Automated test generation for IEC 61131-3 ST programs via dynamic symbolic execution

Programmable logic controllers (PLCs) are essentially domain-specific computers that are widely used in the industrial field. These industrial devices are usually required to be of high reliability, and program bugs can lead to catastrophes. However, there are few automated testing tools for PLC programs. This paper proposes a framework, named STAutoTester, for automatically generating test cases for IEC 61131-3 Structured Text (ST) programs. It adopts Dynamic Symbol Execution (DSE) combined with redundant path pruning to efficiently perform PLC multi-cycle test data generation under different coverage criteria. We have evaluated STAutoTester on 21 programs. The experimental results show that STAutoTester can effectively handle these programs. Compared to S_YMPLC, a previous symbolic execution based tool for automatically testing PLC software, we achieved comparable statement coverage with much fewer test cases. Besides, we have achieved greater branch coverage and stricter MC/DC coverage, which were not implemented by S_YMPLC.