Fuzzing VexRiscv

[TobiasKovats]

Hello!

I have implemented a hardware fuzzer and am currently trying to fuzz the VexRiscv core. I have noticed that the core seems to ignore my inputs during the first few hundred (approx 250) cycles after reset. Is there some cache flushing procedure that is evoked after reset that might be causing this? And if yes, is there a way to disable it?

Thanks,

Tobias

[Dolu1990]

Hi,

Yes, after reset, the instruction cache and data cache will be initialized by a little FSM. No way to disable it as it is required for proper operations of the core, unless you can deal with a non-funtional core (for test purpose ?) You use the cached version of the core right ?

What is a hardware fuzzer ?

[TobiasKovats]

Hi,

thanks for your quick reply! Yes I am using the cached version of the core. For test purposes it would be interesting to disable it if possible. The idea of a hardware fuzzer is to find bugs in the design in an automated manner by applying various inputs and observing the behaviour of the DUT and comparing it to a golden model. The inputs are constructed to maximise a 'coverage' metric that represents how well the state space of the design is explored with a set of inputs. Coverage is obtained by instrumenting the DUT in a certain manner to allow coverage measurement and collec feedback during runtime. Here a a few publications if interested:

https://people.eecs.berkeley.edu/~ksen/papers/rfuzz.pdf https://www.bsg.ai/papers/Hardware_Fuzzing_DAC_2021.pdf https://arxiv.org/abs/2102.02308

Thanks,

Tobias

[bunnie]

Ironically I had the exact opposite problem you had (I definitely need the flush to make sure I have a deterministic state on boot).

I believe the bit that controls it is here:

https://github.com/SpinalHDL/VexRiscv/blob/c52433575dec04f10063b2fd7cebd0545c8b1be9/src/main/scala/vexriscv/ip/InstructionCache.scala#L328

If you set the RegInit to false, I bet it won't do a flush on boot. In which case, you will have to "cheat" and make sure your tags are initialized to 0 (which is not a thing you can do with physically real 6-T SRAM cells).

[TobiasKovats]

Very interesting, thanks for the hint! I will definitely have a look!

[Dolu1990]

Ahh nice ^^ The other one is on the d$ : https://github.com/SpinalHDL/VexRiscv/blob/c52433575dec04f10063b2fd7cebd0545c8b1be9/src/main/scala/vexriscv/ip/DataCache.scala#L853

Initialized to zero will make it flush the cache. init(1 << lineRange.size) instead should do the trick, + you also need to initialize the tags of the cache another way.

[TobiasKovats]

Great, thanks a lot for your help!