RISC-V ISA
ConceptThe supplied evidence treats the RISC-V ISA as the open, modular architectural contract for verifying processor implementations and as a base for proposed extensions. Verification approaches include SystemC co-simulation with an ISS reference, RISCV-DV random instruction generation against Spike, ProcessorFuzz with CSR-transition feedback, and MorFuzz with runtime instruction morphing. The evidence also discusses the modular ISA profile notation (RV64GC, RV64GCHX, RV64GCX, RV32IMF), the role of CSRs and WARL fields, several real-world RISC-V cores (Rocket, CVA6, BOOM, Hornet), and proposed ISA extensions for load-acquire/store-release synchronization and GPGPU/3D-graphics support.
First seen 5/25/2026
Last seen 6/9/2026
Evidence 72 chunks
Wiki v6
WIKI
Overview
The supplied evidence treats the RISC-V ISA as the architectural contract used to validate processor implementations and as a base for proposed extensions. The RISC-V ISA is described as an open instruction-set architecture that has enabled rapid processor innovation, with verification flows that compare an RTL processor core against an instruction-set simulator (ISS) reference model and check that both executions produce matching architectural state.
Modular ISA Profiles and Extensions
NEIGHBORHOOD
2 nodes · 1 edgesgraph · RISC-V ISA · depth=1
RELATIONSHIPS
44 connections Cross-level processor verification via endless randomized instruction stream generation with coverage-guided aging ← uses 100% 4e
The paper evaluates its approach using a RISC-V processor.
BOOM is an out-of-order RISC-V processor implementing the RISC-V ISA.
CVA6 is a RISC-V processor implementing the RISC-V ISA.
Rocket is a RISC-V processor implementing the RISC-V ISA.
Vector extensions are an optional part of the modular RISC-V ISA.
RVV is the vector extension of the RISC-V ISA.
Spike is a RISC-V ISA simulator implementing the RISC-V ISA specification.
PMP is a RISC-V ISA feature restricting memory access for privilege and security.
ePMP is an enhanced RISC-V ISA feature for memory protection.
The MMU is part of the RISC-V ISA for virtual memory management.
The paper targets the RISC-V ISA for processor verification.
ProcessorFuzz targets RISC-V based processors designed in different HDLs.
MINRES TGC is a 32-bit pipelined RISC-V processor implementing the RISC-V ISA.
Machine mode is part of the RISC-V privileged architecture specification, which is an extension of the RISC-V ISA.
Illegal instruction handling is a part of the RISC-V ISA behavior that the approach must support.
Hypervisor extensions are an optional part of the modular RISC-V ISA.
BlackParrot Core is an open-source RISC-V core implementing the RISC-V ISA.
The randomized instruction stream generator produces RISC-V instructions.
RISC-V was developed at UC Berkeley.
Rocket Core is an open-source RISC-V processor implementing the RISC-V ISA.
BlackParrot is a 64-bit RISC-V core implementing the RISC-V ISA.
Rocket is a RISC-V processor implementing the RISC-V ISA.
BOOM is a RISC-V processor implementing the RISC-V ISA.
CVA6 is a RISC-V processor implementing the RISC-V ISA.
RISCV-DV generates instructions conforming to the RISC-V ISA.
The Hornet RV32IMF core is a processor implementing the RISC-V ISA.
Force-riscv targets the RISC-V ISA.
cv32e40p is a RISC-V core that implements the RISC-V ISA.
The Instruction Set Generator targets the RISC-V ISA to generate instructions.
RV32I is the base integer instruction set of the RISC-V ISA.
Spike is the RISC-V ISA simulator that implements the RISC-V ISA for simulation purposes.
RISC-V was developed at UC Berkeley.
CSRs are control and status registers that are part of the RISC-V ISA.
fence.i is a RISC-V ISA instruction used to synchronise instruction and data streams.
RVA22 is a RISC-V profile specification that is part of the broader RISC-V ISA ecosystem.
RVA23 is a RISC-V profile specification that is part of the broader RISC-V ISA ecosystem.
Privilege-mode transitions are a feature of the RISC-V ISA that may be inadequately exercised by random testing.
Memory protection is a RISC-V ISA feature that may not be fully exercised by random testing alone.
InstrGen generates RISC-V instructions for the verification process.
CSRs are part of the RISC-V ISA specification.
Spike is a RISC-V ISA simulator implementing the RISC-V ISA.
The TGF Series RTL core implements the RV32I RISC-V ISA.
Rocket Core is a RISC-V processor core implementing the RISC-V ISA.
BOOM Core is an out-of-order RISC-V processor implementing the RISC-V ISA.
LINKED ENTITIES
7 linksriscv-dv USES Extracted graph relationship
Hornet RV32IMF core IMPLEMENTS Extracted graph relationship
spike USED BY Spike is the open-source RISC-V ISA simulator used as the reference model in the ProcessorFuzz evaluation, in the SystemC co-simulation testbench, and in the RISCV-DV verification framework.
Rocket IMPLEMENTED BY Rocket is a Chisel-based, open-source, in-order RISC-V processor core implementing the RV64GCHX ISA profile, generated by the Rocket Chip SoC Generator framework.
BOOM IMPLEMENTED BY BOOM is the third-generation Berkeley Out-of-Order Machine, an out-of-order superscalar RISC-V processor written in Chisel implementing RV64GCX.
CVA6 IMPLEMENTED BY CVA6 is an open-source 64-bit in-order RISC-V processor written in SystemVerilog, implementing RV64GC with a six-stage pipeline, taped out in 22nm technology.
MorFuzz USED BY MorFuzz is a fuzzing framework that performs runtime instruction morphing on RISC-V 64-bit processor designs (CVA6, Rocket, BOOM) to discover architectural bugs.
CITATIONS
22 sources22 citations — click to expand
[1] The RISC-V ISA is an open instruction-set architecture that has enabled rapid processor innovation and serves as the architectural contract for verifying processor implementations against an ISS reference model. Creating Verification Environment Using RISCV-DV With Open and Closed Source Tools
[2] WARL CSR fields can be written with any value, but reads return only legal values, allowing software to query CSRs for information about core capabilities; CSR behavior is less rigidly defined than instruction-set specifications. Previous article evidence (preserved)
[3] Monitored privileged CSRs include mscratch (machine-mode context space pointer), {m,s}epc (PC of an instruction that caused an exception), and sscratch (supervisor-mode context space pointer). Previous article evidence (preserved)
[4] A SystemC-based RISC-V verification testbench co-simulates an RTL core with an ISS, advancing both by one instruction per step and comparing execution states; mismatches are reported as errors. Previous article evidence (preserved)
[5] A verification framework combines RISCV-DV random instruction generation with open-source (Python flow, Spike ISS) and commercial (Xcelium) tools, using a custom tracer in the Hornet RV32IMF core and CSV-based scripts for comparison. Creating Verification Environment Using RISCV-DV With Open and Closed Source Tools
[6] The RISCV-DV framework detected subtle errors in Hornet including incorrect IEEE-754 rounding modes and precision loss in division and square root, resolving multiple floating-point bugs and ensuring RISC-V and IEEE-754 compliance. Creating Verification Environment Using RISCV-DV With Open and Closed Source Tools
[7] ProcessorFuzz uses CSR-transition coverage with an ISA simulator to decide whether an input is interesting, then launches RTL simulation and compares extended trace logs against the ISA trace log; differences are treated as potential processor bugs. Previous article evidence (preserved)
[8] ProcessorFuzz extends the Spike open-source ISA simulator to store monitored CSR values and uses Verilator as the open-source RTL simulator. Previous article evidence (preserved)
[9] MorFuzz performs runtime instruction morphing on RISC-V 64-bit, replacing wires between the fetch and decode units so that morphed instructions keep the instruction fetch offset consistent with the pipeline front-end. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[10] MorFuzz maintains a morphing map keyed by the pre-morph instruction and its address so that the reference model and DUT execute deterministic and identical morphed instructions. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[11] MorFuzz's state synchronization rules require (1) only CSR or memory operations beyond verification scope can trigger synchronization, (2) the DUT's control flow must pass the commitment stage check, and (3) mismatched write-back values are limited to CSR WARL fields or peripheral addresses outside the specification. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[12] MorFuzz uses the Synopsys VCS RTL simulator for hardware simulation and supports a control-register coverage matrix compatible with DifuzzRTL via a FIRRTL pass that instruments all control registers. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[13] MorFuzz reported 17 new bugs and two already known bugs across real-world RISC-V processors, with 13 bugs assigned CVE numbers, evaluating CVA6, Rocket, and BOOM cores that are all capable of booting and running Linux. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[14] CVA6 is an open-source 64-bit in-order RISC-V processor written in SystemVerilog with a 6-stage single-issue pipeline, independent internal execution units, ISA profile RV64GC, taped out in 22nm technology, and runs at up to 1.7 GHz. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[15] Rocket is a five-stage single-issue in-order scalar RISC-V processor written in Chisel with delayed write-back, supports hypervisor and cryptography extensions (RV64GCHX profile), and is the world's first RISC-V processor open-sourced by UC Berkeley, taped out dozens of times. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[16] BOOM is the third-generation Berkeley Out-of-Order Machine, an out-of-order superscalar RISC-V processor in Chisel; the MorFuzz evaluation uses the triple-issue LargeBoom configuration with ISA profile RV64GCX. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[17] Bug B8: CVA6 considers illegal sfence.vma valid when its rd field is mutated to a non-zero value, although the specification says sfence.vma has a zero rd field. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[18] Bug B9: The CVA6 decoder behaves incorrectly when executing dret with a non-zero rd field, which should be zero according to the specification; CVA6 handles the invalid dret as if it were a legal dret. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[19] Bug B10: CVA6 throws an exception when executing a non-standard fence.i/fence with a non-zero rd field, although for forward compatibility implementations must ignore the rd field in fence.i/fence. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[20] A project explores adding explicit load-acquire and store-release instructions to the RISC-V ISA, with support in the herd formal memory model, gem5 cycle-approximate simulator, and LLVM/Clang toolchain, motivated by weak memory models and the need to prevent ABI fragmentation. Adding Explicit Load-Acquire and Store-Release Instructions to the RISC-V ISA
[21] The Vortex project extends the RISC-V ISA to support GPGPUs and 3D-graphics with minimal ISA changes, implementing a PCIe-based soft GPU on FPGA that supports OpenCL and OpenGL, scaling to 32 cores on an Altera Stratix 10 at 200 MHz with 25.6 GFlops peak performance. Vortex: Extending the RISC-V ISA for GPGPU and 3D-Graphics
[22] Rocket is described as a Chisel HDL-based, open-source, general-purpose, in-order RISC-V processor core generated by the Rocket Chip SoC Generator framework; BOOM has been the subject of bugs previously reported by DIFUZZRTL. Previous article evidence (preserved)