SurgeFuzz is a directed fuzzing method for RISC-V CPU designs. It can efficiently verify specific corner cases with user annotations.
- Docker is installed.
- Docker daemon is running.
Before running the fuzzing process, you first need to clone the repository and move to the directory:
git clone https://github.com/shioya-lab-public/surgefuzz.git
cd surgefuzz
The fuzzing process runs inside a Docker container. To build a Docker image and run the fuzzing, execute the following command:
make TARGET_CORE=rsd ANNOTATION=load_queue_max
By setting the variables TARGET_CORE
and ANNOTATION
described below, you can run fuzzing for a specific configuration. For example, the command make TARGET_CORE=rsd ANNOTATION=load_queue_max
sets the target CPU to rsd
and annotation to load_queue_max
to run fuzzing.
TARGET_CORE
specifies the target CPU for fuzzing.
The currently available CPUs are as follows:
rsd
: RSD: RISC-V Out-of-Order Superscalar Processorboom
: SonicBOOM: The Berkeley Out-of-Order Machinenaxriscv
: NaxRiscv
ANNOTATION
specifies an annotation for the target CPU of fuzzing.
For each CPU, the currently available annotations are as follows:
rsd
exception
: Frequent exceptionsschedule_state_stall
: Stall the scheduler longermshr_busy
: Keep MSHR busy longerload_queue_max
: High load queue usagestore_queue_max
: High store queue usagereplay_queue_max
: High replay queue usage
boom
ldq_full
: Frequently fill the load queuestore_blocked
: Block store commits longer
naxriscv
branch_miss
: Frequent branch prediction missesdcache_conflict
: Frequent data cache way conflictslq_usage
: High load queue usagesq_usage
: High store queue usage
If you want to change the execution time for fuzzing, specify TIMEOUT_SEC
.
For example, to set a timeout of 3600 seconds, use:
make TARGET_CORE=rsd ANNOTATION=load_queue_max TIMEOUT_SEC=3600
The fuzzing results are displayed in the following format in the standard output within the container. For each fuzzing cycle, the achieved surge score and the highest surge score achieved up to that cycle are displayed:
[fuzz_cycle: 1], [current surge score: 0], [max surge score: 0]
[fuzz_cycle: 2], [current surge score: 0], [max surge score: 0]
[fuzz_cycle: 3], [current surge score: 0], [max surge score: 0]
[fuzz_cycle: 4], [current surge score: 0], [max surge score: 0]
[fuzz_cycle: 5], [current surge score: 2], [max surge score: 2]
[fuzz_cycle: 6], [current surge score: 2], [max surge score: 2]
[fuzz_cycle: 7], [current surge score: 2], [max surge score: 2]
[fuzz_cycle: 8], [current surge score: 2], [max surge score: 2]
[fuzz_cycle: 9], [current surge score: 2], [max surge score: 2]
...
[fuzz_cycle: 318], [current surge score: 6], [max surge score: 10]
[fuzz_cycle: 319], [current surge score: 4], [max surge score: 10]
[fuzz_cycle: 320], [current surge score: 5], [max surge score: 10]
[fuzz_cycle: 321], [current surge score: 2], [max surge score: 10]
[fuzz_cycle: 322], [current surge score: 10], [max surge score: 10]
[fuzz_cycle: 323], [current surge score: 6], [max surge score: 10]
[fuzz_cycle: 324], [current surge score: 10], [max surge score: 10]
[fuzz_cycle: 325], [current surge score: 7], [max surge score: 10]
[fuzz_cycle: 326], [current surge score: 10], [max surge score: 10]
[fuzz_cycle: 327], [current surge score: 7], [max surge score: 10]
Detailed results are stored in the /workdir directory within the Docker container.
SurgeFuzz is released under the Apache License, Version 2.0.
If you have any problems or questions, please contact us at sugiyama [at] rsg.ci.i.u-tokyo.ac.jp.