STIMSMITH

Randomized Testing of RISC-V CPUs Using Direct Instruction Injection

Paper

A peer-reviewed paper, published in IEEE Design & Test of Computers, 41(1):40–49 in February 2024 (DOI 10.1109/MDAT.2023.3262741), that introduces TestRIG, a randomized RISC-V CPU verification ecosystem built around Direct Instruction Injection, RVFI-DII instrumentation, and QCVEngine-generated test sequences. The paper describes smart shrinking of failing instruction sequences, non-shrinkable initialization, sequence-level assertions, and a Sail-model architectural coverage comparison against riscv-tests and RISCV-DV. The work has been independently cited in follow-on research on large-scale RISC-V processor verification.

First seen 5/27/2026
Last seen 6/9/2026
Evidence 17 chunks
Wiki v3

WIKI

Publication

Randomized Testing of RISC-V CPUs Using Direct Instruction Injection was authored by Alexandre Joannou, Peter Rugg, Jonathan Woodruff, Franz A. Fuchs, Marno van der Maas, Matthew Naylor, Michael Roe, Robert N. M. Watson, Peter G. Neumann, and Simon W. Moore, and published in IEEE Design & Test of Computers, volume 41, issue 1, pages 40–49, in February 2024. [IEEE Design & Test of Computers] [DOI 10.1109/MDAT.2023.3262741] [1]



RELATIONSHIPS

36 connections
RVFI-DII introduces → 100% 7e
The paper introduces RVFI-DII as a combined interface for instruction injection and trace output.
Peter G. Neumann authored by → 100% 6e
Peter G. Neumann is listed as an author of the paper.
Marno van der Maas authored by → 100% 6e
Marno van der Maas is listed as an author of the paper.
Franz A. Fuchs authored by → 100% 6e
Franz A. Fuchs is listed as an author of the paper.
Alexandre Joannou authored by → 100% 6e
Alexandre Joannou is listed as an author of the paper.
Jonathan Woodruff authored by → 100% 6e
Jonathan Woodruff is listed as an author of the paper.
Michael Roe authored by → 100% 6e
Michael Roe is listed as an author of the paper.
Matthew Naylor authored by → 100% 6e
Matthew Naylor is listed as an author of the paper.
Robert N. M. Watson authored by → 100% 6e
Robert N. M. Watson is listed as an author of the paper.
TestRIG introduces → 100% 6e
The paper introduces TestRIG as a testing framework for RISC-V implementations.
Peter Rugg authored by → 100% 6e
Peter Rugg is listed as an author of the paper.
Simon W. Moore authored by → 100% 6e
Simon W. Moore is listed as an author of the paper.
University of Cambridge published by → 85% 5e
The paper is associated with University of Cambridge researchers and is partially funded by DARPA.
riscv-dv compares with → 90% 4e
The paper compares TestRIG with RISCV-DV in terms of coverage and counterexample complexity.
Direct Instruction Injection introduces → 100% 4e
The paper introduces Direct Instruction Injection as a core technique for RISC-V CPU testing.
CHERI evaluates → 100% 3e
The paper evaluates TestRIG on the CHERI security extension, finding and fixing multiple bugs.
Direct Instruction Injection introduces → 100% 2e
The paper introduces Direct Instruction Injection as the core mechanism of TestRIG.
QCVEngine evaluates → 95% 2e
The paper evaluates QCVEngine for architectural coverage and counterexample complexity.
QCVEngine introduces → 90% 2e
The paper presents QCVEngine as the TestRIG verification engine.
riscv-tests compares with → 90% 2e
The paper compares TestRIG with riscv-tests for coverage and counterexample complexity.
Cache Bug Detection uses → 90% 2e
The paper demonstrates TestRIG's ability to detect cache bugs.
Genesys-Pro mentions → 90% 2e
The paper mentions IBM's Genesys-Pro as an example of template-based test generation.
PyH2P mentions → 95% 2e
The paper discusses PyH2P as a precursor to TestRIG's approach.
QCVEngine uses → 100% 2e
The paper presents QCVEngine as the QuickCheck-based Verification Engine for TestRIG.
sailcov uses → 100% 1e
The paper uses sailcov to measure architectural coverage achieved by TestRIG.
BSV-RVFI-DII Library introduces → 85% 1e
The paper presents the BSV-RVFI-DII library as a reusable component for RVFI-DII instrumentation.
Counterexample-Driven Development evaluates → 90% 1e
The paper discusses counterexample-driven development as an advancement over test-driven development.
RISC-V uses → 100% 1e
The paper focuses on RISC-V as the CPU architecture under test.
DARPA published by → 85% 1e
The research was sponsored by DARPA under the SSITH program.
CPU evaluates → 100% 1e
The paper evaluates RISC-V CPUs through randomized testing.
Randomized Testing uses → 100% 1e
The paper employs Randomized Testing as a core technique.
Direct Instruction Injection uses → 100% 1e
The paper employs Direct Instruction Injection as a core technique for testing.
TestRIG uses → 100% 1e
The paper presents TestRIG and describes experiments using it.
C-Reduce mentions → 90% 1e
The paper mentions C-Reduce as a prior example of automated test case reduction.
IEEE Design & Test of Computers published by → 100% 1e
The paper was published in IEEE Design & Test of Computers journal.
Symbolic QED mentions → 90% 1e
The paper mentions Symbolic QED as an alternative approach for minimal test generation.

CITATIONS

12 sources
[1] The paper was published in IEEE Design & Test of Computers, volume 41, issue 1, pages 40–49, in February 2024, with DOI 10.1109/MDAT.2023.3262741. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection - researchr publication
[2] TestRIG is positioned as a standardized environment in which verification engines, models, and implementations communicate through common interfaces and can be improved independently. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[3] Direct Instruction Injection injects instruction-level packets into implementations, which makes shrinking of instruction sequences with branches straightforward and was used to replace instruction-level unit tests for the CHERI extension. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[4] Implementations must expose an RVFI-DII interface, and supporting data structures and libraries are distributed in several languages to facilitate connections over TCP ports. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[5] TestRIG baseline expectations include 8 MiB of memory at address 0x80000000, access faults for all other addresses, and reset to a known state with zeroed registers, known default CSR values, and zeroed memory after a reset DII packet. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[6] Implementation choices for instruction injection include removing the instruction cache while preserving PC translation, or exercising the cache and replacing instruction bytes after fetch; for compressed instructions, either substituting picked instructions before decode or injecting 16-bit fragments. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[7] Smart shrinking uses QuickCheck's built-in list shrinking and additional transformations such as propagating output registers into later input operands, plus a simplification library to replace esoteric instructions with simpler equivalents. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[8] Sequences can be annotated as non-shrinkable to force initialization that avoids trivial counterexamples, e.g., from uninitialized floating-point registers, allowing testing of more interesting exception and rounding-mode behavior. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[9] TestRIG sequences may include assertions (e.g., asserting that a previous instruction wrote a non-zero value), enabling failures without tandem verification, and were used to test limits of implementation-defined behavior. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[10] Architectural coverage is measured using sailcov on the RISC-V Sail model, comparing QCVEngine against riscv-tests and RISCV-DV across RV32IMC and RV64IMAFDCZicsr, with RV32IMC coverage measured for the I, M, and C extension instructions and general-purpose registers. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[11] Related work discussed in the paper includes PyH2P, IBM's Genesys-Pro, and Symbolic QED; TestRIG is presented as maturing the PyH2P approach via standardized interfaces. Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[12] Applying RVFI-DII to the Ibex core has been reported in follow-on work to require more than 450 lines of code, and the paper is cited as the Joannou2024 RVFI-DII reference in large-scale RISC-V verification research. Large-Scale RISC-V Processor Verification Using Automated ...