Verilog Fuzzer to test the major verilog compilers by generating random, valid and deterministic Verilog. There is a presentation about Verismith and a thesis which goes over all the details of the implementation and results that were found.
It currently supports the following synthesis tools:
and the following simulator:
Supported Verilog Constructs
The fuzzer generates combinational and behavioural Verilog to test the various tools. The most notable constructs that are supported and generated are the following:
- module definitions with parameter definitions, inputs and outputs
- module items, such as instantiations, continuous assignment, always blocks, initial blocks, parameter and local parameter declarations
- most expressions, for example concatenation, arithmetic operations, ternary conditional operator
- behavioural code in sequential always blocks
- behavioural control flow such as if-else and for loops
- declaration of wires and variables of any size, signed or unsigned
- bit selection from wires and variables
21 bugs were found in total over the course of a month. 8 of those bugs were reported and 3 were fixed.
Build the Fuzzer
The fuzzer now supports building with nix, which pulls in all the extra dependencies that are needed to build the project. The main files and their functions are described below:
default.nix: describes the main Haskell package and it's dependencies that have to be pulled in.
shell.nix: describes how to set up a shell with
nix-shellwhich has all the needed dependencies present.
release.nix: passes the versions of the packages that should be used to the description of the fuzzer in
default.nix, which also overrides some dependencies so that everything builds nicely. The exact versions of the packages that should be overridden are in nix.
It may be possible to build it purely with cabal-install, however it may not have all the right versions of the dependencies that are needed.
Instead, stack could be used and the
stack.yaml file could contain the
overrides that are used by nix.
Build with nix
Nix build is completely supported, therefore if nix is installed, building the project is as simple as
If one wants to work in the project with all the right dependencies loaded, one can use
Build with cabal and nix
After entering a development environment with
nix-shell, the project can
safely be built with
cabal v2-configure cabal v2-build
This should not have to download any extra dependencies and just have to build the actual project itself.
Contains information about the command line tool being used, such as the hash of the commit it was compiled with and the version of the tool. The tool then verifies that these match the current configuration, and will emit a warning if they do not. This ensures that if one wants a deterministic run and is therefore passing a seed to the generation, that it will always give the same result. Different versions might change some aspects of the Verilog generation, which would affect how a seed would generate Verilog.
Provides a way to assign frequency values to each of the nodes in the AST. During the state-based generation, each node is chosen randomly based on those probabilities. This provides a simple way to drastically change the Verilog that is generated, by changing how often a construct is chosen or by not generating a construct at all.
Changes properties of the generated Verilog code, such as the size of the output, maximum statement or module depth and sampling method of Verilog programs. This section also allows a seed to be specified, which would mean that only that particular seed will be used in the fuzz run. This is extremely useful when wanting to replay a specific failure and the output is missing.
Accepts a list of synthesisers which will be fuzzed. These have to first be defined in the code and implement the required interface. They can then be configured by having a name assigned to them and the name of the output Verilog file. By each having a different name, multiple instances of the same synthesiser can be included in a fuzz run. The instances might differ in the optimisations that are performed, or in the version of the synthesiser.
Current benchmark results to compare against.
benchmarking generation/default time 65.16 ms (42.67 ms .. 84.90 ms) 0.837 R² (0.722 R² .. 0.966 R²) mean 82.87 ms (71.13 ms .. 105.9 ms) std dev 27.59 ms (15.80 ms .. 42.35 ms) variance introduced by outliers: 90% (severely inflated) benchmarking generation/depth time 860.8 ms (2.031 ms .. 1.488 s) 0.900 R² (0.668 R² .. 1.000 R²) mean 483.9 ms (254.1 ms .. 647.6 ms) std dev 224.4 ms (100.8 ms .. 283.5 ms) variance introduced by outliers: 74% (severely inflated) benchmarking generation/size time 541.1 ms (-749.1 ms .. 1.263 s) 0.568 R² (0.005 R² .. 1.000 R²) mean 698.8 ms (498.2 ms .. 897.5 ms) std dev 229.8 ms (195.0 ms .. 239.7 ms) variance introduced by outliers: 73% (severely inflated)
Clifford Wolf's VlogHammer is an existing Verilog fuzzer that generates random Verilog to test how expressions are handled in synthesis tools and simulators. It was the inspiration for the general structure of this fuzzer, which extends the fuzzing to the behavioural parts of Verilog.
Tom Hawkins' Verilog parser was used to write the lexer, the parser was then rewritten using Parsec.