Overview
RISC-V instructions currently have two valid lengths: 16 bits for compressed instructions and 32 bits for all other instructions. The cited MorFuzz paper presents 15 RISC-V instruction formats, each made up of multiple fields. [Instruction lengths and formats]
Instruction length and format decoding
For 32-bit RISC-V instructions, the instruction format is determined by the opcode field. For 16-bit compressed instructions, the format is determined by the op and funct fields. The lower two bits of the opcode field, together with the op field, determine instruction length; the funct fields and the remaining bits of the opcode field determine the opcode type. [Encoding determinants]
The paper distinguishes two categories of instruction fields:
- Opcode-related fields: funct and opcode fields determine the instruction operation, also called the opcode. Instructions with similar functions typically share the same opcode field and are distinguished by funct fields. [Field categories]
- Operand-related fields: imm and rs fields provide operands. rs fields select source registers, imm fields provide immediate numbers, and rd fields control the destination register to which the instruction result is written back. [Field categories]
Instruction formats shown in the evidence
The RISC-V formats shown in the evidence include six 32-bit formats and nine compressed formats. The 32-bit formats shown are R, I, S, B, U, and J. The compressed formats shown are CR, CI, CSS, CIW, CL, CS, CA, CB, and CJ. [Instruction formats list]
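The length rule, the opcode-to-format mapping and the two field categories described above, as an added example that is not code from the MorFuzz paper or its prototype: a decoder that classifies a word by its low two bits, maps 32-bit opcodes to the R, I, S, B, U and J formats, and extracts the opcode-related and operand-related fields. The opcode table (base RV32I/RV64I opcodes only) and the names decode, insn_length, bits and sext are assumptions of this example; compressed words are identified by length and op only.

```python
# Added example. The opcode table covers only RV32I/RV64I base opcodes (an
# assumption of this sketch); compressed words are reported by length and op only.
FORMAT_BY_OPCODE = {
    0x33: "R", 0x3B: "R",                                            # OP, OP-32
    0x13: "I", 0x1B: "I", 0x03: "I", 0x67: "I", 0x73: "I", 0x0F: "I",
    0x23: "S", 0x63: "B", 0x37: "U", 0x17: "U", 0x6F: "J",
}

def bits(word, hi, lo):
    """Unsigned value of word[hi:lo], both ends inclusive."""
    return (word >> lo) & ((1 << (hi - lo + 1)) - 1)

def sext(value, width):
    """Sign-extend a width-bit two's-complement value."""
    return value - (1 << width) if value & (1 << (width - 1)) else value

def insn_length(halfword):
    """Low two bits 0b11 select the 32-bit encoding; other values are 16-bit."""
    return 4 if (halfword & 0b11) == 0b11 else 2

def decode(word):
    """Split one instruction word into length, format and fields."""
    if insn_length(word) == 2:
        return {"length": 2, "op": bits(word, 1, 0)}
    fmt = FORMAT_BY_OPCODE.get(bits(word, 6, 0))
    d = {"length": 4, "opcode": bits(word, 6, 0), "format": fmt}
    if fmt is None:                      # opcode outside this sketch's table
        return d
    if fmt in ("R", "I", "U", "J"):      # formats that write a destination
        d["rd"] = bits(word, 11, 7)
    if fmt in ("R", "I", "S", "B"):
        d["funct3"], d["rs1"] = bits(word, 14, 12), bits(word, 19, 15)
    if fmt in ("R", "S", "B"):
        d["rs2"] = bits(word, 24, 20)
    if fmt == "R":
        d["funct7"] = bits(word, 31, 25)
    elif fmt == "I":
        d["imm"] = sext(bits(word, 31, 20), 12)
    elif fmt == "S":
        d["imm"] = sext(bits(word, 31, 25) << 5 | bits(word, 11, 7), 12)
    elif fmt == "B":                     # branch offset bits are scattered
        d["imm"] = sext(bits(word, 31, 31) << 12 | bits(word, 7, 7) << 11
                        | bits(word, 30, 25) << 5 | bits(word, 11, 8) << 1, 13)
    elif fmt == "U":
        d["imm"] = sext(word & 0xFFFFF000, 32)
    else:                                # J: jump offset bits are scattered too
        d["imm"] = sext(bits(word, 31, 31) << 20 | bits(word, 19, 12) << 12
                        | bits(word, 20, 20) << 11 | bits(word, 30, 21) << 1, 21)
    return d
```

An instruction generator that mutates only the operand-related keys of such a decoded record and re-encodes it keeps the operation unchanged, which is why the opcode/operand split matters for test generation.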
Role in processor verification
The evidence places RISC-V instruction formats in the context of processor verification. A typical simulation-based verification workflow randomly generates instruction streams based on constraints or coverage, translates processor RTL into a software model using an RTL simulator, compiles that model with a test harness into a host executable binary, and executes the simulation. Correctness is then checked by comparing the externally visible architectural state of the device under test with a golden reference model that executes the same input. [Processor verification workflow]
Use by MorFuzz
MorFuzz implemented a prototype on the RISC-V architecture and evaluated it on three real-world open-source processors: CVA6, Rocket, and BOOM. The evaluated processors covered microarchitectures ranging from simple in-order cores to complex out-of-order superscalar cores. [MorFuzz RISC-V implementation]
In that evaluation, MorFuzz achieved up to 4.4× more state coverage than DifuzzRTL and 1.6× more state coverage than riscv-dv. It also reached the coverage that DifuzzRTL achieved in 24 hours in about 30 minutes, reached the coverage that riscv-dv achieved in 24 hours in about 2.4 hours, and identified 17 new bugs, 13 of which were assigned CVE numbers. [MorFuzz evaluation results]