INSTILLER: Towards Efficient and Realistic RTL Fuzzing

Gen Zhang, Pengfei Wang, Tai Yue, Danjun Liu, Yubei Guo, Kai Lu

TL;DR

Hardware bugs in CPUs must be detected before deployment, but RTL fuzzing faces challenges from growing input lengths and unrealistically simple interruption handling. Instiller introduces input instruction distillation via a variant of ant colony optimization (VACO), along with realistic interruptions and hardware-aware seed selection and mutation, to deliver efficient and realistic RTL fuzzing. Across four real-world RTL cores, Instiller achieves higher coverage, shorter inputs, more mismatches, and modest speedups compared with state-of-the-art fuzzers, driven by VACO and hardware-oriented strategies. The work demonstrates that combining differential testing, ACO-based distillation, and hardware-aware fuzzing significantly improves the practicality and effectiveness of RTL fuzzing for CPU verification.

Abstract

Bugs exist in hardware, such as CPUs. Unlike software bugs, these hardware bugs need to be detected before deployment. Previous fuzzing work in CPU bug detection has several disadvantages, e.g., the length of RTL input instructions keeps growing, and longer inputs are ineffective for fuzzing. In this paper, we propose INSTILLER (Instruction Distiller), an RTL fuzzer based on ant colony optimization (ACO). First, to keep the input instructions short and efficient for fuzzing, it distills them with a variant of ACO (VACO). Next, related work cannot simulate realistic interruptions well in fuzzing, and INSTILLER solves the problem of inserting interruptions and exceptions when generating the inputs. Third, to further improve the fuzzing performance of INSTILLER, we propose hardware-based seed selection and mutation strategies. We implement a prototype and conduct extensive experiments against state-of-the-art fuzzing work on real-world target CPU cores. In experiments, INSTILLER achieves 29.4% more coverage than DiFuzzRTL. In addition, 17.0% more mismatches are detected by INSTILLER. With the VACO algorithm, INSTILLER generates 79.3% shorter input instructions than DiFuzzRTL, demonstrating its effectiveness in distilling the input instructions. In addition, the distillation leads to a 6.7% increase in execution speed on average.

Paper Structure (35 sections, 5 equations, 12 figures, 15 tables, 3 algorithms)

Figures (12)

  • Figure 1: Example of the effectiveness of multi-interruption and exception hardware fuzzing.
  • Figure 2: Percentages of HDL line coverage and bugs of Instiller, DiFuzzRTL, and RFuzz related to multiple interruptions and exceptions.
  • Figure 3: Overview of the basic procedures in Instiller, including VACO, seed selection and mutation, and verilator.
  • Figure 4: Fuzzing procedures of Instiller, where the colored parts are the newly proposed mechanisms compared with traditional fuzzing.
  • Figure 5: Example of the relationships between instructions, where the three instructions all operate on the same register.