Direct Instruction Injection

Technique

Direct Instruction Injection (DII) is the instruction-injection technique used in the TestRIG randomized RISC-V CPU testing ecosystem. It works in combination with the RISC-V Formal Interface (RVFI-DII) to drive random instruction streams against both reference models and implementations under test, comparing execution traces to detect divergences. The technique was introduced in the paper "Randomized Testing of RISC-V CPUs Using Direct Instruction Injection" (Joannou et al., IEEE Design & Test, 41(1):40-49, February 2024) and is reported to enable straightforward shrinking of failing instruction sequences, including those containing branches.

First seen 5/27/2026
Last seen 6/9/2026
Evidence 10 chunks
Wiki v3

WIKI

Overview

Direct Instruction Injection (DII) is the instruction-injection technique used in the TestRIG randomized testing ecosystem for RISC-V CPUs. It is presented in the paper "Randomized Testing of RISC-V CPUs Using Direct Instruction Injection" by Alexandre Joannou, Peter Rugg, Jonathan Woodruff, Franz A. Fuchs, Marno van der Maas, Matthew Naylor, Michael Roe, Robert N. M. Watson, Peter G. Neumann, and Simon W. Moore, published in IEEE Design & Test of Computers, 41(1):40-49, February 2024 (DOI 10.1109/MDAT.2023.3262741). [C1, C6]

In the cited TestRIG paper, instruction injection is tied to a standardized communication interface intended to make verification engines, models, and implementations interchangeable and independently improvable. The paper also states that instruction injection allows straightforward shrinking of instruction sequences with branches. [C1]
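An added illustration of the idea above, not code from TestRIG or the paper: a toy model and a deliberately buggy copy receive the same injected sequence, their traces are compared, and the failing sequence is shrunk by deleting instructions. The three-field instruction tuples, the trace format and the seeded stale-load bug are constructed for this example and do not reflect the RVFI-DII packet format.

```python
MEM_BASE = 0x80000000  # base of the test memory window named in citation [2]

def run(seq, buggy=False):
    """Execute an injected sequence; return one (pc, op, result) entry per step."""
    regs, mem, stale, pc, trace = [0] * 4, {}, {}, MEM_BASE, []
    for op, a, b in seq:  # the next instruction comes from the stream, not mem[pc]
        nxt, res = pc + 4, None
        if op == "li":                          # li rd, imm
            regs[a] = res = b
        elif op == "sw":                        # sw rs, offset
            mem[MEM_BASE + b] = regs[a]
            if not buggy:                       # seeded bug: the buggy copy keeps
                stale.pop(MEM_BASE + b, None)   # serving the previously loaded value
        elif op == "lw":                        # lw rd, offset
            addr = MEM_BASE + b
            regs[a] = res = stale.setdefault(addr, mem.get(addr, 0))
        elif op == "bnez" and regs[a] != 0:     # bnez rs, offset: only the PC moves
            nxt = pc + b
        trace.append((pc, op, res))
        pc = nxt
    return trace

def first_divergence(seq):
    """Index of the first trace entry where model and implementation differ."""
    pairs = zip(run(seq), run(seq, buggy=True))
    return next((i for i, (m, d) in enumerate(pairs) if m != d), None)

def shrink(seq):
    """Delete one instruction at a time for as long as the traces still diverge."""
    seq, changed = list(seq), True
    while changed:
        changed = False
        for i in range(len(seq)):
            cand = seq[:i] + seq[i + 1:]
            if first_divergence(cand) is not None:
                seq, changed = cand, True
                break
    return seq

# Constructed failing sequence, including a forward and a backward branch.
FAILING = [
    ("li", 1, 5), ("lw", 2, 8), ("bnez", 1, 12), ("li", 3, 9),
    ("sw", 3, 8), ("li", 1, 0), ("lw", 2, 8), ("bnez", 3, -8),
]

if __name__ == "__main__":
    print("first divergence at step", first_divergence(FAILING))
    print("shrunk:", shrink(FAILING))
```

Because no instruction is fetched by address, deleting the two branches leaves the remaining four instructions a valid test that still exposes the divergence.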

RELATIONSHIPS

9 connections
TestRIG ← uses 100% 6e
TestRIG uses Direct Instruction Injection to inject instruction sequences into RISC-V implementations.
TestRIG ← implements 100% 4e
TestRIG uses RVFI-DII interfaces for direct instruction injection testing.
The paper introduces Direct Instruction Injection as a core technique for RISC-V CPU testing.
Instruction Sequence Generation implements → 90% 3e
Direct Instruction Injection enables simplified instruction sequence generation by decoupling the instruction stream from control flow.
Test Case Shrinking implements → 90% 2e
Direct Instruction Injection enables simplified shrinking of test sequences because it decouples instructions from memory addresses.
Tandem Verification implements → 90% 2e
Direct Instruction Injection enables tandem verification by providing interactive instruction injection to both model and implementation.
RVFI-DII implements → 100% 2e
Direct Instruction Injection is the DII component of the RVFI-DII interface.
QCVEngine ← uses 100% 1e
QCVEngine uses Direct Instruction Injection to decouple instruction stream from control flow.
The paper employs Direct Instruction Injection as a core technique for testing.

CITATIONS

8 sources
[1] DII is the instruction-injection technique used in the TestRIG ecosystem, tied to a standardized interface that makes verification engines, models, and implementations interchangeable, and allows straightforward shrinking of instruction sequences with branches. Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[2] TestRIG participants are expected to expose an RVFI-DII interface, be extended with RVFI-DII instrumentation, provide 8 MiB of memory at 0x80000000 with access faults for other addresses, and reset to a known state on a reset DII packet (zeroed registers, known CSRs, zeroed memory). Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[3] DII can be inserted by removing the instruction cache while keeping architecturally visible PC translation, exercising the instruction cache and replacing bytes after fetch, or for compressed instructions either substituting picked instructions before decode or injecting 16-bit fragments from DII to exercise instruction-picking logic. Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[4] A TestRIG generator constructed addresses within the TestRIG memory range plus random loads/stores, found a Flute bug after 42 tests and 20 shrinking rounds; the reduced sequence contains two loads with one store between them to overlapping addresses, was found under 10 seconds into the run, and was fixed within the hour; the same bug was not found by the RISC-V unit-test suite. Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[5] TestRIG's model-based testing supports counterexample-driven development; after Ibex was extended with RVFI-DII support, a summer intern was able to add full CHERI functionality to Ibex in a month, aided by the tight cycle of reduced counterexamples provided by QCVEngine. Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection
[6] The paper introducing DII was authored by Joannou, Rugg, Woodruff, Fuchs, van der Maas, Naylor, Roe, Watson, Neumann, and Moore, and published in IEEE Design & Test of Computers, 41(1):40-49, February 2024, DOI 10.1109/MDAT.2023.3262741. Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection - researchr publication
[7] A 2025 RISC-V testability survey describes TestRIG as using RVFI-DII interfaces to drive random instruction streams against both reference models and implementations under test, comparing execution traces to detect divergences early in development, and notes its application to validate capability-architecture extensions such as CHERI. Source: Towards Reliable and Secure RISC-V Systems: Survey of Testability ...
[8] The TestRIG paper describes a future Sail-OCaml VEngine with direct access to the data structures of the authors' Sail RISC-V model, eliminating independent encodings in the VEngine, and notes plans to use constraint solving to target specific deep architectural states. Source: Randomized Testing of RISC-V CPUs Using Direct Instruction Injection