Singapore Management University

Institutional Knowledge at Singapore Management University

Research Collection School Of Computing and School of Computing and Information Systems
Information Systems

9-2023

K-ST: A formal executable semantics of the structured text

language for PLCs
Kun WANG

Jingyi WANG

Christopher M. POSKITT
Singapore Management University, [email protected]

Xiangxiang CHEN

Jun SUN
Singapore Management University, [email protected]

See next page for additional authors

Follow this and additional works at: https://ink.library.smu.edu.sg/sis_research

Part of the Programming Languages and Compilers Commons, Software Engineering Commons, and
the Theory and Algorithms Commons

Citation
WANG, Kun; WANG, Jingyi; POSKITT, Christopher M.; CHEN, Xiangxiang; SUN, Jun; and CHENG, Peng. K-
ST: A formal executable semantics of the structured text language for PLCs. (2023). IEEE Transactions on
Software Engineering. 49, (10), 4796-4813.
Available at: https://ink.library.smu.edu.sg/sis_research/8199

This Journal Article is brought to you for free and open access by the School of Computing and Information
Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in
Research Collection School Of Computing and Information Systems by an authorized administrator of Institutional
Knowledge at Singapore Management University. For more information, please email [email protected].
Author
Kun WANG, Jingyi WANG, Christopher M. POSKITT, Xiangxiang CHEN, Jun SUN, and Peng CHENG

This journal article is available at Institutional Knowledge at Singapore Management University:

https://ink.library.smu.edu.sg/sis_research/8199
 1

K-ST: A Formal Executable Semantics of the

Structured Text Language for PLCs
Kun Wang, Jingyi Wang, Christopher M. Poskitt, Xiangxiang Chen, Jun Sun, and Peng Cheng

Abstract—Programmable Logic Controllers (PLCs) are responsible for automating process control in many industrial systems (e.g. in
manufacturing and public infrastructure), and thus it is critical to ensure that they operate correctly and safely. The majority of PLCs are
programmed in languages such as Structured Text (ST). However, a lack of formal semantics makes it difficult to ascertain the
correctness of their translators and compilers, which vary from vendor-to-vendor. In this work, we develop K-ST, a formal executable
semantics for ST in the K framework. Defined with respect to the IEC 61131-3 standard and PLC vendor manuals, K-ST is a high-level
reference semantics that can be used to evaluate the correctness and consistency of different ST implementations. We validate K-ST
by executing 567 ST programs extracted from GitHub and comparing the results against existing commercial compilers (i.e.,
CODESYS, CX-Programmer, and GX Works2). We then apply K-ST to validate the implementation of the open source OpenPLC
platform, comparing the executions of several test programs to uncover five bugs and nine functional defects in the compiler.

Index Terms—Formal executable semantics, PLC programming, Structured text, K framework, OpenPLC.

1 I NTRODUCTION

P ROGRAMMABLE Logic Controllers (PLCs) are responsi-

ble for automating process control in several modern
industrial systems, e.g. in manufacturing and public infras-
tructure. It is critical to ensure that PLCs are operating cor-
rectly, as any functional or security-related defects may lead
to serious incidents in the system. This has most famously
been demonstrated by the Stuxnet worm [1], while many
other less-known safety and security incidents [2], [3], [4]
and potential hazards [5], [6] related to PLCs have resulted
in significant consequences, with an estimated $350,000 in
damage on average [7].
The majority of PLCs are programmed using languages
defined in the IEC 61131-3 open international standard [8].
Programs can be written in graphical languages such as
Function Block Diagrams (FBD), but the standard also de-
fines Structured Text (ST), a fully textual language based
on the idea of organizing code into ‘function blocks’ and
designed with a syntax similar to Pascal. ST is a particularly
important IEC 61131-3 language given its utility for data
processing [9], and the fact that snippets of ST are actu-
ally required in FBD and other graphical languages. It is
therefore important that translators and compilers for ST are
• K. Wang, and J. Wang are with the College of Control Science and
Engineering, Zhejiang University, Zhejiang 310027, China.
E-mail: {kunwang yml, wangjyee}@zju.edu.cn.
• CM. Poskitt is with the School of Computing and Information Systems,
Singapore Management University, Singapore.
E-mail:
Fig. 1: High-level workflow of our approach
correctly implemented and exhibit only expected behaviors
when the code is being run on a PLC.
This has motivated a surge of research on analyzing
and verifying PLC programs [7], [10], [11], [12], [13], [14],
[15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25],
[26], [27], [28], [29], [30], although few works focus on ST
implementations/compilers. Zhang et al. [24] propose Vet-
PLC, a temporal context-aware, program-based approach
to produce timed event sequences that can be used for
automatic safety vetting. McLaughlin et al. [21] propose TSV
which translates assembly-level code into an intermediate
language (ILIL) to verify safety-critical code executed on
PLCs. Mader and Wupper [26] translate Instruction List (IL)
code into timed automata [31]. Bauer et al. [25] similarly use
timed automata as the formalism for Sequential Function
Chart (SFC). In [27], the proposed method transforms IL to
Petri-nets [32], and manually builds two additional Petri-

[email protected]. nets for modeling the PLC and its environment. Xiong et
• X. Chen is with the College of Control Science and Engineering, Zhejiang
University, Zhejiang 310027, China.
al. [23] propose an algorithm based on variable state analysis
E-mail: [email protected]. for automatically extracting a Behavior Model (BM) from an
• J. Sun is with the School of Computing and Information Systems, ST program. These works attempt to transform PLC pro-
Singapore Management University, Singapore. grams into an intermediate language or another program-
E-mail: [email protected].
• P. Cheng is with the College of Control Science and Engineering, Zhejiang ming language (i.e., C) which is suitable for verifying or
University, Zhejiang 310027, China. detecting potential issues using existing associated verifiers
E-mail: [email protected]

. or checkers. The issue of these approaches is that they lack
(Corresponding authors: Jingyi Wang and Peng Cheng) analysis and proof of equivalence in the conversion process. In

addition, the analyses they perform are often limited (since
the existing tools are not designed for PLCs) and do not
offer the feedback to the level of source code. Canet et
al. [22] propose formal semantics for a significant fragment
of the IL language, and a direct coding of this semantics
into a model checking tool. Huuck [28] develops a formal
operational semantics and abstract semantics for IL, which
allows approximating program simulation for a set of inputs
in one simulation run. Blech et al. [10], [11], [30] attempted
to define the formal semantics of the IL and SFC languages
in Coq and NuSMV and, based on that, verify the safety
properties in the code. However, IL is a low level assembly-
like language that has been deprecated from the IEC61131-
3 standard. Furthermore, these studies mainly concentrate
on analyzing the functional aspects of the programs and
may overlook potential vulnerabilities and security risks
introduced during the compilation process.
While extensive research has been conducted on testing
more ‘traditional’ compilers (e.g. vulnerability detection for
GCC and Clang [33], [34], [35]), compilers for PLC lan-
guages such as ST have received much less attention. The
challenges associated with testing the implementation of
a compiler arise from the inherent difficulties of ensuring
its correctness. One particular challenge stems from the
absence of a precise specification of the expected behavior of
a compiler. For most popular programming languages, there
exist multiple purportedly equivalent implementations of
compilers. Compiler testing can take advantage of this by
utilizing these implementations as oracles for conducting
differential testing [36]. However, in the case of the domain-
specific ST language, there is no specific implementation
standard, and different vendors often develop their own
compilers based on their specific requirements. Another
challenge is the semantic complexity of the input and output
languages that compilers handle. The fact that different
vendors develop their own implementations further exacer-
bates this issue. Compiler testing methods based on formal
semantics [37] have shown advantages in addressing these
challenges. With a formal semantics of the ST language, the
expected behavior of ST compilers can be precisely and
unambiguously defined, which can greatly aid in testing
and verifying their correctness.
To the best of our knowledge, a practical and complete
semantics for the ST language does not exist, which makes
it difficult to ascertain the correctness of ST translators
and compilers (e.g. by comparing executions). There are a
number of reasons why such a reference semantics is yet to
emerge. First, there is insufficient documentation defining
or describing the complete features of the ST language [9].
For instance, the official documentation introduces language
features by only a few examples, based on which it is
difficult for readers to fully understand the behavior of the
language. Second, the ST compilers provided by different
vendors (e.g. Allen-Bradley, Siemens) can implement the
language differently, and their closed source solutions make
it difficult to fully assess how they behave systematically
(other than through manual observation). For example,
CODESYS, CX-Programmer, and GX Works2 all produce
negative numbers in the results of negative modulo oper-
ations, even though this behavior is undefined according
to the official documentation. Furthermore, GX Works2
2
supports only 10 basic data types, whereas CODESYS
supports 17 types. Thus, a formal semantics needs to be
‘concrete’ enough to be useful, but ‘high-level’ enough to
be general/extendable to the different nuances of vendors’
compilers. A preliminary attempt at defining a high-level
semantics for ST was made by Huang et al. [38]. However,
it falls short of a full reference semantics as it misses several
important features of the language, e.g. certain data types,
and key sentences.
In this work, we develop K-ST, a formal executable ref-
erence semantics for ST in the K framework [39]. Our high-
level semantics is both executable and machine readable,
and can be used by the K framework to generate inter-
preters, compilers, state-space explorers, model checkers,
and deductive program verifiers. Our principal goals for the
design of K-ST are as follows:
1) Validated reference semantics. K-ST is designed
to cover all the main features of ST, and is vali-
dated against hundreds of different real-world ST
programs extracted from GitHub.
2) General and extendable. The semantics is high-
level (rather than tied to a particular compiler), with
the goal of supporting different ST implementations
as well as extensions for vendor-specific functions.
3) Analyses of ST compilers. Most importantly, K-ST
can be used to check the correctness and consistency
of different ST implementations, and thus ensure
that a compiler is not introducing an unintended
behavior or compile-time threat [40], [41] into a
critical industrial system.
Given the absence of complete feature descriptions for
the ST language in official documentation, we not only refer
to the definitions and code samples in the official docu-
ments, but also extensively consult the guidance manuals
provided by multiple vendors to better define the semantics
of the ST language. For example, there is no specific docu-
mentation on how integer overflow is handled in the offi-
cial documents. Through investigating multiple instruction
manuals, we found that existing ST compilers generally use
truncation to handle integer overflow without any warning.
In defining the semantics, we find that the rewriting rule of
the K framework provides a good mechanism for capturing
the unique features of ST. For example, we can rewrite
REPEAT to WHILE to achieve the execution effect of REPEAT.
We validate K-ST by extracting 567 real-world ST code
samples from GitHub and comparing their executions in our
semantics against their executions resulting from various
commercial compilers (i.e., CODESYS, CX-Programmer, and
GX Works2). We find that K-ST is sufficiently complete to
support 509 of these programs (consisting of 26,137 lines of
code) and executes those programs correctly (i.e., producing
the same outputs as the corresponding existing compiler),
with the remaining programs only unsupported due to the
use of certain vendor-specific or hardware-related functions
that we did not yet formalize. Furthermore, to evaluate
the utility of K-ST for testing ST compilers, we compared
the executions of the 567 programs (and several mutants)
under K-ST and OpenPLC [42], a popular open source PLC
program compiler. Through this semantics-based testing, we
are able to uncover five bugs and nine functional defects in
 3

the OpenPLC compiler, all of them are previously unknown.

Fig. 1 summarises the high-level workflow of this process.
In summary, we make three main contributions.
• We propose an executable formal reference semantics
for ST;
• We collect a set of 567 complete ST program samples,
and validate the correctness of our executable seman-
tics by running those programs in the semantics and
via existing compilers (CODESYS, CX-Programmer,
and GX Works2), comparing the results.
• We test OpenPLC, an open source PLC program
compiler, using our proposed semantics, and find
five bugs and nine functional defects.
The remaining part of this paper is organized as follows.
Section 2 introduces the background of ST and the K frame-
work. The proposed executable operational semantics of ST
formalized in K is introduced in Section 3. Section 4 shows
some practical applications of our formal semantics. The
evaluation results of the proposed semantics are introduced
in Section 5. Section 6 summarises some related work, and
Section 7 concludes this work.

2 BACKGROUND
In this section, we briefly introduce the background of the
Structured Text (ST) language and the K framework.

2.1 Structured Text

The Programmable Logic Controller, invented in 1969 by
Dick Morley, is specially designed for applications in indus-
trial environments, e.g. assembly lines, robotic devices, or
public infrastructure. These kinds of applications all require
high reliability and ease of programming.
Early PLCs were represented as a series of logic expres-
sions in some kind of Boolean format. With the development
of programming terminals and the complexity of existing
control procedures, Ladder Diagrams (LD) were developed
to program PLCs. As of 1993, the IEC 61131-3 standard
developed by the International Electrotechnical Commis-
sion (IEC) defined five programming languages, including
two textual programming languages—ST and IL—as well
as three graphical languages—LD, FBD, and SFC. A simple
example in Fig. 2 [43] shows a ST code example which can
be used for linear scaling of an analog sensor signal.
ST is a high-level PLC programming language which
is similar to Pascal [44] (widely used from 1980 to 2000),
C/C++ and Java. While it contains common constructs
from modern programming languages such as FUNCTION,
IF/ELSIF/ELSE and CASE branches, WHILE and FOR loops, it
has its own characteristics, such as the lack of recursion, cap-
italized keywords, REPEAT statement, and FUNCTION BLOCK
structure. For instance, FUNCTION BLOCK as an important
part of ST, and has its own state. Its main purpose is to mod-
ularize and structure a straightforwardly defined portion of
the program. It is similar to the class-object manifestation in
object-oriented programming. Function blocks exist in two
forms: as a type or as an instance, but only the instance
can be called. For each function block, the local variables
retain their values between each ‘call’. TABLE 1 shows the
common elements of ST.
Fig. 2: An ST programming example
ST, as the only textual programming language supported
by the new IEC standard, has a number of advantages
compared to other PLC languages. First, being textual, ST
programs can be copied relatively easily. Second, compared
with the other four languages, it is more convenient for
mathematical calculations, formulas and algorithms, and for
managing large amounts of data [9]. Third, compared with
20 years ago, PLC solutions are more in demand today and
ST can better adapt to this change. Finally, LD, SFC and FBD
also require parts of the program to be written in ST anyway
[45], [46].
Unfortunately, the absence of documents defining or
describing the complete features of the ST language and the
differing customizations of vendors can lead to inconsistent
implementations of ST. In addition, understanding the se-
mantics of the ST language, and ensuring that it is formally
defined is difficult for end users accustomed to graphical
programming. A formal executable semantics of ST not only
provides a standard, but also helps PLC engineers verify the
completeness and correctness of these implementations.
2.2 The K Framework
K is a formal logic framework based on rewriting logic [47].
It was developed with the overarching goal of pursuing
the ideal language framework, where all programming lan-
guages have formal semantic definitions and all language
tools are automatically derived in a correct-by-construction
manner at no additional cost. The K backends, such as the
 4

TABLE 1: Common elements of the ST language

Type Element Type Element Type Element

FUNCTION BLOCK INT ARRAY

Built-in Data Type
Program Organization Unit FUNCTION DINT ...
PROGRAM SINT VAR GLOBAL
IF LINT VAR
CASE UINT VAR INPUT
WHILE UDINT VAR OUTPUT
Main Statement FOR USINT VAR IN OUT
REPEAT Built-in Data Type ULINT VAR EXTERNAL
Declaration Type
EXIT REAL VAR TEMP
RETURN LREAL AT
... BOOL RETAIN
ENUM STRING PERSISTENT
User Data Type
STRUCT WSTRING CONSTANT
TIME TIME OF DAY ...
Built-in Data Type
DATE DATE AND TIME ...

Isabelle theory generator, the model checker, and the de-

ductive verifier, can be utilized to prove properties based on
the semantics and generated verification tools [48]. Several
executable semantics in K have been developed for main-
stream programming languages, including C [49], Java [50],
JavaScript [51], Rust [52], Solidity [53], and IMP [54].
A language semantics definition in K consists of three
parts: the language syntax, the configuration, and a set of
semantics constructed based on the syntax and the config-
uration. Given the semantics definition for a programming
language and some source programs, K executes these pro-
grams like a translator. For illustration, in the following we
take a strict subset of the ST language, i.e., STdemo shown
in Fig. 2 as an example to illustrate how to define language
semantics in K.
Configuration. The whole configuration cell T of STdemo
contains two cells, namely k and state. The cell k is used
to store the source program $P GM for execution, and the
cell state is used to record the mapping from a variable
identifier to its value. The configuration simulates the mem-
ory status and environmental changes during runs of the
program. Fig. 3: The syntax of STdemo
hh$P GM : P gmik h.M apistate iT
With the configuration defined, we present the syntax of where V Bs stands for b : REAL; Error : BOOL := FALSE;.
STdemo in Fig. 3, which includes some numerical operations, Then, K will rewrite hVAR a : REAL; V Bs END VAR · · · ik to
logic operations and commonly used statements. Based on hVAR V Bs END VAR · · · ik , which means that a : REAL; has
the configuration and the syntax of STdemo , we introduce been executed according to rule Variable Allocate.
some basic rules in the semantics. The role of the semantics Meanwhile, it adds the mapping between the
is to tell K how to execute the source code, where K variable name and the corresponding value
executes the code and updates the configuration sentence- (a 7→ 0.0) in the current state cell Rho. In addition,
by-sentence after parsing the source program. “requires notBool (X in keys (Rho))” guarantees that
Here, we show the semantics of Allocate, Lookup and the variable will not be re-declared. Similarly, variables
Assignment in Fig. 4 as they are the most commonly b and Error will be allocated separately. After that, the
used constructs in programming languages. TABLE 2 content in the k cell is hVAR .V arBodys END VAR · · · ik ,
describes some common semantic notations. Take Allocate where .V arBodys represents an empty variable declaration
as an example: when K runs to lines 9–13 in Fig. 2, the list, that is, no additional variable needs to be allocated. The
content in the k cell is hVAR a : REAL; V Bs END VAR · · · ik , rule Variable Finish Allocate will be called to convert
 5

to be implemented by extending the operational seman-

tics. Specifically, the syntax of ST is constructed based on
the official IEC 61131-3 standard [46]. The configuration is
specifically designed for ST. Based on the syntax and the
configuration, we then formalize the semantic rules for the
language features with rewriting logic. Next, we present
each component of the semantic one by one.

3.1 The Syntax of ST

Fig. 4: The partial semantics of STdemo
TABLE 3 presents the syntax of ST defined in K-ST, which
covers most of the core syntax. We remark that TABLE 3
only contains the main part of K-ST while omitting oth-
ers, e.g., some built-in functions (LEN, DELETE and so on)
for space reasons. The syntax is specified by a grammar
in a dialect of Extended Backus-Naur Form (EBNF) [55],
where ∗ means zero or more repetitions. In ST, the top-level
grammatical structures include user-defined types (TYPE
statements) and three Program Organization Units (POUs):
FUNCTION, FUNCTION BLOCK and PROGRAM. Other syntactical
elements are derived within these top-level grammatical
structures.

TABLE 2: Summary of semantic notations

3.2 The Configuration of ST
The execution of an ST program needs to update the follow-
Notation Description
ing kinds of state: data segment, code segment and stack.
rule The beginning of a semantic rule. Among them, the data segment is used to store global vari-
The symbol ⇒ means “rewritten by”, thus a ⇒ b ables, the code segment is used to store program execution
a⇒b code, and the stack is used to store local variables of the
denotes that a can be replaced by b.
program. Note that runtime environment switching caused
a requires b Execute a when b is true.
by function calls is also achieved by the operation of stack.
hik stands for the k cell in a configuration. The overall runtime configuration of ST in K is presented in
a a
b k Similar to a ⇒ b, b
means a will be rewritten by b. Fig. 5. We highlight our careful design choices as follows.
However, it can only be used inside hi. Overview. There are 11 main cells in the configuration
h· · · a · · · i · · · represents the content in the a context.
T , i.e., k , control, allenv , genv , gvenv , store, type, constant
input, output and nextLoc. The value of each cell is initial-
. . stands for empty.
ized according to its specified type. For instance, for cells
Any value. with a mapping relationship, their values are initialized to
a : b The type of variable a is b. M ap type, and for cells that store a collection, they are
a 7→ b, a ← b Mapping from a to b. initialized to List type. A ‘.’ followed by any type means
a y b The execution of a, followed by execution of b.
an empty set of this type. For instance, .M ap in the cell
genv represents that genv is initialized with an empty map.
Enumeration type. By default, when an enumeration
type is defined in ST, PLC compilers will automatically
“VAR .V arBodys END VAR” in k to “.”, which means
associate a number (indexed from 0 and incremented by 1
that there is no more code to execute in the VAR block and
each time) to each variable in the enumeration. For repeated
K will continue to execute the subsequent code.
declarations, we use count cell to record the value of the
current enumeration.
3 F ORMAL S EMANTICS OF S TRUCTURED T EXT IN Global variables. There are two types of global variables.
First, the POUs and customized types that users define.
T HE K FRAMEWORK These variables can be accessed anywhere in the program.
In this section, we introduce K-ST, the executable opera- We store these variables in the genv cell as the basis
tional semantics of ST formalized in K. Note that in practice for program operation. Second, the variables defined in
the PLC programming environment is provided by specific VAR GLOBAL. These variables cannot be directly accessed in
PLC manufacturers including CODESYS and Siemens’s TIA the program unless they are declared with VAR EXTERNAL.
portal (TIA, Structured Control Language (SCL)). As a con- We store these variables in the gvenv cell and provide them
sequence, the implementations of different manufacturers on demand.
can vary and may also include their own unique functions Program execution. The source code parsed by the syn-
or structures. tax SourceU nit, called $P GM , is stored in the cell k for
Our approach is therefore to focus on the common fea- execution. Then the $P GM will be executed unit by unit.
tures, allowing other unique functions of the environment If the program terminates normally, there will be a ‘.’ in
 6

TABLE 3: The syntax of ST

Syntax Description

Id ::= [a − zA − z ] [a − zA − Z0 − 9 ]∗
Ids ::= Id∗ Identifier
IdV al ::= Id := Expression
EnumStructDeclaration ::= T Y P E EnumDeclarationExp∗ EN D T Y P E
| T Y P E StructDeclarationExp∗ EN D T Y P E
EnumBlock ::= Ids | IdV al∗ Enum and Struct declaration
EnumDeclarationExp ::= Id : (EnumBlock) ; | Id : (EnumBlock) := Id;
StructDeclarationExp ::= Id : ST RU CT V arDeclarationExp∗ EN D ST RU CT
F unction ::= F U N CT ION Id : T ype V arDeclaration∗ Statements EN D F U N CT ION Function declaration
F unctionBlock ::= F U N CT ION BLOCK Id V arDeclaration∗ Statements EN D F U N CT ION Function block declaration
P rogram ::= P ROGRAM Id V arDeclaration∗ Statements EN D P ROGRAM Program declaration
T ype ::= IN T |DIN T |SIN T |LIN T |U IN T |U DIN T |U SIN T |U LIN T |BY T E|W ORD|DW ORD|REAL
|LREAL|ST RIN G|ST RIN G [Expression] |W ST RIN G|W ST RIN G [Expression] |T IM E|DAT E Variable types
|T IM E OF DAY |DAT E AN D T IM E|Id|ARRAY [Expression] OF T ype
V arT ype ::= V AR GLOBAL | V AR | V AR IN P U T | V AR OU T P U T | V AR IN OU T | V AR T EM P
V arDeclarationExp ::= Ids : T ype; | Ids : T ype := Expression; Variable declaration
V arDeclaration ::= V arT ype V arDeclaration EN D V AR
Operation ::= + | − | ∗ | / | ∗ ∗ | M OD | < | > | = | <= | >= | <> | AN D | &
| AN D T HEN | XOR | OR | OR ELSE | ..
Expression ::= Int | F loat | String | Bool | Bit | AllT ime | Id | Expression Operation Expression Expressions
Expression (Expressions) | Expression.Expression | Expression [Expressions] | (Expression)
Expressions ::= Expression∗
Assignment ::= Expression := Expression; Assignment statement
ElseIf Block ::= ELSE Statements | ELSE IF Expression T HEN Statements ElseIf Block∗
If ::= IF Expression T HEN Statements ElseIf Block∗ EN D IF ;
CaseBlock ::= Expression : Statements | Expression .. Expression : Statements Branch statements
Case ::= CASE Expression OF CaseBlock∗ EN D CASE;
| CASE Expression OF CaseBlock∗ ELSE Statements EN D CASE;
W hile ::= W HILE Expression DO Statements EN D W HILE;
F or ::= F OR Expression T O Expression DO Statements EN D F OR;
Loop statements
| F OR Expression T O Expression BY Expression DO Statements EN D F OR;
Repeat ::= REP EAT Statements U N T IL Expression EN D REP EAT ;
Return ::= RET U RN ; Return statement
Exit ::= EXIT ; Exit statement
Statement ::= Expression; | Assignment | If | Case | W hile | F or | Repeat | Return | Exit
Statements
Statements ::= Statement∗

the k cell, denoting that no more units need to be executed.
In the preprocessing phase (the first pass of K), the k cell
only contains the token execute. Afterwards, K will start
executing from the MAIN program.
Stack operations. The cell control contains seven
subcells—f stack , env , temp, count, gvid, print and break —
which record the operating environment of the currently
running code segment. Specifically, the function stack
f stack is a list used to store the environment before exe-
cuting other POUs, including variables in the current envi-
ronment and the subsequent program. Next, the cell env is
used to store the mapping relationship between variables
and indexes in the current environment during program ex-
ecution. Furthermore, cells temp and count are used in ENUM
and STRUCT, where temp is for temporary mapping and
count is used as a counting pointer. The cell gvid records
all identifiers of global variables to assist in the generation
of global variables. The cell print records variables which
need to be output. Finally, break stores the program after
the loop in order to support the implementation of the EXIT
statement in FOR, WHILE and REPEAT loops.
Execution environment. The allenv cell is used to cache
the execution environment before function calls (for strict

Fig. 5: The runtime configuration of ST in K
type checking of parameter passing in function calls1 ). The
cell genv records the result of the pre-processing (including
POUs and custom types) and will be copied to env when
env is refreshed. The last cell related to the environment is
called gvenv and is used to index global variables.
Memory operation. The store cell is used to simulate
memory to record the mapping relationships of indexes
and variable values. After that, the cells input and output
are used to realize external inputs and external output
respectively. The last cell, nextLoc, ensures that the index of
a variable can always be incremented without duplication.
The design consideration behind this is that for complex lan-
guages, it is more effective to explicitly manage arbitrarily
large memory than use garbage collection [56].
3.3 Semantics of the Core Features
We implement the executable semantics covering most core
features of ST and leave the vendor-specific functionalities
as potential extensions. For example, some compilers would
use additional keywords to distinguish the declaration part
and the execution part of the program. In the following,
we provide an overview of four core semantic features of
ST, including 1) data types, 2) main control statements, 3)
declarations and calls of POUs and 4) memory operations.
Before diving into the details, we present the notations as
follows.
3.3.1 Extended Data Types
The K framework supports diverse data types including
identifiers (Id), integers (Int), bools (Bool), floats (F loat)
and strings (String ), which cover most of the require-
ments. However, there are still some unsupported data
1. This is optional but recommended for ST compilers.
7
types needing additional implementation in K-ST, which we
call extended data types. These extended data types can be
categorized into two kinds: 1) elementary types (TIME, BYTE,
WORD, DWORD, TIME OF DAY, DATE and DATE AND TIME) and
2) compound types (ENUM and STRUCT). We implement these
extended data types by the composition of built-in types and
methods in K as follows.
We take TIME OF DAY as an example to introduce
elementary types. There are two types of TIME OF DAY
in ST, e.g., TIME OF DAY#23 : 45 : 56.30 and
TOD#23 : 45 : 56.30. Fig. 6 shows our implementation
of TIME OF DAY type together with its relevant operations.
Lines 1 and 2 respectively define the syntax of TIME OF DAY
and how to parse it (Get TIME OF DAY). Line 3 is used
to convert Get TIME OF DAY to TIME OF DAY, which is
achieved by two steps—Gtd2T d and Standardization—
where Gtd2T d realizes the conversion of the format and
Standardization realizes content conversion, e.g., replacing
60 minutes with 1 hour. Lines 4–11 define some arithmetic
and relational operations of TIME OF DAY.
For compound types, we take STRUCT as an example
and show its semantics in Fig. 7, including both STRUCT
declaration and instantiation. Declarations are shown in
rule Struct Declaration, where we allocate memory for
each defined data structure. The instantiation of STRUCT
consists of four main steps in rule Struct Instantiation:
1) CreatStruct allocates memory for I1, 2) StructInits
generates each variable in turn according to V ds in STRUCT,
3) Set assigns values to the corresponding variables ac-
cording to Idvs, and finally, 4) U pdate stores the mapping
relationship of variables related to I1 into the memory of I1
to facilitate subsequent use.

Fig. 6: Implementation of TIME OF DAY in K
Fig. 7: The partial semantics of STRUCT in K
3.3.2 Main Control Statements
Control statements are important in ST for achieving com-
plex program logic (as in most other programming lan-
guages). We show the rules for CASE, REPEAT and EXIT in
Fig. 8 (as the semantics of IF, WHILE and FOR are typical). A
CASE statement can be rewritten as a combination of an IF
and CASE through rule Case. The rule Repeat is imple-
mented as follows. We first store the subsequent statements
outside the loop (recorded as K ) in cell break to deal with
the EXIT statement that may appear, and then rewrite it
into the form of WHILE for further execution. During the
execution of the loop body, once EXIT is executed, all the
statements in the current cell k are discarded and rewritten
to K (storing the subsequent statements), as shown in
rule Exit.
3.3.3 The Declaration and Call of POUs
In ST programs, statements are inside Program Organi-
zation Units (POUs), i.e., FUNCTION, FUNCTION BLOCK or
PROGRAM. A FUNCTION is a stateless POU type, comparing
to a FUNCTION BLOCK which stores its own state after ex-
ecution. The design of the FUNCTION BLOCK is similar to
8
Fig. 8: The partial semantics of ST control statements
the concept of class-object manifestation in object-oriented
programming (OOP), which aims to achieve better modu-
larization. FUNCTION BLOCKs exist in two forms: as a type
or as an instance, and only the instance can be called.
For a FUNCTION BLOCK instance, the local variables retain
their values between each ‘call’. PROGRAMs are defined by
the IEC 61131-3 standard as a “logical assembly of all the
programming language elements and constructs necessary
for the intended signal processing required for the control
of a machine or process by a PLC-system” [46]. Due to
space constraints, we show the declaration, call and return
operation of FUNCTION BLOCKs in Fig. 9 as an example for
illustration (FUNCTION and PROGRAM are shown in Fig. 10
and explained only when necessary).
Declaration. The declaration of FUNCTION BLOCK
is similar to that of STRUCT. As shown in
rule Function Block Declaration, we first assign an
index in memory for FUNCTION BLOCK X , set the type to the
built-in F unctionBlock , and convert the entire declaration
statement to the built-in type f unblambda(X, void, V ds, S)
for storage, where void means no return value, V ds and S
are variable declarations and operations in X respectively.
The purpose of setting const to true is to prevent it from
being modified. Note that FUNCTION and PROGRAM set type
and store to F unction, f unblambda(X, T, V ds, S) and
P rogram, plambda(X, void, V ds, S, .M ap).
Instantiation. The instantiation of FUNCTION BLOCK
is achieved through variable declarations, as shown
in rule Function Block Instantiation. However, the
value is set to runf unblambda(X, void, V ds, S, .M ap) to
distinguish it from f unblambda and .M ap is designed
to store the FUNCTION BLOCK environment for next call
and external query. This is because a FUNCTION BLOCK
can only be called after instantiation, i.e., runf unblambda
can be executed but f unblambda can not. Since FUNCTION
and PROGRAM have no such restrictions, f unlambda and
plambda can be directly called and executed.
Call. There are two cases when a FUNCTION BLOCK

Fig. 9: The partial semantics of FUNCTION BLOCK
is called. The first case is that the FUNCTION BLOCK
is called for the first time, as shown in
rule Function Block Call First. Since there is no
initial environment (the last value of runf unblambda is
.M ap), we will first store the current execution environment
inf o in f stack , including subsequent statements K , the
Allenv of the current environment, and the parameters
C in cell control. Then, we reset parameters C through
9
renew. After that, K executes the variable declaration V ds
(including index application, initialization and assignment)
and statements S in the function block. In addition, U pdate
is used to update the .M ap in runf unblambda to record
the current environment. Finally, RETURN can return to
the calling program and configure the corresponding
environment. In other cases (not called for the first time),
as shown in rule Function Block Call Others, there is
already a mapping relationship between related variables
and values in cell store, and the mapping relationship
between identifiers and indexes is also stored in the
runf unblambda. Therefore, no new memory allocation
will be made during the execution process and the existing
environment will be used. Note that the value of the
variable in the FUNCTION BLOCK will not be initialized,
which means that the execution result for the same input
may be different.
Regardless of whether RETURN appears in the
FUNCTION BLOCK, we add a RETURN by default for each
FUNCTION BLOCK as a sign that the FUNCTION BLOCK has
finished running and returned to the calling POUs. Since
FUNCTION BLOCKs and PROGRAMs do not have a return value,
we set null as the return value. Note that a FUNCTION
has a return value, and the returned value is the value
corresponding to the function identifier, so we need to use
Clearenv to clean up the memory environment correspond-
ing to the function identifier after calling procedure renew
and add the declaration of the function identifier variable in
V ds.
3.3.4 Memory Operations
Here, we present the rules for memory operations on ele-
mentary types in ST, such as built-in types and extended
elementary types. What elementary types have in common
is that they take only one memory slot. For complex types,
such as enums, structs, arrays, etc, which are compositions
of elementary types, the memory operation can be regarded
as a set of memory operations on elementary types. For
instance, the assignment to struct can be equivalent to assign
value for each variable of this struct.
Similar to STdemo , main memory operations in ST are
still composed of Allocation, Lookup, Assignment and
additional Clearenv . Where Allocation implements the
allocation of memory for variables in the store, Lookup
is used to find variable values in store cell, Assignment
implements the assignment of variables, and Clearenv im-
plements the recovery of memory in the store. However,
because the complete ST semantics has a more complex type
design, they will involve more cells in configurations, and
are more complicated, as shown in Fig. 11.
Note that HOLE is just a variable, but it has special
meaning in the context of sentences with the ‘heat’ or ‘cool’
attribute. In short, ‘heat’ is to lookup the corresponding
content of the HOLE in the formula, and ‘cool’ is to put
the recheck results back into the formula. For example, in
expression a+b where a is represented as HOLE , ‘heat’ is to
take a out of the formula and find its corresponding value.
If it is 3, and ‘cool’ puts 3 back into the original formula,
then the formula becomes 3 + b.
Let us start with the Assignment operation (we omit
Lookup as it is straightforward). The Assignment of ST

Fig. 10: The partial semantics of FUNCTION and PROGRAM
divides the Assignment of STdemo into two steps, where
context and rule Find Index are used to determine
the index L of the assigned variable X in store, and
rule Assignment implements the update of the store
at index L. The purpose of this division is to make the
Assignment operation better applicable to complex types,
because in some cases the index of the assigned variable can
not be directly obtained and multiple queries are required.
For instance, when assigning a value to A [3, 5, 7], where
A is a multi-dimensional array, we need to look up each
dimension one by one to finally determine the index. In
addition, we refer to the state of X in type and constant
during the assignment process. On the one hand, we use
Limit to ensure that the assigned value meets the type
10
Fig. 11: The partial semantics of memory operations
requirements, and on the other hand, we use constant to
ensure that the constant cannot be modified. Although the
memory cleaning operation is not necessary for ST in K, a
simple Clearenv operation can effectively reduce repetitive
code and improve code readability. For rule Clearenv,
what needs attention is the operation on cell env : it replaces
the index L of variable X with undef which means null in
the map supported by K.
ST has relatively complex and strict type definitions,
therefore the rule Allocation of ST involves more cells and
operations, such as type and constant for storing variable
types and whether they are constants, where U ndef ined
is used to generate the default of the specified type. In
addition, according to the content in TABLE 1, not only
VAR will be used in the variable declaration process, but
also other keywords, such as VAR INPUT, VAR IN OUT, etc.
In order to reduce the complexity of the code, we also
implement these declarations through VAR declarations. For
instance, Fig. 12 shows the implementation of VAR GLOBAL
and CONSTANT. We realize regional changes (from the env
cell to the gvenv cell) through letogv , and SetConstant
realizes the modification of the value in the const cell.
We remark that K-ST covers 259 core features with 876
rules in total, using 2315 lines of K code. The complete code
can be accessed through https://github.com/wkyml/K-ST.
 11

TABLE 4: Measure of K-ST/OpenPLC consistency

The result of K-ST

Successful Unusual
execution(Q) termination(I )
Successful Q = Q0 "
%
The result execution(Q ) 0
Q 6= Q0 %
of OpenPLC Unusual I = I 0 &Q = Q0 "
%
termination(I )0
others %
Fig. 12: The partial semantics of variable declarations
TABLE 5: Mutation operations

4 T ESTING AND A NALYSING ST C OMPILERS Mutation Operation Example

In addition to providing formal references for defined lan- Variable Random Assignment a : IN T ; a : IN T := 3527;
guages, our formal semantics also has several applications
Scalar Variable Replacement a := b; a := c | 30;
that use language-independent tools provided by K, such as
Arithmetic Operator Replacement a+b a−b
state space exploration, model checking, symbol execution
and deductive program validation. We omit demonstration Arithmetic Operator Insertion a+b a+b−c
of these applications in this paper since they have been Arithmetic Operator Deletion a+b−c a+b
well-illustrated in related works [51], [52]. In this work, Relational Operator Replacement a>b a <= b
we introduce the testing of ST implementations/compilers Logical Connector Replacement a AN D b a OR b
based on our executable semantics, K-ST.
Logical Connector Insertion a AN D b a AN D b OR c
As discussed earlier, because ST compilers are typically
provided by vendors, the execution behavior of compilers Logical Connector Deletion a AN D b OR c a AN D b
may be different, and may even be inconsistent with respect “NOT” Mutation N OT a a|a N OT a
to the high-level semantics [37]. One of the main applica- Statement Insertion IF · · · EN D IF ;
tions of the proposed semantics is to define the ‘reference’ Statement Deletion EXIT ;
execution behavior of ST, which can help programmers
detect bugs in existing ST compilers.
To explore this application (and given the closed nature In order to better mutate seed programs to improve
of commercial compilers), we choose OpenPLC2 as our test the diversity of test samples, we propose specific mutation
object, which is open source and supports ST programming. operations in TABLE 5 to generate mutated test samples.
The overall workflow of our testing approach is depicted in These mutation operations can enrich the test samples while
Fig. 13. It includes three parts: program variation, program minimizing program errors. Our method for generating
execution and result comparison. First, seed programs are mutant ST programs is shown in Algorithm 1. Given an ST
mutated to improve the diversity of test samples. Next, program Si , the algorithm makes a copy, randomly assigns
we use the mutated program as input to run OpenPLC initial values to all variables at the time of declaration, and
and our executable semantics respectively. Finally, the re- applies some applicable mutation operators to randomly
sult comparison part compares the consistency of the two selected lines in the program. The test is done by comparing
execution results. It should be noted that we use a policy results of these samples in K-ST and OpenPLC. It should
similar to [33], that is, the program does not need input, be noted that correct and erroneous programs in the test
and the category of result consistency comparison includes sample are both meaningful for checking the consistency
the values of all variables in the program. The comparison of execution behavior. This is because K-ST and OpenPLC
of results is performed to analyze potential inconsistencies report program errors at the same time, allowing us to verify
between K-ST and OpenPLC. By comparing the final ex- a stronger notion of consistency. In addition, considering
ecution state of the program with its variable state, we the lag of OpenPLC updates, we also tested it on the latest
can identify potential inconsistencies. The execution state Beremiz3 which uses the same underlying implementation
focuses on determining whether the program has completed (MATIEC 4 ) as OpenPLC. The specific results of the test are
its execution or terminates at the same statement. On the shown in Section 5.
other hand, the variable state captures the values of all
variables in the program, including input, output, and inter-
mediate variables, after the program has finished running. 5 E VALUATION
TABLE 4 shows our measure of consistency, where Q and In order to evaluate the semantics of ST we defined in K,
Q0 represent the values of each variable after the program we deployed K-ST on K version 5.1.11 (Intel(R) Core(TM)
executes, I and I 0 represent the commands corresponding i7-9750H CPU @ 2.60GHz). In the following, we design
to the exception termination, and "and %represent consis- multiple experiments to systematically answer the following
tency and inconsistency respectively. As a result, unless K- research questions (RQs).
ST and OpenPLC exhibit identical execution and memory
states, their behavior will be deemed inconsistent. 3. https://beremiz.org/
4. https://github.com/thiagoralves/OpenPLC Editor/tree/
2. https://www.openplcproject.com/ master/matiec

Fig. 13: Overview of the test process
• RQ1: How much of the ST language is K-ST cover-
ing? Completeness of the semantics is an important
indicator to measure executable formal semantics.
The lack of key semantics will seriously affect the
usefulness of formal semantics.
• RQ2: Is K-ST correct? Semantic correctness is the
basis for ensuring the usability of executable formal
semantics, so we need to analyze the correctness of
formal semantics implemented.
• RQ3: Can K-ST be used to discover bugs in a com-
piler? This is important since a key application of
executable formal semantics is to identify compiler
bugs.
12
5.1 Test Sets
For the purpose of evaluating the coverage and the correct-
ness of K-ST, the test data set that we used comes from
GitHub. We searched 4853 programs in GitHub through
keywords in the ST language. Then, we automatically
screened out samples containing other programming lan-
guages (2516) and XML forms (1542). After that, we manu-
ally splice the remaining programs and remove samples that
lack the components required for operation (such as POUs).
After screening, 567 complete programs written in pure
ST formed our test set. In other words, these 567 samples
contain all the components required for operation and do
not use other languages, such as C and Python.
With the aim of comprehensively testing the correct-
ness of the execution behavior of OpenPLC, we use two
sample sets, including test samples collected from GitHub
(GitHub set) and test samples obtained through mutation
(Mutated set). The GitHub set is the sample set with 567
test samples mentioned before. The Mutated set is generated
by Algorithm 1. We selected 30 high-quality samples from
GitHub set as initial mutant seeds. These 30 samples contain
all the key features of ST. Then, three rounds of iterative
mutation are carried out through Algorithm 1. Each round
of iteration produces 10 mutation samples per seed. Except
for the initial seed used in the first round, the seeds of each
round of mutation are the result of the previous round of
mutation. We get a set containing 33,330 mutation samples.
5.2 Experiment Results and Analyses
5.2.1 Semantic Completeness (RQ1)
We executed K-ST on 567 test samples collected from
GitHub. Among these 567 test samples, K-ST supports the
execution of 509 of them. For these 509 tests which K-ST can
support, Fig. 14 lists the number of tests for some important
features (based on TABLE 1) used in the evaluation. Specif-
ically, there are six kinds of features, namely FUNCTION,
FUNCTION BLOCK, PROGRAM, Declaration types, Date types

Fig. 14: Number of tests for each feature in ST
and Statements. For Declaration types, we list the num-
ber of tests for CONSTANT, VAR GLOBAL, VAR, VAR INPUT,
VAR OUTPUT, VAR IN OUT, VAR TEMP and VAR EXTERNAL.
For Data types, we list the number of tests for elemen-
tary types signed integer (INT, DINT, SINT, LINT), un-
signed integer (UINT, UDINT, USINT, ULINT), float (REAL,
LREAL), Boolean (BOOL), byte (BYTE, WORD, DWORD), string
(STRING, WSTRING), and time (TIME, DATE, TIME OF DAY,
DATE AND TIME); compound types enum (ENUM) and struct
(STRUCT); and finally, the array type ARRAY. For Statements,
we list the number of tests for main control statements: IF,
CASE, FOR, WHILE, REPEAT, EXIT and RETURN.
As indicated in Fig. 14, compared with FUNCTION,
the FUNCTION BLOCK is more favored by ST program-
mers (PROGRAM is necessary for ST program operation).
For Declaration types, the most used is VAR (with
a ratio of 470/509), followed by VAR INPUT (386/509),
VAR OUTPUT (360/509) and VAR IN OUT (313/509). Among
all the Data types, BOOL is the most used, followed by
unsigned integer and ARRAY, constituting 322/509 and
311/509 respectively. For the Data types, BOOL is the most
common type. In addition, we must remark that we do not
count the type of array members. Finally, IF is the most
common statement in all the tests considered. This is also in
line with the main working scenarios of PLCs.
We remark that we do not consider the vendor-based
functions in this experiment as these functions vary not
only from vendor to vendor, but even from product to
product. In particular, Mitsubishi PLCs provide completely
different data types, including Bit, Word[Signed/Unsigned],
Double Word[Signed/Unsigned], Bit STRING[16-bit/32-
bit], FLOAT, STRING[32] and Time. Siemens PLCs support
13
keyword BEGIN to represent the end of variable declaration
and the beginning of operation instructions. In addition,
there are also obvious differences between different prod-
ucts of the same vendor. For example, the S7-1500 and
the S7-1200 from Siemens support different type conversion
methods5 , where the former only provides explicit conver-
sions of types, and the latter provides both explicit and
implicit conversions.
5.2.2 Semantics Correctness (RQ2)
On the other hand, in order to evaluate the correctness of
K-ST, we compared the execution results of K-ST against
those of vendor compilers CODESYS, CX-Programmer and
GX Works2. We consider the proposed semantics correct
if the execution behaviors of K-ST are consistent with the
ones of the CODESYS, CX-Programmer and GX Works2
compilers. The consistency criteria described in Section 4
are utilized to evaluate the consistency of behavior between
K-ST and the compilers provided by vendors. Specifically,
if K-ST and these compilers demonstrate identical execution
and variable states for the same program, their behavior
is deemed consistent. We list the coverage of the K-ST
semantics in TABLE 6 from the perspective of each feature
specified by the official ST documentation, where FC, C and
N mean “Fully Covered and Consistent with Compilers”,
“Covered and Consistent with Compilers” and “Not Cov-
ered”, respectively.
From TABLE 6, we can see clearly that for POUs, we
fully cover the declaration and call. In variable declarations,
5. https://support.industry.siemens.com/dl/dl-media/272/
109742272/att 918238/v6/93516999691/zh-CHS/index.html#
ae443583b99950f7cca0d7237fe81ad4
 14

TABLE 6: Coverage of the proposed ST semantics

Feature Coverage Feature Coverage Feature Coverage

POUs(core) Data types(core) Enum instantiation FC

P OU s declaration SIN T FC Struct
F U N CT ION FC IN T FC Struct declaration FC
F U N CT ION BLOCK FC DIN T FC Struct instantiation FC
P ROGRAM FC LIN T FC F unction block
P OU s calls U SIN T FC F unction block instantiation FC
F U N CT ION FC U IN T FC Array
F U N CT ION BLOCK FC U DIN T FC One − dimensional array C
P ROGRAM FC U LIN T FC M ulti − dimensional array C
Variable Declaration(core) REAL FC Statements(core)
CON ST AN T FC LREAL FC Assignment statement
V AR GLOBAL FC BOOL FC := FC
V AR FC BY T E FC ⇒ N
V AR IN P U T FC W ORD FC Branch statement
V AR OU T P U T FC DW ORD FC IF FC
V AR IN OU T FC ST RIN G FC CASE FC
V AR EXT ERN AL FC W ST RIN G FC Loop statement
V AR T EM P FC T IM E FC W HILE FC
AT C DAT E FC F OR FC
RET AIN N T IM E OF DAY FC REP EAT FC
P ERSIST EN T N DAT E AN D T IM E FC Break statement
Typed constant Enum RET U RN FC
Type # Data FC Enum declaration FC EXIT FC
Built − in function
N umerical f unction (30)
ADD , SU B , M U L, SQR, IN C , DEC , M AX , M IN , M U X , ABS , SQRT , T RU N C , F RAC , F LOOR, LN , LOG, EXP , SIN
COS , T AN , COS , T AN ASIN , ACOS , AT AN , N EG, EXP T , DIV , M OD, LIM IT
Logical f unction (9)
GT , LT , GE , LE , EQ, N E , AN D, OR, SEL
String f unction (9)
CON CAT , IN SERT , DELET E , REP LACE , F IN D, LEN , LEF T , RIGHT , M ID
T ranslate f unction (160)
 FC: Fully Covered and Consistent with Compilers (256/262)  C: Covered and Consistent with Compilers (3/262)  N: Not Covered (3/262)

AT is related to input and output. We remark, however, that
the storage mode of variables in K is very different from that
in real PLCs, so we just support simple computer-side input
and output. In addition, RETAIN and PERSISTENT are related
to the actual situation in the PLC, so they are not imple-
mented. For instance, AT is used to bind the actual point of
the PLC; RETAIN and PERSISTENT support the preservation
of variable values after a power failure or power loss. Array
is the only one which is covered but not fully covered in
all data types. Limited by the realization of arrays, it is
temporarily impossible to achieve the array for enum and
struct, and to assign values to multi-dimensional arrays as
a whole. In statements, ⇒ has been used in K and can be
replaced by :=. For built-in functions, we show a list which
we supported, including 30 numerical functions, 9 logical
functions, 9 string functions and 160 translate functions.
In the process of comparing with CODESYS, CX-
Programmer and GX Works2, the following points need to
be explained. Firstly, due to the closed nature of these com-
pilers, they cannot be simply called, so we have to manually
fill the code in the specified way into the compiler to compile
and run, and compare the results, which is laborious and te-
dious work. This also hinders us from testing these commer-
cial compilers in an extensively large scale. After that, differ-
ent vendors have obvious differences in the implementation
of compilers, so the source code needs to be adapted to a
certain extent. For example, only 10 basic data types—Bit,
Word[Signed/Unsigned], Double Word[Signed/Unsigned],
Bit STRING[16-bit/32-bit], FLOAT, STRING[32] and Time—
are provided in the GX Works2 compiler, so we need to
adapt the variable types of the source program.

TABLE 7: The results of K-ST and OpenPLC
Data Set GitHub Set Mutated Set
Number of samples 567 31059 (2271)
Number of program K-ST 509 15850
run completely OpenPLC 490 11581
Kp Of 30 5664
Inconsistent Kf Op 11 1395
Diff. Result 0 735
5.2.3 Finding Bugs in OpenPLC (RQ3)
We execute OpenPLC and K-ST with the GitHub set and
Mutated set as input. The execution results of the two data
sets are shown in TABLE 7. Here, Kp Of is the number of
programs that K-ST can execute normally but OpenPLC
cannot compile and run; Kf Op is the number of programs
that K-ST cannot run normally but OpenPLC can.
For the GitHub set, K-ST supports 509 of them, and
OpenPLC supports 490. Through analysis, we found that the
reason for this phenomenon is that OpenPLC has some func-
tional deficiencies. For example, OpenPLC does not support
the initialization of variables using formulas at the time
of declaration; numerical calculations of BYTE, WORD, DWORD
types are not supported, etc.
For the Mutated set, there is a big difference between
the execution results of K-ST and OpenPLC. First of all,
we filter 2,271 timeout programs that timed out both in
OpenPLC and K-ST with 10 seconds as the time limit. After
that, we manually analyzed these samples with inconsistent
results to determine the causes. For the large Kp Of value,
functional deficiencies remain the main reason.
We found an interesting bug in OpenPLC. The bug is a
“VAR” parsing exception in OpenPLC. If the first operation
instruction starts with “VAR”, such as “VAR0 := 1;”, Open-
PLC terminates abnormally. The interesting phenomenon is
when an error statement appears in an unexecuted part of
the program, such as after the ”RETURN;”: K-ST can execute
such a program, but OpenPLC cannot. The main reason
for this phenomenon is that K adopts an operation-based
detection mechanism. Because the error code will not be
executed, it will not lead to the termination of our executable
semantics. The case study is shown in APPENDIX A.
After that, by analyzing those programs that have differ-
ent results on K-ST and OpenPLC, we find that the reasons
for the different results are mainly due to the differences in
underlying implementations between K and OpenPLC. For
example, for integer mode operation −7 MOD 3, the execu-
tion result of K-ST is −1, whereas the result for OpenPLC
is 2. From a mathematical point of view, both results are
correct, but they will have a completely different impact on
any following operations. When we run the program again
in CODESYS, the results of CODESYS were the same as K-
ST.
For those samples that K-ST cannot run normally but
OpenPLC can execute normally, our analysis found some
bugs in OpenPLC. For example, while OpenPLC can check
explicit divide-by-zero operations, it allows the execution
of implicit divide-by-zero operations. TABLE 8 details all
15
functional deficiencies and bugs we found in OpenPLC.
We show some relevant case studies in APPENDIX B.
Considering that Beremiz can be regarded as an updated
version of OpenPLC, we have retested the inconsistencies
we found in Beremiz. We found that in the latest Beremiz,
it fixes some problems, including negative MOD operation
results and “VAR” parsing exceptions. But other bugs and
shortcomings still exist. In response to these problems in
OpenPLC, we have submitted them to the OpenPLC and
Beremiz developers and are waiting for their confirmation6 .
6 R ELATED W ORK
In this section, we discuss some other PLC program analysis
techniques, summarize their characteristics, and distinguish
them from our work.
Keliris et al. [19] propose a framework (ICSREF) which
can automate the reverse engineering process for PLC bina-
ries. They instantiate ICSREF modules for reversing binaries
compiled with CODESYS and getting the complete Control
Flow Graph (CFG), and they provide an end-to-end case
study of dynamic payload generation and attack deploy-
ment. Tychalas et al. [7] analyze the binary files generated by
all control system programming languages in CODESYS to
understand the differences and even the vulnerabilities in-
troduced during the program compilation process. Based on
this analysis, they provide a fuzzing framework (ICSFuzz)
to perform security evaluation of the PLC binaries. Our
work differs from them because we focus on the source code
and do not rely on any specific compilation environment.
Kuzmin et al. [57] propose to use linear-time tem-
poral logic (LTL) to guide program behavior and check
whether ST programs satisfy the corresponding temporal
logic through Cadence SMV. Darvas et al. [15] propose rule-
based reductions and a Cone of Influence (COI) reduction
variant for state explosion problems that may be encoun-
tered in the formal analysis of ST code, and use the NuSMV
model checker to verify temporal logic. After that, they
[58] provide a state machine and data-flow-based formal
specification method for PLC modules. In addition, they
[43] analyze the feasibility of converting between the 5 PLC
programming languages provided by Siemens, and point
out that the extended SCL (a vendor-defined ST) can be
used as the target language for conversion. Adiego et al.
[59] propose an intermediate model-based method which
can transform PLC programs written in different modeling
languages of verification tools to facilitate checking tem-
poral logic. Hailesellasie et al. [60] propose UBIS, which
converts ST programs with potential intrusions as well as
trusted versions of programs into attributed graphs through
UPPAAL, and compares their nodes and edges to detect
stealthy code injections. Bohlender et al. [61] apply formal
verification and falsification of temporal logic specifications
to analyze chemical plant automation systems. Rawlings
et al. [62] use symbolic model checking tools st2smv and
SynthSMV to verify and falsify a ST program controlling
batch reactor systems. Xiong et al. [23] use the behavior
model (BM) to specify the behavior of ST programs, and
6. https://bitbucket.org/automforge/matiec git/issues?status=
new&status=open
 16

TABLE 8: The bugs and functional deficiencies of OpenPLC

Type Problem Description

“VAR” parsing exception The first operation instruction starts with “VAR”, and OpenPLC terminates abnormally.
Division by zero OpenPLC can check explicit division 0 but allow the execution of implicit division 0.
Bug Overflow access OpenPLC can check explicit overflow access but allow the execution of implicit overflow access.
MOD by zero OpenPLC provides MOD 0 operation, and the result is 0.
MOD Exception The divisor of MOD operation can be empty.
Numerical OpenPLC does not support normal numerical calculation ∗∗.
calculation defects Numerical calculations of BYTE, WORD, DWORD types are not supported.
Array functions defects Parentheses are not allowed in array assignments.
FUNCTION BLOCK
Functional Multiple instantiation of function blocks in one statement is not allowed.
instantiation defects
deficiencies
ENUM defects OpenPLC does not support normal assignment of ENUM type.
Variable Some non-keyword strings cannot be used as variable names, such as “ramp”, “LocalVar0 ”, etc.
declaration defects OpenPLC can not support formula and other variables previously declared as initial value.
Without operation or variable declarations, OpenPLC cannot compile ST program.
Structural defects
Without statements in FOR, WHILE, IF, CASE, REPEAT, OpenPLC cannot compile ST.

provide an method based on automatic theoretical to verify
LTL attributes on BM. Our work differs from the afore-
mentioned works because they attempt to transform PLC
programs into intermediate languages or other program-
ming languages which are suitable for verifying or detecting
potential issues, and lack analysis in the conversion process.
In addition, these methods do not offer feedback at the level
of source code.
Huang et al. [38] is the closest work to ours. They first
defined the executable semantics of the ST language in K
and use it to check some security properties. Our work
differs because we cover a more complete ST language, and
we can use it to discover errors in ST compilers.
7 C ONCLUSION
In this paper, we introduced an executable operational
semantics of ST formalized in the K framework. We pre-
sented the semantics of the core features of ST, namely
data types, memory operations, its main control statements,
and function calls. Our experimental results show that the
proposed ST semantics has already covered the main core
language features and correctly implements 26,137 lines of
public ST code on GitHub. Furthermore, the application
of the proposed semantics in testing and analyzing PLC
compilers is discussed. By comparing and analyzing the
execution results of OpenPLC and K-ST, we found five
bugs and some functional deficiencies in OpenPLC. In the
future, we hope to further extend K-ST to support the pro-
gramming environments provided by different vendors. For
example, vendors may customize keywords (Bit STRING of
GX Works2), add additional structures (LABEL of Siemens),
or even widely extend ST (ExST of CODESYS).
ACKNOWLEDGMENTS
We thank the reviewers for their constructive feedback. This
research is supported by National Key R&D Program of
China under grant 2020YFB2010900, NSFC under grants
61833015 and 62293511, Provincial Key R&D Program of
Zhejiang under grants 2020C01038 and 2021C01032, and the
Starry Night Science Fund of Zhejiang University Shanghai
Institute for Advanced Study, Grant No. SN-ZJU-SIAS-001.
R EFERENCES
[1] R. Langner, “Stuxnet: Dissecting a cyberwarfare weapon,” IEEE
Security & Privacy, vol. 9, no. 3, pp. 49–51, 2011.
[2] G. Liang, S. R. Weller, J. Zhao, F. Luo, and Z. Y. Dong, “The 2015
Ukraine blackout: Implications for false data injection attacks,”
IEEE Transactions on Power Systems, vol. 32, no. 4, pp. 3317–3318,
2016.
[3] K. Zetter, “The Ukrainian power grid was hacked again,” Mother-
board, 2017.
[4] N. Perlroth and C. Krauss, “A cyberattack in Saudi Arabia had a
deadly goal,” Experts fear another try, 2018.
[5] D. Tychalas and M. Maniatakos, “Open platform systems under
scrutiny: A cybersecurity analysis of the device tree,” in 2018 25th
IEEE International Conference on Electronics, Circuits and Systems
(ICECS). IEEE, 2018, pp. 477–480.
[6] A. Nochvay, “Security research: CODESYS runtime, a PLC control
framework,” Kaspersky ICS CERT, 2019.
[7] D. Tychalas, H. Benkraouda, and M. Maniatakos, “ICSFuzz: Ma-
nipulating I/Os and repurposing binary code to enable instru-
mented fuzzing in ICS control applications,” in 30th {USENIX}
Security Symposium ({USENIX} Security 21), 2021.
[8] “Programmable controllers - Part 3: Programming languages,”
International Electrotechnical Commission, Standard, 2013.
[9] T. M. Antonsen, PLC Controls with Structured Text (ST), V3: IEC
61131-3 and best practice ST programming. BoD–Books on Demand,
2020.
[10] J. O. Blech and S. O. Biha, “On formal reasoning on the semantics
of PLC using Coq,” arXiv preprint arXiv:1301.3047, 2013.
[11] J. O. Blech and S. Ould Biha, “Verification of PLC properties based
on formal semantics in Coq,” in International Conference on Software
Engineering and Formal Methods. Springer, 2011, pp. 58–73.
[12] T. Ovatman, A. Aral, D. Polat, and A. O. Ünver, “An overview
of model checking practices on verification of PLC software,”
Software & Systems Modeling, vol. 15, no. 4, pp. 937–960, 2016.
[13] H. Janicke, A. Nicholson, S. Webber, and A. Cau, “Runtime-
monitoring for industrial control systems,” Electronics, vol. 4, no. 4,
pp. 995–1017, 2015.
[14] L. Garcia, S. Zonouz, D. Wei, and L. P. De Aguiar, “Detecting PLC
control corruption via on-device runtime verification,” in 2016
Resilience Week (RWS). IEEE, 2016, pp. 67–72.

[15] D. Darvas, B. F. Adiego, A. Vörös, T. Bartha, E. B. Vinuela, and
V. M. G. Suárez, “Formal verification of complex properties on
PLC programs,” in International Conference on Formal Techniques for
Distributed Objects, Components, and Systems. Springer, 2014, pp.
284–299.
[16] D. Darvas, I. Majzik, and E. B. Viñuela, “Formal verification of
safety PLC based control software,” in International Conference on
Integrated Formal Methods. Springer, 2016, pp. 508–522.
[17] L. Garcia, F. Brasser, M. H. Cintuglu, A.-R. Sadeghi, O. A. Mo-
hammed, and S. A. Zonouz, “Hey, my malware knows physics!
Attacking PLCs with physical model aware rootkit.” in NDSS,
2017.
[18] R. Spenneberg, M. Brüggemann, and H. Schwartke, “PLC-Blaster:
A worm living solely in the PLC,” Black Hat Asia, vol. 16, pp. 1–16,
2016.
[19] A. Keliris and M. Maniatakos, “ICSREF: A framework for auto-
mated reverse engineering of industrial control systems binaries,”
arXiv preprint arXiv:1812.03478, 2018.
[20] S. Guo, M. Wu, and C. Wang, “Symbolic execution of pro-
grammable logic controller code,” in Proceedings of the 2017 11th
Joint Meeting on Foundations of Software Engineering, 2017, pp. 326–
336.
[21] S. E. McLaughlin, S. A. Zonouz, D. J. Pohly, and P. D. McDaniel,
“A trusted safety verifier for process controller code.” in NDSS,
vol. 14, 2014.
[22] G. Canet, S. Couffin, J. Lesage, A. Petit, and P. Schnoebelen,
“Towards the automatic verification of PLC programs written in
instruction list,” in Proceedings of the IEEE International Conference
on Systems, Man & Cybernetics: ”Cybernetics Evolving to Systems,
Humans, Organizations, and their Complex Interactions”. IEEE, 2000,
pp. 2449–2454.
[23] J. Xiong, X. Bu, Y. Huang, J. Shi, and W. He, “Safety verification
of IEC 61131-3 Structured Text programs,” IEEE Transactions on
Industrial Informatics, vol. 17, no. 4, pp. 2632–2640, 2020.
[24] M. Zhang, C.-Y. Chen, B.-C. Kao, Y. Qamsane, Y. Shao, Y. Lin,
E. Shi, S. Mohan, K. Barton, J. Moyne et al., “Towards automated
safety vetting of PLC code in real-world plants,” in 2019 IEEE
Symposium on Security and Privacy (SP). IEEE, 2019, pp. 522–538.
[25] N. Bauer, S. Engell, R. Huuck, S. Lohmann, B. Lukoschus,
M. Remelhe, and O. Stursberg, “Verification of PLC programs
given as sequential function charts,” in Integration of software
specification techniques for applications in Engineering. Springer,
2004, pp. 517–540.
[26] A. Mader and H. Wupper, “Timed automaton models for simple
programmable logic controllers,” in Proceedings of 11th Euromicro
Conference on Real-Time Systems. Euromicro RTS’99. IEEE, 1999, pp.
106–113.
[27] T. Mertke and G. Frey, “Formal verification of PLC programs
generated from signal interpreted Petri nets,” in 2001 IEEE Inter-
national Conference on Systems, Man and Cybernetics. e-Systems and
e-Man for Cybernetics in Cyberspace (Cat. No. 01CH37236), vol. 4.
IEEE, 2001, pp. 2700–2705.
[28] R. Huuck, “Semantics and analysis of instruction list programs,”
Electronic Notes in Theoretical Computer Science, vol. 115, pp. 3–18,
2005.
[29] J. Sadolewski, “Conversion of ST control programs to ANSI C for
verification purposes,” e-Informatica Software Engineering Journal,
vol. 5, no. 1, 2011.
[30] B. F. Adiego, D. Darvas, E. B. Viñuela, J.-C. Tournier, V. M. G.
Suárez, and J. O. Blech, “Modelling and formal verification of
timing aspects in large PLC programs,” IFAC Proceedings Volumes,
vol. 47, no. 3, pp. 3333–3339, 2014.
[31] O. Maler and S. Yovine, “Hardware timing verification using KRO-
NOS,” in Proceedings of the Seventh Israeli Conference on Computer
Systems and Software Engineering. IEEE, 1996, pp. 23–29.
[32] M. Heiner and T. Menzel, “Petri net semantics for the PLC user
programming language Instruction List,” Techn. Report BTU Cot-
tbus, I-20/1997, Cottbus December, 1997.
[33] V. Le, M. Afshari, and Z. Su, “Compiler validation via equivalence
modulo inputs,” ACM Sigplan Notices, vol. 49, no. 6, pp. 216–226,
2014.
[34] X. Yang, Y. Chen, E. Eide, and J. Regehr, “Finding and understand-
ing bugs in C compilers,” in Proceedings of the 32nd ACM SIGPLAN
conference on Programming language design and implementation, 2011,
pp. 283–294.
[35] J. Chen, J. Patra, M. Pradel, Y. Xiong, H. Zhang, D. Hao, and
17
L. Zhang, “A survey of compiler testing,” ACM Computing Surveys
(CSUR), vol. 53, no. 1, pp. 1–36, 2020.
[36] W. M. McKeeman, “Differential testing for software,” Digital Tech-
nical Journal, vol. 10, no. 1, pp. 100–107, 1998.
[37] R. Schumi and J. Sun, “SpecTest: Specification-based compiler
testing,” Fundamental Approaches to Software Engineering, vol. 12649,
p. 269, 2021.
[38] Y. Huang, X. Bu, G. Zhu, X. Ye, X. Zhu, and J. Shi, “KST: Executable
formal semantics of IEC 61131-3 structured text for verification,”
IEEE Access, vol. 7, pp. 14 593–14 602, 2019.
[39] G. Rosu, “K: A semantic framework for programming languages
and formal analysis tools,” Dependable Software Systems Engineer-
ing, vol. 50, p. 186, 2017.
[40] M. J. Hohnka, J. A. Miller, K. M. Dacumos, T. J. Fritton, J. D. Erdley,
and L. N. Long, “Evaluation of compiler-induced vulnerabilities,”
Journal of Aerospace Information Systems, vol. 16, no. 10, pp. 409–426,
2019.
[41] M. Marcozzi, Q. Tang, A. F. Donaldson, and C. Cadar, “Compiler
fuzzing: How much does it matter?” Proceedings of the ACM on
Programming Languages, vol. 3, no. OOPSLA, pp. 1–29, 2019.
[42] T. R. Alves, M. Buratto, F. M. De Souza, and T. V. Rodrigues,
“OpenPLC: An open source alternative to automation,” in IEEE
Global Humanitarian Technology Conference (GHTC 2014). IEEE,
2014, pp. 585–589.
[43] D. Darvas, I. Majzik, and E. Blanco Viñuela, “Generic representa-
tion of PLC programming languages for formal verification,” in
23rd PhD Mini-Symposium. Budapest University of Technology
and Economics, 2016, pp. 6–9.
[44] N. Roos, “Programming PLCs using structured text,” in Interna-
tional Multiconference on Computer Science and Information Technol-
ogy. Citeseer, 2008, pp. 20–22.
[45] F. Markovic, “Automated test generation for structured text lan-
guage using uppaal model checker,” 2015.
[46] M. Tiegelkamp and K.-H. John, IEC 61131-3: Programming indus-
trial automation systems. Springer, 2010.
[47] N. Martı-Oliet and J. Meseguer, “Rewriting logic: roadmap and
bibliography,” Theoretical Computer Science, vol. 285, no. 2, pp. 121–
154, 2002.
[48] A. Stefănescu, D. Park, S. Yuwen, Y. Li, and G. Roşu, “Semantics-
based program verifiers for all languages,” ACM SIGPLAN Notices,
vol. 51, no. 10, pp. 74–91, 2016.
[49] C. Ellison and G. Rosu, “An executable formal semantics of C with
applications,” ACM SIGPLAN Notices, vol. 47, no. 1, pp. 533–544,
2012.
[50] D. Bogdanas and G. Roşu, “K-Java: A complete semantics of
Java,” in Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, 2015, pp. 445–
456.
[51] D. Park, A. Stefănescu, and G. Roşu, “KJS: A complete formal
semantics of JavaScript,” in Proceedings of the 36th ACM SIGPLAN
Conference on Programming Language Design and Implementation,
2015, pp. 346–356.
[52] F. Wang, F. Song, M. Zhang, X. Zhu, and J. Zhang, “KRust: A for-
mal executable semantics of Rust,” in 2018 International Symposium
on Theoretical Aspects of Software Engineering (TASE). IEEE, 2018,
pp. 44–51.
[53] J. Jiao, S. Kan, S.-W. Lin, D. Sanan, Y. Liu, and J. Sun, “Semantic
understanding of smart contracts: Executable operational seman-
tics of Solidity,” in 2020 IEEE Symposium on Security and Privacy
(SP). IEEE, 2020, pp. 1695–1712.
[54] T. Nipkow and G. Klein, “Imp: A simple imperative language,” in
Concrete Semantics. Springer, 2014, pp. 75–94.
[55] D. D. McCracken and E. D. Reilly, “Backus-Naur Form (BNF),” in
Encyclopedia of Computer Science, 2003, pp. 129–131.
[56] G. Roşu and T. F. Şerbănuţă, “K overview and simple case study,”
Electronic Notes in Theoretical Computer Science, vol. 304, pp. 3–56,
2014.
[57] E. V. Kuzmin, A. Shipov, and D. A. Ryabukhin, “Construction and
verification of PLC programs by LTL specification,” in 2013 Tools
& Methods of Program Analysis. IEEE, 2013, pp. 15–22.
[58] D. Darvas, E. Blanco Vinuela, and I. Majzik, “A formal specifica-
tion method for PLC-based applications,” 2015.
[59] B. F. Adiego, D. Darvas, E. B. Viñuela, J.-C. Tournier, S. Bliudze,
J. O. Blech, and V. M. G. Suárez, “Applying model checking to
industrial-sized PLC programs,” IEEE Transactions on Industrial
Informatics, vol. 11, no. 6, pp. 1400–1410, 2015.
 18

[60] M. Hailesellasie and S. R. Hasan, “Intrusion detection in PLC- Jun Sun is currently a tenured professor at the
based industrial control systems using formal verification ap- School of Information Systems, Singapore Man-
proach in conjunction with graphs,” Journal of Hardware and Sys- agement University. He received bachelor’s and
tems Security, vol. 2, no. 1, pp. 1–14, 2018. Ph.D. degrees in computing science from the
[61] D. Bohlender and S. Kowalewski, “Compositional verification of National University of Singapore (NUS) in 2002
PLC software using horn clauses and mode abstraction,” IFAC- and 2006, respectively. From 2010 to 2019, he
PapersOnLine, vol. 51, no. 7, pp. 428–433, 2018. was an assistant/associate professor at the Sin-
[62] B. C. Rawlings, J. M. Wassick, and B. E. Ydstie, “Application of gapore University of Technology and Design. He
formal verification and falsification to large-scale chemical plant was a visiting scholar at MIT from 2011 to 2012.
automation systems,” Computers & Chemical Engineering, vol. 114, His research focuses on software engineering,
pp. 211–220, 2018. formal methods, program analysis, and cyber-
security. He is the co-founder of the PAT model checker.

Kun Wang received the B.S. degree in infor-

mation and computing sciences from Chongqing
University of Posts and Telecommunications of
China, in 2017. He received the M.Eng. degree
in Cyberspace Security from Xidian University
of China, in 2020. He is currently pursuing his
Ph.D degree with State Key Laboratory of In-
dustrial Control Technology, Group of Networked
Sensing and Control, Zhejiang University. His re-
search interests include control system security
and formal methods.

Jingyi Wang is currently a tenure-track assis-

tant professor at the College of Control Science
and Engineering, Zhejiang University, China. He
received his Ph.D. from Singapore University of
Technology and Design in 2018, and his bach-
elor’s degree in Information Engineering from
Xi’an Jiaotong University in 2013. He was a re-
search fellow at the School of Computing, Na-
tional University of Singapore during 2019-2020
and at Information Systems Technology and De-
sign Pillar, Singapore University of Technology Peng Cheng received the B.Sc. degree in au-
and Design during 2018-2019. His research interests include formal tomation and the Ph.D. degree in control science
methods, software engineering, cyber-security and machine learning. and engineering, from Zhejiang University, Hang
Zhou, China, in 2004 and 2009, respectively.
From 2012 to 2013, he worked as Research
Fellow in Information System Technology and
Design Pillar, Singapore University of Technol-
ogy and Design. He is currently a Professor with
Christopher M. Poskitt is an Associate Profes- the College of Control Science and Engineering,
sor of Computer Science (Education) at Singa- Zhejiang University, Hangzhou, China. His re-
pore Management University (SMU), where he search interests include networked sensing and
is part of the Centre for Research on Intelligent control, cyber-physical systems, and control system security.
Software Engineering. Prior to SMU, he held
postdoctoral research positions at ETH Zürich
and SUTD, and obtained his PhD in Computer
Science from the University of York (2014). His
research broadly addresses the problem of engi-
neering correct and secure software, especially
in the context of cyber-physical systems (e.g. in-
dustrial control systems, autonomous vehicles). In addition to software
engineering, his research interests span formal methods, cybersecurity,
and computer science education.

Xiangxiang Chen received the B.Eng. degree

in mechanical engineering from Xi’an Jiaotong
University, Xi’an, China in 2021. He is work-
ing toward the Ph.D degree in Cyberspace
Security at the IS2 Lab at School of Control
Science and Engineering, Zhejiang University,
Hangzhou, China. His research interests include
fuzzing and AI system testing.