A generic approach for static code analysis of PLC-programs

Authors Christian Huber
Title A generic approach for static code analysis of PLC-programs
Type Diploma thesis
Organisation Software Competence Center Hagenberg
Department Computer Science
University Johannes Kepler University Linz
Month September
Year 2016
SCCH ID# 16109

The IEC 61131-3 standard defines programming languages for implementing Programmable Logic Controllers (PLCs), which are used to control industrial systems. The standard defines five languages: Structured Text (ST), a Pascal-like textual language; Sequential Function Chart (SFC), a graphical language for programming state transition systems; Instruction List (IL), an assembler-like language; Ladder Diagram (LD); and Function Block Diagram (FBD). Based on the standard, manufacturers have implemented their own dialects, which usually add proprietary language features.

Static code analysis is an important quality assurance technique that examines programs without executing them. It is well suited to finding code smells and potential defects. Although static analysis techniques are widely used and numerous tools are available for conventional programming languages, their use in PLC programming is still rare.

In previous work, Florian Angerer developed a comprehensive solution for static analysis of PLC programs. However, those methods and the resulting tool are restricted to the specialized KemroIEC dialect from KEBA AG. Therefore, in this thesis a framework has been developed that supports the development of analysis tools for different implementations of the IEC 61131-3 language standard. By abstracting from individual dialects and language implementations, it allows analysis tools to be implemented with reduced effort. Based on this framework, a concrete analysis tool for the CODESYS dialect, a widely used implementation of the IEC 61131-3 standard, has been implemented.

To abstract from different dialects, the framework uses a project parser that generates a unified project structure from vendor-specific project files. A dialect-specific IEC parser then converts the output of the project parser into an abstract syntax tree (AST). The AST representation is based on the Abstract Syntax Tree Metamodel (ASTM) standard of the Object Management Group (OMG), which is intended to provide a language-neutral representation of AST structures. From the AST, the framework computes several data structures describing the program: control flow graphs (CFGs), data flow graphs (DFGs), a program-global call graph (CG), and the points-to sets from a points-to analysis (PTA) for pointer and reference variables. Finally, a rule framework was implemented that uses these data structures to find violations of programming conventions, code smells, and possible defects in IEC 61131-3 programs.
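As an added illustration of the last stage described above (convention rules evaluated over facts gathered from a parsed program), the following Python script is not the thesis framework's code: it scans a constructed Structured Text function block with regular expressions instead of an ASTM-based AST, records which declared variables are read and written, and applies two simple rules (variable declared but never used; local variable written but never read). The sample program, rule names and section handling are all assumptions made for this example.

```python
import re

# Constructed IEC 61131-3 Structured Text sample (not taken from the thesis).
ST_SOURCE = """\
FUNCTION_BLOCK FB_Conveyor
VAR_INPUT
    bStart : BOOL;
    rSpeedSetpoint : REAL;
END_VAR
VAR
    rSpeed, rUnused : REAL;
    nCycles : INT := 0;
END_VAR
IF bStart THEN
    rSpeed := rSpeedSetpoint;
    nCycles := nCycles + 1;
END_IF;
END_FUNCTION_BLOCK
"""

VAR_OPEN = re.compile(r"^VAR(_\w+)?(\s+\w+)*$", re.I)           # VAR, VAR_INPUT, VAR RETAIN, ...
VAR_DECL = re.compile(r"^([\w\s,]+?)\s*:\s*\w+")                # "a, b : TYPE [:= init];"
ASSIGN = re.compile(r"^([A-Za-z_]\w*)[\w.\[\]]*\s*:=\s*(.*)$")  # "target := expression;"
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")

def analyze_pou(src):  # returns sorted (rule, variable) findings for one ST POU
    section, declared = None, {}   # current VAR section (None in body); name -> section
    reads, writes = set(), set()
    for raw in src.splitlines():
        line = raw.strip()
        if VAR_OPEN.match(line) or line.upper() == "END_VAR":
            section = None if line.upper() == "END_VAR" else line.split()[0].upper()
            continue
        if section:                                   # declaration line inside a VAR block
            m = VAR_DECL.match(line)
            if m:
                declared.update(dict.fromkeys(re.split(r"\s*,\s*", m.group(1)), section))
            continue
        m = ASSIGN.match(line)                        # body statement
        if m:                                         # base variable of the target is written
            writes.add(m.group(1))
            line = m.group(2)                         # only the right-hand side is read
        # Remaining identifiers (conditions, operands, FB call arguments) are reads;
        # intersecting with declared names drops keywords, literals and FB instances.
        reads.update(set(IDENT.findall(line)) & set(declared))
    findings = []
    for name, sect in declared.items():
        if name not in reads and name not in writes:
            findings.append(("UNUSED_VARIABLE", name))
        elif sect == "VAR" and name not in reads:     # local written but never consumed
            findings.append(("WRITE_ONLY_VARIABLE", name))
    return sorted(findings)
```

Outputs (VAR_OUTPUT) are deliberately exempt from the write-only rule, since they are consumed by the caller rather than inside the POU.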