Approaches And Implementation Of Coverage Criteria-based Test Case Generation For IEC?61131?3 ST Language

Programmable Logic Controller(PLC)is a special type of computer used in the automation system.It is widely used in various secure industrial control systems,such as nuclear power plants and chemical plants.Errors in PLC programs may cause huge losses of life and property.Therefore,the correctness and security of the PLC software have received great attention.Unit testing is one of the effective means of ensuring code quality.However,writing PLC function unit test cases by people requires expertise.Additionally,this is very time consuming and the quality of the test cases written cannot be guaranteed.To this end,this paper proposes methods for automatic generation of unit test cases for IEC61131-3(Second Version)ST language(which is widely used in the PLC)based on dynamic symbolic execution technology.It presents high-coverage-oriented tests generation algorithms for control flow and data flow coverage criteria.According to the execution characteristics of PLC,we propose test generation algorithms based on PLC state.In addition,data flow test is introduced into PLC field for the first time.The main contributions of this paper are as follows:1.Research and implement automated test case generation methods for multiple con- trol flow coverage criteria: This method utilizes the characteristics of the PLC's cycle execution,and generates a single-phase test case,and then combines a single- phase test case to multiplicate test cases.In addition,in order to reduce the path space and improve the efficiency of searching path,we design the irrelevant path pruning algorithm.The final implementation tool provides the features of statement coverage,branch coverage,and MC / DC coverage criteria.2.Research and implement automated test case generation methods for data flow cov- erage criteria: This method utilizes the PLC state in the PLC cycle execution pro- cess,and searches for data flow test targets(ie,definition points,and reference points)in two phases.In addition,in order to accelerate the search process from the definition point to the reference point,we propose a search algorithm based on the dominant node.3.Implement an automated test case generation tool STAUT based on symbolic ex- ecution: The tool STAUT designed and implemented in this paper uses a syn analysis tool to parse and process the ST source code,next generate an abstract syntex tree(AST)of the program,and then generate a control flow graph(CFG). Through control-flow and data-flow analysis,STAUT gets control flow and data flow information.The above-described control flow test and data flow test algo- rithm are implemented in the dynamic symbol execution engine to realize the test case generation function for coverage criteria.