Overview
ISA simulation is the use of an instruction-set-architecture simulator to model the functional behavior of a processor design. In processor fuzzing, the ISA simulator can act as a reference model: it mimics ISA-level operations, while an RTL simulator models the detailed microarchitecture implementation of the processor. [isa simulator reference model]
Role in differential testing
Hardware-domain differential testing adapts the software idea of comparing multiple implementations that share the same intended behavior. For processor fuzzing, the same instruction-stream input is fed to both an RTL simulator and a reference model (here, an ISA simulator). The RTL simulator executes the instruction stream on the detailed microarchitecture implementation, while the ISA simulator models only the processor's functional behavior. [hardware differential testing workflow]
A difference between the execution output of RTL simulation and ISA simulation is treated as an indication of a potential processor bug. [rtl isa mismatch bug signal]
Performance motivation
A concrete performance reference point: for the open-source RISC-V BOOM processor, ISA simulation is 79× faster than RTL simulation. This speed gap is what motivates using ISA simulation in fuzzing workflows, where many test inputs must be evaluated. [isa simulation speed]
Use in ProcessorFuzz
ProcessorFuzz proposes using the ISA simulator as part of a coverage-feedback mechanism to rapidly identify interesting test inputs and accelerate bug finding. The paper also describes ProcessorFuzz as a processor-fuzzing mechanism that uses a CSR-transition coverage metric and evaluates practicality on three open-source RISC-V processors. [processorfuzz isa feedback]
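The differential-testing workflow above and the CSR-transition feedback idea, as an added illustration that is not ProcessorFuzz's own code: two constructed commit traces (one standing in for the RTL simulator, one for the ISA simulator) are parsed into per-instruction architectural updates, compared in lock-step so that the first divergence is reported as the bug signal, and scanned for CSR value transitions that mark an input as interesting. The trace format, field names and values are assumptions made for this example.

```python
import re
from itertools import zip_longest
# Constructed commit traces, not real simulator output: one retired
# instruction per line, "pc=<hex> [rd=x<n>:<hex>] [csr=<name>:<hex>]".
RTL_TRACE = """\
pc=80000000 rd=x1:00000005
pc=80000004 csr=mstatus:00001800
pc=80000008 csr=mstatus:00000080
pc=8000000c rd=x3:ffffffff
"""
ISA_TRACE = """\
pc=80000000 rd=x1:00000005
pc=80000004 csr=mstatus:00001800
pc=80000008 csr=mstatus:00000080
pc=8000000c rd=x3:fffffffe
"""
LINE_RE = re.compile(r"pc=(?P<pc>[0-9a-f]+)(?: rd=(?P<rd>x\d+):(?P<rdv>[0-9a-f]+))?"
                     r"(?: csr=(?P<csr>\w+):(?P<csrv>[0-9a-f]+))?")

def parse_trace(text):
    # One dict per retired instruction; absent optional fields are dropped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        events.append({k: v for k, v in m.groupdict().items() if v is not None})
    return events

def first_mismatch(rtl_events, isa_events):
    # Lock-step compare; a differing or missing entry is the bug signal, None means agreement.
    for i, (r, s) in enumerate(zip_longest(rtl_events, isa_events)):
        if r != s:
            return {"index": i, "rtl": r, "isa": s}
    return None

def csr_transitions(events):
    # Set of (csr, old, new) transitions; "reset" stands in for the value before the first write.
    state, seen = {}, set()
    for e in events:
        if "csr" in e:
            seen.add((e["csr"], state.get(e["csr"], "reset"), e["csrv"]))
            state[e["csr"]] = e["csrv"]
    return seen

def is_interesting(events, known):
    # Coverage feedback: keep the input when it drives a CSR transition not yet in `known`.
    new = csr_transitions(events) - known
    known |= new
    return bool(new)
```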
ProcessorFuzz further reports that the tool revealed eight new bugs in widely used open-source processors and one new bug in a reference model. [processorfuzz bug findings]