Overview

Direct Instruction Injection (DII) is the instruction-injection technique used in the TestRIG randomized testing ecosystem for RISC-V CPUs. It is presented in the paper "Randomized Testing of RISC-V CPUs Using Direct Instruction Injection" by Alexandre Joannou, Peter Rugg, Jonathan Woodruff, Franz A. Fuchs, Marno van der Maas, Matthew Naylor, Michael Roe, Robert N. M. Watson, Peter G. Neumann, and Simon W. Moore, published in IEEE Design & Test of Computers, 41(1):40-49, February 2024 (DOI 10.1109/MDAT.2023.3262741). [C1, C6]

In the cited TestRIG paper, instruction injection is tied to a standardized communication interface intended to make verification engines, models, and implementations interchangeable and independently improvable. The paper also states that instruction injection allows straightforward shrinking of instruction sequences with branches. [C1]

A 2025 RISC-V testability survey describes TestRIG as using RVFI-DII interfaces to drive random instruction streams against both reference models and implementations under test, comparing execution traces to detect divergences early in development, and notes that the approach has been applied to validate ISA extensions such as capability architectures. [C7]

RVFI-DII integration

TestRIG participants are expected to expose an RVFI-DII interface and to be extended with RVFI-DII instrumentation. The cited work reports that supporting data structures and libraries are distributed in several languages to facilitate RVFI-DII connections over TCP ports. [C2]

The same evidence states additional architectural-environment requirements for TestRIG participants: they must provide 8 MiB of memory accessible at address 0x80000000, return access faults for other addresses, and reset to a known state when a reset DII packet is injected. The known reset state includes zeroed registers, known default values for RISC-V control and status records, and zeroed 8 MiB of memory. [C2]

Injection-point design choices

The evidence describes multiple implementation choices for where DII is inserted into a processor implementation. An implementation can remove the instruction cache entirely while retaining architecturally visible PC address translation, or it can exercise the instruction cache and replace instruction bytes after fetch. For RISC-V compressed instructions, the cited work describes a choice between substituting picked instructions before decode and injecting 16-bit instruction fragments from DII to exercise instruction-picking logic. [C3]

Counterexample shrinking and debugging

A major reported benefit of DII in TestRIG is more straightforward shrinking of failing instruction sequences, including sequences containing branches. The paper states that this capability allowed the authors to replace instruction-level unit tests for the CHERI extension, improving productivity and assurance in that context. [C1]

The paper gives a TestRIG debugging example in which a generator constructed addresses within the TestRIG memory range and random loads and stores. The generator found a bug after 42 tests and 20 rounds of shrinking. The cited final reduced sequence is:

lui   x1, 262148
slli  x1, x1, 1
lui   x20, 262148   # value used as data
ori   x3, x1, 1     # a page address
lui   x2, 262148
slli  x2, x2, 1     # the same page address
lhu   x4, x3[1]     # load from address
sh    x20, x2[2]    # store to an overlapping byte
lhu   x2, x3[1]     # divergence on reloading

The final sequence contains only three memory operations: two loads with a single store in between, all to overlapping addresses. The counterexample was found less than 10 seconds into the TestRIG run and was fixed within the hour. The same bug had not been found by the RISC-V unit-test suite and was difficult to debug from a full software trace. [C4]

Role in counterexample-driven development

The cited paper characterizes TestRIG's model-based testing as supporting counterexample-driven development: instead of requiring a basic working design before architectural unit tests can be useful, TestRIG can provide reduced stimulus from basic features through advanced interactions. As an example, after Ibex was extended with RVFI-DII support, a summer intern was able to add full CHERI functionality to Ibex in a month, aided by the tight cycle of reduced counterexamples provided by QCVEngine. [C5]

Future directions noted in the paper

The paper also describes a Sail-OCaml VEngine with direct access to the data structures of the authors' Sail RISC-V model. This eliminates independent encodings in the VEngine, and the authors state that they expect this approach to be taken further to automate generation of templates that target specific deep states in the architectural model using constraint solving. [C8]