Read Anytime Anywhere Easy Ebook Downloads at ebookmeta.

com

Analysis Verification and Transformation for

Declarative Programming and Intelligent Systems
Essays Dedicated to Manuel Hermenegildo on the
Occasion of His 60th Birthday Pedro Lopez-Garcia
https://ebookmeta.com/product/analysis-verification-and-
transformation-for-declarative-programming-and-intelligent-
systems-essays-dedicated-to-manuel-hermenegildo-on-the-
occasion-of-his-60th-birthday-pedro-lopez-garcia/

OR CLICK HERE

DOWLOAD EBOOK

Visit and Get More Ebook Downloads Instantly at https://ebookmeta.com

 Recommended digital products (PDF, EPUB, MOBI) that
you can download immediately if you are interested.

Analysis Verification and Transformation for Declarative

Programming and Intelligent Systems Essays Dedicated to
Manuel Hermenegildo on the Occasion of His 60th Birthday
Pedro Lopez Garcia John P Gallagher Roberto Giacobazzi Eds
https://ebookmeta.com/product/analysis-verification-and-
transformation-for-declarative-programming-and-intelligent-systems-
essays-dedicated-to-manuel-hermenegildo-on-the-occasion-of-his-60th-
birthday-pedro-lopez-garcia-john-p-gall/
ebookmeta.com

Model Checking Synthesis and Learning Essays Dedicated to

Bengt Jonsson on The Occasion of His 60th Birthday 1st
Edition Ernst-Rüdiger Olderog
https://ebookmeta.com/product/model-checking-synthesis-and-learning-
essays-dedicated-to-bengt-jonsson-on-the-occasion-of-his-60th-
birthday-1st-edition-ernst-rudiger-olderog/
ebookmeta.com

Model Checking Synthesis and Learning Essays Dedicated to

Bengt Jonsson on The Occasion of His 60th Birthday 1st
Edition Ernst Rüdiger Olderog Bernhard Steffen Wang Yi
https://ebookmeta.com/product/model-checking-synthesis-and-learning-
essays-dedicated-to-bengt-jonsson-on-the-occasion-of-his-60th-
birthday-1st-edition-ernst-rudiger-olderog-bernhard-steffen-wang-yi/
ebookmeta.com

Practical Guide to Vegetable Oil Processing 2nd Edition

Monoj K. Gupta

https://ebookmeta.com/product/practical-guide-to-vegetable-oil-
processing-2nd-edition-monoj-k-gupta/

ebookmeta.com
Spacecraft 1st Edition Timothy Morton

https://ebookmeta.com/product/spacecraft-1st-edition-timothy-morton/

ebookmeta.com

Baby Don t Go Beach Babies 1st Edition M.K. Moore & Flirt
Club

https://ebookmeta.com/product/baby-don-t-go-beach-babies-1st-edition-
m-k-moore-flirt-club/

ebookmeta.com

Colonizing Kashmir State building under Indian Occupation

1st Edition Hafsa Kanjwal

https://ebookmeta.com/product/colonizing-kashmir-state-building-under-
indian-occupation-1st-edition-hafsa-kanjwal/

ebookmeta.com

Connecting Discrete Mathematics and Computer Science

solution manual 2nd Edition David Liben-Nowell

https://ebookmeta.com/product/connecting-discrete-mathematics-and-
computer-science-solution-manual-2nd-edition-david-liben-nowell/

ebookmeta.com

Forbidden French 1st Edition R S Grey

https://ebookmeta.com/product/forbidden-french-1st-edition-r-s-grey/

ebookmeta.com
The Law and Politics of Unconstitutional Constitutional
Amendments in Asia 1st Edition Rehan Abeyratne (Editor)

https://ebookmeta.com/product/the-law-and-politics-of-
unconstitutional-constitutional-amendments-in-asia-1st-edition-rehan-
abeyratne-editor/
ebookmeta.com
 Pedro Lopez-Garcia
John P. Gallagher
Roberto Giacobazzi (Eds.)
Festschrift
LNCS 13160

Analysis, Verification and Transformation

for Declarative Programming
and Intelligent Systems
Essays Dedicated to Manuel Hermenegildo
on the Occasion of His 60th Birthday
Lecture Notes in Computer Science 13160
Founding Editors
Gerhard Goos
Juris Hartmanis

Editorial Board Members

Elisa Bertino, Purdue University, West Lafayette, IN, USA
Wen Gao, Peking University, Beijing, China
Bernhard Steffen , TU Dortmund University, Dortmund, Germany
Moti Yung , Columbia University, New York, NY, USA
The series Lecture Notes in Computer Science (LNCS), including its subseries Lecture
Notes in Artificial Intelligence (LNAI) and Lecture Notes in Bioinformatics (LNBI),
has established itself as a medium for the publication of new developments in computer
science and information technology research, teaching, and education.
LNCS enjoys close cooperation with the computer science R & D community, the
series counts many renowned academics among its volume editors and paper authors, and
collaborates with prestigious societies. Its mission is to serve this international commu-
nity by providing an invaluable service, mainly focused on the publication of conference
and workshop proceedings and postproceedings. LNCS commenced publication in 1973.
Pedro Lopez-Garcia · John P. Gallagher ·
Roberto Giacobazzi
Editors

Analysis, Verification and Transformation

for Declarative Programming
and Intelligent Systems
Essays Dedicated to Manuel Hermenegildo
on the Occasion of His 60th Birthday
Editors
Pedro Lopez-Garcia John P. Gallagher
IMDEA Software Institute Roskilde University
Pozuelo de Alarcón, Madrid, Spain Roskilde, Denmark

Roberto Giacobazzi
Università di Verona
Verona, Italy

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-031-31475-9 ISBN 978-3-031-31476-6 (eBook)
https://doi.org/10.1007/978-3-031-31476-6

© Springer Nature Switzerland AG 2023

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors
or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
 Preface

This volume is published in honour of Manuel Hermenegildo, on the occasion of his

60th birthday. Throughout his career, Manuel has been at the forefront of the fields of
logic programming, constraint programming, parallel programming, program analysis,
program transformation, and programming environment design. Many of these areas are
reflected in the papers in this Festschrift and in the presentations made at the AVERTIS
symposium, held in Madrid on November 29, 2019, and at the MH60 workshop, held
in Porto on October 8, 2019.
Manuel grew up in Madrid and received a degree in Electrical Engineering from
the Universidad Politécnica de Madrid (UPM). He moved to the University of Texas at
Austin (UT Austin) and obtained a masters in Electrical and Computer Engineering, fol-
lowed by a Ph.D. from the same university. He established himself early as a researcher
who was comfortable at all levels of the computing stack, from electronics and com-
puter architecture to very high-level programming languages and their semantics. He
undertook his Ph.D. at UT Austin while also at the Microelectronics and Computer
Technology Corporation (MCC), a joint industry/academy research centre established
in response to the Japanese 5th Generation project. Declarative programming and paral-
lel computing were major topics at MCC, and Manuel combined them in his own work
on AND-parallel execution of logic programs. After three more years at MCC, he spent
three more years in Texas, both as a researcher at MCC and as (adjunct) assistant and
later associate professor at UT Austin. Following this, he returned to Spain in 1990 to
take up a faculty position at UPM, where he founded the CLIP (Computational Logic,
Implementation, and Parallelism) research group and where he became full professor in
1994.
During the years following his Ph.D., he explored models for the parallel and concur-
rent execution of more expressive variants of logic programming languages including,
for example, constraints. At the same time, and motivated by the need to detect oppor-
tunities for parallelism at compile time, instead of through expensive run-time tests,
his interests widened to include the static analysis of (constraint) logic programs. He
devised a generic algorithm for the abstract interpretation of logic programs, into which
different abstract domains could be plugged. This seminal work was very influential
in other researchers’ efforts to perform static analysis of logic programs, and became
the core of the advanced programming environment developed at the CLIP group, the
Ciao logic programming system, which uses program analysis and transformation as the
core techniques to optimise, debug, and verify programs. Always an engineer at heart,
Manuel continuously and actively participated in the design and implementation of the
Ciao logic programming system, including its analysis and transformation tools and its
programming environment.
Manuel has always been a strong advocate of logic programming, arguing that its
declarative semantics, coupled with flexible procedural semantics, offered the best frame-
work for realising the vision of an advanced development environment. Expressiveness,
viii Preface

efficiency, and usefulness in real-world tasks were (and are) the driving forces behind his
research. He was an active member of the Association for Logic Programming (ALP)
and was first elected to the ALP executive committee in 1993 and later as ALP President,
from 2005 to 2009. To this day, he continues to be involved with the ALP as Secretary
and Director.
He has also been a member of the editorial boards of different journals as well as
program chair of many conferences and workshops on implementation, analysis, and
verification of logic programming, such as ICLP, LOPSTR, FLOPS, PADL, and PPDP –
always focussing on ensuring the quality of the scholarly works presented at these venues.
Apart from logic programming events, he has been involved in leading conferences
on programming languages, analysis, and verification more generally, including being
program chair of SAS and VMCAI and general chair of POPL.
As a relatively young science, computing has sometimes struggled to obtain public
research funding in competition with the established disciplines. Manuel has worked
tirelessly to raise the profile of computer science in Spain, taking on the job of Director
of the Spanish National Research Directorate for two years in 2000, while somehow
maintaining his research activities. As an extension to his national activities, Manuel
was deeply involved in representing Spain in European Union funding programs.
In 2003 Manuel returned partly to the USA to take on the Prince of Asturias Chair
in Information Science and Technology at the University of New Mexico, where he
extended his research activities and group, all of which gave rise to many collabora-
tions and results, including three Ph.D. theses, in addition to laying new avenues for
collaboration between Spain and the USA.
In the early 2000s, the Madrid regional government began to plan a network of
research institutes of the highest international stature. Manuel’s research achievements
and his experience in research policy was vital in ensuring that Computer Science was
adequately represented in these plans. In 2007, he was appointed as the Founding Sci-
entific Director of the IMDEA Software Institute, a position he held for 10 years, during
which the Institute was established and grew to be the world-class research institution
it is now.
Manuel has been given many awards, including the National “Aritmel” Prize for
Scientific Merit in Computer Science, 2005, and the National “Julio Rey Pastor” Prize
for Research in Mathematics and Information and Communication, 2006. He has been
appointed to many other positions of high responsibility, clearly showing the trust he has
within the research community: Elected member of the Academia Europæa; President of
the Scientific Advisory Board of Inria; President of the Association for Logic Program-
ming; and Member of the Scientific Advisory Board of the Schloß Dagstuhl International
Center. In 2022 he was elected a Fellow of the ACM for contributions to program analysis,
verification, parallelism, logic programming, and the IMDEA Software Institute.
Throughout his scientific career, Manuel has had hundreds of research collabora-
tors. All of them know his amazing capacity for detailed work, thoroughness, and expert
contributions at all the stages of a piece of work, from its inception to the final prod-
uct. Manuel has in abundance all the skills needed for successful collaboration: exten-
sive knowledge, innovative ideas, interpersonal skills, a positive attitude, capacity for
encouragement, a sense of humour, and the ability to turn a potential conflict into a
 Preface ix

constructive discussion. In short, working with him is a pleasure and a source of inspira-
tion. Those who perhaps know this best are his 15 Ph.D. students: Kalyan Muthukumar,
Yow-Yan Lin, María García de la Banda, Francisco Bueno, Germán Puebla, Pedro López-
García, Manuel Carro, Daniel Cabeza, Jorge Navas, Amadeo Casas, Mario Méndez, José
Francisco Morales, Pablo Chico de Guzmán, Nataliia Stulova, and Isabel García.
To Manuel Hermenegildo, the scholar, teacher, engineer, manager, administrator,
leader, and friend, with deep admiration, gratitude, and affection. Happy birthday!

July 2022 Pedro Lopez-Garcia

John Gallagher
Roberto Giacobazzi
 Organization

Editors

Pedro López-García IMDEA Software Institute and Spanish Council

for Scientific Research, Spain
John P. Gallagher Roskilde University, Denmark, and IMDEA
Software Institute, Spain
Roberto Giacobazzi University of Verona, Italy
 Contents

Strategies in Conditional Narrowing Modulo SMT Plus Axioms . . . . . . . . . . . . . . 1

Luis Aguirre, Narciso Martí-Oliet, Miguel Palomino, and Isabel Pita

Optimizing Maude Programs via Program Specialization . . . . . . . . . . . . . . . . . . . . 21

María Alpuente, Demis Ballis, Santiago Escobar, Jose Meseguer,
and Julia Sapiña

Automated Synthesis of Software Contracts with KindSpec . . . . . . . . . . . . . . . . . 51

María Alpuente and Alicia Villanueva

Abstract Interpretation of Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Patrick Cousot

Applications of Muli: Solving Practical Problems with Constraint-Logic

Object-Oriented Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Jan C. Dageförde and Herbert Kuchen

Grammar Induction for Under-Resourced Languages: The Case of Ch’ol . . . . . . 113

Veronica Dahl, Gemma Bel-Enguix, Velina Tirado, and Emilio Miralles

Answer Set Programming Made Easy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Jorge Fandinno, Seemran Mishra, Javier Romero, and Torsten Schaub

The Role of Abstraction in Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

María-del-Mar Gallardo, Pedro Merino, and Laura Panizo

Justifications and a Reconstruction of Parity Game Solving Algorithms . . . . . . . 170

Ruben Lapauw, Maurice Bruynooghe, and Marc Denecker

SMT-Based Test-Case Generation and Validation for Programs

with Complex Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Ricardo Peña, Jaime Sánchez-Hernández, Miguel Garrido,
and Javier Sagredo

Layerings of Logic Programs - Layer Decomposable Semantics

and Incremental Model Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Alexandre Miguel Pinto and Luís Moniz Pereira

Modularization of Logic Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Alexandre Miguel Pinto and Luís Moniz Pereira
xiv Contents

Proof-Theoretic Foundations of Normal Logic Programs . . . . . . . . . . . . . . . . . . . . 233

Elmer Salazar and Gopal Gupta

A Discourse on Guessing and Reasoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Enric Trillas

Reversible Debugging in Logic Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Germán Vidal

Towards Systematically Engineering Autonomous Systems Using

Reinforcement Learning and Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Martin Wirsing and Lenz Belzner

Strand Spaces with Choice via a Process Algebra Semantics . . . . . . . . . . . . . . . . . 307

Fan Yang, Santiago Escobar, Catherine Meadows, Jose Meseguer,
and Sonia Santiago

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

 Strategies in Conditional Narrowing
Modulo SMT Plus Axioms

Luis Aguirre , Narciso Martı́-Oliet(B) , Miguel Palomino, and Isabel Pita

Departamento de Sistemas Informáticos y Computación, Facultad de Informática,

Universidad Complutense de Madrid, Madrid, Spain
{luisagui,narciso,miguelpt,ipandreu}@ucm.es

Abstract. This work presents a narrowing calculus that uses strategies

to solve reachability problems in order-sorted conditional rewrite theories
whose underlying equational logic is composed of some theories solvable
via a satisfiability modulo theories (SMT) solver plus some combination
of associativity, commutativity, and identity. Both the strategies and the
rewrite rules are allowed to be parameterized, i.e., they may have a set
of common constants that are given a value as part of the solution of a
problem. A proof tree based interpretation of the strategy language is
used to prove the soundness and weak completeness of the calculus.

Keywords: Narrowing · Strategies · Reachability · Rewriting logic ·

SMT · Unification

1 Introduction
Rewriting logic is a computational logic that was developed thirty years ago [11].
The semantics of rewriting logic [2] has a precise mathematical meaning, allowing
mathematical reasoning for proving properties, providing a flexible framework
for the specification of concurrent systems.
A system is specified in rewriting logic as a rewrite theory R = (Σ, E, R),
with (Σ, E) an underlying equational theory, which in this work will be order-
sorted equational logic, where terms are given as an algebraic data type, and R
is a set of rules that specify how the system can derive one term from another.
Strategies allow modular separation between the rules that specify a system
and the way that these rules are applied. In this work we will use a subset of
the Maude strategy language [5,10,20], and we will give an interpretation of its
semantics.
A reachability problem has the  form ∃x̄(t(x̄) →∗ t (x̄)), with t, t terms with
variables in x̄, or a conjunction ∃x̄ i (ti (x̄) →∗ ti (x̄)). In the general case where

Partially supported by projects TRACES (TIN2015-67522-C3-3-R), ProCode (PID

2019-108528RB-C22), and by Comunidad de Madrid as part of the program S2018/
TCS-4339 (BLOQUES-CM) co-funded by EIE Funds of the European Union.

c Springer Nature Switzerland AG 2023

P. Lopez-Garcia et al. (Eds.): Hermenegildo Festschrift 2022, LNCS 13160, pp. 1–20, 2023.
https://doi.org/10.1007/978-3-031-31476-6_1
2 L. Aguirre et al.

t(x̄) is not a ground term, a technique known as narrowing [7] that was first
proposed as a method for solving equational problems (unification), has been
extended to cover also reachability problems [15]. One of the weaknesses of nar-
rowing is the state space explosion associated to any reachability problem where
arithmetic equational theories are involved. Satisfiability modulo theories (SMT)
solvers [17] may mitigate this state space explosion.
This paper extends our previous work [1], where we developed a sound and
weakly complete, i.e., complete with respect to normalized answers, narrowing
calculus when R = (Σ, E0 ∪ B, R), with E0 a subset of the theories handled
by SMT solvers and B a set of axioms for the other algebraic data types. Here
we introduce: (i) the use of strategies to further reduce the state space, and (ii)
the support for parameters in the specifications, i.e., a subset of the variables in
them, either SMT or not, to be considered as common constants that need to be
given a value in the reachability problem. We have defined a strategy language
suitable for narrowing, given a proof tree based interpretation of the semantics
of the strategy language, and developed a completely new narrowing calculus
that includes the strategy language and the use of parameters. Under certain
requirements, the calculus is proven to be sound and weakly complete.
The work is structured as follows: Sect. 2 presents basic definitions and prop-
erties for order-sorted equational deduction and unification. Section 3 presents
rewriting modulo built-in subtheories and axioms (R/E). In Sect. 4 the concepts
of built-in subtheory, abstraction, B-extension, and rewrite theory closed under
B-extensions are introduced. Also, the relation →R,B is presented. This rela-
tion is closely related to the narrowing calculus to be developed in Sect. 7. Then
the equivalence of R/E-rewriting and R, B-rewriting, for rewrite theories closed
under B-extensions, is proved. In Sect. 5 the strategy language and its semantics
are presented; then, an interpretation of this semantics is proved. In Sect. 6 we
define the concept of parameterized reachability problem and its solution. In
Sect. 7 the narrowing calculus for reachability is introduced. Then the soundness
and weak completeness of the calculus are proved, as well as its completeness for
some rewrite theories. Section 8 shows an example of the use of the calculus. In
Sect. 9, related work, conclusions, and future lines of investigation for this work
are presented. The technical report TR-02/2021, with more definitions, expla-
nations, examples, and all the related proofs, together with the prototype with
the running example, can be found at http://maude.ucm.es/cnarrowing.

2 Preliminaries
Familiarity with term rewriting and rewriting logic [2] is assumed. Several def-
initions and results from [19] are included in this section. The technical report
TR-02/2021 holds other definitions, required in the proofs.

2.1 Running Example

Example 1. Toast cooking will be used as a running example. A toast is well-
cooked if both sides of the toast have been cooked for exactly cookTime (abbre-
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 3

Fig. 1. Running example. Toast cooking

viated to ct) seconds. No overcooking is allowed. Fresh toasts are taken from a
toast bag, and they are cooked using a frying pan that can toast up to two toasts
simultaneously, well-cooking one side of each toast in the pan. There is a bin,
where fresh toasts are put when taken from the bag. A toast in the pan can be
returned to the bin, being flipped in this process. Finally, there is a dish where
well-cooked toasts can be output. There is a limit of failTime (ft) seconds to
reach the desired final state. In this example, ct and ft will be the parameters,
i.e., they are the variables that represent the common constants of the specifi-
cation that must be given a value either by the conditions of the problem or by
its solution (Fig. 1).
A Toast (abbreviated to t) can be either a RealToast (rt), represented as
an ordered pair of natural numbers, each one with sort Integer (i), storing the
seconds that each side has already been toasted, or an EmptyToast (et) which
has a constant zt, representing the absence of Toasts; a Pan (p) is an unordered
pair of Toasts; a Kitchen (k) has a timer, represented by a natural number, and
a Pan; a Bin (b) is a multiset of Toasts; the bag and the dish are represented
by natural numbers, the number of RealToasts in each one; the System (s) has
a bag, a Bin, a Kitchen, and a dish. When a RealToast is in the pan, the side
being toasted is represented by the first integer of the ordered pair. We will use
two auxiliary functions, cook and toast (in lowercase).

2.2 Order-Sorted Equational Logic

Definition 1 (Kind completion). A poset of sorts (S, ≤) whose connected
components are the equivalence classes corresponding to the least equivalence
relation ≡≤ containing ≤ is kind complete iff for each s ∈ S its connected
component has a top sort, denoted [s], called the kind of s.

Definition 2 (Order-sorted signature). An order-sorted (OS) signature is

a tuple Σ = (S, ≤, F ) where: (1) (S, ≤) is a kind complete poset of sorts; (2)
F = {Σs1 ...sn ,s }(s1 ...sn ,s)∈S ∗ xS is an S ∗ x S-indexed family of sets of function
symbols, where for each function symbol f in Σs1 ...sn ,s there is a function symbol
f in Σ[s1 ]...[sn ],[s] ; and (3) Σ is sensible, i.e., if f is a function symbol in Σs1 ...sn ,s ,
f is also a function symbol in Σs1 ...sn ,s , and [si ] = [si ] for i = 1, . . . , n then
[s] = [s ].
When each connected component of (S, ≤) has exactly one sort, the signature
is many-sorted. When f ∈ Σ,s ,  being the empty word, we call f a constant
with type s and write f ∈ Σs instead of f ∈ Σ,s .
4 L. Aguirre et al.

Example 2. In the cooking example, omitting the implied kind for each con-
nected component of S, Σ = (S, ≤, F ) is:
S = {Integer, RealToast, EmptyToast, Toast, Pan, Kitchen, Bin, System},
≤ = {(RealToast, Toast), (EmptyToast, Toast), (Toast, Bin)},
F = {{[ , ]}i i,rt , { }t t,p , { ; }b b,b , { ; }i p,k , {cook}k i,[k] , {toast}t i,[t] ,
{ / / / }i r k i,s , {zt}et }.
The notation used in F has the following meaning: {[ , ]}i i,rt means that
[ , ] is a mix-fix function symbol such that if i1 and i2 are terms with sort
Integer then [i1 , i2 ] is a term with sort RealToast.
A function symbol f in Σs1 ...sn ,s is displayed as f : s1 . . . sn → s, its rank
declaration. An S-sorted set X = {Xs }s∈S of variables satisfies s = s ⇒ Xs ∩
Xs = ∅, and the variables in X are disjoint from all the constants in Σ. Each
variable in X has a subscript indicating its sort, i.e., xs has sort s.
The sets TΣ,s and TΣ (X )s denote, respectively, the set of Σ-terms with sort
s and the set of Σ-terms with sort s when the variables in X are considered
extra
 constantsof Σ. The notations TΣ and TΣ (X ) are used as a shortcut for
T
s∈S Σ,s and s∈S TΣ (X )s respectively. It is assumed that Σ has non-empty
sorts, i.e., TΣ,s = ∅ for all sorts s in S. We write vars(t) to denote the set of
variables in a term t in TΣ (X ). This definition is extended in the usual way to
any other structure, unless explicitly stated. If vars(A) = ∅, where A is any
structure, then A is said to be ground. A term where each variable occurs only
once is said to be linear.
Positions in a term t: when a term t is expressed in functional notation as
f (t1 , . . . , tn ), it can be pictured as a tree with root f at position  and children
ti at position i, for 1 ≤ i ≤ n. The inner positions of t are referred as lists of
nonzero natural numbers separated by dots. The set of positions of t is written
pos(t). The set of non-variable positions of t is written pos Σ (t). t|p is the subtree
of t below position p. t[u]p is the replacement in t of t|p with u. t[ ]p is a term
with hole that is equal to t except that in the position p there is a special symbol
[ ], the hole. For positions p and q, we write p ≤ q if there is a position r such
that q = p.r. Given any ordered list ū = u1 , . . . , un , we call û = {u1 , . . . , un }.
Definition 3 (Preregularity). Given an order-sorted signature Σ, for each
natural number n, for every function symbol f in Σ with arity n, and for every
tuple (s1 , . . . , sn ) in S n , let Sf,s1 ...,sn be the set containing all the sorts s that
appear in rank declarations in Σ of the form f : s1 . . . sn → s such that si ≤ si ,
for 1 ≤ i ≤ n. If whenever Sf,s1 ,...,sn is not empty it is the case that Sf,s1 ,...,sn
has a least sort, then Σ is said to be preregular.
Preregularity guarantees that every Σ-term t has a least sort, denoted ls(t),
i.e., for any rank declaration f : s1 . . . sn → s that can be applied to t it is true
that ls(t) ≤ s.
A substitution σ : X → B, where B ⊆ TΣ (X ) is a superset of the range
of σ, defined below, is a function that matches the identity function in all X
except for a finite set called its domain, dom(σ). We represent the application
of a substitution σ to a variable x in X as xσ. Substitutions are written as
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 5

n n
σ = {x1s1 →t 1 , · · ·, xsn →tn }, where dom(σ) is {xs1 , . . ., xsn } and the range of σ
1
n
is ran(σ) = i=1 vars(ti ). If ran(σ) = ∅ then σ is ground. We write σ : D → B,
where D ⊂ X is finite, to imply that dom(σ) = D. The identity substitution,
where dom(σ) = ∅, is displayed as none. A substitution σ where dom(σ) =
{x1s1 , . . . , xnsn } (n ≥ 0), xisi σ = ysi i ∈ X , for 1 ≤ i ≤ n, and ysi i = ysjj for
1 ≤ i < j ≤ n is called a renaming. The restriction σV of σ to a set of variables
V is defined as xσV = xσ if x ∈ V and xσV = x otherwise. The deletion σ\V ,
where V ⊆ X is defined as xσ\V = xσ if x ∈ dom(σ) \ V and xσ\V = x otherwise.
Substitutions are homomorphically extended to terms in TΣ (X ) and also to any
other syntactic structures. The composition of σ and σ  is denoted by σσ  , with
x(σσ  ) = (xσ)σ  (left associativity). Their closed composition, denoted by σ·σ  ,
is defined as σ·σ  = (σσ  )\ran(σ) . If σσ = σ then we say that σ is idempotent.
A context C is a λ-term of the form λx1s1 · · · xnsn .t, with t ∈ TΣ (X ) and
{xs1 , . . . , xnsn } ⊆ vars(t). A Σ-equation has the form l = r, where l ∈ TΣ (X )sl ,
1

r ∈ TΣ (X )sr , and sl ≡≤ sr . A conditional Σ-equation has the form l = r if C

with l = r a Σ-equation and C a conjunction of Σ-equations. We call a Σ-
equation l = r: regular iff vars(l) = vars(r); sort-preserving iff for each substi-
tution σ and sort s, lσ in TΣ (X )s implies rσ in TΣ (X )s and vice versa; left (or
right) linear iff l (resp. r) is linear; linear iff it is both left and right linear.
A set of equations E is said to be regular, or sort-preserving, or (left or right)
linear, if each equation in it is so.

2.3 Order-Sorted Equational Theories

Definition 4 (OS equational theory). An OS equational theory is a pair
E = (Σ, E), where Σ is an OS signature and E is a  finite set of (possibly
n
conditional) Σ-equations of the forms l = r or l = r if i=1 li = ri . All the
variables appearing in these Σ-equations are interpreted as universally quantified.

Example 3. The OS equational theory for the toast example has Σ = (S, ≤, F )
and E is the set E0 of equations for integer arithmetic (not displayed), together
with the equations:
(xb ; yb ); zb = xb ; (yb ; zb ), xb ; yb = yb ; xb , xb ; zt = xb , xt yt = yt xt
stating that Bin is a multiset of Toasts and that the position of the Toasts in
the Pan is irrelevant.

Definition 5 (Equational deduction). Given an OS equational theory E =

(Σ, E) and a Σ-equation l = r, E  l = r denotes that l = r can be deduced
from E using the rules in [12].

An OS equational theory E = (Σ, E) has an initial algebra (TΣ/E or TE ),

whose elements are the equivalence classes [t]E of ground terms in TΣ identified
by the equations in E.
We denote by TΣ/E (X ), or TE (X ), the algebra whose elements are the equiv-
alence classes of terms in TΣ (X ) identified by the equations in E.
6 L. Aguirre et al.

The deduction rules for OS equational logic specify a sound and complete
calculus, i.e., for all Σ-equations l = r, E  l = r iff l = r is a logical consequence
of E (written E  l = r) [12]; then we write l =E r.
A theory inclusion (Σ, E) ⊆ (Σ  , E  ) is called protecting iff the unique Σ-
homomorphism TΣ/E −→ TΣ  /E  |Σ to the Σ-reduct of the initial algebra TΣ  /E  ,
i.e., the elements of TΣ  /E  that consist only in function symbols from Σ, is a
Σ-isomorphism, written TΣ/E  TΣ  /E  |Σ .

2.4 Unification
Given an OS equational theory (Σ, E), the E-subsumption preorder E on
TΣ (X ) is defined by t E t if there is a substitution σ such that t =E t σ. For
substitutions σ, ρ and a set of variables V we write ρV E σV , and say that σ
is more general than ρ with respect to V, if there is a substitution η such that
dom(σ) ∩ dom(η) = ∅, ran(ρV ) = ran((ση)V ), and ρV =E (ση)V . When V is not
specified, it is assumed that V = dom(ρ) and ρ =E σ·η. Then σ is said to be
more general than ρ. When E is not specified, it is assumed that E = ∅.
Given an OS equational
n theory (Σ, E), a system of equations F is a conjunc-
tion of Σ-equations i=1 li = ri . An E-unifier for F is a substitution σ such
that li σ =E ri σ, for 1 ≤ i ≤ n.

Definition 6 (Complete set of unifiers [18]). For F a system of equations

and vars(F ) ⊆ W, a set of substitutions CSU W E (F ) is said to be a complete set
of E-unifiers of F away from W iff each substitution σ in CSU W E (F ) is an E-
unifier of F , for any E-unifier ρ of F there is a substitution σ in CSU WE (F ) such
that ρW E σW , and for each substitution σ in CSU W E (F ), dom(σ) ⊆ vars(F )
and ran(σ) ∩ W = ∅.
The notation CSUE is used when W is the set of all the variables that have
already appeared in the current calculation.

3 Conditional Rewriting Modulo Built-Ins and Axioms

Definition 7 (Signature with built-ins [19]). An OS signature Σ = (S, ≤,
F ) has built-in subsignature Σ0 = (S0 , ≤, F0 ) iff (i) Σ0 ⊆ Σ, (ii) Σ0 is many-
sorted, (iii) S0 is a set of minimal elements in (S, ≤), and (iv) if f : w → s ∈ F1 ,
where F1 = F \F0 , then s ∈ / S0 and f has no other typing in Σ0 .
We let X0 = {Xs }s∈S0 , X1 = X \X0 , S1 = S\S0 , Σ1 = (S, ≤, F1 ), HΣ (X ) =
TΣ (X )\TΣ0 (X0 ), and HΣ = TΣ \TΣ0 .

The restriction of TΣ/E to HΣ is denoted by HΣ/E or HE , and the restriction

of TΣ/E (X ) to HΣ (X ) is denoted by HΣ/E (X ) or HE (X ).

Definition 8 (Rule). Given an OS signature (Σ, S, ≤) with built-in n subsigna-

ture (Σ0 , S0 ), a rule is an expression with the form c : l → r if i=1 li → ri | φ,
where: (i) c is the alphanumeric label of the rule, (ii) l, the head of the rule, and
r are terms in HΣ (X ), with ls(l) ≡≤ ls(r), (iii) for each pair li , ri , 1 ≤ i ≤ n,
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 7

li is a term in HΣ (X )\X and ri is a term in HΣ (X ), with ls(li ) ≡≤ ls(ri ),

and (iv) φ ∈ QF (X0 ), the set of quantifier free formulas made up with terms
in TΣ0 (X0 ), the comparison function symbols = and =, and the connectives ∨
and ∧.

The symbol ¬ (that can be defined with respect to =, =, ∨, and ∧) will also
appear in this work. All the variables in vars(c) are interpreted as universally
quantified.
n Three particular cases of the general form are admitted: c : l →
r if i=1 li → ri , c : l → r if φ, and the unconditional case c : l → r.

Definition 9 (B-preregularity). Given a set of Σ-equations B, a preregular

OS signature Σ is called B-preregular iff for each Σ-equation u = v in B and
substitution σ, ls(uσ) = ls(vσ).

Definition 10 (Conditional rewrite theory with built-in subtheory).

A conditional rewrite theory R = (Σ, E, R) with built-in subtheory and axioms
(Σ0 , E0 ) consists of: (1) an OS equational theory (Σ, E) where: (i) Σ = (S, ≤, F )
is an OS signature with built-in subsignature Σ0 = (S0 , ≤, F0 ), (ii) E = E0 ∪ B,
where E0 is the set of Σ0 -equations in E, the theory inclusion (Σ0 , E0 ) ⊆ (Σ, E)
is protecting, B is a set of regular and linear equations, called axioms, each
equation having only function symbols from F1 and kinded variables, (iii) there
is a procedure that can compute CSUB (F ) for any system of equations F , (iv)
Σ is B-preregular, and (2) a finite set of uniquely labeled rules R.

Condition number 2 will be relaxed, but not totally removed, later in this
work. From now on, we will write “rewrite theory” as a shortcut for “conditional
rewrite theory with built-in subtheory and axioms”.
The transitive (resp. transitive and reflexive) closure of the relation →1R ,
∗
inductively defined below, is denoted →+ R (resp. →R ).

Definition 11 (R-rewriting). Given a rewrite theory R n= (Σ, E0 ∪ B, R), a

term t in HΣ , a position p in Pos(t), a rule c : l → r if i=1 li → ri | φ in R,
and a substitution σ : vars(c) → TΣ , the one-step transition t →1R t[rσ]p holds
iff t = t[lσ]p , li σ →∗R ri σ, for 1 ≤ i ≤ n, and E0  φσ.

We write t −−−→1 t[rσ]p when we need to make explicit the rule, position, and
c,p,σ R
substitution. Any of these items can be omitted when it is irrelevant. We write
t −−→1 v to express that there exists a substitution δ such that t −−−→1 v.
cσ R c,σ·δ R

Example 4. In the toast example, E0 is the theory for integer arithmetic, B is

the set of axioms in Example 3, and R is:
[kitchen] : yi ; hrt vt → cook(yi ; hrt vt , zi ) if zi > 0
[cook] : cook(yi ; hrt vt , zi ) → yi + zi ; hrt vt if
toast(hrt , zi ) → hrt ∧ toast(vt , zi ) → vt
[toast1] : toast(zt, zi ) → zt
[toast2] : toast([ai , bi ], zi ) → [ai + zi , bi ] if ai ≥ 0 ∧ ai + zi = cti
[bag] : ni /xb /gk /ok i → (ni − 1)/[0, 0]; xb /gk /ok i if ni > 0
8 L. Aguirre et al.

[pan] : ni /hrt ; xb /yi ; zt vt /ok i → ni /xb /yi ; hrt vt /ok i

[bin] : ni /xb /yi ; [ai , bi ] vt /ok i → ni /[bi , ai ]; xb /yi ; zt vt /ok i
[dish] : ni /xb /yi ; [cti , cti ] vt /ok i → ni /xb /yi ; zt vt /ok i + 1
The transitive closure of the relation →1R/E , inductively defined below, is
denoted →+R/E . The relation →R/E is defined as →R/E =→R/E ∪ =E .
+

Definition 12 (R/E-rewriting). Given a rewrite theory n R = (Σ, E0 ∪ B, R),

terms t, u, and v in HΣ , and a rule c : l → r if i=1 li → ri | φ in R, if
there exist a position p in Pos(u), and a substitution σ : vars(c) → TΣ such that
t =E u = u[lσ]p , u[rσ]p =E v, li σ →R/E ri σ, for 1 ≤ i ≤ n, and E0  φσ then
we say that the one-step modulo transition t →1R/E v holds.

We write t −−−−→1 v when we need to make explicit the rule, matching term,
c,u,p,σ R/E
position, and substitution. Any of these items can be omitted.
Rewriting modulo is more expressive than rewriting (see example 3.9 in [1]).

4 Abstractions, B-extensions, and R, B-Rewriting

Two simpler relations, →1R,B and →R,B [13] are defined in this section which,
under several requirements, are equivalent to →1R/E and →R/E , allowing us to
solve reachability problems using a narrowing calculus based on →R,B .

4.1 Abstractions
Definition 13 (Abstraction of built-in [19]). If Σ is a signature with built-in
subsignature Σ0 , then an abstraction of built-in is a context C = λx1s1 · · · xnsn .t◦ ,
with n ≥ 0, such that t◦ ∈ TΣ1 (X ) and {x1s1 , . . . , xnsn } = vars(t◦ ) ∩ X0 . For pairs
of terms we write abstract Σ1 ((u, v)) = λ(x̄, ȳ).(u◦ , v ◦ ); (θu◦ , θv◦ ); (φ◦u , φ◦v ).
Lemma 1 shows that there exists an abstraction that provides a canonical
decomposition of any term in TΣ (X ).
Lemma 1 (Existence of a canonical abstraction [19]). Let Σ be a sig-
nature with built-in subsignature Σ0 . For each term t in TΣ (X ) there exist an
abstraction of built-in λx1s1 · · · xnsn .t◦ and a substitution θ◦ : X0 → TΣ0 (X0 ) such
that (i) t = t◦ θ◦ and (ii) dom(θ◦ ) = {x1s1 , . . . , xnsn } are pairwise distinct and
disjoint from vars(t); moreover, (iii) t◦ can always be selected to be S0 -linear
and with {x1s1 , . . . , xnsn } disjoint from an arbitrarily chosen finite subset Y of X0 .
Definition 14 (Abstract function [19]). Given a term t in TΣ (X ) and a
finite subset Y of X0 , define abstract Σ1 (t, Y) as λx1s1 · · · xnsn .t◦ ; θ◦ ; φ◦  where the
context λx1s1 · · · xnsn .t ◦
n and i the substitution θ◦ satisfy the properties (i)-(iii) in
◦ i ◦
Lemma 1 and φ = i=1 (xsi = xsi θ ). If t ∈ TΣ1 (X \X0 ) then abstract Σ1 (t, Y) =
λ.t; none; true. We write abstract Σ1 (t) when Y is the set of all the variables
that have already appeared in the current calculation, so each xisi is a fresh
variable. For pairs of terms we use the compact notation abstract Σ1 ((u, v)) =
λ(x̄, ȳ).(u◦ , v ◦ ); (θu◦ , θv◦ ); (φ◦u , φ◦v ).
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 9

Definition 15 (Set of topmost Σ0 -positions [1]). Let R = (Σ, E0 ∪ B, R) be

a rewrite theory with built-in subtheory (Σ0 , E0 ), and t a term in HΣ (X ). The
set of topmost Σ0 positions of t, top Σ0 (t), is top Σ0 (t) = {p | p ∈ Pos(t) ∧ t|p ∈
TΣ0 (X0 ) ∧ ∃i ∈ N, q ∈ Pos(t) s.t. p = q.i ∧ t|q ∈ HΣ (X )}.

4.2 B-Extensions
The concept of B-extension, together with its properties, has been studied in [13].
Now, we allow for repeated labels in rules; later we will restrict this repetition.
We will use subscripts or apostrophes, e.g. c1 or c , when we need to refer to a
specific rule with label c.

Definition 16 (Rewrite theory closed under B-extensions). Let R =

(Σ, E0 ∪ B, R) be a rewrite theory, where R may have repeated labels, and
let c : l → r if C be a rule in R. Assume, without loss of generality, that
vars(B) ∩ vars(c) = ∅. If this is not the case, only the variables of B will be
renamed; the variables of c will never be renamed. We define the set of B-
extensions of c as the set:
Ext B (c) = {c : u[l]p → u[r]p if C | u = v ∈ B ∪ B −1 ∧ p ∈ Pos Σ (u) − {} ∧
CSU B (l, up ) = ∅} where, by definition, B −1 = {v = u | u = v ∈ B}.
All the rules in Ext B (c) have label c. Given two rules c : l → r if C and
c1 : l → r if C, c subsumes c1 iff there is a substitution σ such that: (i)
dom(σ) ∩ vars(C) = ∅, (ii) l =B lσ, and (iii) r =B rσ.
We say that R is closed under B-extensions iff for any rule with label c in
R, each rule in Ext B (c) is subsumed by one rule with label c in R.

Meseguer [13] shows an algorithm that given a rewrite theory R = (Σ, E0 ∪

B, R) constructs a superset R that is finite and closed under B-extensions, called
a finite closure under B-extensions of R.

Definition 17 (Finite closure under B-extensions of a rule). Given an

equational theory (Σ, E0 ∪ B), with built-in subtheory (Σ0 , E0 ), and a rule with
label c, we denote by cB the set of rules in any finite closure under B-extensions
of the rewrite theory R = (Σ, E0 ∪ B, {c}).

Definition 18 Associated rewrite theory closed under B-extensions).

Given a rewrite theory R1 = (Σ, E0 ∪ B, R) with no repeated rule labels, its
associated rewrite
 theory closed under B-extensions is any rewrite theory R2 =
(Σ, E0 ∪ B, c∈R cB ) .

Rewriting modulo does not change if we use a rewrite theory or any of its
associated rewrite theories closed under B-extensions.

Lemma 2 (Equivalence of R/E-rewriting and RB /E-rewriting). If RB =

(Σ, E0 ∪ B, RB ) is an associated rewrite theory of R = (Σ, E0 ∪ B, R) closed
under B-extensions, then →1R/E =→1RB /E and →R/E =→RB /E .
10 L. Aguirre et al.

Our definition of the relation →1R,B will require the use of a single represen-
tative for all the instances of each E0 -equivalence class that may appear in the
top Σ0 positions of the subterm that we are rewriting.
Definition 19 (Representative of a Σ0 -term over a set of Σ0 terms). Let
t be a term in TΣ0 and let û = {u1 , . . . , un } ⊆ TΣ0 such that t ∈ û. We define
the Σ0 -representative of t over û as rep ◦û (t) = umin({i|ui =E0 t)}) .
Definition 20 (Representative of a term over a set of Σ0 terms). Let t
be a term in TΣ , where top Σ0 (t) = p̂, and let û ⊆ TΣ0 such that t|p̂ ⊆ û. We
define the representative of t over û, as rep û (t) = t[rep ◦û (t|p̄ )]p̄ .
Definition 21 (Representative of a term). Let t be a term in TΣ , where
top Σ0 (t) = p̂. We define the representative of t as rep(t) = rep t|p̂ (t).
The transitive closure of the relation →1R,B , inductively defined below, is
denoted →+R,B . The relation →R,B is defined as →R,B =→R,B ∪ =E .
+

Definition 22 (R, B-rewriting). Given na rewrite theory R = (Σ, E0 ∪ B, R),

terms t, v in HΣ , and a rule c : l → r if i=1 li → ri | φ in R, if abstract Σ1 (l) =
λx̄.l◦ ; θ◦ ; φ◦  and there exist a position p in pos Σ1 (t) and a substitution σ :
x̄ ∪ vars(c) → TΣ such that rep(t|p ) =B l◦ σ, v =E t[rσ]p , li σ →R,B ri σ, for
1 ≤ i ≤ n, and E0  (φ ∧ φ◦ )σ, then we say there is a one-step transition
t →1R,B v.
We write t −−→1 v when we need to make explicit the rule, position, and
c,p,σ R,B
substitution. Any of these items can be omitted when it is irrelevant.
Definition 23 (Normalized substitution). Given a rewrite theory R =
(Σ, E, R) with built-in subtheory (Σ0 , E0 ), a substitution σ is R/E-normalized
(resp. R, B-normalized) iff for each variable x in dom(σ) there is no term t in
TΣ (X ) such that xσ →1R/E t (resp. xσ →1R,B t).
Theorem 1 (Equivalence of R/E and R, B-rewriting). If R = (Σ, E0 ∪
B, R) is an associated rewrite theory of R0 = (Σ, E0 ∪ B, R0 ) closed under
B-extensions, then →1R,B =→1R/E and →R,B =→R/E .

5 Strategies
In this section we present the combinators of a strategy language suitable for
narrowing, which is a subset of the Maude strategy language for rewriting [5,
10,20], a set-theoretic semantics for the language, and an interpretation of this
semantics.
A call strategy is a name given to a strategy to simplify the development of
more complex strategies. A call strategy definition is a user-defined association
of a strategy to one call strategy.
A rewrite theory R = (Σ, E, R) and a set of call strategy definitions for R,
written Call R , have an associated set of derivation rules DR,Call R that will be
defined and used in the following.
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 11

5.1 Goals, Derivation Rules and Proof Trees

Definition 24 (Goals). An open goal has the form t → v/ST , where t, its
head, and v are terms in HΣ , and ST is a strategy; a closed goal has the form
G , with G an open goal.

Definition 25 (Derivation rule). A derivation rule, has the form G or

G1 ···Gn
G , where G, its head, and each Gi , 1 ≤ i ≤ n, are open goals.
Definition 26 (Proof tree). Given a rewrite theory R = (Σ, E, R) and a set
of call strategy definitions Call R , a proof tree T is inductively defined as either:
(i) an open or closed goal, G or G , or (ii) a derivation tree T1 ···T
G
n
, constructed
by application of the derivation rules in DR,Call R , where each Ti , 1 ≤ i ≤ n, is
a proof tree. The head of T is G in all cases, and we write head (T ) = G. T is
said to be closed if it has no open goals on it. We denote by VR the set of all the
variables appearing in R and B, VCall R the set of all the variables appearing in
Call R , and VR,Call R = VR ∪ VCall R .
Definition 27 (Application of a derivation rule to an open goal). Given
any open goal t → v/ST in a proof tree and a derivation rule with head t →
v  /ST such that t =E t and v =E v  , the application of the rule to the open goal
consists in putting the derivation rule in place of the open goal, but replacing t
with t and v  with v anywhere in the rule.

5.2 Strategies and Their Semantics

The semantics that defines the result of the application of a strategy to the
equivalence class of a term is given by a function (in mix-fix notation) @ :
Strat R,Call R × HΣ/E −→ P(HΣ/E ), with R = (Σ, E0 ∪ B, R) and E = E0 ∪ B,
where [v]E is an element of ST @ [t]E if and only if a closed proof tree, c.p.t.
from now on, with head t → v/ST can be constructed using the derivation rules
in DR,Call R , also defined below. We will use this set of strategies for narrowing,
which is a subset of the Maude strategy language for rewriting [5,10,20]:
1. Idle and fail. These are constant strategies that always belong to
Strat R,Call R . While the first one always succeeds, returning the same equiv-
alence class, the second one always fails. For each [t]E ∈ HΣ/E there is a
derivation rule t→t/idle ∈ DR,Call R . There are no derivation rules for fail.
m
2. Rule application. If c : l → r if j=1 lj → rj | ψ is a rule in R, m ≥ 0,
γ is a substitution such that dom(γ) ⊆ vars(c), and ST = ST 1 , . . . , ST m
is an ordered list of strategies then RA = c[γ]{ST } is a rule application in
Strat R,Call R . For each substitution δ : vars(cγ) → TΣ such that E0  ψγδ,
each term u in HΣ , and each position p in pos(u) such that u|p = lγδ there
is a derivation rule l1 γδ→r1 γδ/ST 1 δ···lm γδ→rm γδ/ST m δ
u→u[rγδ]p /RA in DR,Call R .
3. Top. It is possible to restrict the application of a rule in R only to the top
of the term. This is useful for structural rules, that are applied to the whole
state, or for the strategies applied on the conditional part of a rule.
12 L. Aguirre et al.

m
If c : l → r if j=1 lj → rj | ψ is a rule in R, m ≥ 0, γ is a substitution, such
that dom(γ) ⊆ vars(c), ST = ST 1 , . . . , ST m is an ordered list of strategies,
and we call RA = c[γ]{ST }, then top(RA) is a strategy in Strat R,Call R . For
each substitution δ : vars(cγ) → TΣ such that E0  ψγδ, there is a derivation
rule l1 γδ→r1 γδ/ST 1 δ···lm γδ→rm γδ/ST m δ
lγδ→rγδ/top(RA) in DR,Call R .
4. Call strategy. Call strategy definitions allow the use of parameters and
the implementation of recursive strategies. We list the semantics for their
invocations, for any pair of terms t and v in HΣ such that ls(t) ≡≤ ls(v):
– If sd CS (x̄) := ST ∈ Call R , where x̄ = x1s1 , . . . , xnsn , n ≥ 0, are the
parameters of CS , t1 , . . . , tn are terms in TΣ (X \VR,Call R ), with sorts
s1 , . . . , sn respectively, and we call t̄ = t1 , . . . , tn , then the call strategy
invocation CS (t̄) is a strategy in Strat R,Call R . If ρ = {x̄ → t̄} then for
every renaming γ such that dom(γ) ∩ \x̂ = ∅ there is a derivation rule
t→v/ST (γ∪ρ)
t→v/CS (t̄) in DR,Call R .
– If csd CS (x̄) m:= ST if C ∈ Call R , where everything is as in the previous
case, C = j=1 (lj = rj ) ∧ φ, m ≥ 0, and δ : vars(C(γ ∪ ρ)) → TΣ is a
substitution such that ¯l(γ ∪ ρ)δ =E r̄(γ ∪ ρ)δ and E0  φ(γ ∪ ρ)δ, then
there is a derivation rule t→v/ST (γ∪ρδ)
t→v/CS (t̄) in DR,Call R .
m
5. Tests. A test strategy TS has the form match u s.t. j=1 (lj = rj ) ∧ φ. It
checks a property on an equivalence class [t]E in HΣ/E . The test returns
{[t]E } if the property holds, else ∅. For each equivalence class [t]E in HΣ/E
and ground substitution δ such that t =E uδ, ¯lδ =E r̄δ, and E0  φδ, there
is a derivation rule t→t/TS in DR,Call R .
6. If-then-else. An if-then-else strategy IS has the form match u s.t. φ ? ST 1 :
ST 2 . It uses the quantifier-free formula φ as test. For each pair of equivalence
classes [t]E and [v]E in HΣ/E and each substitution δ : vars(u)∪vars(φ) → TΣ
such that t =E uδ, if E0  φδ, then t→v/ST t→v/IS
1δ
∈ DR,Call R , and if E0  ¬φδ
then t→v/ST
t→v/IS
2δ
∈ DR,Call R . The restriction to SMT conditions will ensure
the completeness of the narrowing calculus since, in general, a reachability
condition cannot be proved false.
7. Regular expressions. Another way of combining strategies is the use of
regular expressions: ; (concatenation), | (union), and + (iteration). ST ∗ is
defined as idle | ST +. Let ST and ST  be strategies, and let t, v and u
be terms in HΣ such that ls(t) ≡≤ ls(u) ≡≤ ls(v). Then, we have rules
t→u/ST 1 u→v/ST 2 t→v/ST 1 t→v/ST 2 t→v/ST t→v/ST ; ST +
t→v/ST 1 ; ST 2 , t→v/ST 1 | ST 2
, t→v/ST 1 | ST 2
, t→v/ST + , and t→v/ST +
in DR,Call R . The scope of this work is restricted to concatenated strategies
that have no variables in common.
8. Rewriting of subterms. The matchrew combinator allows the selection
of a subterm toapply a rule. Matchrew strategies have the form MS =
m
matchrew u s.t. j=1 (lj = rj ) ∧ φ by x1s1 using ST 1 , . . . , xnsn using ST n ,
where x̄ = x1s1 , . . . , xnsn are the match parameters of MS . We will also use
the short-form MS = matchrew u s.t. ¯l = r̄ ∧ φ by x̄ using ST . For each n-
n
tuple (t1 , . . . , tn ) of terms in HΣ such that ls(t̄) ≤ s̄, and each substitution
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 13

δ such that uδ ∈ TΣ , {lj δ, rj δ}m ¯

j=1 ⊂ TΣ , lδ =E r̄δ, φδ ∈ TΣ , and E0  φδ,
x1s1 δ→t1 /ST 1 δ···xn
sn δ→tn /ST n δ
there is a derivation rule uδ→uδ[t̄]p̄ /MS in DR,Call R .

5.3 Interpretation of the Semantics

We enumerate some of the properties of the semantics for each c.p.t. T formed
using the rules in DR,Call R , with head t → v/ST :

1. This is the main property: t →R/E v.

2. If ST = idle then [t]E = [v]E .
3. If ST = c[γ] then t −−→1 v.
cγ R/E
4. If ST = CS , where sd CS := ST 1 ∈ Call R , then [v] Em ∈ ST 1 @[t]E .
5. If ST = c[γ]{ST 1 , . . . , ST m }, with c : l → r if j=1 lj → rj | ψ a rule
in R, then there is a substitution δ such that [ri γδ]E ∈ ST i δ @ [li γδ]E , for
1 ≤ i ≤ m, and t −−→1 v.
c,γδ R/E

6. If ST = matchrew u s.t. ¯l = r̄ ∧ φ by x̄ using ST , where u = u[x1s1 , . . . , xnsn ]p̄

then there exist a substitution δ, where δVu,φ,l̄,r̄ is ground, and terms t1 , . . . , tn
in HΣ such that t =E uδ, ¯lδ =E r̄δ, E0  φδ, [ti ]E ∈ ST i δ @ [xisi δ]E , for
1 ≤ i ≤ n, and v =E uδ[t̄]p̄ .

6 Reachability Problems

In this section we present the concept of reachability problem, together with its
solutions and the properties that a solution to one of these problems has. From
now on, we will consider as valid those rewrite theories R = (Σ, E0 ∪ B, R)
whose axioms B are any combination of associativity, commutativity, and
identity (ACU rewrite theories).

Definition 28 (Reachability problem). Given a rewrite theory R =

(Σ, E0 ∪B, R) and a set of call strategy
n definitions Call R , a reachability problem
is an expression P with the form i=1 ui → vi /ST i | φ | V, ν, where ui and vi
are terms in HΣ (X ), ST i is a strategy in Strat R,Call R , φ ∈ QF (X0 ), V ⊂ X is
the finite set of parameters of the problem, i.e., variables that have to be given a
ground value, and ν is a substitution such that dom(ν) ⊆ V and ran(ν) consists
only of new variables. We define vars(P ) = vars(ū, v̄, φ). V must always verify:
(1) vars(P ) ⊆ V , vars(B) ∩ V = ∅, and VR ∩ VCall R ⊆ V , (2) concatenated
and iterated strategies may have in common only variables from V , and (3) V
cannot contain: (i) any variable in dom(γ) for any strategy c[γ] that may appear
in Call R or ST i , 1 ≤ i ≤ n, (ii) any variable in x̂ for any call strategy defi-
nition sd C(x̄) or csd C(x̄) that may appear in Call R , or (iii) any variable in
matchParam(ST ) ∪ matchParam(Call R ).
14 L. Aguirre et al.

Definition 29 (Instances). Given a rewrite theory R = (Σ, E0 ∪ B, R), a

set of call strategy declarations Call R , and a substitution σ such that vars(B) ∩
(dom(σ) ∪ ran(σ)) = ∅, the instance Rσ of R is the rewrite theory that results
from the simultaneous replacement of every instance in R of any variable x ∈
dom(σ) with xσ, Call σR is the set of call strategy declarations that results from the
simultaneous replacement of every instance in Call R of any variable x ∈ dom(σ)
with xσ, and Strat σR,Call R is their set of associated strategies. For every strategy
ST in Strat R,Call R we denote by ST σ its corresponding strategy in Strat σR,Call R .
σ
We denote by DR,Call R
the associated set of derivation rules.
Although the label, say c, of an instantiated rule remains the same, we will
use superscripts, say cσ , to distinguish the instances of a rule.
Definition 30 (Solution of a reachability problem). Given a rewrite theory
R = (Σ, E0 ∪ B, R) and a set  of call strategy definitions Call R , a solution of
n
the reachability problem P = i=1 ti → vi /ST i | φ | V, ν is a substitution
σ : V → TΣ such that σ = ν · σ  for some substitution σ  , E0  φσ, and
[vi σ]E ∈ ST σi @[ti σ]E (hence ti σ →Rσ /E vi σ), for 1 ≤ i ≤ n.

7 Strategies in Reachability by Conditional Narrowing

Modulo SMT and Axioms
In this section, the narrowing calculus for reachability with strategies is intro-
duced, and its soundness and weak completeness are stated.
Definition 31 (Instance of a set of variables). Given a set of variables V
and a substitution ν, we call V ν = (V \dom(ν)) ∪ ran(νV ).
Definition 32 (Reachability goal and instantiation). Given a rewrite the-
ory R = (Σ, E0 ∪B, R) and a set of call strategy ndefinitions Call R , a reachability
goal G is an expression with the form (1)  ( i=1 ui → vi /ST i | φ )ν ν | V, ν,
n
or (2) (u1 |p →1 xk , u1 [xk ]p → v1 /ST 1 ∧ i=2 ui → vi /ST i | φ )ν ν | V, ν,
where ν and ν are substitutions, dom(ν) ⊆ V , dom(ν ) ∩ (V ∪ V ν ) = ∅,
V ⊂ X is finite, call (ū, v̄, φ) = (ū , v̄  , φ )ν ν , n ≥ 1, ui and vi are terms
in HΣ (X ), ST i ∈ Strat R,Call R , for 1 ≤ i ≤ n, and φ ∈ QF (X0 ); also, in
the second case, p ∈ pos(u1 ), k = [ls(u1 |p )], the kind of the least sort of u1 |p ,
xk ∈/ Vū ,v̄ ,φ ,ST ∪V ∪ran(ν)∪dom(ν )∪ran(ν ), and ST 1 has the form RA; ST ,
with RA a rule application.
In the first case, each one of the elements in the conjunctions is an open
goal, for which we define Vu→v/ST = Vu,v , and VG = Vū,v̄,φ ∪ V ν ; in the second
case, we say that xk is the connecting variable of the goal and we define VG =
{xk } ∪ Vū,v̄,φ ∪ V ν . We will write ‘goal’ as a synonym of ‘reachability goal’.
n
Definition 33 (Instance of a goal). If G is a goal of the form ( i=1 Si |
φ)ν ν | V, ν and σ is a substitution such that dom(σ) ∩ V ν = ∅, then we ndefine
the instance Gσ of G, where μ = (νσ)V and μ = (ν σ)VG \V , as Gσ = ( i=1 Si |
φ)μ μ | V, μ.
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 15

When dom(σ) ∩ V ν = ∅, σ is directly applied to every term and formula in

G thus avoiding circularity in this definition.
Definition 34 (Admissible goals). Only two types of goals n are admitted in
our work: (a) those goals coming from a reachability
n problem i=1 ui → vi /ST i |
φ | V, ν, which is transformed into the goal i=1 ui ν → vi ν/ST νi ; idle | φν | V, ν,
with ν = none, and (b) those goals generated by repeatedly applying the inference
rules for reachability (see excerpt in Fig. 2) to one goal of type (a).
The notation G [r],σ G , a narrowing step, will be used to indicate that
rule [r] has been applied with substitution σ to G, yielding G .

Definition 35 (Solution of a goal). Given a rewrite theory R = (Σ, E0 ∪

B, R), a set of call strategy definitions Call R for R, and a goal G, a substitution
σ : vars(G) → TΣ , where ν  = (νσ)V and ν  = (ν σ)\V , is a solution of G iff:
n
1. if G = i=1 ui → vi /ST νi ν | φ | V, ν then E0  φσ and [vi σ]E ∈

ST νi ν  @[ui σ]E (hence ui σ →Rν  /E vi σ), for 1 ≤ i ≤ n, and
n
2. if G = u1 |p →1 xk , u1 [xk ]p → v1 /ST ν1 ν ∧ i=2 ui → vi /ST νi ν | φ | V, ν,

where ST 1 = RA; ST , then E0  φσ, [xk σ]E ∈ RAν ν  @ [u1 σ|p ]E , [v1 σ]E ∈
 
ST ν ν  @[u1 [xk ]p σ]E , and [vi σ]E ∈ ST νi ν  @[ui σ]E , for 2 ≤ i ≤ n.

We call nil | φ | V, ν, where φ is satisfiable and ν : X → TΣ (X ) such

that dom(ν) n ⊆ V , an empty goal. Given R and RB , a reachability prob-
lem P = i=1 ui → vi /ST i | φ | V, ν is solved by applying the n inference
rules for reachability (see excerpt in Fig. 2), starting with G = i=1 ui ν →
vi ν/(ST νi ; idle) | φν | V, ν in a top-down manner, until an empty goal is
obtained.
Figure 2 is an excerpt of the calculus rules. We briefly explain rule [w]
(matchrew): we rename the matching parameters from z̄ to the fresh variables x̄
with γ. Once abstracted u and t[x̄]p̄ to u◦ and t◦ and B-unified u◦ and t◦ with
σ, we search for a unifier of ¯lγσ and r̄γσ, say α, using the idle strategy. Once
found, the open goals (x̄σ → ȳ/ST γσ)α, where ȳ is fresh, will find a substitution
β that makes [yi β]E an element of ST i γσαβ@[xi σαβ]E , for 1 ≤ i ≤ n, and go
on trying to find solutions for the open goal (t[ȳ]p̄ → v/ST )σαβ.

Definition 36 (Narrowing path and computed answer). Given RB =

(Σ, E0 ∪B, RB ), an associated rewrite theory of R = (Σ, E0 ∪B, R) closed under
B-extensions, , and a reachability goal G with set of parameters V and substitu-
tion ν0 , if there is a narrowing path G σ1 G1 σ2 · · · σn−1 Gn−1 σn nil |
ψ | V, ν then we write G ∗σ nil | ψ | V, ν, where σ = σ1 · · · σn , and we call ν | ψ
a computed answer for G.

Theorem 2 (Soundness of the Calculus for Reachability Goals). Given

an associated rewrite theory R = (Σ, E0 ∪B, R) closed under B-extensions and a
reachability goal G, if ν | ψ is a computed answer for G then for each substitution
ρ : V ν → TΣ such that ψρ is satisfiable, ν · ρ is a solution for G.
16 L. Aguirre et al.

Fig. 2. Inference rules for reachability modulo SMT plus B with strategies (excerpt)
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 17

Theorem 3 (Weak Completeness of the Calculus for Reachability

Goals). Given an associated rewrite theory  R = (Σ, E0 ∪ B, R) closed under
n
B-extensions and a reachability problem P = i=1 ui → vi /ST i | φ | V, μ, where
μ is R/E-normalized, if σ : V → TΣ is a R/E-normalized solution for P then
n exist a formulaμψ ∈ QF (X0 ) and two+substitutions, say λ and ρ, such that
there
i=1 ui μ → vi μ/ST i ; idle | φμ | V, μ λ nil | ψ | V, ν, σ =E ν·ρ, and ψρ is
satisfiable, where ν = (μλ)V .
The proof of both theorems can be found in the technical report TR-02/2021
at http://maude.ucm.es/cnarrowing.

8 Example
In this example, where ct = 20 (cooktime) and ft = 61 (failtime), from an
initial system with an empty toaster, an empty dish, and at most one toast in
the bin, we want to reach a final system where there are three toasts in the dish
and all the remaining elements are empty. We choose Call R to consist of the
following call strategy definitions:
– sd test := match N/B/Y ; V W/OK s.t. Y < ft
– sd cook1 := matchrew N/B/K/OK s.t. K = Y ; RV by K using kitchCook
– sd kitchCook := top(kitchen[none]) ; top(cook[none]{toasts, toasts})
– sd toasts := top(toast1[none]) | top(toast2[none])
– sd noCook := top(bin[none]) | top(pan[none]) | top(dish[none])
– sd loop := (noCook | (cook1 ; test ; noCook))+
– sd solve := top(bag[none]) ; top(bag[none]); (top(bag[none])|idle); loop.
The (symbolic) reachability problem is: P = N / T / 0 ; zt zt / 0 →
0 / zt / Y ; zt zt / 3 / solve | N > 0 ∧ N < 3 | {ct, ft, N, T, Y }, {ct → 20, ft → 61}.
In P we use the strategy solve. As there must be either two or three toasts
in the bag, we impose the application of the rule bag twice, followed by the
nondeterministic strategy top(bag[none]) | idle, and we use the variable T with
sort Toast to represent the bin, since both EmptyToast and RealToast are
subsorts of Toast, subsort of Bin, so T covers both initial cases: the one without
toasts in the bin and the one with one toast in the bin. The concatenation of
the strategy test after each invocation of cook1, comparing the timer against
ft, renders the search state space finite.
Among the answers returned by the prototype we have:
a - ct → 20, ft → 61, N → 3, Y → 60, T → zt,
b - ct → 20, ft → 61, N → 2, Y → 60, T → [0, 0],
c - ct → 20, ft → 61, N → 2, Y → 40, T → [20, 20], and
d - ct → 20, ft → 61, N → 2, Y → 40 + U + V, T → [C, D] such that
C + U = 20 ∧ D + V = 20 ∧ U + V ≤ 20 ∧ U > 0 ∧ V > 0,
stating that we need 60 s when (a) 3 toasts are in the bag or (b) 2 toasts are in
the bag and one fresh toast is in the bin. The required amount of time can be
smaller: (c) 40 s if the toast in the bin is well-cooked or, if it is not, (d) 40 s plus
the remaining toasting time for the toast in the bin, as long as this remaining
time is not above 20 s.
18 L. Aguirre et al.

9 Conclusions and Related Work

In our previous work [1], we extended the admissible conditions in [19] by: (i)
allowing for reachability subgoals in the rewrite rules and (ii) removing all restric-
tions regarding the variables that appear in the rewrite rules. A narrowing calcu-
lus for conditional narrowing modulo E0 ∪ B when E0 is a subset of the theories
handled by SMT solvers, B are the axioms not related to the algebraic data
types handled by the SMT solvers, and the conditions in the rules in the rewrite
theory are either rewrite conditions or quantifier-free SMT formulas, was pre-
sented, and the soundness and weak completeness of the calculus, as well as the
completeness of the calculus for topmost rewrite theories was proved.
The current work extends the previous one by adding two novel features: (1)
the use of strategies, to drive the search and reduce the state space, and (2)
the support for parameters both in the rewrite theories and in the strategies,
that allows for the resolution of some reachability problems that could not be
specified in the previous calculi that we had developed. A calculus for conditional
narrowing modulo E0 ∪ B with strategies and parameters has been presented,
and the soundness and weak completeness of the calculus have been proved.
To the best of our knowledge, a similar calculus did not previously exist in the
literature.
The strategy language that we have proved suitable for our narrowing cal-
culus in this work is a subset of the Maude strategy language [5,10,20]. This
strategy language and a connection with SMT solvers have been incorporated
into the latest version of the Maude language [4], which is being used to develop
the prototype for the calculus in this work.
Conditional narrowing without axioms for equational theories with an order-
sorted type structure has been thoroughly studied for increasingly complex cat-
egories of term rewriting systems. A wide survey can be found in [16]. The
literature is scarce when we allow for extra variables in conditions (e.g., [8]) or
conditional narrowing modulo axioms (e.g., [3]).
Narrowing modulo order-sorted unconditional equational logics is covered
by Meseguer and Thati [15], being currently used for cryptographic protocol
analysis.
The idea of constraint solving by narrowing in combined algebraic domains
was presented by Kirchner and Ringeissen [9], where the supported theories had
unconstrained equalities and the unconditional rewrite rules had constraints from
an algebraic built-in structure.
Escobar, Sasse, and Meseguer [6] have developed the concepts of variant and
folding variant narrowing, a narrowing strategy for order-sorted unconditional
rewrite theories that terminates on those theories having the finite variant prop-
erty, but it has no counterpart for conditional rewrite theories and it does not
allow the use of constraint solvers or strategies.
Foundations for order-sorted conditional rewriting have been published by
Meseguer [13]. Cholewa, Escobar, and Meseguer [3] have defined a new hierar-
chical method, called layered constraint narrowing, to solve narrowing problems
in order-sorted conditional equational theories, an approach similar to ours, and
 Strategies in Conditional Narrowing Modulo SMT Plus Axioms 19

given new theoretical results on that matter, including the definition of con-
strained variants for order-sorted conditional rewrite theories, but with no spe-
cific support for SMT solvers.
Order-sorted conditional rewriting with constraint solvers has been addressed
by Rocha et al. [19], where the only admitted conditions in the rules are
quantifier-free SMT formulas, and the only non-ground terms admitted in the
reachability problems are those whose variables have sorts belonging to the SMT
sorts supported.
In [14], Meseguer studies reachability in Generalized Rewrite Theories, that
include constructors and variants, using equational theories beyond our setup of
E0 ∪ B (that only asks for strict B-coherence), but with no rewrite conditions
in the rules. Frozenness is used as a type of strategy.
Future work will focus in broadening the applicability of the calculus. One line
of work will involve the development of a narrowing calculus for E0 ∪ (E1 ∪ B)
unification with strategies, where E1 is a non-SMT equational theory; another
line of work will study the extension of the strategies and reachability problems
supported by the calculus.

References
1. Aguirre, L., Martı́-Oliet, N., Palomino, M., Pita, I.: Conditional narrowing mod-
ulo SMT and axioms. In: Vanhoof, W., Pientka, B. (eds.) Proceedings of the
19th International Symposium on Principles and Practice of Declarative Pro-
gramming, Namur, Belgium, 09–11 October 2017, pp. 17–28. ACM (2017).
http://doi.acm.org/10.1145/3131851.3131856
2. Bruni, R., Meseguer, J.: Semantic foundations for generalized rewrite theories.
Theor. Comput. Sci. 360(1-3), 386–414 (2006). http://dx.doi.org/10.1016/j.tcs.
2006.04.012
3. Cholewa, A., Escobar, S., Meseguer, J.: Constrained narrowing for conditional
equational theories modulo axioms. Sci. Comput. Program. 112, 24–57 (2015).
https://doi.org/10.1016/j.scico.2015.06.001
4. Durán, F., et al.: Programming and symbolic computation in Maude. J. Log.
Algebr. Meth. Program. 110, 100497 (2020). https://doi.org/10.1016/j.jlamp.2019.
100497
5. Eker, S., Martı́-Oliet, N., Meseguer, J., Verdejo, A.: Deduction, strategies,
and rewriting. In: Archer, M., de la Tour, T.B., Muñoz, C. (eds.) Proceed-
ings of the 6th International Workshop on Strategies in Automated Deduc-
tion, STRATEGIES 2006, Seattle, WA, USA, 16 August 2006. Electronic Notes
in Theoretical Computer Science, vol. 174, no. 11, pp. 3–25. Elsevier (2007).
http://dx.doi.org/10.1016/j.entcs.2006.03.017
6. Escobar, S., Sasse, R., Meseguer, J.: Folding variant narrowing and opti-
mal variant termination. J. Logic Algebraic Program. 81(7-8), 898–928 (2012).
http://dx.doi.org/10.1016/j.jlap.2012.01.002
7. Fay, M.: First-order unification in an equational theory. In: Proceedings of the 4th
Workshop on Automated Deduction, Austin, pp. 161–167. Academic Press (1979)
8. Giovannetti, E., Moiso, C.: A completeness result for E-unification algorithms
based on conditional narrowing. In: Boscarol, M., Carlucci Aiello, L., Levi, G.
(eds.) Foundations of Logic and Functional Programming. LNCS, vol. 306, pp.
157–167. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-19129-1 7
20 L. Aguirre et al.

9. Kirchner, H., Ringeissen, C.: Constraint solving by narrowing in combined alge-

braic domains. In: Hentenryck, P.V. (ed.) Logic Programming, Proceedings of the
Eleventh International Conference on Logic Programming, Santa Marherita Ligure,
Italy, 13–18 June 1994, pp. 617–631. MIT Press (1994)
10. Martı́-Oliet, N., Meseguer, J., Verdejo, A.: Towards a strategy language for Maude.
In: Martı́-Oliet, N. (ed.) Proceedings of the Fifth International Workshop on
Rewriting Logic and its Applications, WRLA 2004, Barcelona, Spain, 27 March–4
April 2004. Electronic Notes in Theoretical Computer Science, vol. 117, pp. 417–
441. Elsevier (2004). https://doi.org/10.1016/j.entcs.2004.06.020
11. Meseguer, J.: Rewriting as a unified model of concurrency. In: Baeten, J.C.M.,
Klop, J.W. (eds.) CONCUR 1990. LNCS, vol. 458, pp. 384–400. Springer, Heidel-
berg (1990). https://doi.org/10.1007/BFb0039072
12. Meseguer, J.: Membership algebra as a logical framework for equational specifica-
tion. In: Presicce, F.P. (ed.) WADT 1997. LNCS, vol. 1376, pp. 18–61. Springer,
Heidelberg (1998). https://doi.org/10.1007/3-540-64299-4 26
13. Meseguer, J.: Strict coherence of conditional rewriting modulo axioms. Theor.
Comput. Sci. 672(C), 1–35 (2017). https://doi.org/10.1016/j.tcs.2016.12.026
14. Meseguer, J.: Generalized rewrite theories, coherence completion, and symbolic
methods. J. Log. Algebraic Meth. Program. 110 (2020). https://doi.org/10.1016/
j.jlamp.2019.100483
15. Meseguer, J., Thati, P.: Symbolic reachability analysis using narrowing and its
application to verification of cryptographic protocols. Higher-Order and Symbolic
Comput. 20(1-2), 123–160 (2007). http://dx.doi.org/10.1007/s10990-007-9000-6
16. Middeldorp, A., Hamoen, E.: Completeness results for basic narrowing. Appl.
Algebra Eng. Commun. Comput. 5, 213–253 (1994). http://dx.doi.org/10.1007/
BF01190830
17. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R.,
Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg
(2008). https://doi.org/10.1007/978-3-540-78800-3 24
18. Plotkin, G.: Building in equational theories. Mach. Intell. 7, 73–90 (1972)
19. Rocha, C., Meseguer, J., Muñoz, C.A.: Rewriting modulo SMT and open system
analysis. J. Log. Algebr. Meth. Program. 86(1), 269–297 (2017). https://doi.org/
10.1016/j.jlamp.2016.10.001
20. Rubio, R., Martı́-Oliet, N., Pita, I., Verdejo, A.: Parameterized strategies specifi-
cation in Maude. In: Fiadeiro, J.L., Tutu, I. (eds.) WADT 2018. LNCS, vol. 11563,
pp. 27–44. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23220-7 2
 Optimizing Maude Programs via Program
Specialization

María Alpuente1 , Demis Ballis2 , Santiago Escobar1 , Jose Meseguer3 ,

and Julia Sapiña1(B)
1 VRAIN, Universitat Politècnica de València, Valencia, Spain
{alpuente,sescobar,jsapina}@upv.es
2 DMIF, Università degli Studi di Udine, Udine, Italy

[email protected]
3 University of Illinois at Urbana-Champaign, Urbana, IL, USA
[email protected]

Abstract. We develop an automated specialization framework for rewrite theo-

ries that model concurrent systems. A rewrite theory R = (Σ, E  B, R) consists
of two main components: an order-sorted equational theory E = (Σ, E  B) that
defines the system states as terms of an algebraic data type and a term rewriting
system R that models the concurrent evolution of the system as state transitions.
Our main idea is to partially evaluate the underlying equational theory E to the
specific calls required by the rewrite rules of R in order to make the system com-
putations more efficient. The specialization transformation relies on folding vari-
ant narrowing, which is the symbolic operational engine of Maude’s equational
theories. We provide three instances of our specialization scheme that support dis-
tinct classes of theories that are relevant for many applications. The effectiveness
of our method is finally demonstrated in some specialization examples.

1 Introduction
Maude is a high-performance, concurrent functional language that efficiently imple-
ments Rewriting Logic (RWL), a logic of change that unifies a wide variety of models
of concurrency [38]. Maude is endowed with advanced symbolic reasoning capabilities
that support a high-level, elegant, and efficient approach to programming and analyz-
ing complex, highly nondeterministic software systems [24]. Maude’s symbolic capa-
bilities are based on equational unification and narrowing, a mechanism that extends
term rewriting by replacing pattern matching with unification [49], and they provide
advanced logic programming features such as unification modulo user-definable equa-
tional theories and symbolic reachability analysis in rewrite theories. Intricate comput-
ing problems may be effectively and naturally solved in Maude thanks to the synergy of
This work has been partially supported by the EC H2020-EU grant agreement No.
952215 (TAILOR), grants RTI2018-094403-B-C32 and PID2021-122830OB-C42 funded by
MCIN/AEI/10.13039/501100011033 and by “ERDF A way of making Europe”, by Generali-
tat Valenciana under grant PROMETEO/2019/098, and by the Department Strategic Plan (PSD)
of the University of Udine—Interdepartmental Project on Artificial Intelligence (2021-25).

c Springer Nature Switzerland AG 2023

P. Lopez-Garcia et al. (Eds.): Hermenegildo Festschrift 2022, LNCS 13160, pp. 21–50, 2023.
https://doi.org/10.1007/978-3-031-31476-6_2
22 M. Alpuente et al.

these recently developed symbolic capabilities and classical Maude features, such as: (i)
rich type structures with sorts (types), subsorts, and overloading; (ii) equational rewrit-
ing modulo various combinations of axioms such as associativity (A), commutativity
(C), and identity (U); and (iii) classical reachability analysis in rewrite theories.
Partial evaluation (PE) is a program transformation technique that automatically
specializes a program to a part of its input that is known statically (at specialization
time) [23, 33]. Partial evaluation conciliates generality with efficiency by providing
automatic program optimization. In the context of logic programming, partial evalu-
ation is often called partial deduction and allows to not only instantiate input variables
with constant values but also with terms that may contain variables, thus providing
extra capabilities for program specialization [35, 36]. Early instances of this framework
implemented partial evaluation algorithms for different narrowing strategies, including
lazy narrowing [12], innermost narrowing [15], and needed narrowing [2, 16].
The Narrowing-driven partial evaluation (NPE) scheme for functional logic pro-
gram specialization defined in [14, 15] and implemented [1] in is strictly more power-
ful than the PE of both logic programs and functional programs thanks to combining
functional reduction with the power of logic variables and unification by means of nar-
rowing. In the Equational narrowing-driven partial evaluation (E Q NPE) scheme of
[7], this enhanced specialization capability was extended to the partial evaluation of
order-sorted equational theories. Given a signature Σ of program operators together
with their type definition, an equational theory E = (Σ, E  B) combines a set E of
equations (that are implicitly oriented from left to right and operationally used as sim-
plification rules) on Σ and a set B of commonly occurring axioms (which are implicitly
expressed in Maude as operator attributes using the assoc, comm, and id: keywords)
that are essentially used for B-matching1 . To be executable in Maude, the equational
theory E is required to be convergent (i.e., the equations E are confluent, terminating,
sort-decreasing, and coherent modulo B). This ensures that every input expression t has
one (and only one) canonical form t↓E,B up to B-equality.
This paper addresses the specialization of rewrite theories R = (Σ, E  B, R) whose
system transitions are specified by rewrite rules R on top of an underlying equational
theory E = (Σ, E  B). Altogether, the rewrite theory R specifies a concurrent sys-
tem that evolves by rewriting states using equational rewriting, i.e., rewriting with the
rewrite rules in R modulo the equations and axioms in E [38]. In Maude, rewrite theo-
ries can also be symbolically executed by narrowing at two levels: (i) narrowing with the
(typically non-confluent and non-terminating) rules of R modulo E = (Σ, E  B); and
(ii) narrowing with the (explicitly) oriented equations E modulo the axioms B. They
both have practical applications: (i) narrowing with R modulo E = (Σ, E  B) is useful
for solving reachability goals [43] and logical model checking [29]; and (ii) narrow-
ing with E modulo B is useful for E -unification and variant computation [31]. Both
levels of narrowing should meet some conditions: (i) narrowing with R modulo E is
performed in a “topmost” way (i.e., the rules in R rewrite the global system state) and
there must be a finitary equational unification algorithm for E ; and (ii) narrowing with
E modulo B requires that B is a theory with a finitary unification algorithm and that

1 For example, assuming a commutative binary operator ∗, the term s(0) ∗ 0 matches within the
term X ∗ s(Y ) modulo the commutativity of symbol ∗ with matching substitution {X/0,Y /0}.
 Optimizing Maude Programs via Program Specialization 23

E is convergent. When (Σ, E  B) additionally has the property that a finite complete
set of most general variants2 exists for each term, known as the finite variant property
(FVP), E -unification is finitary and topmost narrowing with R modulo the equations
and axioms can be effectively performed.
For variant computation and (variant-based) E -unification, the folding variant nar-
rowing (or FV-narrowing) strategy of [31] is used in Maude, whose termination is guar-
anteed for theories that satisfy the FVP (also known as finite variant theories). Another
important class of rewrite theories are those that satisfy the so-called constructor finite
variant property (CFVP), i.e., they have a finite number of most general constructor
variants [40]. Many relevant theories have the FVP, including theories of interest for
Boolean satisfiability and theories that give algebraic axiomatizations of cryptographic
functions used in communication protocols, where FVP and CFVP are omnipresent.
CFVP is implied by FVP together with sufficient completeness modulo axioms (SC);
that is, all function calls (i.e., input terms) reduce to values (i.e., ground constructor
terms [27, 32]).
Given the rewrite theory R = (Σ, E  B, R), the key idea of our method is to spe-
cialize the underlying equational theory E = (Σ, E  B) to the precise use that the rules
of R make of the operators that are defined in E . This is done by partially evaluating
E with respect to the maximal (or outermost) function calls that can be retrieved from
the rules of R, in such a way that E gets rid of any possible over-generality and the
functional computations given by E are thus greatly compacted. Nevertheless, while
the transformation highly contracts the system states, we deliberately avoid making any
states disappear since both reachability analysis and logical model checking generally
require the whole search space of rewrite theories to be searched (i.e., all system states).
Our specialization algorithm follows the classic control strategy of logic specializ-
ers [36], with two separate components: 1) the local control (managed by an unfolding
operator [13]) that avoids infinite evaluations and is responsible for the construction
of the residual equations for each specialized call; and 2) the global control (managed
by an abstraction operator) that avoids infinite iterations of the partial evaluation algo-
rithm and decides which specialized functions appear in the transformed theory. A post-
processing compression transformation is finally performed that highly compacts the
functional computations occurring in the specialized rewrite theory while keeping the
system states as reduced as possible.
We provide three different implementations of the unfolding operator based on FV-
narrowing that may include some distinct extra control depending on the FVP/CFVP
behavior of the equational theory E . More precisely, we distinguish the following three
cases:

1. E does not fulfill the finite variant property: a subsumption check is performed at
each FV-narrowing step that compares the current term with all previous narrowing
redexes in the same derivation. The subsumption checking relies on the order-sorted
equational homeomorphic embedding relation of [8] that ensures all infinite FV-
narrowing computations are safely stopped;

2 A variant [22] of a term t in the theory E is the canonical (i.e., irreducible) form of t σ in E
for a given substitution σ ; in symbols, it is represented as the pair (t σ ↓E,B , σ ).
24 M. Alpuente et al.

2. E satisfies the finite variant property: FV-narrowing trees are always finite for any
input term, and therefore they are completely deployed; and
3. E satisfies the finite variant property and is also sufficiently complete: we supple-
ment unfolding with an extra “sort downgrading” transformation in the style of [41]
that safely rules out variants that are not constructor terms. This means that all
specialized calls get totally evaluated and the maximum compression is achieved,
thereby dramatically reducing the search space for the construction of the special-
ized theories.

It is worth noting that our specialization system is based on the Maude’s narrowing
engine and, hence, it respects the limitations and applicability conditions of the cur-
rent narrowing implementation. In particular, Maude’s narrowing (and thus our special-
izer) does not support conditional equations, built-in operators and special equational
attributes (e.g., owise). However, advances in narrowing and unification for Maude will
enlarge the class of rewrite theories that our specialization technique handles.
It is a great pleasure for us to honor Manuel Hermenegildo in this Festschrift.
Many of the themes and techniques we present—beginning with partial evaluation, and
including as well the solving of constraints in user-definable algebraic domains—are
themes to which Manuel and his collaborators have made outstanding contributions.
More broadly, we share also with him the passion for logically-based programming
language design, so as to integrate within a solid mathematical framework various pro-
gramming paradigms. Science is, should be, a dialogue. We look forward to continue
the pleasure of such a dialogue with Manuel—which some of us initiated with him
decades ago—and to his new outstanding contributions in the years to come.
Plan of the Paper. In Sect. 2, we introduce a leading example that illustrates the opti-
mization of rewrite theories that we can achieve by using our specialization technique,
which we formalize in Sect. 3. In Sect. 4, we focus on finite variant theories that are suf-
ficiently complete and we demonstrate that both properties, SC and FVP, are preserved
by our transformation scheme. In Sect. 5, we instantiate the specialization scheme for
the three classes of equational theories already mentioned: theories whose terms may
have an infinite number of most general variants, or a finite number of most general
variants, or a finite number of most general constructor variants. The proposed method-
ology is illustrated in Sect. 6 by describing several specializations of the bank account
specification of Sect. 2 and by presenting some experiments with the partial evaluator
Presto that implements our technique. In Sect. 7, we discuss some related work and we
conclude. The complete code of a non-trivial specialization example together with its
computed optimizations are given in Appendix.

2 A Leading Example

Let us motivate the power of our specialization scheme by optimizing a simple rewrite
theory that is inspired by [41]. The considered example has been engineered to ful-
fill the conditions for the applicability of all the three instances of our specialization
framework.
 Optimizing Maude Programs via Program Specialization 25

Example 1. Consider a rewrite theory that specifies a bank account system with man-
aged accounts. The system automates a simple investment model for the beginner
investor that, whenever the account balance exceeds a given investment threshold, the
excess balance is automatically moved to investment funds. The system allows deposits
and withdrawals to occur non-deterministically, where each withdrawal occurs in two
steps: the withdrawal is initiated through a withdrawal request provided that the amount
to be withdrawn is less than or equal to the current account balance. Later on, the actual
withdrawal is completed. On the contrary, deposits are single-step operations that need
to consume explicit deposit messages to be performed. This asymmetric behaviour is
due to the fact that the amount in a deposit operation is unbounded, while a withdrawal
request is always limited by the account balance. For simplicity, the external operation
of the investment portfolio is not considered in the model.
A managed account is modelled as a term
< bal: n pend: x overdraft: b threshold: h funds: f >

where n is the current balance, x is the amount of money that is currently pending to
be withdrawn, b is a Boolean flag that indicates whether or not the account is in the red,
h is a fixed upper threshold for the account balance, and funds represents the amount
to be invested by the account manager. Messages of the form d(m) and w(m) specify
deposit and withdrawal operations, where m is the amount of money to be, respectively,
deposited and withdrawn. A bank account state (or simply state) is a pair act # msgs,
where act is an account and msgs a multiset of messages. Monetary values in a state are
specified by natural numbers in Presburger’s style3 . State transitions are formalized by
the three rewrite rules in Fig. 1 (namely, w-req, w, and dep) that respectively implement
withdrawal requests, (actual) withdrawals, and deposits.

Fig. 1. Rewrite rules that model a simple bank account system.

The intended semantics of the three rules is as follows. The rule w-req non-
deterministically requests to draw money whenever the account balance covers the
request. The requested amount m is added to the amount of pending withdraw requests
and the withdraw message w(m) is generated. The rule w implements actual withdrawal
of money from the account. When the balance is not enough, the account is blocked by
3 In [40], natural numbers are encoded by using two constants 0 and 1 and an ACU operator +
so that a natural number is either the constant 0 or a finite sequence 1 + 1 ... + 1.
26 M. Alpuente et al.

setting overdraft to true and the withdrawal attempt fails (for simplicity, the excess
of balance that is moved to investment funds is never moved back). If not in overdraft,
money can be deposited in the account by processing the deposit message d(m) using
rule dep.
The auxiliary functions that are used by the three rules implement the pre-agreed,
automated investment policy for a given threshold. They update the account’s state by
means of an equational theory whose operators and equations are shown in Fig. 2. The
equational theory extends Presburger’s arithmetic with the operators over natural num-
bers _>_ and _-_, together with the if-then-construct [_, _, _] and an auxiliary version
«...» of the operator <...> that ensures that the current balance n is below the current
threshold h; otherwise, it sets the balance to n mod h and increments the funds by n
div h, where div is the division for natural numbers and mod is the remainder of the
division; both operations are encoded by successive subtractions. Roughly speaking,
this operator allows money to be moved from the bal attribute to the funds attribute,
whenever the balance exceeds the threshold h. Note that the amount of money in the
investment funds is measured in h units (1, 2, . . . ), which indicate the client’s wealth
category (the higher the category, the greater the investment advantages). The attribute
variant is used to identify the equations to be considered by the FV-narrowing strat-
egy.
The considered equational theory has neither the FVP nor the CFVP since, for
instance, the term « bal: n pend: x overdraft:false threshold: h funds: f »
has an infinite number of (incomparable) most general (constructor) variants

Fig. 2. Companion equational theory for the bank account system.

 Optimizing Maude Programs via Program Specialization 27

( < bal: n’ pend: x overdraft: false threshold: h funds: f + 1 >,{n/(n’ + h)})

..
.
( < bal: n’ pend: x overdraft: false threshold: h funds: f + 1 + ...+ 1 >,{n/(n’ + h +...+ h)})

Fig. 3. Specialized bank account system.

Nonetheless, this is not an obstacle to applying our specialization technique as it can

naturally handle theories that may not fulfill the FVP, whereas the total evaluation
method of [41] can only be applicable to theories that satisfy both, FVP and SC. Actu-
ally, in this specific case, the application of our technique generates the highly opti-
mized rewrite theory that is shown in Fig. 3, which improves several aspects of the input
bank account theory. First, the specialized equational theory is much more compact (3
equations vs 8 equations); indeed, all of the original defined functions are replaced by
a much simpler, newly introduced function f0 that is used to update bank accounts.
Furthermore, f0 exhibits an optimal performance since any call is normalized in just
one reduction step, thereby providing fast bank account updates. Actually, the partially
evaluated equational theory runs one order of magnitude faster than the original one, as
shown in Sect. 6. This happens because the right-hand sides of the equations defining
f0 are constructor terms; hence, they do not contain any additional function call that
must be further simplified.
Second, the specialized equational theory satisfies the FVP, which enables E -
unification, complete variant generation, and also symbolic reachability in the special-
ized bank account system via narrowing with rules modulo E while they were not fea-
sible in the original rewrite theory.
Third, the original rewrite rules have also been simplified: the new deposit
rule dep-s gets rid of the operator «bal:_ pend:_ overdraft:_ threshold:_
funds:_ », while the rewrite rule w-s replaces the complex nested call structure in the
right-hand side of the rule w with a much simpler and equivalent call to function f0.
A detailed account of the specialization process for this example is given in Sect. 6.
28 M. Alpuente et al.

3 Specialization of Rewrite Theories

In this section, we briefly present the specialization procedure NPERU A , which allows
a rewrite theory R = (Σ, E  B, R) to be optimized by specializing the underlying equa-
tional theory E = (Σ, E  B) with respect to the calls in the rewrite rules R. The pro-
cedure NPERU A extends the equational, narrowing-driven partial evaluation algorithm
E Q NPEU A of [7], which applies to equational theories and is parametric on an unfolding
operator U that is used to construct finite narrowing trees for any given expression, and
on an abstraction operator A that guarantees global termination.

3.1 Narrowing and Folding Variant Narrowing in Maude

Equational, (R, E  B)-narrowing computations are natively supported by Maude ver-
sion 3.0 for unconditional rewrite theories. Before explaining how narrowing compu-
tations are handled within our framework, let us introduce some technical notions and
notations that we need.
Let Σ be a signature that includes typed operators (also called function symbols) of
the form f : s1 . . . sm → s where si , and s are sorts in a poset (S, <) that models subsort
relations (e.g. s < s means that sort s is a subsort of s ). Σ is assumed to be preregular,
so each term t has a least sort under <, denoted ls(t). Binary operators in Σ may have
an axiom declaration attached that specifies any combinations of algebraic laws such
as associativity (assoc), commutativity (comm), and identity (id). By ax( f ), we denote
the set of algebraic axioms for the operator f . By TΣ (X ), we denote the usual non-
ground term algebra built over Σ and the set of (typed) variables X . By TΣ , we denote
the ground term algebra over Σ. By notation x : s, we denote a variable x with sort s.
Any expression tn denotes a finite sequence t1 . . .tn , n ≥ 0, of terms. A position w in a
term t is represented by a sequence of natural numbers that addresses a subterm of t (Λ
denotes the empty sequence, i.e., the root position). Given a term t, we let Pos(t) denote
the set of positions of t. We denote the usual prefix preorder over positions by ≤. By
t|w , we denote the subterm of t at position w. By root(t), we denote the operator of t at
position Λ.
A substitution σ is a sorted mapping from a finite subset of X to TΣ (X ). Substi-
tutions are written as σ = {X1 → t1 , . . . , Xn → tn }. The identity substitution is denoted
by id. Substitutions are homomorphically extended to TΣ (X ). The application of a
substitution σ to a term t is denoted by t σ . The restriction of σ to a set of variables
V ⊂ X is denoted σ|V . Composition of two substitutions is denoted by σ σ  so that
t(σ σ  ) = (t σ )σ  .
A Σ-equation (or simply equation, where Σ is clear from the context) is an unori-
ented pair t = t  , where t,t  ∈ TΣ,s (X ) for some sort s ∈ S. An equational theory is
a pair (Σ, E  B) that consists of a signature Σ, a set E of Σ-equations, and a set B of
equational axioms (e.g., associativity, commutativity, and identity) declared for some
binary operators in Σ. The equational theory E induces a congruence relation =E on
TΣ (X ).
A term t is more (or equally) general than t  modulo E , denoted by t ≤E t  , if there
is a substitution γ such that t  =E t γ . A substitution θ is more (or equally) general than
σ modulo E , denoted by θ ≤E σ , if there is a substitution γ such that σ =E θ γ , i.e.,
 Another Random Document on
Scribd Without Any Related Topics
 V.
P eu de temps après sa première visite, M. de Cogolin offrit à
Déborah, si elle étoit curieuse de connoître le séjour et le
pays qu’elle habitoit, de faire une excursion dans l’île, et
de l’accompagner pour lui servir de guide et d’explicateur,
ou, comme on dit à Rome, de cicerone. Elle accepta
volontiers.
Ils montèrent premièrement sur la plate-forme la plus élevée du
donjon.
Après avoir long-temps promené ses regards, Déborah dit à M.
de Cogolin: maintenant, je connois les lieux qui m’environnent, me
seroit-il possible de savoir où je suis?
—Mylady, ce n’est point un mystère; si j’avois pu penser que
vous l’ignorassiez, je me serois empressé de vous dire que nous
sommes ici dans l’île Sainte-Marguerite. Cette autre petite île, au
Sud de celle-ci, dont elle n’est séparée que par un canal étroit, est
Saint-Honorat, où, si cela peut vous plaire, je me ferai un plaisir de
vous conduire. Ces deux islettes qui sont ici tout proche se nomment
la Fornigue et la Grenille; toutes deux sont incultes et inhabitées.
Ils redescendirent ensuite dans l’intérieur de la forteresse, et le
visitèrent minutieusement. Déborah ne put se défendre d’une forte
émotion lorsqu’elle pénétra dans le cachot qui autrefois avait été
habité par le Masque de Fer.
La garnison de cette citadelle ne consistoit en temps de paix
qu’en quelques centaines d’invalides. Les degrés des escaliers, les
parapets, les terrasses et le rivage étoient semés de ces vestiges
humains étendus au soleil.
—Que font ici ces vieux braves? demanda Déborah.
—Ils font, répondit M. le gouverneur, ce que font touts les
hommes, rien! et ils attendent ce que nous attendons touts, la mort!
Alors M. le gouverneur invita Déborah à faire un tour dans son
jardin, la seule partie de l’île qui ne fût pas inculte; puis ils s’assirent
à l’ombre d’une yeuse, et, tout en égrainant et mangeant une
grenade, M. de Cogolin causoit.
—Cette île se nommoit anciennement Lerinus, et celle de Saint-
Honorat Lerina. D’où leur venoient ces noms? Je ne le sais pas,
madame, et tiens à ne le pas savoir, parce que j’ai à honneur d’être
un savant, et que n’en sachant rien, j’en sais autant que Strabon,
Pline, Bouche et Moréry.
Remarquez que par une bizarrerie de l’instabilité des choses
humaines ces deux îles ont changé de sexe, Lerina est devenue
Saint-Honorat, et Lerinus Sainte-Marguerite, vierge et martyre. Cette
dernière a appartenu aux moines de l’autre jusques en 1611, que
Claude de Lorraine, duc de Chevreuse, leur abbé, se la fit céder je
ne sais plus pourquoi.
Autrefois le cardinal de Richelieu fit mettre en état de défense
toutes les côtes de Provence, craignant une invasion des Espagnols.
Ce qui ne les empêcha pas de se rendre maîtres de ces îles et de s’y
fortifier autant que put leur permettre le séjour qu’ils y firent. Dans
celle-ci, qui compte à peine en longueur deux tiers de lieue, et un
quart de lieue de largeur ils élevèrent cinq forts dont tout-à-l’heure
nous pourrons voir les ruines. Dans celle de Saint-Honorat, ayant un
quart de lieue de longueur sur quelque six cents pas de largeur, et
qui étoit auparavant le Paradis terrestre en gentillesse et rareté de
fleurs, de vignes et de jardinages, comme jadis en sainteté, ils
convertirent en forts et bastions les cinq chapelles de la Trinité, de
Saint-Cyprien et Justine, de Saint-Michel, de Saint-Sauveur et de
Saint-Capraise, répandues en divers endroits de l’île. Ils les
remplirent de terre par dedans, les terrassèrent par dehors, et
placèrent au-dessus de chacune deux pièces d’artillerie.
 Comme M. de Cogolin achevoit ses précis historiques, auxquels
Déborah avoit pris peu d’intérêt, ils sortoient du jardin et longeoient
le rivage du côté du golphe de Juan, où ils trouvèrent à peu près en
décombre le moindre des ouvrages élevés par les Espagnols, appelé
le Fortin. Plus avant dans les terres, ils rencontrèrent les ruines du
fort Monterey, où ils s’arrêtèrent quelques instants. Puis, à travers
les bosquets de pins, de phylarias, de bruyères, de garous, de
lentisques, de romarins, et d’alaternes, et les landes de thyms, de
cistes, de stecas, de petites bruyères et de lavandes, dont le sol
inculte étoit couvert, ils revinrent au couchant visiter la tour du
Baliguier et le fort d’Aragon.
—Mais le cinquième et le plus considérable des ouvrages des
Espagnols, dit alors M. de Cogolin, étoit le Fort-Réal, que les
François ont continué et perfectionné: c’est la citadelle que nous
habitons. M. de Saint-Marc, qui en fut gouverneur avant de l’être de
la Bastille, eût l’idée d’y faire construire des prisons pour les
criminels d’État, et il en obtint l’autorisation. Ce sont les plus sûres
de la France.
—Jamais je n’aurois pensé que sous un si beau ciel; reprit
Déborah, il existât un lieu aussi morne. Ne vous semble-t-il pas que
tout ce qu’il y a de douloureux au monde s’y soit assemblé? Une
terre plate, abandonnée, stérile et sauvage; des plantes de
cimetière, couleur du sol qui les nourrit; des décombres et des
ruines partout attestant la fureur sanguinaire des hommes, et la loi
désespérante du Temps; une forteresse et des vieillards mutilés; une
bastille et des geôliers, des chaînes, des captifs, des gémissements.
N’est-ce pas en vérité, l’île de la désolation?... Mais cette désolation
me sourit, elle répond à celle de mon âme.
—Mylady, vous me faites frémir!
—Mon esprit se plaît ici....
—Un vallon amoureux vous conviendroit mieux, ma tourterelle.
—Oh! de la tourterelle les hommes ont fait un oiseau de nuit et
de proie.
 VI.

P rès de l’ancien LOGIS-AUX-CHEVAUX, un batelier les

attendoit et leur fit passer le Frioul: bras de mer d’un
quart de lieue environ, séparant Sainte-Marguerite de
Saint-Honorat. Sur le rivage opposé, un Bénédictin, qui se
promenoit solitairement, s’approcha d’eux, et offrit
galamment sa main à Déborah, pour descendre de la barque. M. de
Cogolin l’ayant salué et lui ayant dit qu’il venoit avec cette dame
étrangère pour visiter l’Abbaye, le saint homme demanda la
permission de les accompagner. Il les conduisit d’abord à la chapelle
Saint-Capraise, située à la pointe occidentale; puis à celles Saint-
Sauveur, Saint-Michel, et Saint-Cyprien et Justine, semées le long de
la rive Nord et se mirant dans le Frioul. Un peu plus à l’Est ils
rencontrèrent la chapelle de la Sainte-Trinité.
Déborah fut frappée de la différence si tranchée entre deux îles
aussi voisines, du complet abandon de l’une et de l’état florissant de
l’autre. Celle-ci étoit presque vivante et passante. Des pélerins
alloient d’église en église faire leurs oraisons. Dans les vignobles, les
vergers, les champs, les prés, les jardins, des moines et des
journaliers travailloient. De grandes avenues d’arbres de haute futaie
sillonnoient le sol plat, dont des bocages et des fourrés d’arbustes
odoriférants varioient l’uniformité. Des plantes et des fleurs les plus
rares et les plus exquises diaproient la verdure et charmoient la vue.
Un air pur et embaumé caressoit l’odorat. A chaque pas que faisoit
Déborah et qui agitoit l’herbe, il s’élevoit des bouffées de parfums
qui montoient comme d’une cassolette. Cette nature inconnue qui
tout-à-coup se révéloit à ses regards habitués à la végétation
septentrionale la remplissoit d’étonnement et d’admiration. Elle alloit
d’arbre en arbre, d’herbe en herbe, s’arrêtant, contemplant, flairant,
cueillant, savourant, et comme un enfant demandant le nom de
chaque plante nouvelle.
—Ces arbrisseaux rampant sur le sol et le long de ces murailles,
sont des câpriers, répondoit le Bénédictin, charmé d’avoir une
occasion d’étaler son savoir; les Provençeaux l’appellent encore en
grec tapenos, de l’adjectif ταῶεινος, qui veut dire bas, humble ou
rampant.—Voici le lentisque et le térébinthe, qui touts deux laissent
fluer une résine, et sur lesquels on greffe le pistachier, qui appartient
au même genre.
—Ici, sur le bord de la mer, vous voyez le myrthe, dont les côtes
maritimes de Saint-Tropez sont couvertes, et la belle Barba-Jovis aux
feuilles argentées.—Ceci, c’est l’elæagnus, le chalef des Turks, que
les Provençaux nomment saule muscat. Ceci, c’est le cassie de Saint-
Domingue, aussi frileux qu’odorant: les parfumeurs de Grasse le
recherchent beaucoup pour leurs essences. Voici l’agnus-castus,
dont le nom est un pléonasme, et que plus sottement encore on
appelle vulgairement poivrier.—Oh! pour cette plante bizarre qui
vous fait pousser des cris d’étonnement, c’est l’aloès! aloe folio in
oblongum aculeum abeunte; sa fleuraison est très-curieuse, mais
extrêmement rare; on assure qu’elle n’a lieu que touts les cent ans,
quoique, par un phœnomène inexplicable, en très-peu de temps sa
tige s’élève jusqu’à trente pieds et jette quelques rameaux terminés
par des bouquets de fleurs. Mais ce qu’il y a de plus merveilleux,
c’est la détonation qui précède la naissance de sa tige, détonation
tout-à-fait semblable à un violent coup de tonnerre, ou une
décharge d’artillerie.
A ces mots, M. de Cogolin partit d’un si énorme éclat de rire, que
mylady fit un soubresaut, et crut un instant que c’étoit une tige
d’aloès qui tout-à-coup jaillissoit.—Votre rire est impie, monsieur le
gouverneur, reprit le cénobite; est-il quelque chose d’impossible à
Dieu? N’est-ce pas une pitié de voir l’impuissance humaine vouloir
circonscrire l’omnipotence du Créateur?
Puis il continua avec le même calme sa nomenclature et ses
dissertations.—Ceci, madame, c’est l’amelanchier, mespilus folio
rotundiore fructu nigro, qu’il ne faut pas confondre avec le mespilus
folio rotundiore fructu rubro, et le mespilus folio oblongo serrato;
celui-là, c’est l’ilex aculeata cocciglandifera, espèce de chêne vert sur
lequel se cueille la graine de kermès ou d’écarlate; voici la
camphrée, excellent vulnéraire, et le carthame d’Égypte, d’où l’on
extrait le fard végétal, dont les femmes folles de leurs corps souillent
leurs visages faits à l’image de Dieu. Voici le jasmin d’Arabie, le
sumach, l’aligousier, le bois-puant, le mahaleb et le micocoulier. A
genoux, madame, ne portez point la main à cet arbuste sacré, c’est
l’argalou, en provençal arnavéou, et en latin paliurus. Son port et ses
fleurs le font ressembler au jujubier, mais voyez, sa tige est hérissée
de deux sortes de piquants. Il croît en abondance aux environs de
Jérusalem, et a servi au temps de la Passion à faire la sainte
couronne d’épines que les Juifs enfoncèrent dans le front de notre
Sauveur. Enfin, voici l’azedarach, arbre de la Syrie, dont on a
conservé le nom arabe. C’est lui qui produit ces graines grisâtres,
dures, lisses, coriaces, appelées larmes de Job: elles servent à faire
de jolies chapelets. Voyez combien son feuillage est beau; ses fleurs,
disposées en bouquets, répandent une odeur suave. Il est cultivé
dans toutes les contrées méridionales de l’univers. Les Américains
l’appellent l’orgueil de l’Inde.
En s’avançant vers la tour du monastère, ils trouvèrent presque
réunies en un groupe la chapelle Notre-Dame, la grande église Saint-
Honorat et la chapelle Saint-Porcaire.
Le bénédictin, laissant alors de côté sa science botanique, dit à
Déborah:—Il y a ici, depuis l’Ascension jusqu’à la Pentecôte, un
concours immense de personnes pieuses qui viennent visiter ces
sept chapelles pour gagner les indulgences accordées par les
Souverains Pontifes, de la même manière qu’on les gagneroit à
Rome en visitant les sept églises basiliques.
Puis il l’emmena entre la chapelle Notre-Dame et les ruines de la
chapelle Saint-Pierre, pour lui montrer un puits miraculeux creusé
dans le roc, et dont l’eau très-limpide est excellente à boire. Ce
puits, affirmoit-il, n’a jamais plus de trois seaux d’eau, et quelque
quantité qu’on en puise, il n’en a jamais moins.
 Là-dessus, M. le gouverneur sourit et railla un peu notre moine:—
Si votre miracle est curieux, lui disoit-il, toutefois il n’est pas unique,
il a quelques degrés de parenté avec les cinq sous éternels du juif
errant.
Sans répondre à cette attaque, Dom Fiacre continua en lisant à
haute voix et avec emphase une très-ancienne inscription, gravée
sur une table de marbre, et placée au plus haut d’un mur voisin du
puits.
Isacidûm ductor lymphas medicavit amaras,
Et virgâ fontes extudit è silice.
Aspice, ut hic rigido surgunt è marmore rivi,
Et falso dulcis gurgite vena fluit;
Pulsat Honoratus rupem laticesque redundant,
Et sudis ad virgæ Mosis adæquat opus.

Sans doute, madame ne sait pas le latin?... Ces vers comparent

Saint-Honorat à Moyse, pour avoir fait sourdre de l’eau d’un rocher
et rendu potables des eaux amères. Lymphas medicavit amaras!...
Saint Honorat chassa aussi de cette île les bêtes venimeuses qui la
rendoient déserte....
—Chasser les bêtes venimeuses pour y mettre des moines;
pardieu! mon révérend, s’écria M. Cogolin, c’est tomber de Nègre à
Maure, de fièvre en chaud-mal, ou de Carybde en Scylla.
—Et il y fonda notre abbaye, la première de tout l’Occident. La
réputation de sa vertu se répandit bientôt, et attira tant de solitaires
des pays les plus éloignés, que l’île devint bientôt aussi peuplée que
les déserts de la Thébaïde. Du temps de Saint-Amand, abbé, on y
comptoit plus de trois mille solitaires.
Ce fut, madame, vers l’an 375, que saint Honorat fonda cet
illustre monastère.
—Je vous demande pardon, mon révérend, mais Baillet prouve
clairement que ce ne fut qu’en l’année 391; Tillemont, que ce ne fut
qu’en 401, et l’abbé Expilly en 410. Mais, qu’importe! j’ai tant de foi,
mon révérend Dom, que je puis en ajouter à ces quatre dates, et
vous assurer qu’il m’en restera encore assez pour l’usage que j’en
fais. Encore un mot: il me revient à l’instant que Bouche dit quelque
part que saint Honorat naquit en 425. Son sentiment seroit donc
qu’il fonda votre monastère cinquante ans environ avant sa
naissance: cette opinion me semble la plus raisonnable, et je
m’empresse de m’y ranger.
—Monsieur le gouverneur, je vois avec un grand chagrin, lui dit
alors Dom Fiacre d’un air pénétré, que vous êtes rongé de la lèpre
philosophique. Vous avez bu votre part de Voltaire; vous suez
l’Encyclopédie. Croyez-moi, retenez votre raison à deux mains;
l’esprit de la France est en orgie. Si ce n’est point pour moi, que ce
soit pour madame, taisez-vous! que Dieu vous garde d’être une
école de scandale.
En sortant de l’église de la Sainte-Trinité, ils se dirigèrent vers
une haute et grosse tour bâtie sur le rocher, dont les pierres étoient
taillées en pointe de diamant, et la porte tournée vers le Nord.
—Mais, est-ce bien là votre abbaye? demanda Déborah à Dom
Fiacre; en honneur, je ne l’aurois jamais deviné; cette tour n’a pas le
moindre caractère abbatial.
—Ce n’est pas non plus le caractère qu’on a voulu donner à cette
merveille de la chrétienté. Elle fut commencée au dixième siècle,
pour servir tout à la fois de logement et de rempart à ses religieux
contre les Sarrasins et les corsaires, qui faisoient des courses le long
du littoral. Ce fut sous le règne de Raymond-Béranger Ier, comte de
Provence, qu’elle fut bâtie; mais elle ne fut amenée en perfection
que par une bulle du pape Honorius II, exhortant touts les chrétiens
à venir demeurer trois mois dans l’île, pour assister et défendre les
moines de Lerins contre les attaques des infidèles, ou à contribuer,
par leurs aumônes, à la construction de la tour, leur accordant les
mêmes indulgences plénières que ses prédécesseurs avoient
accordées aux Croisés. Cette bulle enjoignoit en outre à ceux qui
s’étoient emparés de quelques églises et de quelques biens
dépendant du monastère, de ne pas différer de les rendre.
—Sans vouloir faire le philosophe, vous me permettrez de vous
dire, mon révérend Dom, que la bulle qui renferme ces privilèges est
fort suspecte, et ne peut pas être d’Honorius II, à qui elle est
attribuée, car le pape qui est censé l’avoir donnée y parle d’Eugène
son prédécesseur: et il n’y a point de pape Honorius qui ait succédé
à un Eugène. Secondement: Vous auriez dû dire à madame que ceux
à qui il étoit enjoint de restituer les églises et les biens dérobés au
monastère n’étoient rien moins que des évêques. Pendant que nos
braves moines s’amusoient à se faire une citadelle pour garantir
leurs biens du pillage des Sarrasins, les évêques les leur voloient.
Quant à l’injonction faite à touts les chrétiens de se rendre
pendant trois mois dans une île qui n’a pas une lieue de superficie,
vous conviendrez, mon Révérend, que c’étoit une mauvaise
plaisanterie.
Tout en causant, ils avoient passé deux portes, et monté
quelques degrés au haut desquels se trouvoit un pont-levis qui
menoit au portail de la tour. Là, il se présenta un escalier étroit et
obscur. Comme Déborah mettoit le pied sur la première marche, un
gémissement se fit entendre, elle recula. Et voyant venir à elle un
monstre énorme, qui descendoit en rampant, elle s’enfuit
épouvantée. Dom Fiacre, pour la rassurer, lui prit le bras et la
ramena auprès de l’animal qui avoit causé son effroi.
—N’ayez pas peur, lui disoit-il, c’est un de mes bons amis, un
veau-marin, qui depuis quelque temps vit avec nous dans le
monastère, sans avoir peur des hommes, comme vous voyez, et
sans leur faire aucun mal. Caressez-le, madame; il est très-sensible
aux flatteries. Nous l’avons pris ici, sur le bord de la mer. On en voit
beaucoup, sur le rivage de ces îles, qui s’endorment au soleil.
Après avoir visité quelques cellules, un réfectoire immense, le
logis de la garnison, une plate-forme munie de pièces de canon, et à
l’extrémité du second dortoir la bibliothèque célèbre par le grand
nombre de manuscrits et d’imprimés précieux qu’elle possédoit, ils
entrèrent dans l’église de la tour, sous le vocable de sainte Croix, où
reposoient les corps de plusieurs saints.
Dom Fiacre les conduisit premièrement devant la grande et
magnifique châsse de saint Honorat, tout incrustée de pierreries,
toute sculptée merveilleusement: ensuite, il leur présenta trois
fleurs-de-lys d’argent, où se trouvoient enchâssés des ossements de
saint Pierre, de saint Paul, de saint Jacques le majeur, de saint
Jacques le mineur, et de presque touts les apôtres; une épine de la
couronne de Jésus, du bois de la vraie croix, et plusieurs autres
reliques insignes; enfin une caisse dorée, qui contenoit les
ossements de cinq cents religieux tués par les Sarrasins, du temps
de l’abbatiat de saint Porcaire, et une autre caisse de trente religieux
martyrisés avec saint Aigulfe.
—Mon révérend, de peur de vous blesser encore, je ne me suis
point permis de vous interrompre, dit alors M. de Cogolin, mais je
vous prie maintenant de vouloir bien me permettre quelques
remarques. Vous auriez dû ajouter, en parlant de saint Aigulfe, que
son martyre et celui de ses compagnons n’est point l’ouvrage des
Sarrasins, comme vous le donnez à penser à madame. Ne calomniez
pas ces pauvres Sarrasins, on leur en a déjà assez mis sur le dos.
Vous auriez dû lui dire que les moines de Lerins ayant élu pour leur
abbé Aigulfe, moine de Fleury, celui-ci voulut réformer les désordres
qui régnoient dans le monastère, et proposer la règle de Saint-
Benoît, dont il avoit apporté le corps en France; que le pieux abbé
ne trouva pas un esprit docile dans ses religieux, qui se portèrent à
des excès horribles contre lui, excès qui auroient révolté le plus
farouche Sarrasin; qu’ils tournèrent leur fureur même contre le
monastère, et le ravagèrent, à faire honte à des Vandales; qu’ils
enlevèrent Aigulfe et quelques autres moines attachés à lui, qu’ils
leur coupèrent la langue, qu’ils leur crevèrent les yeux, et qu’après
les avoir laissés deux ans dans l’île de Capreria, ils les massacrèrent
dans une autre île déserte, l’an 675.
Mon Révérend, vous ne pouvez nier le fait. D’ailleurs, il n’est pas
unique, et ce Paradisus terrestris, ce quies piorum, ce solamen
dulce, ce sinus tranquillissimus, comme vous l’appeliez tout-à-
l’heure, avec Dom Vincent Barral, fut souvent un affreux repaire.—Ce
ne sont, mon Révérend, que de simples remarques historiques,
faites sans malice; ne vous en fâchez pas, je vous en prie, et n’en
accusez surtout ni Voltaire, ni l’Encyclopédie, ni les pauvres
Sarrasins!
 —S’il est des gents, monsieur, assez abandonnés de Dieu pour
faire le mal, il en est d’autres qui n’ont d’autre œuvre que de le
mettre en évidence; qui voilent les parties saines, et étalent les
plaies; qui usent toute leur vie et toute leur intelligence à la
recherche de tout ce qui peut couvrir de honte l’humanité, et à
déterrer les pourritures qu’ils devroient recouvrir d’une montagne.
Lequel des deux sera le plus coupable devant Dieu, de celui qui aura
fait le mal dans l’effervescence de la passion, ou de celui qui se sera
plu à le dévoiler, dans le plat sang-froid d’une âme sans
enthousiasme et d’un cœur pervers? Je vous le laisse à juger.—Je ne
dis pas cela pour vous, monsieur le gouverneur; vous êtes un
homme bon, généreux, vertueux, que j’aime et j’honore; vous n’êtes
point dans la classe des premiers, mais vous êtes sous l’influence
des seconds; et c’est ce dont je suis grandement affligé. N’est-il pas
douloureux de voir que même les hommes les plus justes et les plus
nobles n’ont pu se garantir de la contagion; et que quelques vers
seulement ont suffi pour vicier et corrompre la France, comme
quelques vers suffisent pour détruire le plus beau fruit!
Après un moment de silence, se tournant vers Déborah, et lui
montrant le maître-autel, Dom Fiacre reprit: Madame, là repose le
corps de saint Vénant, frère de saint Honorat, celui de saint Vincent
de Lerins, si célèbre par sa doctrine et par sa vertu.
Voici encore un très-beau reliquaire, contenant des restes de
saint Patrice, apôtre de l’Irlande. Le désir de se perfectionner dans la
vie religieuse qu’il avoit embrassée, le porta à se retirer dans le
monastère de Lerins: il y demeura neuf ans.
Dom Fiacre ne put achever: Déborah, qui tout-à-coup avoit pâli
et chancelé, s’étoit agenouillée lourdement et renversée sur le pavé
de l’église.
Son évanouissement fut long.
On la transporta sous une tonnelle du jardin.
Lorsqu’elle rouvrit les paupières, M. le gouverneur lui exprimoit
sur les lèvres le jus d’une orange, et le Bénédictin étoit à genoux
devant elle, les bras étendus en croix. Un sentiment de pudeur et
d’embarras colora ses joues, et lui fit jeter un cri timide et porter ses
doigts à son corset délacé. Mais ses premières paroles furent des
remercîments pour les soins qu’on lui prodiguoit.—Ne vous alarmez
pas, mes bons seigneurs, ajouta-t-elle; ce n’est qu’une violente
émotion. La vue de ces reliques de saint Patrice a réveillé tout à la
fois dans mon âme des souvenirs douloureux de patrie et d’amour,
qui m’ont brisée et suffoquée.... Je suis Irlandoise, mon Révérend, et
mon époux, qui a été assassiné il y a quelques mois, se nommoit
Patrick.... O mon pauvre Patrick!... Tenez, mon père, le voici! c’est
son portrait qui pend à cette chaîne. N’est-ce pas, qu’il étoit beau?
Eh bien! il étoit encore plus pur et plus juste. Les cruels me l’ont tué
sans me tuer!...
—Ma fille, adorez les décrets de Dieu; que savez-vous pourquoi il
vous a ôté votre époux à l’entrée de la vie? que savez-vous quel sort
il vous garde?... Vous connoissez les maux qui vous ont atteinte,
mais connoissez-vous ceux dont il vous a préservée, et dont il vous
préserve?
—Maintenant, je me sens mieux mon Révérend, beaucoup
mieux; je puis me lever et marcher: achevons notre pélerinage.
M. de Cogolin, soutenant Déborah, la conduisit alors à la
calanque de Saint-Colomban: caverne au pied de laquelle la mer bat
continuellement. Elle étoit grosse à cette heure, ils ne purent y
pénétrer sans se mouiller à mi-jambe.—C’est ici, dit gravement Dom
Fiacre, le lieu sauvage où se cachèrent saint Eleuthère et saint
Colomban, lorsque les Sarrasins massacrèrent les cinq cents religieux
dont nous avons vu tantôt les ossements. Mais ayant apperçu les
âmes de ces saints cénobites monter au ciel, sous la forme d’étoiles
brillantes, saint Colomban sortit de cette spélonque, et alla s’offrir à
la hache des infidèles pour s’associer au martyre de ses frères.
A ces mots, M. le gouverneur éclata de rire, et comme un esprit
fort, regardant d’une air malicieux notre sérieux mystagogue:—Ah!
par la mort-Dieu! mon Révérend, s’écria-t-il, vous nous en baillez de
bonnes!... Oh! pour cette bourde-là, elle ne passera pas.—Vraiment,
si surtout ce massacre s’est fait pendant la nuit, jamais girande et
bouquet de feu d’artifice n’ont produit un plus beau spectacle que
ces cinq cents et une âmes montant au ciel, comme des fusées
volantes, en manière d’étoiles de feu. J’avoue que je serois curieux
de voir un pareil feu d’artifice d’âmes, et surtout de savoir si pour les
faire monter ainsi elles ont besoin d’une baguette d’osier comme les
pétards?
En sortant de la calanque, profanée par les dérisions de M. le
gouverneur, à la pointe Sud-Est de l’île, ils montèrent dans une
nacelle, pour passer le pas étroit qui sépare Saint-Honorat d’un îlot,
nommé Saint-Féréol. Lorsque sous l’abbatiat de Saint-Amand, où l’on
comptoit plus de trois mille solitaires, ne pouvant touts se loger dans
Lerina, une partie de ces saints personnages allèrent habiter Lerinus,
Sainte-Marguerite, qui compte entre ces plus célèbres anachorètes
saint Eucher de Lyon, il s’en établit aussi dans les autres petites îles
d’alentour, à la Fornigue, à la Grenille, et dans celle-ci, qui doit son
nom à Saint-Féréol, dont ont voit encore la cellule, qui contient à
peine un homme.
Après avoir fait une assez longue station sur ce rocher sauvage,
semblant de loin une feuille morte flottante, et d’où le regard,
effleurant la surface de la mer, fuit sur son étendue, avec la vitesse
d’un lutin, jusque dans le golphe de Gènes, ils regagnèrent le Frioul
et la barque qui les avoit amenés.
Déborah adressa d’aimables remercîments à Dom Fiacre, puis
elle se mit à genoux, et lui demanda sa bénédiction.
—Soyez bénie, lui dit-il, au nom de Celui qui est le refuge des
affligés; soyez bénie à la face des trois immensités, foible image de
l’immensité de Dieu, la terre, l’océan et le ciel. Ma fille, ne vous
laissez point maîtriser par la désolation; le désespoir ne doit point
souiller une âme chrétienne; le désespoir est un grand blasphème
contre Dieu.—Priez, il ne vous abandonnera pas.—Qu’est-ce pour le
Tout-Puissant qu’une chaîne et qu’un verrouil?... Celui qui tira Daniel
de la fosse aux lions saura bien tirer sa servante,—ancilla sua,—de la
fosse aux hommes.
 VII.

D eux ou trois fois par semaine M. le gouverneur réunissoit

dans son salon touts les prisonniers, et leur donnoit des
espèces de soirées, où l’on causoit et jouoit à la bassette
et à l’hombre. Déborah s’y montroit rarement; elle n’y
paroissoit que lorsqu’elle n’étoit point en disposition de
tristesse. Le vrai chagrin ne veut point de distraction: il se renferme,
il demeure face à face avec lui-même, et s’y complaît, comme une
femme devant le miroir qui répète son image; tout autre que lui-
même est laid, grimaçant et repoussant. Le chagrin, a-t-on dit, est
pareil à ces verres d’optique qui, par un jeu étrange, bouleversent,
rabougrissent ou prolongent les plus belles formes, et font une
figure grotesque d’une admirable statue. Mais peut-être, au
contraire, n’est-ce qu’un verre éclaircissant, qui nous découvre tel ce
que l’éducation, les préventions, les illusions, le trouble des passions
et l’orgueil nous présentent sous un jour faux.—Le chagrin pourroit
être comparé à la balance de la Justice, si la balance de la Justice
pesoit juste.
La forteresse ne recéloit alors que huit ou dix prisonniers. Parmi
eux se trouvoient deux vieillards en pleine santé et en pleine raison,
que leurs enfants, puissants en Cour, avoient fait interdire et
enfermer comme aliénés, pour s’emparer et jouir de leurs biens par
avancement d’hoirie.
Quoiqu’il manquât peu de chose au bien-être matériel de
Déborah, elle étoit plus sombre et plus abattue que jamais. Elle étoit
poursuivie de désirs étranges, elle aspiroit à un état autre et lointain;
et comme elle étoit captive, elle se disoit:—C’est la liberté qui me
manque. Mais ce besoin vague, l’homme le porte avec lui en tout
temps et en touts lieux: libre ou captif, en deuil ou en joie, son âme
est toujours troublée par ses élancements, vers un infini et un
inconnu inexplicables. Est-ce l’oscillation de la flamme qui brûle en
notre lampe d’argile, et qui s’essaye à remonter au foyer d’où elle a
été distraite? Est-ce l’arrière-souvenance d’une vie meilleure et
passée, ou le pressentiment d’une vie meilleure et future?... Celui
qui le premier compara la vie à un voyage et l’homme à un pélerin,
jeta une de ces grandes lueurs qui rarement s’échappent du génie
humain, et qui, comme la foudre, étalent une nappe de lumière dans
les ténèbres. L’homme en effet n’est-il pas comme le voyageur qui
aspire toujours? mais à quoi aspire-t-il?... Pour certain, ce n’est pas
au néant de la tombe.
La solitude dans laquelle vivoit Déborah exaltoit sa sensibilité, et
dégageoit en elle ces vapeurs noires qui assaillent les femmes
durant leurs gestations. La mémoire de ses maux soufferts ne
désemparoit pas de son esprit, et son cœur étoit plein de remords et
de regrets. Elle s’accusoit du trépas de sa mère et du trépas de
Patrick. Il lui sembloit que leurs ombres erroient sans repos autour
d’elle et la frôloient. Dans le grincement du verrouil de sa porte
agitée, dans le bruit du vent, dans les pulsations des psoques et des
psylles, qui frappent et percent les vieux meubles de leur tarière, elle
croyoit entendre leurs pas ou des plaintes et des gémissements. M.
de Cogolin venoit bien de temps à autre passer quelques loisirs
auprès d’elle, mais sa conversation étoit si frivole, que Déborah y
goûtoit peu de charmes et y puisoit peu de force. Dom Fiacre la
visitoit aussi assez fréquemment; mais comme il la travailloit sans
miséricorde de dogmes et de doctrines, il étoit plutôt importun
qu’agréable, et jouoit plutôt le rôle d’un persécuteur que d’un saint
paraclet. Pour les autres prisonniers, elle les fuyoit le plus possible.
La vue de beaucoup de ces victimes, qui, comme elle, jeunes
avoient passé la porte de cette forteresse, et dont les cheveux
avoient blanchi sous ses voûtes, l’attristoit profondément, lui
présageoit sa destinée; destinée contre laquelle tout ce que son âme
avoit de puissance se roidissoit. Elle soutenoit rarement une
conversation, ses réponses étoient brèves, et quelquefois même
insensées. Son plaisir le plus vif étoit de se promener dans le jardin
du gouverneur, de s’y promener seule, et dans la partie la plus
sombre.
Il y avoit quatre mois que Déborah avoit été transférée à Sainte-
Marguerite, quand elle accoucha d’un enfant mâle. Sa joie fut
grande, et elle le nomma Vengeance. Ce nom fit trembler M. de
Cogolin; et Dom Fiacre employa tout ce que ses moyens oratoires
purent lui suggérer de persuasif pour faire substituer à ce nom impie
le nom patronal d’un saint apôtre. Mais Déborah demeura inflexible.
La naissance de ce fils lui rendit toute son énergie et tout son
courage. Dans les soins et les sollicitudes maternels elle trouvoit
l’oubli de ses malheurs. C’étoit pour elle une grande consolation que
d’être mère, et de voir revivre Patrick, dont cet enfant étoit déjà
l’image; d’être tutrice d’une créature encore plus foible qu’elle-
même; d’avoir une existence dépendante de la sienne, d’avoir une
éducation à faire. Son avenir, qui lui apparoissoit vide, sombre et
sans but, venoit tout-à-coup de se remplir. Elle avoit une tâche
longue et douce, des travaux, des devoirs, une compagnie, toutes
ses affections prises, toute sa vie occupée. Il lui sembloit qu’il
pourroit être encore pour elle quelques félicités vraies, en se livrant
au culte d’un souvenir vivant, mais pour cela il falloit s’arracher du
cachot où elle étoit condamnée à languir et à mourir, il falloit qu’elle
recouvrît sa liberté. Depuis long-temps c’étoit là ce qui la
préoccupoit. L’heure de l’exécution lui paroissant enfin venue, elle
écrivit cette lettre à son tuteur Sir John, Chatsworth, avocat à
Dublin:
«Mon cher et honorable ami,

»J’ai besoin de vous, vous êtes mon seul refuge, ne me manquez pas,
tout me manqueroit. Souvenez-vous avec plaisir de cette pauvre Debby,
votre fille, comme vous l’appeliez et comme vous l’aimiez, dont les petits
bras s’enlacèrent tant de fois à votre col, et que vous berçâtes tant de fois
dans votre grande robe noire. Vous m’avez connue au berceau, vous
m’avez chérie dès mon enfance; chérissez-moi toujours, chérissez-moi au
moins encore une fois, je vous en prie au nom de ma malheureuse mère,
je vous en prie au nom de son père, mon ayeul, qui vous portoit tant
 d’amitié. Il m’a placée sous votre protection, il m’a faite votre pupille, il
vous a confié ma défense et mes biens, sauvez-moi, vous êtes maître de
ma fortune et de ma vie.
» Lorsque je quittai l’Irlande, il y a dix mois environ, je vous adressai
un mémoire de tout ce qui venoit de se passer dans ma famille, et des
motifs qui me forçoient à m’expatrier; ce mémoire étoit triste, ce mémoire
étoit déchirant, votre cœur bon en a été très-affecté sans doute; je vous
demande pardon du chagrin que je vous ai fait. Je croyois que l’exil alloit
mettre fin à mes souffrances, et me donner le bonheur dont mon âme
étoit avide, parce quelle avoit avec qui le partager. Je croyois trouver en
France liberté et hospitalité!... Hélas! jamais déception fut-elle plus grande
que la mienne! Que n’allai-je plutôt me jeter dans le désert de Barca!...
Vous trouverez ci-inclus un nouveau mémoire, exact et vrai, de tout ce qui
m’est advenu depuis ma fuite sur le Continent. Le premier étoit déchirant,
celui-ci est affreux! Si votre cœur répugne aux tableaux sombres, si
l’injustice vous fait mal, prenez-le, lacérez-le, jetez-le au feu.... Alors qu’il
vous suffise de savoir qu’aujourd’hui je suis emprisonnée dans une bastille
d’État, d’où je ne dois plus sortir que sur l’épaule d’un fossoyeur. Mais
avec votre secours et votre aide, cela ne sera pas. J’ai longuement mûri
des projets d’évasion, voici le plus sûr et le plus simple, auquel je
m’arrête. Il coûtera sans doute des sommes considérables; allez, que ceci
ne vous ralentisse point, Dieu merci, j’ai assez de richesses, et depuis trois
jours je suis majeure.

(Ici se trouvoit un plan de fuite très-hardi et parfaitement

circonstancié.)
»Quoique toutes ces recommandations puissent vous sembler des
minuties, qu’aucune ne soit négligée, le sort de l’entreprise en dépend.
»Je prends à ma charge touts les frais d’armement, d’équipage et de
voyage. Si vous trouvez un sujet convenable, qui vous demande plus de
vingt mille livres, donnez plus, n’hésitez pas. Je suis prête, s’il étoit
nécessaire, à faire le sacrifice entier de mes biens, pour me tirer du lieu
où je suis. Pour payer une vie, même la vie la plus infortunée, il n’y a pas
de rançon trop chère.
»Tout cela va vous donner beaucoup d’ennui et de peine, mon bon
tuteur, mais croyez bien que j’apprécie l’immensité du service que vous
allez me rendre, service au-delà de toute reconnoissance. J’en conserverai
à tout jamais une inaltérable gratitude, qui, jointe à l’affection dont mon
cœur est possédé, fera de vous l’homme le plus aimé, comme vous êtes le
plus digne de l’être.»
 Quand Déborah eut achevé cette lettre, elle courut la porter à M.
de Cogolin, que déjà très-adroitement elle avoit entretenu de son
projet d’écrire à son tuteur, pour lui demander compte des biens que
lui avoit légués son grand-père: projet qu’il avoit approuvé et
encouragé de tout son cœur. Et elle la lui présenta toute ouverte, en
le priant de vouloir bien en prendre connoissance, certaine à
l’avance de son refus, par galanterie, par délicatesse, et surtout
parce qu’il savoit à peine quelques mots d’anglois.
—Cachetez votre lettre, ma belle amie, je vous rends confiance
pour confiance, lui dit-il, en lui prenant et lui baisant les mains,
cachetez-la et remettez-la moi de suite, quelqu’un de mes gents va
partir tout-à-l’heure pour Antibes, je l’en chargerai.
Déborah le remercia poliment, mais avec une extrême réserve,
crainte de trahir tout ce qu’elle éprouvoit de joie de ce premier
succès.
LIVRE CINQUIÈME.
 VIII.

H ola! sentinelle, veillez-vous?

—Qui vive?
—Ordre du Roi. Faites baisser le pont.
Il se fit un long silence. Onze heures de la nuit
sonnèrent au château. L’obscurité était profonde.
—Qui vive? s’écria de nouveau une voix dans l’éloignement.
—Ordre du Roi! Jean Buot!
—Ah! c’est vous, monsieur Buot! votre serviteur très-humble.
Vous nous amenez sans doute du gibier? toutes nos cages à poulets
sont pleines, à quel croc voulez-vous que nous le logions?
Les chaînes du grand pont-levis grincèrent, il s’abaissa
lourdement et un carrosse s’avança: deux hommes en descendirent,
l’un avoit une épée au côté, l’autre des fers et des boulons aux pieds
et aux mains; et ces deux hommes en suivirent deux autres, le
sergent de garde et le concierge du donjon.
Arrivés à une enceinte de muraille d’une hauteur excessive,
percée d’une seule entrée, défendue par deux sentinelles, trois
portes énormes, scellées de distance en distance dans l’épaisseur
d’un mur ayant plus de seize pieds, s’ouvrirent et se refermèrent sur
eux.
Une lampe de fer, vraiment sépulcrale, éclairoit de sa lueur
mourante leurs pas, qui retentissoient sous les voûtes et se mêloient
aux cris des verrouils et des grilles, pivotant sur leurs monstrueuses
crapaudines. Partout où l’œil perçoit il ne rencontroit, à travers les
ténèbres, qu’un effroyable spectacle de serrures, de verrouils,
d’écrous, de cadenas et de barres de fer.
Après avoir passé par un escalier à noyau, tortueux, étroit,
escarpé, allongeant le chemin, multipliant les détours, de toise en
toise obstrué de portes rigoureusement closes, au premier étage un
guichet, semblant une muraille qui va et vient, s’ouvrit, et ils
pénétrèrent dans une vaste chambre, voûtée en ogive, avec un seul
pilier au centre.
Le jeune homme chargé de chaînes, soulevant alors sa tête
inclinée en victime, lut au-dessus de la porte cette inscription:
CARCE TORMENTORUM, Salle de la Question; et apperçut les parois
des murs et le berceau des voûtes couverts d’instruments de torture,
étranges et inconnus. Tout au pourtour se trouvoient des stalles de
pierre, environnées d’anneaux scellés dans des blocs, servant à
assujétir, au moment des épreuves, les membres des malheureux
placés sur ces sièges de douleur. Çà et là se voyoient aussi quelques
lits de charpente, où l’on enchaînoit le patient, lorsqu’anéanti par le
surcroît de la souffrance et près d’expirer, on lui donnoit un peu de
relâche pour le rendre à la sensibilité, afin de lui faire subir de
nouveaux supplices.
Le lieutenant du Roi au Donjon ne tarda pas à paroître. M. Jean
Buot lui ayant remis les ordres et la lettre-de-cachet du ministre
Phélypeaux de Saint-Florentin de la Vrillière, il considéra un instant
son nouvel hôte, et, selon l’usage, ordonna aux guichetiers de le
fouiller. Pour qu’ils le fissent avec plus de zèle, il commença lui-
même par leur en donner le bon exemple. Ayant retroussé les
parements de ses manches, il introduisit ses mains dans les goussets
et dans toutes les poches; et, comme un chirurgien qui veut sonder
une hernie, il promenoit ses doigts jusque dans les lieux les plus
secrets.—Honte et dégoût!... Le prisonnier fit un mouvement
d’indignation, et détourna la tête et cracha sur la muraille. On lui
enleva son argent, sa montre, ses bijoux, ses dentelles, son
portefeuille.... On lui détacha ses fers: ses bras et ses jambes
étoient écorchés par leur frottement et bleuis par la compression
qui, arrêtant la circulation de la sève, avoit fait lever tout au tour des
bourrelets comme à un cep étranglé par des liens. Quand notre
infortuné fut débarrassé de ses entraves, M. Jean Buot s’écria avec
une emphase vraiment risible: Messieurs, cet homme est un forcené
redoutable, tenez-vous sur vos gardes; et vous, commandant, tirez
s’il vous plaît votre épée hors du fourreau.—A cette exhortation, le
prisonnier ne fit que sourire, mais d’un sourire amer.
Enfin on le dépouilla de ses vêtements, et on le recouvrit de
haillons, sans doute imbibés des pleurs et des sueurs d’agonie de
quelque infortuné mort à la chaîne.
De grosses larmes tomboient des yeux de ce pauvre jeune
homme, ses jambes fléchissoient; il se renversa sur un des sièges de
torture. Profitant de son évanouissement, deux porte-clefs le
traînèrent hors de cette salle; et, redescendant l’escalier tortueux, et
traversant au-dessous un repaire à peu près semblable, paroissant
servir de cuisine, ils le firent passer dans un affreux cachot, à rez-de-
chaussée, où on l’étendit sur un peu de litière, après l’avoir enchaîné
à la muraille. Puis comme s’il eût été en état de l’entendre, M. le
lieutenant du Roi lui fit alors l’injonction brève et hautaine de ne pas
se permettre le plus léger bruit, car c’est ici, lui dit-il, la maison du
silence.
En effet, c’étoit la maison du silence, mais c’étoit aussi celle de la
faim et de la mort.
Peu de temps après, il commença à reprendre possession de ses
esprits; mais à mesure qu’il recouvroit le sentiment ses larmes
redoubloient. Pour tâcher de découvrir en quels lieux il pouvoit être,
il se dressa sur son séant, palpant de ses doigts à l’entour de lui et
cherchant à déchiffrer quelques formes dans l’obscurité.—Tout-à-
coup, il lui semble entendre un bruit de respiration pénible, il écoute:
—le même bruit se prolonge.—Plus de doute, c’est un souffle!... Mais
est-ce le souffle d’un être humain ou d’une bête fauve?—L’effroi le
saisit, il se penche, il écoute encore.... Cette fois, son oreille
distingue un froissement léger et un craquement de membres étirés
qui se disloquent.
—L’obscurité est si épaisse que j’échappe à mes propres regards.
Quelqu’un autre n’est-il pas en ce lieu? dit-il alors, presque à voix