cascade-artifacts-designs / cascade-meta


RFuzz on Verilog #11

Open enfreck opened 2 weeks ago

enfreck commented 2 weeks ago

I need to use RFuzz on Verilog and know you all built out a way to do that. Are there instructions on how to run this capability?

TobiasKovats commented 2 weeks ago

Hi!

You can find the Yosys instrumentation passes for RFUZZ here, see the tcl script for how they are used. The fuzzing engine is built as a Verilator test bench and available here. Running make run_drfuzz_notrace in the respective design directories, e.g. here should instrument the SV design sources, compile them together with the fuzzing engine and run the resulting binary. Let me know if you need further instructions.

Greetings,

Tobias

enfreck commented 4 days ago

I've been able to get your re-implementation of RFuzz up and running and have been messing with it for a while. I noticed that it will quit by itself within about 5 minutes for every core I've been working with this on. It looks like an input gets popped off the corpus even once it has been determined as coverage-increasing, so it can no longer be mutated to find additional coverage. Is this expected behavior? One of my cores only generates one interesting input before it quits.

TobiasKovats commented 1 day ago

Hi! Could you please share the command line output? Coverage-increasing inputs should be added to the corpus (see this line). However, please note that RFUZZ might struggle to generate interesting inputs for more complex cores and quit after running all mutations when none has been found to be coverage-increasing.

enfreck commented 22 hours ago

Hey! I saw that coverage-increasing inputs are added to the corpus; however, the input is popped off the queue (line 83) and never pushed back on. From my understanding of the AFL corpus, things aren't used just once - rather, inputs are added and then might be culled if there's another input(s) that finds the same coverage as others, but faster. I just wanted to make sure that removing inputs is expected behavior in the reimplementation.

The output of the core that only gets one coverage-increasing input is below. I was just expecting the inputs in the queue to be added back as they got popped off because some of the mutations are random.

***SEED***
INPUT:
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
OUTPUT: 
001000001000010000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
001000000000010000000010000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000100000000000000000000000000000000000000010000000000100
ACCUMULATED OUTPUT:
000000001000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
COVERAGE:
2
Timestamp start: 1728848717511
**********
***CORPUS***
Running mutator det bitflip 1/1
Toggled 1 new coverage point(s) 
Timestamp toggle: 1728848717512
New total coverage: 3
000000001000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000
Running mutator det bitflip 2/1
Running mutator det bitflip 4/1
Running mutator det bitflip 8/8
Running mutator det bitflip 16/8
Running mutator det bitflip 32/8
Running mutator det arith 8/8
Running mutator det arith 16/8
Running mutator det arith 32/8
Running mutator rand bitflip 1/1
Running mutator rand arith 8/8
Running mutator rand arith 16/8
Running mutator rand arith 32/8
Running mutator rand interest 8
Running mutator rand interest 16
Running mutator rand interest 32
Running mutator rand random 8
Running mutator delete
Running mutator clone
Running mutator overwrite
Running mutator det bitflip 1/1
Running mutator det bitflip 2/1
Running mutator det bitflip 4/1
Running mutator det bitflip 8/8
Running mutator det bitflip 16/8
Running mutator det bitflip 32/8
Running mutator det arith 8/8
Running mutator det arith 16/8
Running mutator det arith 32/8
Running mutator rand bitflip 1/1
Running mutator rand arith 8/8
Running mutator rand arith 16/8
Running mutator rand arith 32/8
Running mutator rand interest 8
Running mutator rand interest 16
Running mutator rand interest 32
Running mutator rand random 8
Running mutator delete
Running mutator clone
Running mutator overwrite
Timestamp stop: 1728848717911
**********
RFUZZ max possible coverage: 204
RFUZZ achieved coverage: 3
RFUZZ total number of cycles: 
620532
RFUZZ final coverage map: 
000000001000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000

TobiasKovats commented 10 hours ago

Hi! This is expected behaviour in the reimplementation. Let me know if you have any further questions.