### Table 4: Lemma 1 Program reductions commute with proof reductions. Proof. See Albrecht and Crossley [1].2 As a corollary we have: Theorem 2 Every sequence of proof-reductions and program-reductions terminates. Proof. By the lemma we can perform all the proof-reductions rst. This sequence of reductions terminates by theorem 1. Next, all program-reductions are length reducing hence any such sequence terminates.2

### Table 1. Results of experimental evaluation on device drivers. Each example represents a single loop in a dispatch routine for a device driver. Strengthenings indicates how many times the strengthening procedure was called, and Weakenings how many times the weakening procedure was invoked from the checking procedure. T/O indicates timeout. The timeout threshold was set to 3 hours (= 10800s). CEX indicates a bug found, False represents a false bug found, and Pass represents the case where a termination proof is found.

in Abstract

"... In PAGE 9: ... Results. See Table1 for the results of our experiments. Example 17 includes the code from Figure 1, and Example 1 includes the code from Figure 8.... In PAGE 9: ... Example 17 includes the code from Figure 1, and Example 1 includes the code from Figure 8. Each example in Table1 represents a thread- termination proof for a single loop (i.e.... In PAGE 9: ... The device drivers range in sizes from 1,000 to 30,000 lines of code, however the reachable code from a single dispatch routine (device drivers usu- ally export up to 10) usually ranges from 300 to 10,000 of lines of code. Table1 demonstrates promise that our algorithm from Fig- ure 4 can be made to be practical, automatic, accurate and scal- able. The tool is completely automatic.... In PAGE 9: ... Furthermore, the performance (while expensive) in many cases is not intractable. Table1 also demonstrates that, at least in this domain, simple agreements suf- fice. We expect the same to be true for most instances of industrial software.... In PAGE 9: ... Before now the sound option available was to apply a sequential termination prover on a program that represents an encoding of all of the interleavings of T1 to TN. In order to compare against our new algorithm we have tried this for the first three examples from Table1 : all three cases resulted in a timeout after 3 hours using TERMINATOR. The other potential competitor to our technique is simply to run a sequential termination prover on the single thread in question, thus simply ignoring the unsoundness (due to bugs that can only be found in the concurrent setting).... In PAGE 9: ... The other potential competitor to our technique is simply to run a sequential termination prover on the single thread in question, thus simply ignoring the unsoundness (due to bugs that can only be found in the concurrent setting). During the analysis that produced Table1 we found 3 previously unknown bugs (Examples 1, 5, and 19). The bugs in Examples 1 and 19 indeed require support for concurrency in order to be found, meaning that in principle no other known program termination prover would be able to find these bugs.... In PAGE 9: ... As A = true in Example 5, however, this bug can be found simply with a sequential termination prover. Notes on the bug from Example 1 of Table1 (Figure 8). Figure 8 shows the loop from the first example in Table 1.... In PAGE 9: ... Notes on the bug from Example 1 of Table 1 (Figure 8). Figure 8 shows the loop from the first example in Table1 . This is not all of the code used in the example, just the body of the loop.... In PAGE 9: ... A fix is to create a new list, remove the elements from ReadQueue, place them into the new list, release the lock, and then remove and complete each request from the new queue. Examples 2 and 3 from Table1 represent the two loops from this proposed fix. 8.... In PAGE 10: ...Information=0; RemoveReferenceAndCompleteRequest( devExt- gt;DeviceObject, Irp, STATUS_CANCELLED); KeAcquireSpinLock( amp;devExt- gt;SpinLock , amp;OldIrql); } Figure 8. Fragment of Example 1 from Table1 (a modem device driver) containing a concurrency/termination bug. Unbounded threads, thread creation, thread destruction, etc.... ..."

### Table 1. Termination predicates synthesized by our method.

1996

"... In PAGE 14: ...f. [NN95]. To determine non-trivial subdomains of higher-order functions which are not always terminating, in general one does not only need a termination predicate for each function f but one also has to generate termination predicates for the (higher-order) results of each function. Our method proved successful on numerous examples (see Table1 for some examples to illustrate its power). For each function f in this table the correspond- ing termination predicate f could be synthesized automatically.... In PAGE 14: ... Termination of those algorithms marked with can be proved by methods for absolute termination proofs, too. But the termination behaviour of all other algorithms in Table1 could not be analyzed with any other automatic method. Although those functions without which have the termination predicate true are also total, their totality cannot be veri ed by the existing methods for ab- solute termination proofs.... In PAGE 17: ...Examples This appendix contains 32 examples to illustrate the power of our method (cf. Table1 ). Algorithms marked with are (absolutely) terminating and only call terminating algorithms (they are required as auxiliary algorithms for the other examples).... ..."

Cited by 11

### Table 1. Termination predicates synthesized by our method.

1996

"... In PAGE 14: ...f. [NN95]. To determine non-trivial subdomains of higher-order functions which are not always terminating, in general one does not only need a termination predicate for each function f but one also has to generate termination predicates for the (higher-order) results of each function. Our method proved successful on numerous examples (see Table1 for some examples to illustrate its power). For each function f in this table the correspond- ing termination predicate f could be synthesized automatically.... In PAGE 14: ... Termination of those algorithms marked with can be proved by methods for absolute termination proofs, too. But the termination behaviour of all other algorithms in Table1 could not be analyzed with any other automatic method. Although those functions without which have the termination predicate true are also total, their totality cannot be veri ed by the existing methods for ab- solute termination proofs.... In PAGE 17: ...Examples This appendix contains 32 examples to illustrate the power of our method (cf. Table1 ). Algorithms marked with are (absolutely) terminating and only call terminating algorithms (they are required as auxiliary algorithms for the other examples).... ..."

Cited by 11

### Table 3: Proof reductions The basic result for proof terms in natural deduction and in the arithmetic de ned below is that all reductions terminate leaving a term which is then said to be in normal form. This prop- erty is called strong normalization. (Weak normalization is when some sequence of reductions terminates.) For convenience we shall call these reductions proof reductions. Theorem 1 (Girard [5]) Every proof term strongly normalizes and the normal form is unique (up to renaming of variables). 2 We now specify a further reduction process. First we delete all the types as in [7], except that we quot;remember quot; the type of the original term, i.e. the outermost type which is the formula whose proof is represented by the original proof term. Program-reductions are as shown in table 4. The resulting terms are called simpli ed proof terms of type . A ()

### Table 3: The basic result for proof terms in natural deduction and in the arithmetic de ned below is that all reductions terminate leaving a term which is then said to be in normal form. This prop- erty is called strong normalization. (Weak normalization is when some sequence of reductions terminates.) For convenience we shall call these reductions proof reductions. Theorem 1 Every proof term strongly normalizes and the normal form is unique (up to re- naming of variables). We now specify a further reduction process. First we delete all the types. Program-reductions are as shown in table 4. However, we quot;remember quot; the type of the original term, i.e. the outermost type which is the formula whose proof is represented by the original proof term. The resulting terms are called simpli ed proof terms of type . A

### Table 2: Transition function for the termination protocol.

1992

"... In PAGE 6: ... Any existing election algorithm is suitable (see, for example, [4]). Once the termination coordinator is chosen, it runs the protocol shown in Figure 2 and Table2 . First, it polls the participants of the transaction about their states.... In PAGE 6: ... 5 Proof of Correctness We now prove that the proposed protocol is correct. From now on, we will refer to the protocol in Table 1 as the normal commit protocol, and to the protocol in Table2 as the termination protocol. We will say that a commit quorum is established in the system if all nodes from commit-sufficient subsets of the districts with total weight at least Vc have visited state PC during the execution of the normal commit and the termination protocols.... ..."

Cited by 1

### Table 2: Necessary and executed inferences in protocols of distributed proofs Remark: For examples present in this table but not in table 1 there does not at the moment exist a sequential proof with DISCOUNT. For BoolAssoc, as an example, the sequential prover did 879594 inferences (generating a protocol of 73Megabytes) before terminating unsuccessfully due to lack of memory.

1994

"... In PAGE 59: ...Table2 shows the data for proofs generated in distributed mode. 7.... ..."

Cited by 17

### Table 2. Results from the Elimination of States Algorithm with fuzzy termination criterion

2000

"... In PAGE 8: ... This last advantage is much more significative when the number of objects increases. On the other hand Table2 shows other results from the experiments after using the above Elimination of States algorithm with a fuzzy termination criterion. It is shown as this algorithm provides a better approximation (lower error) with lower times than Sahni algorithm.... In PAGE 8: ... It is shown as this algorithm provides a better approximation (lower error) with lower times than Sahni algorithm. Results and conclusions pointed out from Table 1 and Table2 are a proof of the... ..."

Cited by 3

### Table 1. Performance of the di erent techniques on the examples of [2]

2003

"... In PAGE 31: ...Table 1. Performance of the di erent techniques on the examples of [2] Table1 shows in the \power quot; column the number and the percentage of the examples where the respective approach was successful within a time limit of 120 seconds. In the \time quot; column, it shows the time required for the 110 innermost termination proof attempts (where proof attempts were interrupted after 120 seconds) as well as the average time needed per example (in square brackets).... ..."

Cited by 12