Automated Test Generation for IEC 61131-3 ST Programs via Dynamic Symbolic Execution

A programmable logic controller (PLC) is essentially a computer dedicated to industrial control, and PLCs are widely used in automation control worldwide. However, PLC software bugs can result in economic losses and even personal safety issues. To avoid accidents, PLC software must be thoroughly tested with regard to function, structure, safety, and other aspects. Existing PLC tools mainly rely on manually set input data, which is hard to automate and provides no information about code coverage. To reduce the cost of testing, this paper presents an automated test case generation approach for the Structured Text (ST) language, using dynamic symbolic execution. We apply this method to implement STAutoTester, a coverage-based automated test case generation tool. We have evaluated STAutoTester on 21 programs. The experimental results show that STAutoTester can effectively handle these programs. For 11 ST programs, STAutoTester reduces the number of generated test cases by 87.5% on average compared to SYMPLC.
