Computer Science Graduate Seminar

Thursday, May 4, 2023, 1:30pm

Automatic Test Case Generation for PLC Software

  • Hendrik Simon M.Sc.  -  Chair of Computer Science 11
  • Place: Seminar room 2202, main building, Ahornstr. 55



Automatic test case generation for the purpose of bug finding or achieving coverage goals has recently evolved into a scalable technique that is nowadays used to find highly critical security bugs, e.g. by Microsoft. However, in the domain of Programmable Logic Controllers (PLCs), applications of this technique are rare and usually rely on tools and mechanisms that were not initially designed for this domain. In fact, a discussion on how to design such techniques with the peculiarities of PLC software in mind is missing. At the same time, PLC software is typically used in safety-critical environments where software errors pose significant threats to the environment or humans and may additionally result in significant financial losses. Mature automatic testing techniques for the PLC domain would thus be highly beneficial to further support software quality in this area.

PLC software typically follows a cyclic execution scheme that involves a repeated process of reading input values, executing an (often state-machine-based) control program that relies on local variables, and writing computed values to outputs. Although the cyclic execution represents only a small change in the execution semantics, the impact on automatic testing techniques is significant.

This dissertation provides insights and mechanisms to transfer automatic test case generation into the domain of PLC software. We conduct an in-depth discussion on related approaches and point out strengths and weaknesses in order to provide baseline knowledge that can be utilised in future developments in this field of research. Further, we introduce our own automatic test case generation approaches and exemplify their effectiveness on PLC software. We are able to show that the generation of branch coverage tests can be achieved significantly faster than with existing techniques, rendering our approaches more applicable for larger software.

The focus of our techniques lies in the exploitation of state-machine-based execution behaviour and the preservation of structural information in Sequential Function Chart. For the latter, our presented algorithm can achieve full coverage in a few seconds for programs that could only partly be covered within an hour by related approaches.


The computer science lecturers invite interested people to join.