riscv64-unknown-elf-gcc -march=rv64g -mabi=lp64 -static -mcmodel=medany -fvisibility=hidden -nostdlib -nostartfiles -I Fuzzer1/Template/include -I /usr/include -T Fuzzer1/Template/include/link.ld -I Fuzzer1/Template/include/p output/.input_1_copy.S -o output/.input_1_copy.elf

elf2hex --bit-width 64 --input output/.input_1_copy.elf --output output/.input_1_copy.hex

DifuzzRTL is a differential fuzz testing approach for CPU verification. We introduce new coverage metric, register-coverage, which comprehensively captures the states of an RTL design and correctly guides the input generation. DifuzzRTL automatically instruments register-coverage, randomly generates and mutates instructions defined in ISA, then cross-check against an ISA simulator to detect bugs. DiFuzzRTL is accepted at IEEE S&P 2021 (paper)

Please install the correct versions!

1. sbt for FIRRTL

2. verilator for RTL simulation (v4.106)

3. cocotb for RTL simulation (1.5.2)

4. riscv for RISC-V instruction mutation (2021.04.23)

• For RTL simulation using verilator

git clone https://github.com/compsec-snu/difuzz-rtl
cd DifuzzRTL
git checkout sim

. ./setup.sh

cd firrtl
sbt compile; sbt assembly
./utils/bin/firrtl -td regress -i regress/<target_fir> -fct coverage.regCoverage -X verilog -o <output_verilog>

target_fir: Firrtl file to instrument
output_verilog: Output verilog file

cd Fuzzer
make SIM_BUILD=<build_dir> VFILE=<target> TOPLEVEL=<topmodule> NUM_ITER=<num_iter> OUT=<outdir>

SIM_BUILD: Directory for RTL simulation binary build by cocotb
VFILE: Target RTL design in DifuzzRTL/Benchmarks/Verilog/
(e.g., RocketTile_state, SmallBoomTile_v_1.2_state, SmallBoomTile_v1.3_state)
TOPLEVEL: Top-level module
(e.g., RocketTile or BoomTile)
NUM_ITER: Number of fuzzing iterations to run
OUT: Output directory
RECORD: Set 1 to record coverage log
DEBUG: Set 1 to print debug messages