Multiway decision graphs are a new class of decision graphs for representing abstract state machines. This yields a new verification technique that can deal with the data-width problem by using abstract sorts and uninterpreted functions to represent data values and data operations, respectively. However, in many cases it may suffer from non-termination of the state enumeration procedure. This paper presents a novel approach to solving the non-termination problem when the generated set of states, even if infinite, represents a structured domain whose terms (states) share certain repetitive patterns. The approach is based on the schematization method developed by Chen and Hsiang, namely ρ-terms. Schematization provides a suitable formalism for finitely manipulating infinite sets of terms. We illustrate the effectiveness of our method by several examples.
Introduction
Two main approaches to formal verification have been studied: interactive verification using a theorem prover, and model checking. Each method possesses its own strengths and weaknesses. Mechanical theorem proving is more general, but requires intensive human guidance and is thus time consuming. Model checking is automatic, but it is applicable only to finite state machines and suffers from the state-explosion problem.
This limits its use to relatively small circuits. The problem has been widely addressed in the literature. The works described in [1, 3, 4, 7, 8, 11, 16] exploit Bryant's reduced ordered binary decision diagrams (ROBDDs) [2] to encode sets of states and to perform implicit enumeration of the state space. However, these methods are in general not adequate for verifying circuits with large and complex data paths, because of the Boolean representation of circuits. More specifically, every individual bit of every data signal is represented by a Boolean variable, while the size of a ROBDD grows, sometimes exponentially, with the number of variables. This means that ROBDD-based verification methods often take too much time, or run out of memory, when applied to circuits having a complex data path.
Recently, a new verification approach was presented to overcome the above drawbacks. This approach is based on abstract descriptions of state machines (ASMs) which are encoded by a new class of decision graphs, called multiway decision graphs (MDGs) [10], of which ROBDDs are a special case. With MDGs, one can integrate two verification techniques that have been very successful: implicit state enumeration and the use of abstract sorts and uninterpreted function symbols. MDGs are decision graphs that can represent relations as well as sets of states; they incorporate variables of abstract sorts to denote data values, and uninterpreted function symbols to denote data operations. A set of basic operations on MDGs was implemented to perform various kinds of verification. It includes the algorithms for disjunction, relational product (image computation), pruning by subsumption, and rewriting [10].
Unfortunately, the method suffers in many cases from an important problem, namely non-termination when computing the set of reachable states. This can be a severe limitation on the use of MDGs as a verification tool. For example, consider an abstract description of a conventional (non-pipelined) microprocessor where a state variable pc of abstract sort represents the program counter, a generic constant zero of the same abstract sort denotes the initial value of pc, and an abstract function symbol inc describes how the program counter is incremented by a non-branch instruction. The MDG representing the set of reachable states of the microprocessor would contain states of the form (pc, inc^k(zero)), i.e. pc = inc(... inc(zero) ...) with k nested applications of inc, for every k ≥ 0. Consequently, there is no finite MDG representation of the set of reachable states, and hence the reachability algorithm will not terminate. This illustrates a typical form of non-termination, due to the fact that the terms can be arbitrarily large and hence arbitrarily many.
In this paper, we present a method based on schematization to deal with this kind of non-termination problem. Schematization is a method for finitely representing infinite sets of objects [12, 5, 15, 9, 14]: terms, rewrite rules, substitutions, etc. If some infinite sets can be represented finitely and if algebraic operations can be performed on these finite representations, then the problem of non-termination can be avoided. The abstract machines we consider are those that present a cyclic behavior starting from any state of the machine. Let us return to the above example: as we can see, the labels of the pc node in the MDGs generated by the reachability analysis procedure form a structured domain whose terms share a repetitive pattern. For instance, the pattern of the domain {inc^k(zero) : k ∈ ℕ} is inc(□), where □ marks the hole into which a term of the domain is plugged: for every term inc^k(zero) in the domain, inc(inc^k(zero)) is also in the domain. Such a set is usually represented by a single expression ρ(inc(□), N, zero), where the first argument of ρ represents the pattern, the second argument serves as a counter, called the degree variable, and the third argument represents the base term. This kind of expression is called a ρ-term [5]. By allowing ρ-terms to be part of the language, we are able to represent an infinite MDG finitely, by labeling some edges by a ρ-term, i.e., we can represent a logical formula having an infinite number of disjuncts of the form:
The paper is organized as follows: in Section 2, we briefly present MDGs. In Section 3, we provide a background on ρ-terms, and we define the MDG extension which incorporates them. In Section 4, we illustrate our method on several examples. Finally, we conclude with some remarks and discuss directions for future work.
Related Works. The non-termination problem was studied in [17]. The authors presented a method based on the generalization of the state variable that causes divergence, like the variable pc in the example. Rather than starting the reachability analysis with the generic constant zero as the value of pc, a fresh variable is assigned to pc at the beginning of the analysis. As a consequence, the set of states represented by pc is enlarged, so that any incrementation of pc leads the ASM to a state where the new value of pc is an instance of its arbitrary initial value. This technique is applicable only to circuits which, like a conventional (non-pipelined) processor, have a cyclic behavior: starting from a ready state, doing some work, and returning to the ready state. This class of circuits is called processor-like loop circuits. Unfortunately, if the entrance of the loop is not the initial state, then this generalization technique may not work. The solution proposed by the authors consists of finding manually the entry state of the loop, where the generalization must be done. In general, it is difficult to identify processor-like loops in a machine. The heuristics used by the authors require human intervention at different stages of the verification process. Furthermore, the main drawback of this generalization method is the loss of the information provided by axioms which partially interpret abstract function symbols: a fresh free variable carries no structure for such axioms to match. This deprives us of a powerful automated deduction technique, rewriting, which is useful when carrying out verification with MDGs. In this work, we use schematization, which possesses the advantages of generalization while avoiding its weaknesses, to deal with non-termination. Rewriting rules that characterize uninterpreted functions can still be used: it suffices to instantiate the degree variables to specific values and apply suitable rules.
Multiway decision graphs
An MDG is a finite, directed acyclic graph (DAG) where the leaves are labeled by True (⊤), the internal nodes are labeled by terms, and the edges issuing from an internal node are labeled by terms of the same sort as the label of that node. Such a graph is a canonical representation, modulo a set of well-formedness conditions (see [10] for details), of a certain quantifier-free formula, called a directed formula (DF). A DF is a formula of a variant of first-order logic with equality and sorts, with a distinction between concrete sorts and abstract sorts. This distinction is the syntactic counterpart of the hardware distinction between data path and control. Concrete sorts have enumerations, which are sets of individual constants, while abstract sorts do not.
Syntax. Let F be a set of function symbols and V a set of variables. We denote the set of terms freely generated from F and V by T(F, V). The syntax of a directed formula is then given by the grammar below:
The vocabulary consists of generic constants, concrete constants, abstract variables, concrete variables and function symbols. The distinction between abstract and concrete sorts leads to a distinction between three kinds of function symbols. Let f be a function symbol of type S_1 × ··· × S_n → S_{n+1}. If S_{n+1} is an abstract sort then f is an abstract function symbol. If all of S_1, ..., S_{n+1} are concrete, f is a concrete function symbol. If S_{n+1} is concrete while at least one of S_1, ..., S_n is abstract, then we refer to f as a cross-operator; cross-operators are useful for modeling feedback from the data path to the control circuitry. Atomic formulae are the equations, generated by the clause Eq, plus ⊤ (truth) and ⊥ (false). Directed formulae are disjunctions of conjunctions of equations.
An equation is well-typed if the sort of the term on the left-hand side of the equation is the same as the sort of the term on the right-hand side.
A directed formula is well-typed and of type U → V if and only if: (1) each equation is well-typed, (2) each term A in an equation of the form A = C or X = A is in T(F, U), and (3) every abstract variable v ∈ V appears as the LHS of an equation v = A in each of the disjuncts.
Just as ROBDDs [2] must be reduced and ordered, MDGs must obey a set of well-formedness conditions given in [10]. Among other things, these conditions specify the kinds of nodes that may appear in an MDG. An internal node may be labeled by a variable of concrete sort, with edges issuing from the node labeled by individual constants in the enumeration of the sort; or by a variable of abstract sort, with edges labeled by concretely reduced terms of that sort; or by a cross-term of a concrete sort S, with edges labeled by the individual constants in the enumeration of S. All leaf nodes are labeled ⊤, except when the graph has a single node, which may be labeled ⊤ or ⊥.

Semantics. An interpretation ψ is a mapping that assigns a denotation to each sort, constant and function symbol, and satisfies the following conditions:
• The denotation ψ(S) of an abstract sort S is a non-empty set.
• If S = {a_1, ..., a_m} is a concrete sort then ψ(S) = {ψ(a_1), ..., ψ(a_m)} and ψ(a_i) ≠ ψ(a_j) for all i, j such that a_i ≠ a_j (i ≠ j).
• A variable assignment φ with domain X compatible with an interpretation ψ is a function that maps every variable x of X of sort S to an element φ(x) of ψ(S). We write Φ^ψ_X for the set of ψ-compatible assignments to the variables in X.
• If f(t_1, ..., t_n) is a term of sort S_{n+1} and t_1, ..., t_n are terms of sorts S_1, ..., S_n, respectively, then the denotation ψ(f(t_1, ..., t_n)) is defined as ψ(f)(ψ(t_1), ..., ψ(t_n)). In particular, if the arity of f is 0 (i.e., f is a generic constant of sort S), ψ(f) ∈ ψ(S).
• We write ψ, φ ⊨ P if a formula P denotes truth under an interpretation ψ and a ψ-compatible variable assignment φ to the free variables of P; ψ ⊨ P if ψ, φ ⊨ P for all such assignments φ; and ⊨ P if ψ ⊨ P for all interpretations ψ. Two formulae P and Q are logically equivalent iff ⊨ P ⇔ Q.

MDG-based abstract state enumeration. A circuit is described at the register-transfer level as a collection of components interconnected by nets that carry signals. Each signal is represented by a variable. Variables denoting control signals have concrete sorts, while variables denoting data values have abstract sorts. Function symbols used to model control operations must have a concrete sort, while data operations are viewed as black boxes and are modeled by uninterpreted function symbols, which must have an abstract sort. A set of basic operations on MDGs is implemented to perform various kinds of verification for a given circuit. This set includes algorithms for disjunction, relational product (image computation), pruning by subsumption, and rewriting; a good discussion can be found in [10]. Most of the verification techniques with MDGs are based on an implicit reachability analysis algorithm which forms the kernel of the tool. The algorithm is based on abstract state enumeration [10], where sets of states, as well as transition and output relations, are represented using MDGs. Because of abstract variables and the uninterpreted nature of function symbols, the reachability analysis algorithm may not terminate, and the least fixed point may not be reached in state enumeration. The procedure, called ReAn for Reachability Analysis, is described by the following pseudo-code:
    1.  Proc ReAn(D)
    2.    R := F_I; Q := F_I; K := 0;
    3.    loop
    4.      K := K + 1;
    5.      I := Fresh(X, K);
    6.      N := RelP({I, Q, F_T}, X ∪ Y, η);
    7.      Q := PbyS(N, R);
    8.      if Q = ⊥ then return success;
    9.      R := PbyS(R, Q);
    10.     R := Disj(R, Q);
    11.   end loop;
    12. end ReAn;

where D = (X, Y, Z, F_I, F_T, F_O) is an abstract state machine description in which X, Y, Z are disjoint sets of variables, viz. the input, state, and output variables, respectively, and F_I, F_T, F_O are DFs representing the set of initial states, the transition relation, and the output relation, respectively.
We describe the most important steps of the algorithm, for more details see [17, 10] . In this pseudo-code, I; N; Q and R are program variables that take as values MDGs representing sets of states. We will identify the program variables and their values in the following explanations when there is no risk of confusion.
Before each loop iteration, R represents the set of reachable states found so far, while Q represents the frontier set, i.e., a subset of Set_Y(R) containing at least all those states that entered Set_Y(R) for the first time in the previous iteration.
In line 5, Fresh(X; K) constructs a one-path MDG representing a conjunction of equations x = u, one for each abstract input variable x ∈ X , where u is a fresh variable from the set of auxiliary abstract variables U . The value of the loop counter K is used to generate the fresh variables. This one-path MDG is assigned to I , which represents the set of input vectors.
In line 6, the relational product operation computes the MDG N representing the set of states reachable in one step from the frontier set Q of states that have not been visited.
Note that the MDG Q representing the frontier set is of type U → Y, the MDG I representing the set of input vectors is of type U → X, and the MDG F_T representing the transition relation is of type (X ∪ Y) → Y', where Y' is the set of next-state variables. The result of taking the conjunction of these three MDGs would be of type U → (X ∪ Y ∪ Y'), the result of subsequently removing the variables in X ∪ Y by existential quantification would be of type U → Y', and the result of subsequently applying the renaming substitution η, which renames each next-state variable in Y' to the corresponding state variable in Y, would be of type U → Y. The RelP operation performs these three operations in one pass, and assigns the resulting MDG of type U → Y to N.
Lines 7 and 8 check if the states reachable in one step are included in the sets of states found in the previous iterations. This is done by using the prune-by-subsumption operation PbyS which removes from N those paths which are instances of some paths in R. This operation uses syntactic matching between terms that label two corresponding nodes to ÿnd such paths. If the result is the empty set, then the procedure terminates and reports success. Otherwise, the MDG Q represents the new frontier set.
Line 9 simplifies R by removing from it any paths that are subsumed by Q, using PbyS. There may be such paths because Q was not computed earlier as an exact difference. Then line 10 computes the new value of R by taking the disjunction of R and Q, which represents the set of states Set_Y(R) ∪ Set_Y(Q), and assigns it to R.
In general, this procedure may not terminate. When the MDGs generated in line 7 have a regular structure, we can schematize them by labeling some of their edges by a special term that represents this infinite family of objects. Using this finite representation, we can manipulate them by appropriate algebraic operations, such as unification. The non-termination problem can thus be avoided. In the next sections, we define ρ-terms and show how to use them to solve the non-termination problem.
A solution to the non-termination problem
Schematization is a formalism for finitely describing infinite families of objects. Different schematizations have been studied in recent years, using term schemes [12], recurrence terms [6, 15], rules with membership constraints [9], meta-rules [14], and primal grammars [13]. We chose recurrence terms (ρ-terms) [5] for schematizing the infinite sets of states generated during reachability analysis because their algebraic operations are decidable and because ρ-terms have been used as an extension of the Prolog language [5], in which our MDG verification system is implemented too.
Preliminaries: ρ-terms [5]
Let F be a set of function symbols, V a set of variables and D a set of degree variables. Let ρ be a special function symbol of arity 3. We use sequences of positive numbers, also called positions, to refer to specific subterms in a term. The empty sequence is a position in any term t, while a sequence i·u is a position in a term t = f(t_1, ..., t_n) only if 1 ≤ i ≤ n and u is a position in t_i, where · is concatenation. If u is a position in a term t, then the subterm t|_u of t at position u is t itself if u is the empty sequence, and t_i|_v if t = f(t_1, ..., t_n) and u = i·v for some i with 1 ≤ i ≤ n. We denote by t[s]_u the result of replacing in t the subterm at position u by s; t[s]_u is the term s if u is the empty sequence, and the term f(t_1, ..., t_{i−1}, t_i[s]_v, t_{i+1}, ..., t_n) if t = f(t_1, ..., t_n) and u = i·v.
Definition 1 (ρ-term).
A ρ-term is either a variable in V, or an expression f(t_1, ..., t_n) where f is a function symbol of arity n and t_1, ..., t_n are ρ-terms, or ρ(h[
Definition 2.
We inductively define the function Dvar, which computes the degree variable of a ρ-term, as follows:
Dvar(f(t_1, ..., t_ar(f))) if f ∈ F and t_1, ..., t_ar(f) are ρ-terms
A proper ρ-term, i.e. one containing ρ, represents an infinite set of terms of T(F, V).
For a particular natural number n, a ρ-term denotes one term from T(F, V). Formally, the unfolding is defined as follows:
Definition 6 (Inclusion of ρ-terms).
A ρ-term L is included in a ρ-term R, denoted L ⊆ R, where L is a ground term and the set of degree variables of R is disjoint from those of L, if and only if the set of terms denoted by L is included in the set of terms denoted by R. If R is also ground, then L ⊆ R if and only if for every term s denoted by L there exists a term t denoted by R such that s is identical to t.
We call an unfolding substitution a finite set us = {q_1*Q_1 + k_1 / N_1, ..., q_m*Q_m + k_m / N_m} such that N_i ≠ N_j for all i ≠ j and N_i ≠ Q_j for all i and j, where the q_i and k_i are integers, the N_i and Q_i are degree variables, 1 ≤ i ≤ m, * is arithmetic multiplication and + is arithmetic addition. The empty unfolding substitution is denoted by id.
Applying q*Q + k / N to a ρ-term H is defined as:
Application of ρ-terms in MDGs
The extension of the syntax of directed formulae to incorporate ρ-terms is straightforward. We allow the term A, defined in the syntax of Section 2, to be a proper ρ-term. A ρ-DF is a directed formula some of whose terms are ρ-terms. For a ρ-DF P with m degree variables N_1, ..., N_m, we extend ψ to ρ-terms by morphism and define: ψ ⊨ P if ψ, φ ⊨ P for all ψ-compatible assignments φ; and ⊨ P if ψ ⊨ P for all interpretations ψ. Two formulae P and Q are logically equivalent if and only if ⊨ P ⇔ Q.
The ρ-directed formulae are used to represent either sets or relations. For a ρ-DF P of type U → V, where U contains only abstract variables, and for an interpretation ψ, P represents the following set of vectors:
where N⃗ represents the vector of degree variables that appear in the ρ-terms contained in P.
Lemma 7. ρ(inc(□), N, zero) is a concretely reduced term.
The proof is by induction on the degree variable N.
• Base case: N = 0. ρ(inc(□), 0, zero) = zero, which is a concretely reduced term by definition.
• Inductive case: using the unfolding rule, the term ρ(inc(□), N + 1, zero) is equal to inc(ρ(inc(□), N, zero)). By the inductive hypothesis ρ(inc(□), N, zero) is concretely reduced, hence so is inc(ρ(inc(□), N, zero)), and thus ρ(inc(□), N + 1, zero) is a concretely reduced term.
Theorem 8. The extension of MDGs by ρ-terms is conservative.
Since such ρ-terms are concretely reduced, the definition of well-formedness of MDGs remains valid. This ensures that all the results proven for MDGs in [10] remain true for ρ-MDGs.
Abstract state enumeration with ρ-terms
Having incorporated ρ-terms in the syntax of DFs, we need some extensions of the existing algorithms for MDGs. In this section, we present an extension of the reachability analysis algorithm that includes the appropriate handling of ρ-terms.
    1. Proc Generalize(Q, K, v, t)
    2.   if t is a generator then t := t[Dvar(t)#K / Dvar(t)];
    3.   for each equation in Q of the form v = rhs where rhs is not a ρ-term
    4.     replace rhs by t;
    5.   end for
    6. end Generalize

Given a ρ-term t and an abstract variable v, this procedure generalizes the variable v to this ρ-term with its degree variable replaced by a fresh one, obtained by concatenating the degree variable of t with the value of the counter K. This counter counts the number of passes through the reachability analysis loop (i.e., the number of transitions by which the state machine has advanced from the initial state). The second condition in line 3 is necessary because we need to generalize again during reachability analysis (see Example 11). The procedure is called by the modified version of ReAn described below:
    1.  Proc ReAn_ρ(D, v, t)
    2.    K := 0; F_I := Generalize(F_I, K, v, t); R := F_I; Q := F_I;
    3.    loop
    4.      K := K + 1;
    5.      Q := Generalize(Q, K, v, t);
    6.      I := Fresh(X, K);
    7.      N := RelP({I, Q, F_T}, X ∪ Y, η);
    8.      N := Unfold(N);
    9.      Q := PbyS(N, R);
    10.     if Q = ⊥ then return success;
    11.     R := PbyS(R, Q);
    12.     R := Disj(R, Q);
    13.   end loop;
    14. end ReAn_ρ;
where D is a description of an abstract machine as in Section 2, v is a state variable to be generalized and t is a ρ-term. We use modified versions of the relational product, the disjunction and the prune-by-subsumption algorithms, extended by suitable rules to handle ρ-terms.
In line 2 we generalize the state variable v to the ρ-term t. This operation is done on the DF describing the initial states. The new operations to perform at each iteration of the loop are:
Line 5: generalizing the variable v in the frontier set Q. When v already holds a ρ-term, this is just a renaming of its degree variable.
Line 7: computing the states reachable in one transition from the states in Q.
Line 8: unfolding each ρ-term in N by using the unfolding rules given in Section 3, i.e. splitting on whether the degree variable is 0 or a successor M' + 1. For example, the unfolding of eqz(ρ(inc(□), M, zero)) = 1 gives eqz(zero) = 1 and eqz(inc(ρ(inc(□), M', zero))) = 1.
It is not difficult to generalize ReAn_ρ to the case where several state variables cause divergence. The variable to be generalized and the ρ-term are supplied by the user after observing the trace of the original ReAn algorithm. Unlike generalization by a variable, where any partial interpretation of the uninterpreted functions is lost, our method allows those rewriting rules to be applied during reachability analysis, by means of the unfolding rules. This permits a useful simplification of the sets of states, thus reducing the possibility of false negative answers to invariant checking that can result from simple variable generalization.
Examples
In this section, we illustrate our method on three different examples. Each example is chosen to demonstrate one particular aspect of the method. The first one shows that in some cases the generalization of the initial state is sufficient; we also give an outline of the unification algorithm for ρ-terms [5]. The second one illustrates the use of rewriting rules to obtain a regular structure. For this example, it also suffices to generalize the initial state using a ρ-term. The third and final example is more complicated and requires more than one generalization during reachability analysis.
Example 9. Consider a synchronous machine which includes a data register count, a multiplexer mux, and a functional block represented by the uninterpreted function symbol inc, which takes count as its input and produces an abstract value inc(count). The transition relation Tr of this machine is as follows:
where count' is the next-state variable of the register.
Suppose that count initially contains the generic constant zero. If we explore the state space using ReAn, the procedure never terminates and generates an unbounded sequence of values for count: zero, inc(zero), inc(inc(zero)), ..., inc^k(zero), .... The variable to be generalized is count and the ρ-term is H = ρ(inc(□), N, zero). Hence, we use ReAn_ρ to do the reachability analysis as follows:
ReAn_ρ(({y}, {count}, ∅, count = zero, Tr, ∅), count, H).
In line 2, the call Generalize(count = zero, 0, count, H) returns a ρ-DF P_0 representing the initial state of the machine:
The next states computed in line 7 are described by the formula
The ρ-DF formula in Eq. (1) represents the set Set(P_1) = {φ ∈ Φ^ψ_{count} | ψ, φ ⊨ ∃N_1. P_1}, and the set represented by the initial ρ-DF P_0 is
The problem now is to show that Set(P_1) ⊆ Set(P_0).
This inclusion is checked by PbyS(P_1, P_0). Informally, this operation can be viewed as checking the inclusion of the set of terms denoted by P_1 in the set denoted by P_0. There are two edges issuing from the node count in P_1, labeled by ρ(inc(□), N_1, zero) and inc(ρ(inc(□), N_1, zero)), respectively. There is one edge issuing from the same node count in P_0, labeled by ρ(inc(□), N_0, zero). It remains to show that the ρ-terms in P_1 are included in the ρ-term in P_0.
For the first subproblem, ∀N_1. ∃N_0. ρ(inc(□), N_1, zero) ⊆ ρ(inc(□), N_0, zero), we replace N_0 by N_1 and get ρ(inc(□), N_1, zero) ⊆ ρ(inc(□), N_1, zero). For the second, ∀N_1. ∃N_0. inc(ρ(inc(□), N_1, zero)) ⊆ ρ(inc(□), N_0, zero), we replace N_0 by N_1 + 1. By applying the unfolding rules, we get ρ(inc(□), N_1 + 1, zero) = inc(ρ(inc(□), N_1, zero)), so the inclusion inc(ρ(inc(□), N_1, zero)) ⊆ inc(ρ(inc(□), N_1, zero)) holds.
Therefore, after one pass through the loop, the newly reached states are covered by the initial states and the procedure terminates.
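The ρ-term machinery of Section 3 (unfolding, the case split of line 8, inclusion with an unfolding-substitution witness), the ReAn and ReAn_ρ loops, and the inclusion check of this example, as an added Python example that is not the paper's code (the authors' system is implemented in Prolog). Terms are nested tuples and the hole of a pattern is written "[]". The inclusion procedure implements only the fragment needed here (a single-hole pattern and a shared base term), not the general decidable algorithm of [5]. The transition relation Tr of Example 9 is not reproduced on the page, so `step_example9` assumes count' = inc(count) when the multiplexer selects inc and count' = count otherwise; the names HOLE, Rho, included, rean and rean_rho are ours.

```python
# Added example, not from the paper: rho-terms, unfolding, inclusion, and
# plain ReAn versus ReAn_rho on Example 9 (its Tr is ASSUMED, see step_example9).
from dataclasses import dataclass
from typing import Optional

HOLE = "[]"   # the hole of a pattern h[[]]; terms are str or ("f", arg, ...)


@dataclass(frozen=True)
class Rho:
    """rho(h[[]], N, base) denotes the set { h^n[base] : n a natural number }."""
    pattern: tuple   # contains exactly one HOLE
    degree: str      # degree variable
    base: object


def contains_hole(p) -> bool:
    return p == HOLE or (isinstance(p, tuple) and any(contains_hole(a) for a in p[1:]))


def has_rho(t) -> bool:
    return isinstance(t, Rho) or (isinstance(t, tuple) and any(has_rho(a) for a in t[1:]))


def plug(pattern, sub):
    """pattern[sub]: the pattern with its hole replaced by sub."""
    if pattern == HOLE:
        return sub
    if isinstance(pattern, tuple):
        return (pattern[0],) + tuple(plug(a, sub) for a in pattern[1:])
    return pattern


def unfold(t, degrees: dict):
    """Unfolding rules rho(h,0,b) = b and rho(h,n+1,b) = h[rho(h,n,b)], with each
    degree variable instantiated by the natural number given in `degrees`."""
    if isinstance(t, Rho):
        out = unfold(t.base, degrees)
        for _ in range(degrees[t.degree]):
            out = plug(t.pattern, out)
        return out
    if isinstance(t, tuple):
        return (t[0],) + tuple(unfold(a, degrees) for a in t[1:])
    return t


def split_cases(t, fresh: str):
    """Line 8 of ReAn_rho: the first rho-term of t is replaced by its base
    (case N = 0) and by h[rho(h, fresh, base)] (case N = fresh + 1)."""
    if isinstance(t, Rho):
        return t.base, plug(t.pattern, Rho(t.pattern, fresh, t.base))
    if not has_rho(t):
        raise ValueError("no rho-term to unfold")
    for i, a in enumerate(t[1:], 1):
        if has_rho(a):
            zero, succ = split_cases(a, fresh)
            return t[:i] + (zero,) + t[i + 1:], t[:i] + (succ,) + t[i + 1:]


def match_hole(pattern, t):
    """If t = pattern[s] for some subterm s, return s, else None."""
    if pattern == HOLE:
        return t
    if not (isinstance(pattern, tuple) and isinstance(t, tuple)
            and pattern[0] == t[0] and len(pattern) == len(t)):
        return None
    found = None
    for p, a in zip(pattern[1:], t[1:]):
        if contains_hole(p):
            found = match_hole(p, a)
            if found is None:
                return None
        elif p != a:
            return None
    return found


def included(l, r: Rho) -> Optional[str]:
    """Decide  forall N_l exists N_r: l is included in r  (Definition 6) for the
    fragment l = c[rho(h,N_l,b)] or l ground, r = rho(h,N_r,b).  The pattern of r
    is peeled off l k times; the returned witness is the unfolding substitution
    N_r := N_l + k (or N_r := k when l is a plain ground term), else None."""
    k = 0
    while not isinstance(l, Rho):
        if l == r.base:
            return f"{r.degree} = {k}"
        inner = match_hole(r.pattern, l)
        if inner is None:
            return None
        l, k = inner, k + 1
    if l.pattern == r.pattern and l.base == r.base:
        return f"{r.degree} = {l.degree} + {k}"
    return None


def step_example9(count):
    """ASSUMED Tr of Example 9: count' = inc(count) or count' = count."""
    return [("inc", count), count]


def generalize_count(t, k: int):
    """Generalize: a plain value of count becomes H = rho(inc([]), N#k, zero);
    an existing rho-term only gets its degree variable renamed (line 5)."""
    if isinstance(t, Rho):
        return Rho(t.pattern, f"N#{k}", t.base)
    return Rho(("inc", HOLE), f"N#{k}", "zero")


def rean(init, step, max_iters: int = 5):
    """Plain ReAn of Section 2 on ground terms: PbyS is syntactic equality."""
    reached, frontier = [init], [init]
    for k in range(1, max_iters + 1):
        next_states = [s for q in frontier for s in step(q)]
        frontier = [n for n in next_states if n not in reached]   # PbyS(N, R)
        if not frontier:
            return "success", k, reached
        reached += frontier                                      # Disj(R, Q)
    return "diverged", max_iters, reached


def rean_rho(init, step, generalize, max_iters: int = 5):
    """ReAn_rho of Section 3: generalize (lines 2, 5), then prune with the
    rho inclusion check instead of syntactic equality (line 9)."""
    reached = [generalize(init, 0)]
    frontier = list(reached)
    for k in range(1, max_iters + 1):
        frontier = [generalize(q, k) for q in frontier]
        next_states = [s for q in frontier for s in step(q)]
        frontier = [n for n in next_states if not any(included(n, r) for r in reached)]
        if not frontier:
            return "success", k, reached
        reached += frontier
    return "diverged", max_iters, reached
```

With the cap of five iterations, `rean("zero", step_example9)` never reaches a fixed point and has accumulated zero, inc(zero), ..., inc^5(zero), whereas `rean_rho("zero", step_example9, generalize_count)` stops after the first pass because both successors of ρ(inc([]), N#1, zero) are included in ρ(inc([]), N#0, zero) with the witnesses N#0 = N#1 + 0 and N#0 = N#1 + 1, exactly the two subproblems above.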
Example 10. Consider a more complex synchronous circuit which consists of a data register count, two multiplexers mux_1 and mux_2, and three functional blocks represented by the uninterpreted function symbols inc, dec and eqz. The functions inc and dec take count as their input and produce the abstract outputs inc(count) and dec(count), respectively. The cross-operator eqz takes the abstract value count as its input and produces a concrete output of sort bool. The transition relation R of this machine is as follows:
where count' represents the next-state variable of count.
We define the following rewriting rules to give a partial meaning to the function symbols:
Suppose that the register count initially contains the generic constant zero. Reachability analysis of this machine produces an infinite number of states for the register count, containing the values zero, inc(zero), inc(inc(zero)), .... This regular structure is obtained by removing the dec operator by rewriting. This divergence suggests generalizing the register count to the ρ-term H = ρ(inc(□), N, zero). The initial state s_0 is thus described by the ρ-DF:
After one transition, the reached states s_1 and s_2 are:
We can see immediately that s_1 is an instance of the initial state s_0 when the degree variable N of H is replaced by 0.
• If N_1 = N + 1, s_1 can be rewritten to:
(by applying the unfolding substitution)
(by applying the unfolding rules)
(simplification by rewriting with rule (2))
= ⊥, which means that in this case s_1 is unreachable.
It remains to show that the set of states described by s_2 is covered by s_0. We have:
• If N_1 = 0, then s_2 can be rewritten to:
(by applying the unfolding rules)

Example 11. Our third example concerns the synchronous machine shown in Fig. 1. It consists of three states R1, R2 and R3. We use one state variable R of concrete sort {R_1, R_2, R_3} to describe the behavior of this machine.
The transition relation is as follows:
Deÿne the following rewriting rules:
The initial state of this machine is
The states reached after one transition are
State s_1 is covered by s_0, hence we continue the analysis with s_2. After the next transition, there are three possible states
After three transitions the procedure terminates.
Conclusions
The non-termination problem of reachability analysis is a severe limitation of the methods based on abstract state machines. We have presented a new approach based on schematization using ρ-terms to finitely represent the infinite sets of states generated during reachability analysis. Schematization is a suitable formalism for dealing explicitly, by finite means, with infinite families of objects, i.e., it describes infinite sets of terms by finite expressions, and it permits the schematized sets to be manipulated effectively. It is constructed so that the unification problem and the inclusion problem for the schematized sets are decidable. This means that we can use these operations in reachability analysis and invariant checking. We have also proposed an extension to the syntax of MDGs and to the reachability analysis algorithm to incorporate ρ-terms. Furthermore, schematization enlarges the set of states just enough to deal with non-termination, since the generalization is performed by a ρ-term, which represents a more restricted set of values than the fresh free variable used in the earlier approaches. Thus, the false negatives introduced by generalization with variables are considerably reduced, because the ρ-term represents all the possible states of the machine and contains only symbols defined in the machine.
Future work is directed towards deriving sufficient conditions for detecting divergence of reachability analysis. These conditions can be described as structural patterns of the transition relation of a given abstract state machine. It would be interesting to have a method that automatically infers a ρ-term from the structural pattern of divergence.
