Concolic test generation for PLC programs using coverage metrics

Abstract

This paper presents a technique for fully automated generation of test cases for PLC programs adhering to the IEC 61131-3 standard. While previous methods strive for completeness and therefore struggle with the state explosion we pursue a symbolic execution based approach, dropping completeness but nevertheless achieving similar or even better results in practice. The core component is a symbolic execution engine which chooses the next state to execute, handles constraints emerging during the execution and derives respective test vectors leading to a state. To make for a high coverage of the generated tests, we adopt techniques from concolic testing, allow for use of heuristics to prioritise promising states but also merge states to alleviate the path explosion. We exploit peculiarities of PLC semantics to determine reasonable merge-points and unlike similar approaches even handle unreachable code. To examine the feasibility of our technique we evaluate it on function blocks used in industry.