1
eliminate(k, π) : : introduce(k, π ) π = [{k} < {k+ , n} < {n+ }]
a0
πr = [{n} < {n+ }}]
eliminate(k, π)
eliminate(k, π, 0, 0, ∅)
a0 := a1
eliminate(k, [], , i , E)
if (i = 0) return []
else return [emit merge(Ai −1 , E)] a0
π = [{k, n} < {k+ , n+ }]
eliminate(k, [{c} | S], i, i , E) a0
πr = [{n} < {n+ }}]
where c ∈ {k, k + }
return eliminate(k, S, i + 1, i , E ∪ {Ai })
a0 := a0
eliminate(k, [Sj | S], i, i , E)
suff := eliminate(k, S, i + 1, i + 1, {Ai })
if (i = 0) a0 a1 A2 a3
% Ignore leading segment. π = [{i} < {i+ , k} < {k+ } < {n} < {n+ }]
return suff a0 A1 a2
else πr = [{i} < {i+ } < {n} < {n+ }]
return emit merge(Ai −1 , E) : : suff
a0 := a0
emit merge(x, E) A1 := {a1 } ∪ A2
return [x = E] a2 := a3
(a) (b)

Fig. 9. (a) Algorithm for generating instructions to keep segment variables updated;
(b) resulting assignments when k is eliminated from various orderings, also showing
the remaining order πr and scalar or set variables corresponding to each segment.

is introduced somewhere within an existing segment, we introduce new child

segments—each of which is a subset of the original segment.

5.3 Control Flow

When transforming control flow, there are three cases we must consider:

1. Unconditional jumps
2. Conditional jumps involving some non-index variables
3. Conditional jumps involving only index variables

In cases (1) and (2), the transformation process operates as normal; we recur-
sively transform the jump targets, and construct the corresponding jump with
the transformed identifiers. However, when we have a conditional jump If i  j
then t else f where i and j are both index terms, the relationship between i
and j is statically determined by the current ordering π. As a result, we can sim-
ply evaluate the condition i  j under the ordering π, and use an unconditional
branch to the corresponding block. This is illustrated in Fig. 11.
14 J.R.M. Cornish et al.

introduce(k, π) πp = [{n} < {n+ }]

introduce(k, π, 0, 0) π = [{k} < {k+ , n} < {n+ }]

introduce(k, [], , i ) a0 :=
return [] a1 := a0

introduce(k, [{c} | S], i, i )

where c ∈ {k, k + } πp = [{n} < {n+ }]
suff := introduce(k, S, i + 1, i ) π = [{k, n} < {k+ , n+ }]
if (i = 0)
return [Ai = ] : : suff a0 := a0
else
return [Ai = nondet-subset(Ai )] : : suff
πp = [{i} < {i+ } < {n} < {n+ }]
introduce(k, [Sj | S], i, i ) π = [{i} < {i+ , k} < {k+ } < {n} < {n+ }]
suff := introduce(k, S, i + 1, i + 1)
if (i = 0)
a0 := a0
% Ignore leading segment.
(a1 ) = nondet-elt(A1 )
return suff
A2 = nondet-subset(A1 )
else
a3 := a2
return [Ai = Ai ] : : suff
(b)
(a)

Fig. 10. (a) Generating instructions for (re-)introducing a variable k into a given order-
ing, and (b) the resulting assignments when k is introduced into various orderings. Note
the difference between introducing singleton and aggregate segments.

π = [{0} < {1} < {i} < {i+ } < n]

..
. let bodyπ = transform(body, π) in
transform body : π
If i < n ..
.
then body
Jmp bodyπ
else tail

Fig. 11. Transforming a jump, conditional on index variables only, under ordering π

6 Selecting segment Bounds

Until now we have assumed a pre-selected set of interesting segment bounds.

The selection of segment boundaries involves a trade-off: we can improve the
precision of the analysis by introducing additional segment bounds, but the
transformed program grows exponentially as the number of segment bounds
increases. As do [11], we can run a data-flow analysis to find the set of variables
that may (possibly indirectly) be used as, or to compute, array indices. Formally,
we collect the set I of variables and constants i occurring in these contexts:
 Analyzing Array Manipulating Programs by Program Transformation 15

A[i] where A is an array (2)

i = op(i) where i ∈ I

(3)
i = op(i ) where i ∈ I and i is not a constant (4)

Any variable which does not satisfy these conditions can safely be discarded as
a possible segment bound. For the experiments in Sect. 7 we used all elements of
I as segment bounds (so I = I), which yields an analysis corresponding roughly
to the approaches of [9, 11]. We could, however, discard some subset of I to yield
a smaller, but less precise, approximation of the original program. The cases (3)
and (4) are needed because of possible aliasing; this is particularly critical in
an SSA-based language, as SSA essentially replaces mutation with aliasing. It is
worth noting that these dependencies extend to aliases introduced prior to the
relevant array operation, as in the snippet “i := x; . . . A[i] := k; . . . y := x + 1;”

7 Experimental Evaluation
We have implemented our method using the LLVM framework, in two distinct
transformation phases. In a first pass, transformation is done as described above,
but without great regard for the size of the transformed program. At the same
time, we also use a (polyhedral) scalar analysis of the original program (treating
arrays as unknown value sources) to detect any block whose total ordering is
infeasible. In the second pass, we prune these unreachable blocks away. As can be
gleaned from Table 1, these measures reduce the complexity of the transformed
program significantly.
To extract array properties from the cor- array copy (int* A, int* B, int n) {
int i;
responding invariants discovered in a trans- for (i = 0; i < n; i++)
A[i] = B[i];
formed program, we require users to specify, }
at transformation time, the range of array array init (int* A, int n) {
int i;
segments that are of interest. In our imple- for (i = 0; i < n; i++)
A[i] = 5;
mentation, this is described by a strict index }
inequality that must apply to segments in the array max (int* A, int n) {
int i, max = A[0];
range. For example, specifying 0 < n indi- for (i = 1; i < n; i++) {
if (max < A[i])
cates that we are interested in invariants of the max = A[i] }
form ∀ (0 ≤  < n ⇒ ψ(A1 [], . . . , Ak [])), }
search (int* A, int key) {
where A1 , . . . , Ak are the arrays in scope and int i = 0;
while (A[i] = key)
ψ is some property. At the end of the trans- i++;
formation we use a newly created block to join }
first not null (int* A, int n) {
all copies of the original exit block whose total int i, s = n;
for (i = 0; i < n; i++)
ordering is consistent with the given range. The if (s == n && A[i] = 0)
various scalar representations for each array seg- s = i;
}
ment, as well as other variables in scope in each sentinel (int* A, int n, int sent) {
int i;
copy, are merged together in phi nodes inside A[n − 1] = sent;
this final block. Properties discovered about the }
for (i = 0; A[i] = sent; i++);

segment phi nodes then translate directly to

properties about the corresponding array seg-
ments in the original program. Fig. 12. Simple test programs
16 J.R.M. Cornish et al.

Table 1. Sizes of transformed test programs and analysis time for polka and uva

Program Original Transformed Post-processed Running time (s)

blocks insts. blocks insts. blocks insts. transf. polka uva
array copy 5 12 274 898 33 149 0.80 67.07 0.18
array init 5 11 274 644 33 115 0.94 19.08 0.22
array max 7 19 220 562 51 139 0.95 110.87 0.45
search 5 10 90 167 27 69 0.49 2.05 2.75
first not null 8 17 1057 2217 216 694 3.73 2378.35 4.85
sentinel 5 13 1001 1936 294 765 3.07 1773.01 4.97

We have tested our method by running first the polka polyhedra domain [12]
on the output of our transformation when applied to the programs given in
Fig. 12. The interesting invariants that we infer are as follows (each property
holds at the end of the corresponding function):

array copy : ∀ (0 ≤  < n ⇒ A[] = B[])

array init : ∀ (0 ≤  < n ⇒ A[] = 5)
array max : ∀ (0 ≤  < n ⇒ A[] ≤ max)
search : ∀ (0 ≤  < i ⇒ A[] = key)
first not null : ∀ (0 ≤  < s ⇒ A[] = 0)
sentinel : ∀ (0 ≤  < i ⇒ A[] = sent)

Figure 12 shows test programs from related papers [9,11]. Table 1 lists sizes of the
original, transformed, and post-processed transformed versions (columns Origi-
nal, Transformed, and Post-processed respectively), as well as the time to per-
form the transformation (column transf). Column polka shows the analysis time
in seconds for running the polka polyhedra domain. uva is explained below.
Enhancing an existing analyzer. As a separate experiment we use IKOS [3],
an abstract interpretation-based static analyzer developed at NASA. IKOS has
been used successfully to prove absence of buffer overflows in Unmanned Aircraft
Systems flight control software written in C. The latest (unreleased) version of
IKOS provides an uninitialized variable analysis that aims at proving that no
variable can be used without being previously defined, otherwise the execution
of the program might result in undefined behaviour.
Currently IKOS is not sufficiently
precise for array analysis. (Figure 13), int array init unsafe (void) {
IKOS cannot deduce that A[5] is defi- 1: int A[6], i;
nitely uninitialized at line 4. However, 2: for (i = 0; i < 5; i++)
using the transformational approach, 3: A[i] = 1;
IKOS proves that A[5] is definitely unini- 4: return A[5];
tialized. The problem is far from triv- }
ial; as Regehr [17] notes, gcc and clang
(with -Wuninitialized ) do not even raise
Fig. 13. Regehr’s example [17]
warnings for this example, but stay com-
pletely silent.
 Analyzing Array Manipulating Programs by Program Transformation 17

We ran IKOS on the transformed version of array init unsafe. IKOS suc-
cessfully reported a definite error at line 4 in 0.22 s. Conversely, transformation
enabled IKOS to show that no array element was left undefined in the case of
array init. Finally we ran IKOS on the rest of the programs in Fig. 12. For the
purpose of the uninitialized variable analysis we added loops to force each array
to be treated as initialized, when appropriate. For the transformed version of
array copy, IKOS proved that A is definitely initialized after the execution of
the loop. For the rest of the programs IKOS proved that the initialized array A
is still initialized after the loops. Column uva in Table 1 shows the analysis time
in seconds of the uninitialized variable analysis implemented in IKOS.
Note that the polka analysis does not eliminate out-of-scope variables. Our
program transformation introduces many variables, and since polka incurs a
super-linear per-variable cost, the overall time penalty is considerable. We expect
to be able to greatly reduce the cost by utilising a projection operation and
improving the fixed-point finding algorithm.

8 Related Work
Amongst work on automated reasoning about array-manipulating code, we can
distinguish work on analysis from work that focuses on verification. Our paper
is concerned with the analysis problem, that is, how to use static analysis for
automated generation of (inductive) code invariants. As mentioned in Sect. 1,
we follow the tradition of applying abstract interpretation [4] to the array con-
tent analysis problem [5, 9, 11,16]. Alternative array analysis methods include
Gulwani, McCloskey and Tiwari’s lifting technique [10] (requiring the user to
specify templates that describe when quantifiers should be introduced), Kovács
and Voronkov’s theorem-prover based method [13], Dillig, Dillig and Aiken’s
fluid updates [7] (supporting points-to and value analysis but excluding rela-
tional analyses), and incomplete approaches based on dynamic analysis [8, 15].
Unlike previous work, we apply abstract interpretation to a transformed pro-
gram in which array reads and writes have been translated away; any standard
analysis, relational or not, can be applied to the resulting program, with negli-
gible additional implementation cost.
There is a sizeable body of work that considers the verification problem for
array-processing programs. Here the aim is to establish that given assertions hold
at given program points. While abstract interpretation may serve this purpose
(given a well-chosen abstract domain), more direct approaches are goal-directed,
using assertions actively, to drive reasoning, rather than passively, as checkpoints.
Many alternative techniques have been suggested for the verification of (some-
times restricted) array programs, including lazy abstraction [1], template-based
methods [14], and, more closely related to the present paper, techniques that
employ translation, for example to Horn clauses [6].
Another random document with
no related content on Scribd:
our national history more truly interesting than the early efforts of
Glasgow in commerce. Her first ventures to Maryland and Virginia
were in vessels chartered from Whitehaven. In each vessel, filled
with goods, there went a supercargo, whose simple instructions were
to sell as many as he could for tobacco, and return home as soon as
he had sold all, or had got enough of the plant to fill his vessel,
whether the goods were all sold or not, bringing home with him any
that remained unsold. In this cautious way were the foundations of
the wondrous wealth of Glasgow laid. It was not till now, eleven
years after the Union, that the first vessel belonging to Glasgow
crossed the Atlantic.
By that time, much of the tobacco-trade had come into the hands
of Glasgow merchants. Bristol, Liverpool, and Whitehaven, which
had heretofore been the great entrepôts of the trade, opened their
eyes with some little surprise when they began to find Glasgow
underselling them in this article even among their own retailers. It
was the mere frugality of the Scottish traders which gave them this
advantage. But the jealousy of their rivals refused to see the true
cause. They entered in 1721 into a confederacy to destroy the
tobacco-trade of Glasgow, petitioning in succession the House of
Lords and the House of Commons, with utterly unfounded
complaints on the subject. The charges of fraud were declared
groundless by the upper house; but, in the lower, the just defences of
Glasgow were disregarded, through the interest made by her
adversaries. ‘New officers were appointed at the ports of Greenock
and Port-Glasgow, whose private instructions seem to have been to
ruin the trade, if possible, by putting all imaginable hardships upon
it; bills of equity were exhibited against the merchants in the Court of
Exchequer for no less than thirty-three 1718.
ships’ cargoes, by which they were
commanded to declare, on oath, whether or not they had imported in
these ships any, and how much, more tobacco than what had been
exported, or had paid the king’s duty. Vexatious lawsuits of every
kind were stirred up against them. Every species of persecution,
which malice, assisted by wealth and interest, could invent, to
destroy the trade of Glasgow, was put in practice,’ and in part
successfully, the trade being reduced to a languishing condition, in
which it remained for a number of years.[512]
 Quiet Mr Wodrow, in his neighbouring Renfrewshire parish,
seems to have rather relished any loss or difficulty sustained by this
industrious community, being apparently under an impression that
wealth was apt to abate the godly habits of the people. He already
recognised a party in the city who mocked at the ministry, and
everything that was serious. Instead of seventy-two meetings for
prayer, which he had known some years before, there were now but
four or five; while in their place flourished club-meetings, at which
foolish questions were discussed. He adverts to the blow struck at the
tobacco-trade through the House of Commons, ‘which they say will
be twenty thousand pounds loss to that place. I wish it may be
sanctified to them.’[513]

We have seen a concert taking place in Edinburgh in 1694, and a

very grand one, partly supported by amateurs, presented in
celebration of St Cecilia’s Day, in the ensuing year. We learn that
there was now a weekly meeting of amateurs at the Cross Keys
Tavern, kept by one Steil, who is noted as an excellent singer of
Scottish songs, and who appears to have possessed a collection of
instruments for the use of his guests. This meeting admitted of
visitors of both sexes, and was a point of reunion for the beau monde
of Edinburgh in days while as yet there were neither balls nor
theatres. Its being held in a tavern would be no objection to the
ladies. Allan Ramsay, in singing the winter attractions of the city,
does not forget that
‘Others can with music make you gay,
With sweetest sounds Corelli’s art display;’

And then adds a picture of the scene: 1718.

‘To visit and take tea the well-dressed fair

May pass the crowd unruffled in her chair;
No dust or mire her shining foot shall stain,
Or on the horizontal hoop give pain.
For beaux and belles no city can compare,
Nor shew a galaxy so made, so fair;
The ears are charmed, and ravished are the eyes,
When at the concert my fair stars arise;
What poets of fictitious beauties sing,
 Shall in bright order fill the dazzling ring;
From Venus, Pallas, and the spouse of Jove,
They’d gain the prize, judged by the god of Love.’[514]

A writer of some ability and acuteness, who travelled over

Scotland, and wrote an account of his journey, published in 1723,
tells us that he was at several ‘consorts’ in Edinburgh, and had much
reason to be pleased with the appearance of the ladies. He had never
in any country seen ‘an assembly of greater beauties.’ It is not in
point here, but it may be stated that he also admired their stately
firm way of walking ‘with the joints extended and the toes out,’ and
thought their tartan head-mantles of scarlet and green at church as
gay as a parterre of flowers. At the same time, he knew them to be
good housewives, and that many gentlemen of good estate were not
ashamed to wear clothes of their wives’ and servants’ spinning.[515]
To return to music—it looks like a mark of rising taste for sweet
sounds, that we have a paragraph in the Edinburgh Courant for July
12, 1720, announcing that Mr Gordon, who had lately been travelling
in Italy for his improvement in music, was daily expected in
Edinburgh, ‘accompanied with Signor Lorenzo Bocchi, who is
considered the second master of the violoncello in Europe, and the
fittest hand to join Mr Gordon’s voice in the consorts which he
designs to entertain his friends with before the rising of the session.’
On the 28th of May 1722, at the request of several gentlemen of
Glasgow, Mr Gordon was to give a ‘consort’ in that city; and
immediately after we hear of him publishing ‘proposals for the
improvement of music in Scotland, together with a most reasonable
and easy scheme for establishing a Pastoral Opera in Edinburgh.’[516]
Signor Bocchi seems to have been able to 1718.
carve a professional position for himself in
Edinburgh, for in 1726 we find him publishing there an opera of his
own composition, containing twelve sonatas for different
instruments—violin, flute, violoncello, &c., with a libretto in broad
Scotch by Allan Ramsay, beginning:
‘Blate Johnnie faintly tauld fair Jean his mind.’

It was about this time that the native music of Scotland—those

beautiful melodies which seem to have sprung up in the country as
naturally and unperceivedly as the primroses and the gowans—were
first much heard of to the south of the Tweed. William Thomson,
who was a boy at the Feast of St Cecilia in 1695, had since grown up
in the possession of a remarkably sweet voice for the singing of Scots
songs, and having migrated to London, he was there so well received,
that Scottish music became fashionable even amidst the rage there
was at the same time for the opera and the compositions of Handel.
A collection of Scottish songs, with the music, under the title of
Orpheus Caledonius, was published by Thomson in London in 1725,
with a dedication to the Princess of Wales, and republished in an
extended form in 1733.
Of the other performers at the Feast of St Cecilia, a few were still
flourishing. Adam Craig, a teacher of music, played second violin at
the gentlemen’s concerts with high approbation. Matthew M‘Gibbon
was no more; but he had left a superior representative in his son
William, who had studied under Corbet in London, and was now
leader and first-violin at the concerts, playing the music of Corelli,
Geminiani, and Handel with great skill and judgment. A collection of
Scots tunes by William M‘Gibbon, published in 1742 and subsequent
years, was long in high repute.[517] Of the St Cecilia amateurs we only
hear now of Lord Colville, who seems to have been a great
enthusiast, ‘a thorough master of music,’ and is said to have
‘understood counterpoint well.’ His instruments were the
harpsichord and organ. He had made a large collection of music,
much of it brought home to him from Italy.
‘The god of Music joins when Colvil plays,
And all the Muses dance to Haddington’s essays;
The charms are mutual, piercing, and compleat—
This in his art excels, and that in wit.’
Defoe’s Caledonia, 1706.

Robert Lord Colville of Ochiltree (for it is 1718.

necessary so to distinguish him from Lord
Colville of Culross) died unmarried in March 1728, after having been
in possession of the peerage for fifty-seven years. Wodrow tells a
gossip’s story about his lordship having ‘walked’ for some time after
his apparent departure from the earth.[518]
After a comparatively private form of entertainment had been in
vogue some years, the lovers of harmony in Edinburgh constituted
themselves in 1728 into a regular society, with a governor and
directors, the entire number of members being seventy, and, for the
sake of room, transferred their meetings to St Mary’s Chapel, where
they continued to assemble for a long course of years.[519] The
progress of their gay science is marked by the publication, in 1730, of
a collection of Scots tunes for the harpsichord or spinet by Adam
Craig, appropriately dedicated to the Honourable Lords and
Gentlemen of the Musical Society of Mary’s Chapel, as ‘generous
encouragers and promoters of music’—this collection being the first
of the kind that was published,[520] although there were several
previous collections containing Scottish tunes, mingled with others.

At this time the house of the Rev. Mr June.

M‘Gill, minister of Kinross, was represented
as troubled with spirits. The first fact that excited attention, was the
disappearance of some silver spoons and knives, which were soon
after found in the barn, stuck up in straw, with a big dish all nipped
in pieces. Next it was found that no meat was brought to table but
what was stuck full of pins. The minister found one in an egg. His
wife, to make sure against trick, cooked some meat herself; but
behold, when presented at table, ‘there were several pins in it,
particularly a big pin the minister used for his gown. Another day,
there was a pair of
sheets put to the 1718. 1728. May.
green, among
other people’s, which were all nipped to pieces, and none of the
linens belonging to others troubled. A certain night several went to
watch the house, and as one was praying, down falls the press,
wherein was abundance of lime-vessels, all broke to pieces; also at
one other time the spirits, as they call them, not only tore the clothes
that were locked up in a coffer, to pieces, but the very laps of a
gentlewoman’s hood, as she was walking along the floor, were
clipped away, as also a woman’s gown-tail and many other things not
proper to mention. A certain girl, eating some meat, turned so very
sick, that, being necessitate to vomit, [she] cast up five pins. A stone
thrown down the chimney wambled a space on the floor, and then
took a flight out at the window. There was thrown in the fire the
minister’s Bible, which would not burn; but a plate and two silver
spoons melted immediately. What bread is fired, were the meal never
so fine, it’s all made useless. Is it not very sad that such a godly
family, that employ their time no otherwise but by praying, reading,
and serious meditation, should be so molested, while others who are
wicked livers, and in a manner avowedly serve the Wicked One, are
never troubled?’[522]
Wodrow, who relates these particulars, soon after enters in his
note-book: ‘I hear of a woman in Carstairs parish, that has been for
some time troubled with apparitions, and needs much sympathy.’[523]
It seems to have been a season of unusual spiritual activity. During
September, and for some time after, the house of William
Montgomery, mason, at Burnside, Scrabster, near Thurso, in the
extreme north of Scotland, was tormented in an unusual manner by
cats, which flocked in great numbers in and about his dwelling,
making a frightful noise. Montgomery himself was from home; but
his wife was so much troubled by this unaccountable pest, as to be
obliged to write to him requiring his return, as otherwise she would
be obliged to remove to Thurso. The goodman did return, and
became witness to the torment that was going on, as many as eight
cats, totally unknown in the neighbourhood, being sometimes
assembled about his fireside in a single evening, ‘making the night
hideous.’ One servant-girl left service on account of the nightly
disturbance. Another, who came in her place, called to her master
one evening that ‘the cats were speaking 1718.
among themselves,’ for so it had appeared
to her they were doing, so human-like were their cries.
On a particular night, the 28th of November, Montgomery became
unusually exasperated by these four-footed tormentors, and resolved
to attack them with lethal weapons. One having got into a chest
which had a hole in it, he watched with his drawn sword till he saw
the creature put her head out at the hole, when he struck hard, yet
failed to effect decapitation. Opening the chest, a servant named
Geddes struck the animal with his master’s dirk in her hinder
quarter, pinning her to the timber; yet after all she got out.
Ultimately, Montgomery battered this cat pretty effectually, and
threw her out as dead; nevertheless, they found she had disappeared
by the morning. Five nights thereafter, some of the cats coming in
upon Geddes in his bed, Montgomery dirked one, and battered its
head, till it appeared dead, when he flung it out of doors. Before
morning, it too had disappeared. He remarked that the wounds he
inflicted brought no blood.
As it had been threatened that none should thrive in his house,
William Montgomery entertained no doubt that there was witchcraft
in the visitation. When an old woman in the neighbourhood fell ill,
he became confirmed in his surmise, and thought himself justified in
seeking the interference of the sheriff, though without particularising
any delinquent. By this officer, the case was slighted as a piece of
popular credulity and ignorance, till, one day in the ensuing
February, a certain old woman named Margaret Nin-Gilbert, living
in Owst, about a mile and a half from Montgomery’s house, ‘was seen
by some of her neighbours to drop at her own door one of her legs
from the middle.’ So narrates the sheriff. He adds: ‘She being under
bad fame for witchcraft, the leg, black and putrefied, was brought to
me; and immediately thereafter I ordered her to be apprehended and
incarcerated.’
When old ladies begin to unhook their legs, and leave them in
public places, it is evident there must be something in it. On the 8th
of February, Margaret was examined in presence of two ministers, a
bailie, and four merchants of Thurso, and confessed that she was in
compact with the devil, who sometimes appeared to her as a great
black horse, sometimes as a black cloud, and sometimes like a black
hen. She owned to having been present as a cat in Montgomery’s
house, along with other women similarly transformed, when two of
the latter had died of the wounds inflicted 1718.
by Montgomery, and she had had her leg
broken by him, so that in time it mortified and broke off. Margaret
Olson, one of the women she accused, was examined for witch-
marks; and several small coloured spots being detected, a needle was
thrust in almost to the eye without exciting the least pain; but neither
she nor any other person besides Nin-Gilbert could be induced to
confess the practice of witchcraft.
Lord Advocate Dundas heard, some weeks after, what was going
on in this remote corner of Scotland, and wrote a letter to the sheriff,
finding fault with him for proceeding without consultation with the
central authority. The local officer apologised on the ground, that he
only acted for the Earl of Breadalbane and Mr Sinclair of Ulbster,
and had deemed it proper to communicate directly with them. In the
course of a short time, Nin-Gilbert died in prison, and this seems to
have been an end to the affair.[524]

Hitherto, no sort of literary or scientific association had been

formed in Scotland. For a long time bypast, almost the only learning
that existed was theological, and there was but little of that. In this
year, Thomas Ruddiman, who had distinguished himself in
Edinburgh by editing the works of Buchanan, and composing the
well-known Rudiments of the Latin Tongue, joined with the masters
of the High School of the city in establishing there an association for
improving each other in classical lore, ‘without meddling with the
affairs of church or state.’ This body was afterwards joined by a
young advocate, subsequently eminent as a judge and a philosophical
writer under the name of Lord Kames; afterwards, Mr Archibald
Murray and Mr James Cochran, advocates, and Mr George Wishart,
one of the ministers of Edinburgh, with some others, became
members. ‘Whether their conversations were preserved, or their
dissertations published, cannot now be ascertained.’[525]

This day was commenced a newspaper in Dec. 15.

Edinburgh, the first that succeeded in
thoroughly planting itself in Scotland, so as to obtain more than an
ephemeral existence. It was the adventure of James M‘Ewen,
bookseller in Edinburgh, and came out under the title of The
Edinburgh Evening Courant. The paper 1718.
appeared in virtue of a formal authority
from the magistrates and town-council, to whom M‘Ewen was to be
answerable for what he should print and publish; and, that this rule
might be enforced, he was, ‘before publication, to give ane coppie of
his print to [the] magistrates.’[526] The Courant was announced as to
contain ample accounts of foreign occurrences, and these derived,
not through London prints, but directly from foreign journals. It was
intended as a decidedly Whig print, in this respect differing from the
Caledonian Mercury, which was not long after started in the
Jacobite interest.
 The Courant was from the first successful. James M‘Ewen, writing
from Edinburgh, January 17, 1719, to the Rev. Mr Wodrow, says: ‘As
to our newspaper, it thrives so far as to be very well liked by all,
excepting the violent Jacobites, who hate it, for no other reason but
because it is a true and impartial paper. Several gentlemen who were
to have had the London papers sent them, have laid them aside,
because this contains the substance not only of them, but of the
foreign post also.’
In looking over, as it has been my fate to do, the early volumes of
the Courant, one cannot but groan over the long, dry ‘advices’ from
nearly all parts of Europe, and the wretched meagreness of the
department of home intelligence, whole months often elapsing
without so much as an obituary notice, or a ship’s arrival at Leith.
The reason of this unfortunate peculiarity was no other than the civic
censorship under which the paper, as we see, was from the beginning
placed. Even intelligence in the interest of the government was not in
every instance safe. In the course of February 1723, the magistrates
seized all the copies of a particular number of the paper, in which
there had been an apparently simple paragraph. It regarded Mr
Patrick Halden, then under trials before the judges of the Court of
Session as presentee of the crown for a seat on the bench—he being a
mere creature of the ministry unfit for the position. Fired at the
words: ‘We do not hear of any great discoveries yet made to his
prejudice,’ the judges inflicted this punishment upon the publisher,
M‘Ewen, who then announced the suppression of his paper, ‘that our
customers in the country may know why they cannot be served with
that day’s Courant, as also why we have been so sparing all along of
home news.’
It is at the same time evident that the meagreness of the home
news was in part caused by mere difficulty 1718.
of obtaining authentic accounts of such
matters. A rumour as to the death of a person of importance at a
distance would arrive. Owing to the sluggishness of posts, its verity
could not readily be ascertained. Inserting it on trust, the journalist
too often found, in the course of a few days, that the announcement
was unfounded. Such is a fair specimen of the way in which false
intelligence occasionally got into circulation; and every such case, of
course, operated as a motive to caution in future. The publishers,
moreover, could not afford to keep sub-editors to go about and
ascertain the verity of rumours. As an illustration of the difficulties
hence arising—the Caledonian Mercury of March 3, 1724, contained
the following paragraph: ‘We hear that my Lord Arniston, one of the
ordinary Lords of Session, is dead;’ which was followed in the next
number by: ‘It was by mistake in our last that my Lord Arniston was
dead, occasioned by the rendezvous of coaches, &c., hard by his
lordship’s lodging, that were to attend the funeral of a son of the
Right Honourable the Earl of Galloway; wherefore his lordship’s
pardon and family’s is humbly craved.’
It affords a pleasing idea of the possible continuousness of
sublunary things, that the then Whig, but now Conservative
Edinburgh Evening Courant, which began its career in 1718, and its
then Tory, but since liberal rival, the Caledonian Mercury, which
originated about two years later, are still published in Edinburgh.

The enjoyment during thirty years of ‘position’ as an

establishment, combined with the progressive ideas of the age, was
now working some notable changes in the spirit of the Scottish
Church.
There was still, of course, a general maintenance of the old
doctrines and habits; all was to appearance as it had been—places of
worship attended, Sunday observed, discipline kept up; in particular
outlying presbyteries, there would even be found a majority of men
of the old leaven. When, however, any strenuous Dumfriesshire or
Galloway pastor seemed animated by aught of the zeal of a past age,
and thereby excited troubles which came under the attention of the
General Assembly, he was sure to be snubbed, and, if contumacious,
deposed. If a presbytery of the ancient orthodoxy, labouring under
fears of backslidings and defections, ventured to reassert, in a public
manner, a doctrine that was beginning to be unfashionable, the
General Assembly frowned on its 1718.
forwardness. At the same time, Mr John
Simson, professor of divinity at Glasgow, openly taught doctrines
leaning to Arminianism, and even Arianism, and the same venerable
court could not, for a number of years, be brought to do more than
administer a gentle admonition.
 It chanced, one day, that a worthy pastor, Mr Thomas Boston,
found in a house which he was visiting a tattered treatise of the
bright days of the civil war, written by one Edward Fisher, and
entitled The Marrow of Modern Divinity. Turning over its leaves, he
found it asserting orthodox Puritan doctrines with a simplicity and
pathos all its own, particularly one which had lately been condemned
by the General Assembly—namely, that, Christ being all in all, a
forsaking of sins was not necessary ‘to reinstate us in covenant with
God.’ Here seemed the proper remedy for the alarming rationalism
of the church, and very soon there appeared a new edition of the
Marrow, under the care of Mr Thomas Hogg, minister of Carnock.
The book immediately got into wide circulation, and produced a very
decided impression on the public mind, insomuch that the General
Assembly felt called upon to issue a prohibition against its being
recommended or read.
Thus arose a once famous conflict generally recognised as the
Marrow Controversy. Dissatisfied with the pronouncement of the
church, twelve ministers, including Boston and Hogg, came forward
with a Representation, in which they remonstrated in very free terms
with the General Assembly, expressing themselves as grieved in an
especial manner to find any disfavour shewn to that freedom from
the covenant of works which true believers felt to be the chief branch
of the precious liberty which Christ had given them, and ‘in which
the eternal salvation of souls is wrapped up.’ For sending this paper,
the twelve brethren were taken in hand by the Assembly’s
commission, condemned, and ordered to stand a rebuke (1723); but,
while submitting, for the sake of peace, they took care to utter a
protest, which left no room for doubt that they remained unshaken
in their opinions. The entire proceedings are far too voluminous for
modern patience; but the importance of the affair is undoubted. The
‘Twelve Marrow Men’ may be said to have formed the nucleus of the
dissent which was a few years after matured under the name of the
Secession.[527]
 About eight o’clock this morning, at a 1719. Jan. 29.
spot a little west of Aberdeen, ‘there
appeared ane army, computed to be the number of 7000 men. This
computation was made by a very judicious man, who had long been a
soldier in Flanders, and is now a farmer at this place, who with about
thirty other persons were spectators. This army was drawn up in a
long line in battle-array, were seen to fall down to the ground, and
start up all at once; their drums were seen to be carried on the
drummers’ backs. After it remained more than two hours, a person
on a white horse rode along the line, and then they all marched
towards Aberdeen, where the hill called the Stocket took them out of
sight. It was a clear sunshine all that morning.’
October 22d, a second vision of the same kind was seen on the
same ground. ‘About two thousand men appeared with blue and
white coats, clear arms glancing or shining, white ensigns were seen
to slap down, as did the former, at which time a smoke appeared, as
if they had fired, but no noise. A person on a white horse also rode
along the line, and then they marched towards the bridge of Dee.
This vision continued on the ground from three hours in the
afternoon, till it was scarce light to see them. It was a clear fine
afternoon, and being the same day of the great yearly fair held at Old
Aberdeen, was seen by many hundreds of people going home, as well
as by above thirty that were at their own houses, about half a mile
distant. It’s observable that the people coming from the fair came
through them, but saw nothing till they came up to the crowd that
was standing gazing, who caused them to look back.’[528]

On the night of the 2d of November, the Nov. 2.

river Don was dried up from a little below
Kemnay down to near Old Aberdeen. It was so dry at Inverury and
Kintore, that children of five or six years of age gathered up the fish,
trouts, and eels, and many people going to a fair passed over dry-
shod. The water slowly returned about the middle of the day. The
same phenomenon was said to have happened in the Doveran at
Banff two days later.[529]
The Commissioners on the Forfeited 1719.
Estates were left in 1716 in a position of
discomfiture, in consequence of the impediments presented by
Scottish law and Scottish national feeling. Acts of the legislature
enabled them in subsequent years to overcome some of their
difficulties, and accomplish a tolerable portion of their mission. Not
indeed without further impediments from the Court of Session,
which, when their former decrees of sequestration were rendered
void, and could no longer protect the friends of the forfeited persons
in possession, gave efficacy to a new device of these friends, in the
form of exceptions which declared that the forfeited persons had
never been the real owners of the estates! In their report of 1720,
they pathetically advert to this new difficulty, and, as an illustration
of its absurdity, state a few cases, in which there had been decrees in
favour of more pretended owners than one—Seaforth’s estates, for
instance, were by one decree found to belong in full and absolute
right to Kenneth Mackenzie of Assint, by another to William Martin
of Harwood, by another to Hugh Wallace of Inglistown. For Mar’s
estates, there were four of these visionary owners, and for Kenmure’s
five! The exceptions were generally founded on conveyances and
dispositions of the lands which were alleged to have been formerly
executed by the attainted persons in favour of children and others.
Notwithstanding these obstructions, the commissioners were
enabled, in October 1719, to sell Panmure’s estates at £60,400
sterling, Winton’s at £50,482, Kilsyth’s at £16,000, and that of
Robert Craw of East Reston at £2364.
By reversals of the decrees in the House of Lords, and the help of a
new act, the Commissioners were enabled, in October 1720, to sell a
further lot of estates—Southesk’s for £51,549, Marischal’s for
£45,333, Linlithgow’s for £18,769, Stirling of Keir’s for £16,450,
Threipland of Fingask’s for £9606, Paterson of Bannockburn’s for
£9671, besides two others of trifling value. The purchase was in
nearly all these cases made by a speculative London company,
entitled The Governor and Company of Undertakers for raising the
Thames Water in York Buildings (commonly called the ‘York
Buildings Company’).[530] The exceptions in the cases of Keir and
Bannockburn were purchases probably made by friends of the
former owners. For any other persons connected with Scotland to
have come forward to buy these properties 1719.
on their own account, inferred such an
amount of public indignation, if not violence, as made the act
impossible, even if there had been any recreant Scot, Whig or Tory,
capable in his heart of such conduct.
We shall have occasion, under subsequent dates, to notice certain
difficulties of a different and more romantic kind which beset the
Commissioners. But, meanwhile, it may be well to complete the
history of their ordinary transactions.
Out of thirty estates left unsold in October 1720, they had
succeeded within the ensuing three years in selling nineteen, of
which the chief were Lord Burleigh’s at £12,610, Macdonald of
Sleat’s at £21,000, and Mackenzie of Applecross’s at £3550, the rest
being of inconsiderable amount, though raising the entire sum to
£66,236. The principal estate afterwards sold was that of John Earl
of Mar at £36,000.
When the Commissioners closed their accounts in March 1725, it
appeared that there was a total of £411,082 sterling paid and to be
paid into the Exchequer, from which, however, was to be deducted
no less than £303,995 of debts sanctioned by the Commissioners,
and for which they had issued or were to issue debentures, and
£26,120 allowed in the form of grants from the crown. There thus
remained, of money realised for public use and to pay the expenses
of the Commission, the sum of £84,043, 17s. 5¾d., while properties
to the yearly value of £2594 remained undisposed of, including an
item so small as ‘Feu-duty of some cellars at Leith, part of the Abbacy
of Aberbrothick, belonging to the late Earl of Panmure, 11s. 3½d.’
Some curiosity will naturally be felt to know the aggregate
expenses of the Commission,[531] and the balance of results which
these left out of the eighty-four thousand pounds. There is a mixture
of the ludicrous and sad in the problem, which may be expressed
thus: money from the destruction (for public objects) of about fifty of
the good old families of Scotland, £84,043; charges for the expense
of the destruction, £82,936 = £1107! Walpole would find it hardly a
decent purchase-money for a vote in the House of Commons.

By statute passed in 1718,[532] Dec.

arrangements had been made regarding the
sum of £16,575, 14s. 0½d., which had been 1719.
left over of the Equivalent money at the
Union, after paying sundry claims out of it, and for a further debt of
£230,308, 9s. 10d., due by England to Scotland since in equalisation
of duties, together with a small sum of interest—the whole
amounting to £248,550—also for enabling the king to constitute the
bond-holders of this debt into a corporation, which, after St John’s
Day, 1719, should receive £10,000 annually as interest, until the debt
should be redeemed.
Now, the Bank of Scotland had been going on very quietly for some
years, with its ten thousand pounds of paid-up capital, realising, as
we can infer from some particulars, about a thousand a year of profit
from its business. A prosperity so great could not then exist in
Scotland without exciting some degree of envy, and also raising up
thoughts of rivalry in a certain ardent class of minds. It began to be
alleged that the Bank, as it was commonly called, was stinted in its
means and frigid in its dealings; that it lacked enterprise; that it
would be the better of an infusion of fresh blood, and so forth. It had
many positive enemies, who tried to detract from its merits, and
were constantly raising evil reports about it.[533] Most deadly of all,
there was now this Equivalent Company, with about a quarter of a
million of debentures wherewith to engage in further mercantile
enterprise, so as to make their ten thousand a year a little better. The
boy, with his first shilling burning a hole in his pocket, was but a type
of it.
In December 1719, a proposal came from a proprietor of
Equivalent stock, to the effect that that stock should be added to the
£100,000 stock of the Bank, but with nine-tenths of it returned by
the Bank in notes, so that only £25,000 of it should in reality remain
active in the new concern. It was proposed that, of the £10,000 of
annual interest upon the Equivalent, the proprietors of Bank stock
should thenceforward draw two-sevenths, being the proportion of
£100,000 to £250,000; and of the £600 a year allowed for
management of the Equivalent, the Bank was also to be allowed a
proportion. In such a way might the Bank and Equivalent be brought
into a union presumed to be beneficial to both parties.
The directors of the Bank received the 1719.
proposition as an insidious attempt by a
number of outsiders to get into the enjoyment of a portion of their
time-bought advantages. They pointed out, in their answer, that the
Equivalent stock being only in the receipt of 4 per cent. interest,
while the profits of the Bank stock might be reckoned at not lower
than 10, the proposal was inequitable towards the Bank. Besides,
they did not want this additional stock, finding their present working
capital quite sufficient. The proposer was thus repelled for the
meantime; but he very quickly returned to the attack.
Under the guidance of this person, there was now formed what
was called ‘The Edinburgh Society for insuring of Houses against
Loss by Fire’—an arrangement of social life heretofore unknown in
Scotland. But, as often happens, no sooner was this design broached
than another set of people projected one of the same kind, with only
this slight difference, that, instead of being a company trading for
profits, it was a mutual insurance society reserving all profits for the
insured. Such was the origin, in 1720, of what afterwards, under the
name of ‘the Friendly Society,’[534] became a noted institution of the
Scottish capital, and is still in a certain sense existing amongst us.
The Edinburgh Society consequently got no insurance business.
It nevertheless kept together, under the care of a committee of
secrecy, who gave out that they contemplated a still better project.
For some time, they talked loudly of great, though unripe plans, by
which they expected to ‘make Scotland flourish beyond what it ever
did before.’ Then there arose a repetition of the old clamours about
the Bank—it was too narrow, both in its capital and in its ideas; the
directors were too nice about securities; the public required enlarged
accommodation. At last, the Society plainly avowed that they were
determined either to run down the Bank, or force a coalition with it.
It was precisely one of the last century heiress-abductions, adapted
to the new circumstances of the country and the advanced ideas of
the age.
The opportunity seemed to be afforded by the share which
Scotland took in the South-Sea scheme, large sums of specie being
sent southward to purchase stock in that notable bubble. In such
circumstances, it was assumed that the stock of coin in the Bank
must have sunk to rather a low ebb. Having then gradually and
unperceivedly gathered up the monstrous 1719.
sum of £8400 in notes of the Bank, our
Edinburgh Society came in upon it one morning demanding
immediate payment. To their surprise, the money was at once paid,
for in reality the kind of coin sent by speculators to London was
different from that usually kept by the Bank, so that there had been
hardly any abatement of its usual resources in coin. The Society tried
to induce the cashiers of all the public establishments to follow their
example, and draw out their money, but without success in any
instance but that of the trustees of the Equivalent, who came very
ostentatiously, and taking out their money, stored it up in the Castle.
The public preserved a mortifying tranquillity under all these
excitements, and the Bank remained unaffected.
The Edinburgh Society soon after sent the Bank a proposal of
union, ‘for the prevention of mutual injuries, and the laying of a solid
foundation for their being subservient and assisting to one another.’
It mainly consisted in an offer to purchase six hundred shares of the
Bank, not as a new stock, but by surrender of shares held by the
present proprietors, at £16, 13s. 4d. per share, or £10,000 in all,
being apparently a premium of £6, 13s. 4d. on each £10 of the Bank’s
paid-in capital. The Bank, however, as might have been expected,
declined the proposal.
The passing of the famous Bubble Act soon after rendered it
necessary for the Edinburgh Society to dissolve; but the Bank,
nevertheless, like a rich heiress, continued to be persecuted by
undesired offers of alliance. One, strange to say, came from the
London Exchange Assurance Company. By this time (1722), it
appears that the Bank had twenty thousand pounds of its capital
paid up. It was proposed on the part of the London Assurance, that
they should add £20,000, and have a half of the Bank’s profits,
minus only an annual sum of £2500 to the old proprietors; which the
Bank considered as equivalent to a borrowing of a sum of money at a
dear rate from foreigners, when, if necessary, they could advance it
themselves. Suppose, said the directors, that, after the London
company had paid in their £20,000, the Bank’s profits were to rise to
£7000 a year—and the authors of the proposal certainly
contemplated nothing so low—this sum would fall to be divided thus:
first, £2500 to the old Bank proprietors; second, the remaining
£4500 to be divided between the Bank and the Exchange Assurance
Company—that is, £2250 to the latter, being interest at the rate of 11
per cent. upon the money it had advanced—which money would be
lying the same as dead in the Bank, there 1719.
being no need for it. The Bank of Scotland declined the proposal of
the London Royal Exchange Assurance Company, which doubtless
would not be without its denunciations of Scotch caution on the
occasion.

Robert Ker, who seems to have been an inhabitant of Lasswade,

was a censor of morals much after the type of the Tinklarian Doctor.
He at this time published A Short and True Description of the Great
Incumbrances and Damages that City and Country is like to sustain
by Women’s Girded Tails, if it be not speedily prevented, together
with a Dedication to those that wear them. By girded tails he meant
skirts framed upon hoops of steel, like those now in vogue. According
to Robert Ker, men were ‘put to a difficulty how to walk the streets’
from ‘the hazard of breaking their shin-bones’ against this metal
cooperage, not to speak of the certainty of being called ill-bred
besides. ‘If a man,’ says he, ‘were upon the greatest express that can
be, if ye shall meet them in any strait stair or entry, you cannot pass
them by without being stopped, and called impertinat to boot.’ Many
are ‘the other confusions and cumbrances, both in churches and in
coaches.’ He calls for alterations in staircases, and new lights to be
broken out in dark entries, to save men from unchancy collisions
with the fairer part of creation. Churches, too, would need to be
enlarged, as in the old Catholic times, and seats and desks made
wider, to hold these monstrous protuberances.
‘I wonder,’ says Ker, ‘that those who pretend to be faithful
ministers do not make the pulpits and tents ring about thir sins,
amongst many others. Had we the like of John Knox in our pulpits,
he would not spare to tell them their faults to their very faces. But
what need I admonish about thir things, when some ministers have
their wives and daughters going with these fashions themselves?’
The ladies found a defender on this occasion in Allan Ramsay. He
says:
‘If Nelly’s hoop be twice as wide
As her two pretty limbs can stride,
What then? will any man of sense
Take umbrage, or the least offence?....
Do not the handsome of our city,
The pious, chaste, the kind, the witty,
 Who can afford it, great and small,
Regard well-shapen fardingale?....
Who watch their conduct, mien, and guise,
To shape their weeds as fits their case,
And place their patches as they please.’[535]

We learn with grief that our pathetic 1719.

censor of the fair sex lived on bad terms
with his own wife, and was imprisoned both in Dalkeith and in
Edinburgh for alleged miscarriages towards her. One of his most
furious outpourings was against a minister who had baptised a child
born to him during his Dalkeith imprisonment, the rite being
performed without his order or sanction.

‘All persons [in Edinburgh] desirous to 1720. Jan. 5.

learn the French tongue’ were apprised by
an advertisement in the Edinburgh Courant, that ‘there is a
Frenchman lately come to this city who will teach at a reasonable
price.’ This would imply that there was no native French teacher in
Edinburgh previously. In 1858, there were eleven, besides three
belonging to our own country.

Public attention was at this time attracted Jan.

by a report of devilish doings at Calder in
Mid-Lothian, and of there being one sufferer of no less distinction
than a lord’s son. It was stated that the Hon. Patrick Sandilands, a
boy, the third son of Lord Torphichen, was for certain bewitched. He
fell down in trances, from which no horse-whipping could rouse him.
The renal secretion was as black as ink. Sometimes he was thrown
unaccountably about the room, as if some unseen agent were
buffeting him. Candles went out in his presence. When sitting in a
room with his sisters, he would tell them of things that were going on
at a distance. He had the appearance occasionally of being greatly
tormented. As he lay in bed one night, his tutor, who sat up watching
him, became sleepy, and in this state saw a flash of fire at the
window. Roused by this, he set himself to be more careful watching,
and in a little time he saw another flash at the window. The boy then
told him that between these two flashes, he had been to Torryburn [a
place twenty miles distant]. He was understood to have been thus
taken away several times; he could tell them when it was to happen;
and it was then necessary to watch him, to prevent his being carried
off. ‘One day that he was to be waited on, when he was to be taken
away, they kept the door and window close; 1720.
but a certain person going to the door, he
made shift and got there, and was lifted in the air, but was catched by
the heels and coat-tails, and brought back.’ Many other singular and
dreadful things happened, which unfortunately were left unreported
at the time, as being so universally known.[536]
Lord Torphichen became at length convinced that his son was
suffering under the diabolic incantations of a witch residing in his
village of Calder, and he had the woman apprehended and put in
prison. She is described as a brutishly ignorant creature, ‘knowing
scarce anything but her witchcraft.’ She readily confessed her wicked
practices; told that she had once given the devil the body of a dead
child of her own to make a roast of; and inculpated two other women
and one man, as associates in her guilt. The baron, the minister, and
the people generally accepted it as a time case of witchcraft; and
great excitement prevailed. The minister of Inveresk, writing to his
friend Wodrow (February 19), says: ‘It’s certain my lord’s son has
been dreadfully tormented. Mr Brisbane got one of the women to
acknowledge ane image of the child, which, on search, was found in
another woman’s house; but they did not know what kind of matter it
was made of.’[537] The time, however, was past for any deadly
proceedings in such a case in the southern parts of Scotland; and it
does not appear that anything worse than a parish fast was launched
at the devil on the occasion. This solemnity took place on the 14th of
January.
For the crazed white-ironsmith of the West Bow,[538] the case of the
Bewitched Boy of Calder had great attractions. He resolved—
unfavourable as was the season for travelling—to go and examine the
matter for himself. So, on the day of the fast, January 14, he went on
foot in ill weather, without food, to Lord Torphichen’s house at
Calder, a walk of about twelve miles. ‘I took,’ says he, ‘the sword of
the spirit at my breast, and a small wand in my hand, as David did
when he went out to fight against Goliah.’ He found the servants
eating and drinking, as if there had been no fast proclaimed; they