### Table 1: Safety Proof Breakdown

2003

"... In PAGE 24: ...heorems 4.1, 4.2 and 4.6 consists of 10137 lines of Twelf code (including comments). A breakdown of the proof code for the interested reader is given in Table 1. The full proof takes approximately three minutes to check in Twelf 1.... ..."

Cited by 66

### Table 1. Relative Safety Proof Experimental Results

2006

"... In PAGE 13: ... For producer-consumer problem, we do not perform any lhs unfolding. Experimental results in proving relative safety assertions are shown in Table 1, where A#=number of verified assertions, LSt=number of visited lhs goals, RSt=number of visited rhs goals, and T=time in seconds. In ProblemName-N, N denotes the number of processes, except for Prod/Cons-N where N denotes that there are N produce and consume operations.... In PAGE 15: ... Reduction in time roughly corresponds to those of state space. Finally, comparing Table 1 and 2, the proof of relative safety assertions are no easier than the proof of traditional safety assertions, even with coinduction. This is because of the need to perform rhs unfold when proving relative safety.... ..."

Cited by 1

### Table 1. Safety conditions for different safety policies.

"... In PAGE 6: ...From our perspective here, the safety conditions are the most interesting aspect since they have the greatest bearing on the form of the proof obligations. Table 1 summarizes the different conditions and the domain theories needed to reason about them. Both variable initialization and usage as well as array bounds certification are logically simple and rely just on propositional and simple arithmetic reasoning, respectively, but can require a lot of information to be propagated throughout the program.... ..."

### Table 1. Results of safety certification

2005

"... In PAGE 9: ...nd there are no operations on entire matrices (e.g., matrix multiplication). For each of the examples, Table 1 lists the size |S| of the specification, the size |P| of the generated program (including comments but without annotations), the applicable safety policies, the sizes |A| and |A | of the generated and propagated annotations, and finally the numbers N and Nfail of generated and invalid safety obligations as well as the generation and proof times Tgen and Tproof. All times are wall-clock times rounded to the next second and were obtained on a 2.... ..."

Cited by 4

### Table 1. Safety formulas for different policies

2004

"... In PAGE 4: ... From our perspective, the safety conditions are the most interesting aspect since they have the greatest bearing on the form of the proof obligations. Table 1 summarizes the different formulas and the domain theories needed to reason about them. Both variable initialization and usage as well as array bounds certification are logically simple and rely just on propositional and simple arithmetic reasoning, respectively, but can require a lot of information to be propagated throughout the program.... ..."

Cited by 11