Get ebook downloads in full at ebookmeta.

com

Program Proofs 1st Edition K. Rustan M. Leino

https://ebookmeta.com/product/program-proofs-1st-edition-k-
rustan-m-leino/

OR CLICK BUTTON

DOWNLOAD NOW

Explore and download more ebook at https://ebookmeta.com

 Recommended digital products (PDF, EPUB, MOBI) that
you can download immediately if you are interested.

Introduction to Dependent Types with Idris: Encoding

Program Proofs in Types 1st Edition Boro Sitnikovski

https://ebookmeta.com/product/introduction-to-dependent-types-with-
idris-encoding-program-proofs-in-types-1st-edition-boro-sitnikovski-2/

ebookmeta.com

Introduction to Dependent Types with Idris: Encoding

Program Proofs in Types 1st Edition Boro Sitnikovski

https://ebookmeta.com/product/introduction-to-dependent-types-with-
idris-encoding-program-proofs-in-types-1st-edition-boro-sitnikovski/

ebookmeta.com

Greedy Girl 7 Deadly Sins 1st Edition M K Moore Moore M K

https://ebookmeta.com/product/greedy-girl-7-deadly-sins-1st-edition-m-
k-moore-moore-m-k/

ebookmeta.com

Cambridge IGCSE® Maths Student Book (Cambridge

International Examinations) Third Edition, Edition Collins
Uk
https://ebookmeta.com/product/cambridge-igcse-maths-student-book-
cambridge-international-examinations-third-edition-edition-collins-uk/

ebookmeta.com
Dirty Daddies Pride 2023 1st Edition Adaline Raine Aster
Rae Cara Dee Chara Croft Chloe Lynn Ellis Colette Davison
J M Dabney Sammi Cee M A Innes Maggie Ryan P D Carter
Reese Morrison Siobhan Smile T L Travis
https://ebookmeta.com/product/dirty-daddies-pride-2023-1st-edition-
adaline-raine-aster-rae-cara-dee-chara-croft-chloe-lynn-ellis-colette-
davison-j-m-dabney-sammi-cee-m-a-innes-maggie-ryan-p-d-carter-reese-
morrison-siobhan-smile-2/
ebookmeta.com

Organic Reactions and Their Mechanisms, 2nd Edition V. K.

Ahluwalia

https://ebookmeta.com/product/organic-reactions-and-their-
mechanisms-2nd-edition-v-k-ahluwalia/

ebookmeta.com

On the History and Transmission of Lacanian Psychoanalysis

1st Edition Chris Vanderwees

https://ebookmeta.com/product/on-the-history-and-transmission-of-
lacanian-psychoanalysis-1st-edition-chris-vanderwees/

ebookmeta.com

Social Workers as Game Changers Confronting Complex Social

Issues Through Cases First Edition Lewis Laura

https://ebookmeta.com/product/social-workers-as-game-changers-
confronting-complex-social-issues-through-cases-first-edition-lewis-
laura/
ebookmeta.com

Breath Ghost Mountain Wolf Shifters 5 1st Edition Audrey

Faye Faye Audrey

https://ebookmeta.com/product/breath-ghost-mountain-wolf-
shifters-5-1st-edition-audrey-faye-faye-audrey/

ebookmeta.com
The Gnostic Scriptures 2nd Edition Bentley Layton David
Brakke

https://ebookmeta.com/product/the-gnostic-scriptures-2nd-edition-
bentley-layton-david-brakke/

ebookmeta.com
Program Proofs
Program Proofs

K. Rustan M. Leino
Illustrated by Kaleb Leino

The MIT Press

Cambridge, Massachusetts
London, England
© 2023 Massachusetts Institute of Technology

All rights reserved. No part of this book may be reproduced in any form by
any electronic or mechanical means (including photocopying, recording, or
information storage and retrieval) without permission in writing from the
publisher.

The MIT Press would like to thank the anonymous peer reviewers who
provided comments on drafts of this book. The generous work of academic
experts is essential for establishing the authority and quality of our
publications. We acknowledge with gratitude the contributions of these
otherwise uncredited readers.

This book was set in Gyre Pagella, Bera Mono, and Noto Emoji by the
author.

Illustrated by Kaleb Leino.

Library of Congress Cataloging-in-Publication Data is available.

ISBN: 978-0-262-54623-2

10 9 8 7 6 5 4 3 2 1

d_r0
Contents
Preface
Notes for Teachers

0. Introduction

Part 0. Learning the Ropes

1. Basics
2. Making It Formal
3. Recursion and Termination
4. Inductive Datatypes
5. Lemmas and Proofs

Part 1. Functional Programs

6. Lists
7. Unary Numbers
8. Sorting
9. Abstraction
10. Data-Structure Invariants

Part 2. Imperative Programs

11. Loops
12. Recursive Specifications, Iterative Programs
13. Arrays and Searching
14. Modifying Arrays
15. In-situ Sorting
16. Objects
 17. Dynamic Heap Data Structures

Reference Material
A. Dafny Syntax Cheat Sheet
B. Boolean Algebra
C. Answers to Select Exercises
References
Index
Preface
Welcome to Program Proofs!
I've designed this book to teach a practical understanding of what
it means to write specifications for code and what it means for code
to satisfy the specifications. In this preface, I want to tell you about
the book itself and how to use it.

Programs and Proofs

When I first learned about program verification, all program
developments and proofs were done by hand. I loved it. But I think I
was the only one in the class who did. Even if you do love it, it's not
clear how to connect the activity you have mastered on paper with
the activity of sitting in front of a computer trying to get a program to
work. And if you didn't love the proofs in the first place and didn't
get enough practice to master them, it's not clear you make any
connection whatsoever between these two activities.
To bring the two activities closer together, you need to get
experience in seeing the proofs at work in a programming language
that the computer recognizes. And playing out the activity of writing
specifications and proofs together with programs has the additional
benefit that the computer can check the proofs for you. This way, you
get instant feedback that helps you understand what the proofs are
all about. Instead of turning in your handwritten homework and
getting it back from the teaching assistant a week later (when you
have forgotten what the exercises were about and the teaching
assistant's comments on your paper seem less important than next
week's looming assignment), you can interact with the automated
verifier dozens of times in a short sitting, all in the context of the
program you're writing!
Trying to teach program-proof concepts in the setting of an actual
programming language may seem like madness. Most languages
were not designed for verification, and trying to bolt specification
and proof-authoring features onto such a language is at best clumsy.
Moreover, if you'd have to learn a separate notation for writing
proofs or interacting with the automated verifier, the burden on the
learner becomes even much greater. To really connect the program
and proof activities, I argue you want to teach verification in terms of
software-engineering concepts (like preconditions, invariants, and
assertions), not in terms of induction schemas, semantics-mapping
transforms, and prover directives.
Luckily, there are several programming languages designed to
support specifications and proofs (so-called verification-aware
languages), and there are integrated development environments
(IDEs) that run the automated verifiers (sometimes known as auto-
active verifiers: automated tooling that offers interaction via the
program text [82]). Among these are the functional languages
WhyML [20] and F* [53], the Ada-based SPARK language [43, 117],
the object-oriented language Eiffel [89, 44, 121], the imperative
languages GRASShopper [126] and Whiley [109], and—what I use in
this book—Dafny [76, 78, 35]. In a similar spirit, but with annotation
languages that have been added to existing programming languages
are ACL2 (for Applicative Common LISP) [71], VeriFast (for C and
Java) [64], the KeY toolset (for Java) [2], OpenJML (for Java with
JML annotations) [105, 26, 66], the Frama-C toolset (for C) [14],
Stainless (for Scala) [118], Prusti (for Rust) [5], Nagini (for Python)
[45], Gobra (for Go) [4], and LiquidHaskell (for Haskell) [86]. In the
notes at the end of chapters, I occasionally point out some alternative
notation or other differences with these other tools, so as to make the
concepts and experiences taught in this book readily applicable to
those language settings as well.

Material
I have written this book to support the level of a second-year
university course in computer science. It can also be used as a
comprehensive introduction for industrial software engineers who
are new to specification and verification and want to apply such
techniques in their work.
The book assumes basic knowledge of programs and
programming. The style of this prior programming (functional,
imperative) and the particular prior language used are not so
important, but it is helpful if the prior programming has not
completely ignored the concept of types.
The book also assumes some basics of logic. The “and”, “or”, and
“not” operators from programming will go a long way, but some
fluency with implication (logical consequence) is also important. For
example, a reader is expected to feel comfortable with the meaning of
a formula like
2 <= x ==> 10 <= 4 * (x + 1)
The book's Appendix B reviews some useful logic rules, but is hardly
suitable as a first introduction to logic. For that, I would recommend
a semester course in logic.
Beyond the basics of logic, concepts like mathematical induction
and well-founded orderings play a role in program proofs. The book
explains these concepts as needed.
The book is divided into three parts. Part 0 covers some
foundations, leading up to writing proofs. After that, Part 1 focuses
on (specifications and proofs of) functional programs and Part 2 on
imperative programs. Other than occasional references between
these parts, Parts 1 and 2 are independent of each other.
What the Book Is Not
Here are some things this book is not:
It is not a beginner's guide to programming. The book assumes
the reader has written (and compiled and run) basic programs
in either a functional or imperative language. This seems like a
reasonable assumption for a second-year university course in
computer science.
It is not a beginner's guide to logic, but see Appendix B for a
review of some useful logic rules and some exercises.
It is not a Dafny language guide or reference manual. The focus
is on teaching program proofs. The book explains the Dafny
constructs in the way they are used to support this learning, and
Appendix A provides a cheat sheet for the language.
It is not a research survey. There are many (mature or under-
development) program-reasoning techniques that are not
covered. There are also many useful programming paradigms
that are not covered. The mathematics or motivations behind
those advanced techniques are outside the scope of this book.
Instead, this book focuses on teaching basic concepts and
includes best practices for doing so.
The book does not teach how to build a program verifier.
Indeed, throughout this book, I treat the verifier as a black box.
A recurring theme is the process of building proofs manually,
which is good practice for interacting with any verifier.

How to Read This Book

Here is a rough chapter dependency graph:
Sections 13.7, 15.0, and 16.1 depend on Chapter 4, but the rest of
their enclosing chapters do not. The dotted lines show recommended
dependencies—it would be beneficial, but not absolutely required, to
study Chapter 7 before Chapters 8 and 12, and likewise to study
Chapter 6 before Chapter 12.

Dafny
All specifications, programs, and program proofs in the book use the
Dafny programming language and can be checked in the Dafny
verification system. Broadly speaking, the constructs of the Dafny
language support four kinds of activities.
There are constructs for imperative programming, such as
assignment statements, loops, arrays, and dynamically
allocated objects. The simpler of these are the bread and butter
of many classic treatments of program proofs.
There are constructs for functional programming, such as
recursive functions and algebraic datatypes. In Dafny, these
behave like in mathematics; for example, functions are
deterministic and cannot change the program state.
 There are constructs for writing specifications, such as
preconditions, loop invariants, and termination metrics. The
way these are integrated into the language has been influenced
by the pioneering Eiffel language and the Java Modeling
Language (JML). Specifications can use any of the functional-
language features, which makes them quite expressive.
Lastly, there are constructs for proof authoring, such as lemmas
and proof calculations.
These various features blend together. For example, all the
constructs use the same expression language; these expressions
include chaining expressions (like 0 <= x < y < 100), implication
(==>), quantifications (forall, exists), and sets (like {2, 3, 5}),
which are often found in specifications and math, but can also be
used in programs; methods, functions, and proofs bind values to
local variables in the same way; in a method, an if statement divides
up control flow, and in a lemma, it divides up proof obligations;
variables can be marked as ghost, which makes them suitable for
abstraction, but otherwise behave as ordinary compiled variables;
and induction is achieved simply by calling a lemma recursively,
where termination is specified and checked in the same way as for
methods and functions.
Not only is the Dafny language versatile, but so are its uses. The
Dafny development tools are quick to install and are available on
Windows, MacOS, and Linux. The verifier runs automatically in the
VS Code integrated development environment. Dafny programs
compile to executable code for several language platforms, including
.NET, Java, JavaScript, and Go. The toolset itself is available as open
source at
github.com/dafny-lang/dafny
Even before this book, Dafny has been used in teaching for over a
decade. It has also been used in several impressive research projects
(for example, at Microsoft Research, VMware Research, ConsenSys
R&D, CMU, U. Michigan, and MIT) and is currently in industrial use
(for example, at Amazon Web Services).
Online Information
Some additional information about this book is available online at
www.program-proofs.com

Acknowledgments
I have many to thank for helping make this book possible.
I extend my deep gratitude to Rajeev Joshi, Rosemary Monahan,
Bryan Parno, Cesare Tinelli, and especially Graeme Smith, who used
earlier drafts of this book in teaching their university courses. The
book has greatly benefited from their feedback, and from feedback of
their students.
The detailed comments from Rajeev Joshi, Yannick Moy, Jean-
Christophe Filliâtre, Peter Müller, and Ran Ettinger were much
beyond the call of duty and were really helpful! I've also received
good feedback from Nada Amin, Nathan Chong, David Cok, Josh
Cowper, Mikaël Mayer, Gaurav Parthasarathy, and Robin Salkeld.
I'm grateful for the encouragement of Byron Cook and Reto
Kramer in the Automated Reasoning Group where I work at Amazon
Web Services.
The term “program proofs” as a rubric for the kind of science and
engineering that this book is about was suggested by Nik Swamy.
To write and typeset this book, I used the Madoko system, and I
thank Daan Leijen for creating Madoko and for helping me with
customizations.
A big shout-out to Kaleb, who drew the cheerful chapter
illustrations.
Lastly, thank you, Gwen, for your loving support and the countless
weekends we spent at coffee shops while I was writing.
Thank you all!

K.R.M.L.
Notes for Teachers
Much thought goes into the selection and order of material in a book.
Here, I describe the purpose of and motivation for chapters in
greater detail. If you're a learner and just want to get started with the
book, skip ahead to Chapter 0. If you're a teacher and want to plan a
course outline, this is for you.
Part 0

If you want to go beyond that fun put-your-feet-into-the-water

experience, I strongly recommend learning how to swim by paying
attention to Chapters 3, 4, and 5 from Part 0.
Dafny provides a considerable amount of automation. This allows
you to write the loop and array programs in Chapter 13 mostly by
just supplying the necessary pre- and postconditions and loop
invariants, without the need to pain yourself with the details of the
proofs. In practice, when you leave those simpler programs, you will
always encounter situations where a tool's automation runs out. A
program-proof practitioner needs to know how to deal with those
situations, and Part 0 is aimed at providing the necessary
foundations.
Other documents randomly have
different content
after hunting an enormous male elephant for five hours, they had at
length brought him to a stand, near Bree, about ten miles north-east
of Kouka. Mr. Toole and myself instantly mounted our horses, and,
accompanied by a Shouaa guide, we arrived at the spot where he
had fallen, just as he breathed his last.
Although not more than twenty-five years old, his tusk measuring
barely four feet six inches, he was an immense fellow. His
dimensions were as under:
ft. in.
Length from the proboscis to the tail 25 6
Proboscis 7 6
Small teeth 2 10
Foot longitudinally 1 7
Eye 2 by 1½
From the foot to the hip-bone 9 6
From the hip-bone to the back 3 0
Ear 2 by 2 6
I had seen much larger elephants than this alive, when on my last
expedition to the Tchad; some I should have guessed sixteen feet in
height, and with a tusk probably exceeding six feet in length. The
one before me, which was the first I had seen dead, was, however,
considered as of more than common bulk and stature; and it was not
until the Kanemboo of the town of Bree came out, and by attracting
his attention with their yells, and teasing him by hurling spears at his
more tender parts, that the Shouaas dared to dismount; when, by
ham-stringing the poor animal, they brought him to the ground, and
eventually despatched him by repeated wounds in the abdomen and
proboscis: five leaden balls had struck him about the haunches, in
the course of the chase, but they had merely penetrated a few
inches into his flesh, and appeared to give him but little uneasiness.
The whole of the next day the road, leading to the spot where he lay,
was like a fair, from the numbers who repaired thither for the sake of
bringing off a part of the flesh, which is esteemed by all, and even
eaten in secret by the first people about the sheikh: it looks coarse,
but is better flavoured than any beef I found in the country. Whole
families put themselves in motion, with their daughters mounted on
bullocks, on this occasion, who, at least, hoped as much would fall to
their share as would anoint their heads and persons plentifully with
grease at the approaching fsug. The eyes of this noble animal were,
though so extremely small in proportion to his body, languid and
expressive even in death. His head, which was brought to the town, I
had an opportunity of seeing the next day, when I had it opened; and
the smallness of the brain is a direct contradiction to the hypothesis,
that the size of this organ is in proportion to the sagaciousness of the
animal. His skin was a full inch and a half in thickness, and dark
gray, or nearly black, hard, and wrinkled: his ears, large and
hanging, appeared to me the most extraordinary part about him,
particularly from the facility with which he moved them backwards
and forwards: his feet are round, undivided, and have four nails, or
hoofs, for they cannot be called toes, two in the front of the foot,
about an inch in depth, and two inches in length, which join each
other, with two smaller ones on each side of the foot. In Africa they
are scarcely ever taken alive, but hunted as a sport, for the sake of
their flesh; and also in order to obtain their teeth, which, however, as
they are generally small, are sold to the merchants for a very trifling
profit. The manner of hunting the elephant is simply this: from ten to
twenty horsemen single out one of these ponderous animals, and,
separating him from the flock by screaming and hallooing, force him
to fly with all his speed; after wounding him under the tail, if they can
there place a spear, the animal becomes enraged. One horseman
then rides in front, whom he pursues with earnestness and fury,
regardless of those who press on his rear, notwithstanding the
wounds they inflict on him. He is seldom drawn from this first object
of his pursuit; and, at last, wearied and transfixed with spears, his
blood deluging the ground, he breathes his last under the knife of
some more venturesome hunter than the rest, who buries his dagger
in the vulnerable part near the abdomen: for this purpose he will
creep between the animal’s hinder legs, and apparently expose
himself to the greatest danger: when this cannot be accomplished,
one or two will ham-string him, while he is baited in the front; and this
giant of quadrupeds then becomes comparatively an easy prey to his
persecutors.
Jan. 12.—Karouash came to us this evening, with his dark Arab
eyes, sparkling with somewhat more than vivacity; and it was not
long before we found out the cause. The people of Gulphi, who
inhabited a town close to the banks of the Shary, had no other
means of raising their grain (the land surrounding their walls being all
tributary to the sheikh) than by planting it on the south bank of that
river; reaping in the season, and carrying the produce to their city by
means of their flat-bottomed boats. They had, of late, been so little
interrupted in their agricultural pursuits, by the boats of the
neighbouring towns, that a village of huts had sprung up on this
portion of land; and labourers, to the number of three or four
hundred, resided there constantly. The hostile movements of the
Begharmis had, however, made the sheikh’s people more on the
alert than formerly; and passing over the river in their own boats,
accompanied by several deserters from Gulphi, who, traitor-like,
consented to bear arms against the land that gave them birth, and
lead its enemies to the pillage of their brethren, the people of
Maffatai and Kussery had, a few nights before, made an attack on
this village, putting to death all the males, even while they slept; and,
as usual, dragging the women and children to their boats, returned to
their homes without the loss of a man, after setting fire to all the huts,
and more than four hundred stacks of wheat and gussub. The effects
produced by this midnight expedition, and which was celebrated by
singings and rejoicings throughout Kouka, were indeed of a nature
favourable to my prospects, notwithstanding the shock humanity
received from the cause. The Begharmis, who had occupied the
southern banks of the Shary for months, obliging even the Loggun
people to supply them with provisions, took such alarm at this attack
of the sheikh’s people, that they struck their camp, and retired
immediately on the news reaching them; and the Loggun nation as
quickly sent off to the sheikh a deputation, with sixty slaves, and
three hundred bullocks, congratulating him on the event.
I determined on making immediate application for permission to
visit this country; so full of interest, both from its situation, and the
waters by which it was reported to be bounded. No time was to be
lost, for the return of the enemy might be as sudden as his flight; and
again I might have my intentions frustrated. I had been eleven
months endeavouring to visit this country—but to climb steep hills
requires a slow pace at first.
Jan. 18.—The sheikh, who had never, on any one occasion,
neglected making every possible arrangement for carrying my
wishes into execution, had not only instantly complied with my
request to seize this opportunity of visiting Loggun, but sent this
morning Karouash to advise with me as to my proceedings, and to
recommend my going without loss of time. “Bellal shall go with you,”
said he; “who has been in my confidence for seventeen years, and to
whom I could trust my own life, or that of my children, who are even
dearer to me than life itself.”
But in the morning we found a brown horse, which had carried Mr.
Toole from Tripoli, dead within our inclosure: both this and a black
one, which his Arab had been mounted on by the bashaw, had
scarcely eaten any thing since their arrival here. Our departure was
therefore put off for this day. Troubles, however, never come alone.
In the evening the camels I intended to take with me were missing;
and although the people were out looking for them until midnight, we
had no tidings. In the night I was called up, as Mr. Toole’s other
horse was dying: no blood could be got from him; and after
staggering about, in a way resembling intoxication, he died before
daylight.
Jan. 22.—Karouash, Ben Taleb, and even the sheikh, now
exclaiming against our going out, “Wonderful! Wonderful!” said they,
“it is written you are not to go.” The delay perplexed me, although to
go, and quickly, I was determined; the time was precious, for I did
not wish the news of my intentions to precede me. Towards night my
camels were found; and the sheikh, hearing that we had been
inquiring for a horse to purchase, sent a very smart black galloway to
Mr. Toole as a present. We had now seen die on our hands, in the
space of nine months, thirty-three camels, six horses, and one mule.
 On the 23d I intended being off by daylight; but it was the
afternoon before I could accomplish my wish. The sheikh had given
me Bellal: “He will obey your orders in every thing,” said he; “but you
are going amongst people with whom I have but little influence.”
Bellal, who was one of the handsomest negroes I almost ever saw,
and a superior person, was attended by six of his slaves, two of
whom were mounted; these, with ourselves and two camels, formed
our party. While I was waiting to take leave of the sheikh, a note was
brought me from Dr. Oudney, by a Bornouese from Katagum: it had
no date, and was indeed his last effort. The acknowledgment of
being weak and helpless assured me that he was really so; for
during the whole of his long sufferings a complaint had scarcely ever
escaped his lips. On the sheikh’s saying to him, when he first
expressed his wish to accompany the kafila, “Surely your health is
not such as to risk such a journey?” he merely replied, “Why, if I stay
here, I shall die, and probably sooner, as travelling always improves
my health.”
His letter, though short, expresses great satisfaction at the
treatment he had met with on his journey, and also from the
inhabitants of the country.
 FOOTNOTES:

[34]The most beautiful Jewess in Tripoli is called Mesrouda-

eyum el Oubara (Mesrouda, with the eye of the Oubara).
[35]The anniversary of Abraham’s offering up Isaac, or the
meeting of Pilgrims at Mecca.
[36]Strips of cotton, so many fathoms of which go to a dollar.
[37]Abyssinian hornbill.
[38]In Tripoli, the father or mother is generally the executioner,
to avenge the sin, and at the same time wipe the stain from the
family, and prevent public execution.
[39]Marry her.
[40]The horn of one of these animals measured two feet, six
inches, and three-quarters, in circumference.
[41]On these occasions the sheikh merely moves his finger,
which is the signal for immediate execution.
 [42]Black Mameluke.
[43]A religious mendicant: the name is nearly the Arabic for
poverty.
[44]Soon after this, I made an offer to two Arabs, both of whom
had formerly been at Waday, that I would give them each two
hundred dollars, if they would accompany me: this is a sum for
which an Arab will almost do any thing; but they refused, saying
“No! no! what is money without life? the Waday people will kill us
all.”
[45]Governor of the palace.
[46]A town near Mesurata.
 CHAPTER VI.
EXCURSION TO LOGGUN, AND DEATH OF MR. TOOLE.

Jan. 1824.—We passed the night of the 24th at Angornou, and

proceeded, without leaving the lake at any great distance, for two
days, when we arrived at Angala, one of the ancient governments
subject to Bornou. The present sultan was the first friend and
supporter of El Kanemy; and, twenty-five years ago, when he was
only a merchant, betrothed to him his daughter Miram in marriage,
with a large dower in slaves and cattle. The sultan, a most
benevolent-looking old black, received us with great kindness and
hospitality; and as soon as we were lodged in the house of the
delatoo (prime minister), bowls of milk, rice, flour, and honey, were
brought to us; an abundance of eatables were also sent in the
evening, and the next morning a very fine live sheep.
Miram (princess in the Bornou language), now the divorced wife
of the sheikh El Kanemy, was residing at Angala, and I requested
permission to visit her. Her father had built for her a very fine house,
in which she constantly resided: her establishment exceeded sixty
persons. She was a very handsome, beautifully formed negress, of
about thirty-five, and had imbibed much of that softness of manner
which is so extremely prepossessing in the sheikh. Seated on an
earthen throne, covered with a turkey carpet, and surrounded by
twenty of her favourite slaves, all dressed alike, in fine white shirts,
which reached to their feet, their necks, ears, and noses thickly
ornamented with coral; she held her audience with very considerable
grace, while four eunuchs guarded the entrance; and a negro dwarf,
who measured three feet all but an inch, the keeper of her keys, sat
before her with the insignia of office on his shoulder, and richly
dressed in Soudan tobes. This little person afforded us a subject of
conversation, and much laughter. Miram inquired whether we had
such little fellows in my country, and when I answered in the
affirmative, she said, “Ah gieb! what are they good for? do they ever
have children?” I answered “Yes; that we had instances of their
being fathers to tall and proper men.” “Oh, wonderful!” she replied: “I
thought so; they must be better then than this dog of mine; for I have
given him eight of my handsomest and youngest slaves, but it is all
to no purpose. I would give a hundred bullocks, and twenty slaves, to
the woman who would bear this wretch a child.” The wretch, and an
ugly wretch he was, shook his large head, grinned, and slobbered
copiously from his extensive mouth, at this flattering proof of his
mistress’s partiality.
We left Angala the following day, to the great distress of our host,
the delatoo, who would have feasted us for a week. A child had been
borne by one of his wives, just about the time Dr. Oudney had
passed through on his visit to Showy; which, in return for his
prescriptions, the delatoo had named Tibeeb, the Doctor’s travelling
name. Indeed, there was a liberality of feeling and toleration about
our host deserving most honourable mention; and when, on my
return from Loggun, worn out by fatigue and anxiety, I really required
nursing, he introduced his sister, a female of most matronly
deportment, who superintended the process of shampooing, which
was performed by one of her best looking and most accomplished
handmaids. On my expressing my thanks to the delatoo for these
unlooked-for attentions, he replied, “It grieved us all to see so great a
man as yourself, so far from home, a stranger and without women;
when in your own country, ‘gray hairs to you!’ you have, at least, a
hundred, I dare say!”
On the 23d we reached Showy, on the banks of the river Shary:
the magnitude of the stream drew from us both an involuntary
exclamation of surprise; it appeared to be full half a mile in width,
running at the rate of two to three[47] miles an hour, in the direction
nearly of north. In the centre of the river is a beautiful island, nearly a
mile in length, in front of the town. Showy forms part of the district of
Maffatai, and is governed by a kaid: and this person, who treated us
with great attention, proposed that we should proceed down the
stream to the Tchad, according to the sheikh’s directions.
On the 2d of February we embarked, accompanied by the kaid
and eight canoes, carrying ten and eleven men each: ploughing the
stream with their paddles, for nearly eight hours, they brought us, by
sunset, to a spot called Joggabah (or island, in the Mekkari
language), about thirty-five miles from Showy. The river, full as it is of
water at this season, had a highly interesting appearance: one noble
reach succeeded another, alternately varying their courses by
handsome sweeps, some of them three and four miles in length; the
banks were thickly scattered with trees rich in foliage, and all hung
over with creeping plants, bearing various coloured and aromatic
blossoms, amongst which the purple convolvolus flourished in great
beauty: several crocodiles, from eight to fifteen feet in length, were
slumbering on the banks, which, on our near approach, rolled into
the stream, and disappeared in an instant. The natives appeared to
fear them but little in shallow water, but dived in with great boldness
after the ducks we shot, and a large iguana that we struck while
sleeping on a tamarind tree, and which fell headlong into the river.
Joggabah is a beautiful feature in the scenery, as well as a
prominent one; and is seen for nearly six miles in proceeding down a
very wide, handsome reach, which we called Belle-vue Reach. The
river is here quite as wide as at Showy, which, with this exception, I
take to be the widest part.
Drawn by Captn. Clapperton. Engraved by E. Finden.

FISHING BOATS ON THE SHARY.

Published Feb. 1826, by John Murray, London.

This island is high ground, with steep and nearly perpendicular

banks, and a depth of ten feet water close to the edge: the canoes
moor up to the shore; the stream runs strong and clear; and the
landing is on a fine dry sandy beach: it extends to the Tchad north, a
distance of twelve or fifteen miles, and has two handsome streams
bounding it, which run north-east and north-west, and by which the
Shary takes its way into that immense lake. It abounds with game:
and we had fish in abundance, venison, the flesh of a buffalo, and
wild ducks, for supper, all roasted on wooden spits.
 We pitched our tent on the jutting head, where, a few years ago,
stood a negro town: the inhabitants, however, were refractory,
committed piracies on the Showy people, and in consequence the
sheikh determined on exterminating them. They were in league with
the Biddoomah, who were now kept to their own islands. Joggabah
we found uninhabited, and covered with jungle and prickly
underwood, in that part where we passed the night: we saw thirty
porcupines, and killed a centipede and two scorpions under our
mats. We had two canoes rowing guard the whole night on account
of the Biddoomah. By daylight we re-embarked, and proceeded by
the north-west branch for more than two hours, keeping nearly the
same direction: we passed several marshy floating islands, covered
with rushes, high grass, and papyrus, apparently dividing the water
into different streams, when we found ourselves in that sea of fresh
water, the Tchad, which we named Lake Waterloo, and into which
the Shary empties itself. It was my intention to have proceeded quite
round the island to the east, and to have returned by the other
branch; but after making about two miles in the open lake, a heavy
swell from the north-east caused so much water to come into the
canoes, and so much labour to the men, that we gave up that idea.
After our return to the south side of the island we followed the north-
east branch, and found it vary but little in appearance. During our
passage, by keeping the deepest water, and avoiding the convexities
of the stream, we, at this season, met with no impediments; and had
nowhere less than three feet water. We passed many small islands,
all of which, near the mouth, were destitute of trees, but covered with
reeds (among which was the papyrus), bamboos, and very tall
grasses: the quantity of water-fowl was immense, of great variety,
and beautiful plumage. The nearest Biddoomah island is said to be
three days voyage on the open lake, from the mouth of the river, in a
north-east direction, say ninety miles, during two of which these
canoes lose sight of land: with an excellent telescope I could discern
nothing but the waste of waters to the north or east. The Biddoomah
are a wild and independent people, who carry on a piratical war with
all their neighbours: they send out fleets of sixty or one hundred
canoes; and they are reported as terrible kaffirs.
 We now commenced our return, and a laborious business it was,
rowing or paddling against the stream: the paddles were only
resorted to when, now and then, a headland sheltered them from the
wind and current; and so cautious were the men of Showy, that it
was near midnight before we landed on a spot named Buffalo Bank.
We had endured two days of burning heat and exposure to the sun,
and a night of watchfulness and torture from the insects; added to
this, we had lived entirely on Indian corn, boiled in the canoes during
the day: we were also constantly ankle deep in water, from the
leaking of the canoes. The banks were here, for some miles inland,
thickly clothed with handsome trees encompassed by creeping
shrubs in full blossom, while large antelopes and buffaloes were
starting from the thickets where they had fixed their lairs. We
disturbed a flock of several buffaloes on our making the shore; and
hippopotami came so close to us as to be struck by the paddles:
here, and at the confluence of the two branches, we found the
greatest depth of water. The most desirable route for us now to have
pursued would have been to have gone from hence to Loggun by
water, but Gulphi lay in our way, and it was impossible. To follow the
direction of the river, therefore, as nearly as we could, by moving in a
line parallel to its banks, became our next anxiety.
Previously, however, we again embarked, and visited a spot
called Dugheia, within a day’s journey of Gulphi, higher up the
stream. Dugheia is a ford and a ferry, where the sheikh, with all his
people, pass the stream on their expeditions against the Begharmis:
the ford is in a slanting direction, and between two sinuosities. When
the river is at its greatest height, the water reaches up to the neck; it
was now not above the arm-pits of a good sized man. The infantry,
placing their spears and bags of corn on their heads, in their shields,
cross with ease: the cavalry are moved over in canoes, and the
horses swam at the sterns. The appearance of the river is similar
both above and below Showy: excepting that above there are more
picturesque islands; on one of which we passed the night, and
named it Red Heron Isle, as my poor friend shot there a bird of that
species.
 On the 8th of February we returned to Showy, and the day
following pursued our route by Willighi and Affadai. Willighi is a
walled town of considerable strength; indeed the Begharmis always
pass it by on their predatory excursions. The walls are nearly fifty
feet high, with watch-towers erected on the salient angles, where
there are constant sentinels. The sultan also lives in a sort of citadel
with double walls, and three heavy gates in each wall, strongly
bound with iron. Borgomanda, the reigning sultan of Begharmi, and
Cheromah (which means heir-apparent), send annual presents to
Mai Dundelmah, the sultan of Willighi; but he is a hadgi, and holds
the sheikh of Bornou in too high estimation to forsake his fortunes.
Before arriving at Willighi, which is only a day’s journey from Gulphi,
we recrossed the Gurdya, a considerable stream running from the
Shary into the great lake.
Feb. 10.—We left Willighi, after presenting the sultan with two
knives, two pairs of scissors, a turban, and a red cap, and in about
two hours arrived at another ford of the water Maffatai. These fords
are known by the natives of the neighbouring towns only, who are
always hired as guides. The water was up to the body of the horse;
and a weak camel, by encountering the load of another, was thrown
off the causeway into twelve or fourteen feet of water. We crossed,
this day, three deep marshes, besides the river, which, the Willighi
guide informed us, extended to the river, at one of which we were
detained nearly an hour before we could venture a passage: the
water reached to our saddles. After the rainy season, canoes come
from Showy to the neighbourhood of Willighi, for a wood which is
here abundant, called by the natives kagam, and another called
korna, with which they build their canoes, and make their paddles.
The fruit, also, of a species of locust tree, which the natives call
kadellaboo, is here gathered. We rested under the shade of a
beautiful large tree of this description, bearing a flower of a deep
crimson colour; a yellow jessamine, with a delicious odour, was
creeping around it, while other delicate aromatic plants grew in wild
profusion. Nevertheless, the paths through these woods, though
literally strewed with flowers, were nearly impassable from the
overhanging branches of thorny shrubs, which not only tore our
shirts and cloaks, but were sufficiently strong to drag the loads from
the backs of the camels: we were nearly twelve hours in making
twenty-two miles. When we arrived at the town of Affadai, our people
were too tired to cook the rice we had with us, and the kadi merely
sent us flour and water paste, and leban (sour milk): at the same
time promising to kill a sheep the next day, if we would stay. We,
however, departed early on the following morning, and came,
towards evening, to a place called Kala, a wretched nest of huts,
although surrounded by a wall, and having strong gates.
On the 12th we moved on, and, after crossing a long and deep
marsh, we halted, about noon, for an hour or two, at a town called
Alph, which stood on a foundation of earth artificially raised in the
midst of a swamp extending for miles in every direction. We shot
several cranes; one of a beautiful white, with a yellow beak, and dark
hazel eyes, with a yellow rim. We now began to approach Kussery,
and again came to the banks of the river Shary, leaving Gulphi to the
eastward. This route is but seldom traversed: it is a continued
succession of marshes, swamps, and stagnant waters, abounding
with useless and rank vegetation: flies, bees, and mosquitos, with
immense black toads, vie with each other in a display of their peace-
destroying powers.
I had, with grief, for several days, observed in my companion
symptoms which gave me great uneasiness: his stomach constantly
refused our coarse food of fish and paste; but as he complained but
little, I hoped a day or two at Kussery would restore his wonted good
health and spirits. Kussery, however, unfortunately, was the last
place one should have chosen for rest and tranquillity: during several
hours in the day, the inhabitants themselves dare not move out, on
account of the flies and bees. The formation of the houses, which
are literally one cell within another, five or six in number, excited my
surprise; which was not a little increased when I found that they were
built expressly as a retreat from the attacks of these insects. Still I
was incredulous, until one of our people, who had carelessly gone
out, returned with his eyes and head in such a state, that he was
extremely ill for three days. Kussery is a strong walled town,
governed by an independent sultan, named Zarmawha, who has
twice been in rebellion against the sheikh. Bellal was obliged to take
off his red cap and turban, and enter the presence with his head and
feet bare—a ceremony which had previously been dispensed with on
our journey. The sultan merely peeped at us through a lattice-work of
bamboo, but inquired particularly, why I turned my face towards him
as I sat. I, of course, replied, that turning my back would be, in my
country, a gross affront; at which he laughed heartily. We had a
separate letter to this prince from the sheikh: he seemed, however,
to pay but little respect to it, or the bearer, Bellal, while to me he was
most attentive. We had ten dishes of fish and paste, which regaled
our attendants sumptuously; and one of his own household took up
his residence at our huts. The fish was stale, and offensive to more
senses than one, which the natives rather prefer, as we do game
that has hung some time. The sultan’s officer, however, seeing that I
could not touch these Kussery delicacies, quickly brought me a mess
made of fresh fish, which, though a little oily, was not unpalatable,
with a large bowl of leban. Salt is here scarcely known, and therefore
not eaten with any of their meals: out of the small stock I had
brought, the townspeople were always begging little lumps, which
they put into their mouths, and sucked with as much satisfaction as if
it had been barley sugar.
I gave the sultan, in the morning, a parcel of beads, two pairs of
scissors, a knife, two turkadees, and a turban; on which he said “we
were a great people, a race of sultans, and would bring good fortune
to his dominions!” I must not omit to mention a visit which I received
from the sultan’s sister. She had been some time divorced from her
husband, who had gone over to the Begharmis. The officer in
attendance on us announced her with great secrecy, about ten
o’clock at night. For the only light in our hut we were indebted to the
pale moonbeams which shone through the door-way, as we had
neither candles nor lamp; and I had been some time fast asleep
when she arrived. Her attendants, three in number, waited for her at
the entrance, while she advanced and sat herself down beside my
mat: she talked away at a great rate, in a sort of whisper, often
pointing to my sick friend, who was at the further end of the hut; and
did not appear at all to wish for any reply. After remaining nearly half
an hour, and feeling and rubbing repeatedly my hands, face, and
head, which she uncovered by taking off my cap and turban, she
took her leave, apparently much gratified by her visit.
Drawn by Major Denham. Engraved by E. Finden.

THE RIVER SHARY, FROM THE WALLS OF KUSSERY.

Published by John Murray, London. Feb. 1826.

The river here is a wide, handsome stream, and the walls extend
quite to the banks, and have two water-gates; the character is the
same as nearer its embouchure. I passed one of these water-gates
at sunset, and was much struck by the beauty of the landscape, with
the fishing canoes just returning towards Loggun: the stream sweeps
off to the south-south-west, and then to the south. Loggun was said
to be thirty miles distant by the river. Here my poor friend declared it
impossible to remain, and we moved on towards Loggun the next
morning. We could advance, however, but a few miles. Mr. Toole’s
sufferings were most acute; he twice fainted, and we lifted him on
and off his horse like an infant, so helpless had he become. What
added also to our distress was, that from this time until the evening
of the 16th, the Shouaa Arabs, who occupy the frontier of the
Loggun country, refused to allow us to pass until the sultan had been
consulted, and a number of his questions answered as to the
purpose of our visit. We were now close to the river, and
notwithstanding the heat, the only means we had of defending either
ourselves or our animals from the torture of the millions of insects
that beset us, was by lighting fires at the entrance of our tent, and
constantly supplying them with weeds and wet straw: the thick
suffocating smoke arising from this description of fire afforded us
temporary relief. I rode down to the river, which here flows with great
beauty and majesty past the high walls of this capital of Loggun; it
comes direct from the south-west, with a rapid current. We entered
the town by the western gate, which leads to the principal street: it is
as wide as Pall Mall, and has large dwellings on each side, built with
great uniformity, each having a court-yard in front, surrounded by
walls, and a handsome entrance, with a strong door hasped with
iron: a number of the inhabitants were seated at their doors for the
purpose of seeing us enter, with their slaves ranged behind them. At
first they took but little notice of us: indeed, our appearance could not
have been very imposing: one of our party was laid on a camel, and
another supported on his horse by two persons, who walked on each
side of him, while he raved most incoherently from the violence of
the fever by which he was consuming. At length, however, a person
of apparent consequence advanced towards my horse, bending
nearly double, and joining his hands (the first salutation of the kind
that I had seen), followed by his slaves stooping still lower than
himself. After explaining that he was deputed by the sultan to
welcome kab n’jaffy (the white man), and repeating frequently that
he was kaffama (my friend), he preceded our party; and, as we
moved on, each assembly that we passed rose from the ground,
advanced towards us, and saluted us in the same manner as I have
already described. We were at length conducted to our habitation,
which consisted of four separate huts, well built, within an outer wall,
with a large entrance hall for our servants: in the most retired and
quiet spot I spread the mat and pillow of my patient, who was in a
sad state of exhaustion and irritation.
 The next morning I was sent for to appear before the sultan: ten
immense negroes, of high birth, most of them gray-bearded, bare-
headed, and carrying large clubs, preceded me through the streets,
and I was received with considerable ceremony. After passing
through several dark rooms, I was conducted to a large square court,
where some hundred persons were assembled, and all seated on
the ground: in the middle was a vacant space, to which they led me,
and I was desired to sit down also. Two slaves, in striped cotton
tobes, who were fanning the air through a lattice-work of cane,
pointed out the retirement of the sultan. On a signal, this shade was
removed, and something alive was discovered on a carpet, wrapped
up in silk tobes, with the head enveloped in shawls, and nothing but
the eyes visible: the whole court prostrated themselves, and poured
sand on their heads, while eight frumfrums and as many horns blew
a loud and very harsh-sounding salute.
My present, a red bornouse, a striped cotton caftan, a turban, two
knives, two pairs of scissors, and a pair of red trowsers, was laid
before him: he again whispered a welcome, for it is considered so
extremely ill-bred in a Loggun gentleman to speak out, that it is with
difficulty you can catch the sound of their voices.
He examined me very minutely, when the shade was again
drawn. I begged for permission to embark on the Shary, and was told
he would consider of it. He particularly inquired if I wished to
purchase b’lowy, or handsome female slaves, which I assured him I
did not; “because,” said he, “if you do, go no farther: I have some
hundreds, and will sell them to you as cheap as any one.”
Loggun, the capital of which country (Kernuk) is on the banks of
the Shary, and in 11° 7′ north latitude, is a very populous country.
Kernuk has fifteen thousand inhabitants at least. They speak a
language nearly Begharmi. The Shouaas are all round them, and to
them they are indebted for the plentiful supply of bullocks, milk, and
fat, with which the market abounds: these necessaries are paid for
by tobes, and blue cotton in stripes, which the Loggun people make
and dye of a very beautiful colour. They have, also, a metal currency
in Loggun, the first I had seen in Negroland: it consists of thin plates
of iron, something in the shape of the tip with which they shoe race-