DifuzzRTL: Differential Fuzz Testing to Find CPU Bugs

Introduction

DifuzzRTL is a differential fuzz testing approach for CPU verification. We introduce new coverage metric, register-coverage, which comprehensively captures the states of an RTL design and correctly guides the input generation. DifuzzRTL automatically instruments register-coverage, randomly generates and mutates instructions defined in ISA, then cross-check against an ISA simulator to detect bugs. DiFuzzRTL is accepted at IEEE S&P 2021 (paper)

Setup

Prerequisite

Please install the correct versions!

sbt for FIRRTL

verilator for RTL simulation (v4.106)

cocotb for RTL simulation (1.5.2)

riscv for RISC-V instruction mutation (2021.04.23)

Instructions

For RTL simulation using verilator

git clone https://github.com/compsec-snu/difuzz-rtl
cd DifuzzRTL
git checkout sim

. ./setup.sh

Instrumentation

cd firrtl
sbt compile; sbt assembly
./utils/bin/firrtl -td regress -i regress/<target_fir> -fct coverage.regCoverage -X verilog -o <output_verilog>

target_fir: Firrtl file to instrument
output_verilog: Output verilog file

Run

cd Fuzzer
make SIM_BUILD=<build_dir> VFILE=<target> TOPLEVEL=<topmodule> NUM_ITER=<num_iter> OUT=<outdir>

SIM_BUILD: Directory for RTL simulation binary build by cocotb
VFILE: Target RTL design in DifuzzRTL/Benchmarks/Verilog/
(e.g., RocketTile_state, SmallBoomTile_v_1.2_state, SmallBoomTile_v1.3_state)
TOPLEVEL: Top-level module
(e.g., RocketTile or BoomTile)
NUM_ITER: Number of fuzzing iterations to run
OUT: Output directory
RECORD: Set 1 to record coverage log
DEBUG: Set 1 to print debug messages

About

BSD 3-Clause "New" or "Revised" License

Languages

Language:Verilog 84.9%Language:Scala 6.6%Language:C 5.5%Language:C++ 1.6%Language:Python 0.6%Language:TeX 0.3%Language:Assembly 0.2%Language:Makefile 0.1%Language:Shell 0.1%Language:M4 0.0%Language:ANTLR 0.0%Language:Dockerfile 0.0%Language:LLVM 0.0%Language:SystemVerilog 0.0%