Frama-PLC - Check List
Authors: | P. Baudin and F. Bobot |
Institute: | CEA-List, Université Paris-Saclay - Software Safety and Security Lab |
License: | Creative Commons Attribution-ShareAlike 4.0 International |
Copyright | (C) 2019-2022, CEA LIST |
Frama-PLC: A Static Analyser of Source Code for Programmable Logic Controllers
CHECK LIST
Syntactical checks are reported during the first analysis phase of the tool whereas the semantic checks are reported by Frama-C tool during the second phase.
E0 - Information
E0.1 - Log messages
Warns when parsing unknown xml tag elements.
E2 - Inadequate Types (syntactical check)
E2.1 - Equalities and inequalities between durations or reals
Warns on the use of equality =
and inequality <>
comparisons between durations or reals. Even if the duration type TIME
can be seen as an integer by EcoStruxure, such a comparison may be inadequate.
Note: - once a duration is converted into an integer using, for example, time_to_dint
, the checker cannot complain any more. Idem for the use of real_to_dint
. So, the tool can warn (not yet implemented) on the use of such a conversion function.
E2.2 - Rising and falling edge detections on non-EBOOL variables
Warns on the use of edge detections on on non-EBOOL variables
E4 - Constant expressions (syntactical & semantic check)
E4.1 - Expression that has always the same value (semantics)
Warns on expressions of the generated C code that have always the same value (this value is given by Frama-C).
E4.2 - Section activation variable that has always the same value (semantics)
Warns on section activation variables (leading to executions of section code) that have always the same value (this value is given by Frama-C) during their evaluations.
E4.3 - Transition that has always the same value (semantics)
Warns on transition variables (leading step transitions of Grafcets) that have always the same value (this value is given by Frama-C) during their evaluations.
E4.4 - Approximated floating-point constant (syntactical)
Warns on floating-point constant that cannot be represented exactly in a single decimal point floating number (32 bit format of ANSI/IEEE 754 standard).
E5 - Inadequate interfaces (syntactical & semantic check)
E5.1 - Missing uninitialized inputs (syntactical)
Warns on missing inputs of instance variables that are not assigned nor initialized.
E5.2 - Missing inputs having their own initialization (syntactical)
Warns on missing inputs of instance variables that are not assigned but have their own initialization.
Note: the initialization can be specified by the initial value of the instance variables or else from the data type definition of these instance variables.
E5.3 - Unused outputs (syntactical)
Warns on unused outputs of instance variables when all of them are not connected nor read by program statements.
E5.4 - Common inputs of the tasks MAST and FAST (semantics)
Lists the common inputs of the task Mast
and Fast
.
E5.5 - Common outputs of the tasks MAST and FAST (semantics)
Lists the common outputs of the task Mast
and Fast
.
E5.6 - Outputs of the task MAST read by the task FAST (semantics)
Lists the outputs of the task Mast
read by the task Fast
.
E5.7 - Outputs of the task FAST read by the task MAST (semantics)
Lists the outputs of the task Fast
read by the task Mast
.
E5.8 - Variable accesses outside authorized sections (syntactical)
Warns on variable accesses performed outside the authorized sections. The acceptable accesses can be specified through the configuration file. By defaut, all variable accesses are considered as acceptable by all sections.
E5.9 - Multiple writing (syntactical)
Warns on variables writen in multiple locations.
Note: imprecise access modes can be obtained when using anonymous parameters in ST function calls. In such a case, the Frama-PLC considers a Rd/Wr access to these parameters.
E6 - Inadequate variable declarations (syntactical check)
E6.1 - Use of direct variables
Warns on the direct uses of direct variables (names starting with a %
)
E6.2 - Incomplete reserve
Warns on global variables that - contain a reserve
or réserve
sub-string contradicting its comment; - do not contain a reserve
or réserve
sub-string, contradicting its comment.
Note: - these checks are case insensitive.
E7 - Dead code (semantic check)
E7.1 - Unreached Grafcet steps
Warns on Grafcet steps that are never reached.
Note: - the tool does not warn for steps of a Grafcet section that is always disable (that case is reported under reference E7.2).
E7.2 - Main code never executed
Warns on sections, transitions, subroutines and instances (their full code) that are never executed.
Note: - the tool does not warn for transitions outgoing from a Grafcet step that is unreachable (that case is reported under reference E7.1).
E7.3 - Piece of code never executed
Warns on sections, transitions, subroutines and instances containing a piece of C code that is never executed.
E8 - Inadequate Logics (syntactical)
E8.1 - Inadequate uses of labels and jumps
Warns on backward and forward LD jumps. Warns also on labels without any jump to them and on jumps to an undefined label.
E8.2 - Non consecutive set/reset coils
Between two set/reset coils involving the same global variable, no other coils are allowed. The tool warns in such a case.
But, when the two concerned coils are different (a set coil and reset one), the tool does not warn if the distance between them is lesser or equal to 25 LD raws.
The tool warns also when there is set coils without near reset and vice versa.
In the same maner, the tool warns also when there is set coils with faraway reset and vice versa.
E9 - Loop constructs (syntactical)
E9.1 - Use of loop statements
Warns on FOR
, WHILE
, REPEAT
, CONTINUE
and EXIT
constructs.
A specific warning is given for WHILE
and REPEAT
loop when the loop condition use an equality test.
E11 - Coding Rules (syntactical and semantic check)
E11.1 - Uncommented (syntactical check)
Warns on the absence of comments for global variables except when they have an owner
attribute (related to E11.1).
E11.2 - Empty statement (syntactical check)
Warns on empty - ladder (for SFC transitions, instances and sections) - ST blocks
E11.3 - Scanning order rule (semantic check)
Warns on invalid execution order of the sections of the tasks MAST
and FAST
.
Note: for each section, a message referenced Info.E11.3
informs whether the section performs read and write accesses to the I/O.
E11.4 - Hazardous comment tags/unclosed (syntactical check)
Warns on unclosed comments or comments (in ST code) using opening or closing comment tags in order to prevent about the way nested comments are implemented as specified by the norm ISO 61131-3 (allowing nested comments) or not.
For example, according to the norm ISO 61131-3, this code contents only comment using two lines:
(* x:=0; (* this is (* a nested comment *)
x:=1; // that is closed by this next comment tag *)
E11.5 - Statements into comments (syntactical check)
Warns on comments containing ST statements
E11.6 - Use of pragma
Warns on the use of pragma notation in ST code.
E12 - Naming rules
Warns on identifier names that do not comply with the dedicated naming rule.
This is performed by defining regular expressions and the names must match the dedicated regular expression. Dedicated checks on the length of these identifiers are also performed.
These naming rules apply to the following identifiers: - functional entities - MAST and FAST sections - global variables - instance variables (name once instantiated) - subroutines
Notes: - the required intervals for the length of these identifiers are modifiable; - theses checks are not case sensitive; - the same kind of checks could be performed for the following identifiers: * instance types (name before the instantiation - not yet implemented) * formal parameters of instance (not yet implemented) * activation variables of sections (not yet implemented) * transition variables (not yet implemented) * state variables (not yet implemented) * variable types (from the name of the variable - not yet implemented)
Regular expressions are defined using the following usual constructs: - exp*
matches the expression zero, one or several times - exp+
matches the expression one or several times - exp?
matches the expression once or not at all - .
matches any characters - [ chars ]
matches one of these characters; ranges are denoted with -
, as in ['a'-'z']
- exp1 | exp2
alternative between two expressions - ( exp )
groups the enclosed expression
The common definitions of the regular expressions used into the next subsections are:
space = [' ' '\t']
digit = ['0'-'9']
letter = ['a'-'z']
alpha = digit | letter
ident = letter ('_' | alpha)*
alpha_ident = alpha ('_' | alpha)*
let fr_charset = "ç"|"à"|"â"|"é"|"è"|"ê"|"ë"|"î"|"ï"|"ô"|"û"|"ù"|"ü"|"œ"|"æ"
let fr_letter = letter | fr_charset
let fr_alpha = digit | fr_letter
let fr_ident = fr_letter (underscore | fr_alpha)*
let fr_word = ('_' | fr_alpha)+
let fr_text = fr_word (space fr_word)*
Note: ’ denotes the tabular character
E12.1 - Functional entity rule
The entity names must match the entity_name
regular expression:
entity_prefix1 = "ef"
entity_prefix2 = "e" "f"?
entity_number = digit digit digit?
entity_posfix1 = space+ '-' space+ fr_text
entity_posfix2 = '_' fr_ident
entity_name =
| entity_prefix1 entity_number entity_posfix1
| entity_prefix2 entity_number entity_posfix2
For exemple, the entity name EF00 - Entrées Sorties
matches the first rule whereas E22_Général
matches the second.
There is no constraint on the length of these names (but they cannot be empty).
But, for the entity names used in the application, the entity numbers are extracted from the entity_number
part of the regular expression. These numbers are used as reference for other checks.
E12.2 - Section rule
The MAST and FAST section names must match the section_name
regular expression and their length must be in the interval [10..[
:
instance_name = ident
Note: - there is no check of the upper bound of their length.
E12.3 - Global variable rule
Global variable names must match the global_variable_name
regular expression and their length must be in the interval [5..32]
:
variable_prefix1 = "e"
variable_prefix2 = "i"|"q"|"ia"|"qa"
variable_type1 = "e"|"m"|"s"|"ea"|"ed"|"sa"
variable_type2 = '_' ("mes"|"tab")
variable_element1 = "calc"? ("r"|"rot"|"g"|['x' 'y' 'z']['1'-'3']?)+
variable_element2 = "ack_trf_tab"|"ok_trf_tab"
|"adr"|"bab"|"bit"|"cab"|"com"|"cpt"|"data"|"def_com"
|"def_mesure"|"ech"|"mem"|"mm"|"nb_mesure"|"er_rack"
|"etat_mesure"|"start"|"t"|"tgv"|"valeur"|"y"|"zx_tab_mesure"
|("mv_sq" digit)|("sq" digit?)
variable_postfix =
| variable_element1 '_' alpha_ident
| variable_element2 '_' alpha_ident
global_variable_name =
| variable_prefix1 entity_number variable_type1? "_reserve"? '_' variable_postfix
| variable_prefix1 entity_number variable_type2? "_reserve"? '_' variable_postfix
| variable_prefix2 variable_type2? "_reserve"? '_' variable_postfix
For global variables matching the prefix variable_prefix1
, the entity_number
part must be referenced in the used entity numbers of the application.
E12.4 Instance variable rule
Instance variable names (after instantiation) must match the instance_name
regular expression and their length must be in the interval [5..32]
:
instance_name = ident
E12.5 - Subroutine rule
Subroutine names must match the subroutine_name
regular expression and their length must be in the interval [5..32]
:
subroutine_prefix = "e"
subroutine_kind1 = "sr"
subroutine_kind2 = "msg"|"raz"
subroutine_postfix = ident
subroutine_name =
| subroutine_prefix entity_number '_' subroutine_kind1 '_' subroutine_postfix
| subroutine_prefix entity_number '_' subroutine_kind2 '_' subroutine_postfix
The entity_number
part must be referenced in the used entity numbers of the application.
E12.6 - External function rule
External function names must match the function_name
regular expression and their length must be in the interval [1..[
:
function_name = ident
E13 - Various Frama-C Properties (syntactical and semantic checking)
E13.1 - Various ACSL properties
Warns of various possible errors (related to ACSL properties) identified by Frama-C
.
E13.2 Exclusive aspect of the diverging conditions from a step to OR branches
Reports the unproved assertions ensuring the fact that transition conditions from a step are exclusive.
Notes:
the name of these
assert
properties has the formexclusive_OR_branch_from_step__<sfc-step-name>
;in order to ease this verification, some other properties of the C code are added. The verification of these properties is also performed and may fail even if they are
true
by construct since they give the semantic of the named transitions or Grafcet. The name of these properties has the form:helper_for_sfc_state__<sfc-name>
;helper_for_transitions__<sfc-transition-name>
.
E13.3 - Run-time errors
Warns of possible run-time errors identified by the Eva
plug-in of Frama-C
.
Note: the name of these properties has the form Eva: <RTE-kind>:
.