Skip to content
Verilog Fuzzer to test the major simulators and sythesisers by generating random, valid Verilog.
Haskell Coq Python Shell Verilog Nix
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
app Rename main modules Sep 18, 2019
bugs Add vivado bugs Apr 12, 2019
data Add description to data Jun 29, 2019
examples
experiments Add extra experiments Jun 2, 2019
scripts Update default configuration Oct 18, 2019
src Change location of the html reports Oct 18, 2019
test
.dir-locals.el Add dired locals to open verilog files Apr 6, 2019
.envrc
.gitattributes Add data to .gitattributes Mar 3, 2019
.gitignore Fix nix build and add to travis Jul 23, 2019
.travis.yml Add benchmark Jul 28, 2019
LICENSE Change license name Mar 30, 2019
README.md Fix spelling in readme Oct 6, 2019
Setup.hs Add new pretty printer with indentation May 9, 2019
default.nix
shell.nix Add benchmark Jul 28, 2019
verismith.cabal

README.md

Verismith Build Status

Verilog Fuzzer to test the major verilog compilers by generating random, valid and deterministic Verilog. There is a presentation about Verismith and a thesis which goes over all the details of the implementation and results that were found.

It currently supports the following synthesis tools:

and the following simulator:

Supported Verilog Constructs

The fuzzer generates combinational and behavioural Verilog to test the various tools. The most notable constructs that are supported and generated are the following:

  • module definitions with parameter definitions, inputs and outputs
  • module items, such as instantiations, continuous assignment, always blocks, initial blocks, parameter and local parameter declarations
  • most expressions, for example concatenation, arithmetic operations, ternary conditional operator
  • behavioural code in sequential always blocks
  • behavioural control flow such as if-else and for loops
  • declaration of wires and variables of any size, signed or unsigned
  • bit selection from wires and variables

Reported bugs

21 bugs were found in total over the course of a month. 8 of those bugs were reported and 3 were fixed.

Yosys

Type Issue Confirmed Fixed
Mis-synthesis Issue 1243
Mis-synthesis Issue 1047
Mis-synthesis Issue 997
Crash Issue 993

Vivado

Type Issue Confirmed Fixed
Crash Forum 981787 𐄂
Crash Forum 981136 𐄂
Mis-synthesis Forum 981789 𐄂
Mis-synthesis Forum 982518 𐄂
Mis-synthesis Forum 982419 𐄂

Build the Fuzzer

The fuzzer now supports building with nix, which pulls in all the extra dependencies that are needed to build the project. The main files and their functions are described below:

  • default.nix: describes the main Haskell package and it's dependencies that have to be pulled in.
  • shell.nix: describes how to set up a shell with nix-shell which has all the needed dependencies present.
  • release.nix: passes the versions of the packages that should be used to the description of the fuzzer in default.nix, which also overrides some dependencies so that everything builds nicely. The exact versions of the packages that should be overridden are in nix.

It may be possible to build it purely with cabal-install, however it may not have all the right versions of the dependencies that are needed.

Instead, stack could be used and the stack.yaml file could contain the overrides that are used by nix.

Build with nix

Nix build is completely supported, therefore if nix is installed, building the project is as simple as

nix-build release.nix

If one wants to work in the project with all the right dependencies loaded, one can use

nix-shell

Build with cabal and nix

After entering a development environment with nix-shell, the project can safely be built with cabal-install.

cabal v2-configure
cabal v2-build

This should not have to download any extra dependencies and just have to build the actual project itself.

Configuration

Verismith can be configured using a TOML file. There are four main sections in the configuration file, an example can be seen here.

Information section

Contains information about the command line tool being used, such as the hash of the commit it was compiled with and the version of the tool. The tool then verifies that these match the current configuration, and will emit a warning if they do not. This ensures that if one wants a deterministic run and is therefore passing a seed to the generation, that it will always give the same result. Different versions might change some aspects of the Verilog generation, which would affect how a seed would generate Verilog.

Probability section

Provides a way to assign frequency values to each of the nodes in the AST. During the state-based generation, each node is chosen randomly based on those probabilities. This provides a simple way to drastically change the Verilog that is generated, by changing how often a construct is chosen or by not generating a construct at all.

Property section

Changes properties of the generated Verilog code, such as the size of the output, maximum statement or module depth and sampling method of Verilog programs. This section also allows a seed to be specified, which would mean that only that particular seed will be used in the fuzz run. This is extremely useful when wanting to replay a specific failure and the output is missing.

Synthesiser section

Accepts a list of synthesisers which will be fuzzed. These have to first be defined in the code and implement the required interface. They can then be configured by having a name assigned to them and the name of the output Verilog file. By each having a different name, multiple instances of the same synthesiser can be included in a fuzz run. The instances might differ in the optimisations that are performed, or in the version of the synthesiser.

Benchmark Results

Current benchmark results to compare against.

benchmarking generation/default
time                 65.16 ms   (42.67 ms .. 84.90 ms)
                     0.837 R²   (0.722 R² .. 0.966 R²)
mean                 82.87 ms   (71.13 ms .. 105.9 ms)
std dev              27.59 ms   (15.80 ms .. 42.35 ms)
variance introduced by outliers: 90% (severely inflated)

benchmarking generation/depth
time                 860.8 ms   (2.031 ms .. 1.488 s)
                     0.900 R²   (0.668 R² .. 1.000 R²)
mean                 483.9 ms   (254.1 ms .. 647.6 ms)
std dev              224.4 ms   (100.8 ms .. 283.5 ms)
variance introduced by outliers: 74% (severely inflated)

benchmarking generation/size
time                 541.1 ms   (-749.1 ms .. 1.263 s)
                     0.568 R²   (0.005 R² .. 1.000 R²)
mean                 698.8 ms   (498.2 ms .. 897.5 ms)
std dev              229.8 ms   (195.0 ms .. 239.7 ms)
variance introduced by outliers: 73% (severely inflated)

Acknowledgement

Clifford Wolf's VlogHammer is an existing Verilog fuzzer that generates random Verilog to test how expressions are handled in synthesis tools and simulators. It was the inspiration for the general structure of this fuzzer, which extends the fuzzing to the behavioural parts of Verilog.

Tom Hawkins' Verilog parser was used to write the lexer, the parser was then rewritten using Parsec.

You can’t perform that action at this time.