Awesome

DifuzzRTL: Differential Fuzz Testing to Find CPU Bugs

Introduction

DifuzzRTL is a differential fuzz testing approach for CPU verification. We introduce new coverage metric, register-coverage, which comprehensively captures the states of an RTL design and correctly guides the input generation. DifuzzRTL automatically instruments register-coverage, randomly generates and mutates instructions defined in ISA, then cross-check against an ISA simulator to detect bugs. DiFuzzRTL is accepted at IEEE S&P 2021 (paper)

Setup

Prerequisite

Please install the correct versions!

1. sbt for FIRRTL

2. verilator for RTL simulation (v4.106)

3. cocotb for RTL simulation (1.5.2)

4. riscv for RISC-V instruction mutation (2021.04.23)

Instructions

• For RTL simulation using verilator

git clone https://github.com/compsec-snu/difuzz-rtl
cd DifuzzRTL
git checkout sim

. ./setup.sh

Instrumentation

cd firrtl
sbt compile; sbt assembly
./utils/bin/firrtl -td regress -i regress/<target_fir> -fct coverage.regCoverage -X verilog -o <output_verilog>

target_fir: Firrtl file to instrument
output_verilog: Output verilog file

Run

cd Fuzzer
make SIM_BUILD=<build_dir> VFILE=<target> TOPLEVEL=<topmodule> NUM_ITER=<num_iter> OUT=<outdir>

SIM_BUILD: Directory for RTL simulation binary build by cocotb
VFILE: Target RTL design in DifuzzRTL/Benchmarks/Verilog/
(e.g., RocketTile_state, SmallBoomTile_v_1.2_state, SmallBoomTile_v1.3_state)
TOPLEVEL: Top-level module
(e.g., RocketTile or BoomTile)
NUM_ITER: Number of fuzzing iterations to run
OUT: Output directory
RECORD: Set 1 to record coverage log
DEBUG: Set 1 to print debug messages