Abstract

This paper presents a new two-step verification method for control software. The novelty of the method is that it reduces the verification of the temporal properties of a control program to the deductive verification of an imperative program in the Hoare style, which explicitly models the time and history of the control program. The method is applied to programs written in the Reflex language, a domain-specific extension of C developed as an alternative to the languages of the IEC 61131-3 standard. Reflex is a process-oriented language that describes control programs in terms of communicating processes controlled by operator events, including the events generated by operations on discrete time intervals. At the first step, an annotated Reflex program is translated into an equivalent annotated imperative program on a bounded subset of C, which is extended with the logical type bool, supertype value (which combines the values that can return Reflex functions and operators), and statement havoc x (which assigns an arbitrary value to the variable x). At the second step, the resulting imperative program undergoes deductive verification. The proposed method is illustrated by the example of deductive verification of a Reflex program that controls a hand dryer. The example includes the original Reflex program, a set of requirements, the resulting annotated program, the correctness conditions generated, and results of verifying these conditions in Z3py, an interface to the Z3 SMT solver implemented in Python.

中文翻译：

---

反射程序的专用验证

摘要

本文提出了一种新的两步验证方法的控制软件。该方法的新颖性在于，它将控制程序的时间属性的验证减少为Hoare风格的命令式程序的演绎式验证，从而明确地对控制程序的时间和历史进行建模。该方法适用于以Reflex语言编写的程序，Reflex语言是C的特定于域的扩展，是对IEC 61131-3标准语言的替代开发的。Reflex是一种面向过程的语言，它根据通信过程来描述控制程序，这些过程由操作员事件控制，包括由离散时间间隔上的操作生成的事件。第一步，将带注释的Reflex程序转换为C的有限子集上的等效带注释的命令式程序，x（将任意值分配给变量x）。在第二步，生成的命令式程序经过演绎验证。通过对控制干手器的Reflex程序进行演绎验证的示例来说明所提出的方法。该示例包括原始的Reflex程序，一组需求，所得的带注释的程序，生成的正确性条件以及在Z3py中验证这些条件的结果，Z3py是用Python实现的Z3 SMT求解器的接口。