The Instruction Set Architecture (ISA) defines processor operations and serves as the interface between hardware and software. As an open ISA, RISC-V lowers the barriers to processor design and encourages widespread adoption, but also exposes processors to security risks such as functional bugs. Processor fuzzing is a powerful technique for automatically detecting these bugs. However, existing fuzzing methods suffer from two main limitations. First, their emphasis on redundant test case generation causes them to overlook cross-processor corner cases. Second, they rely too heavily on coverage guidance. Current coverage metrics are biased and inefficient, and become ineffective once coverage growth plateaus. To overcome these limitations, we propose SimFuzz, a fuzzing framework that constructs a high-quality seed corpus from historical bug-triggering inputs and employs similarity-guided, block-level mutation to efficiently explore the processor input space. By introducing instruction similarity, SimFuzz expands the input space around seeds while preserving control-flow structure, enabling deeper exploration without relying on coverage feedback. We evaluate SimFuzz on three widely used open-source RISC-V processors: Rocket, BOOM, and XiangShan, and discover 17 bugs in total, including 14 previously unknown issues, 7 of which have been assigned CVE identifiers. These bugs affect the decode and memory units, cause instruction and data errors, and can lead to kernel instability or system crashes. Experimental results show that SimFuzz achieves up to 73.22% multiplexer coverage on the high-quality seed corpus. Our findings highlight critical security bugs in mainstream RISC-V processors and offer actionable insights for improving functional verification.

翻译：指令集架构（ISA）定义了处理器操作规范，并作为硬件与软件之间的接口。作为一种开放指令集架构，RISC-V降低了处理器设计门槛并促进了广泛采用，但同时也使处理器面临功能缺陷等安全风险。处理器模糊测试是自动检测此类缺陷的有效技术。然而，现有模糊测试方法存在两个主要局限：其一，过度强调冗余测试用例生成导致其忽略跨处理器边界情况；其二，对覆盖率引导的依赖过强。当前覆盖率指标存在偏差且效率低下，当覆盖率增长停滞时即告失效。为克服这些局限，我们提出SimFuzz——一种通过历史触发缺陷的输入构建高质量种子语料库，并采用相似性引导的块级变异来高效探索处理器输入空间的模糊测试框架。通过引入指令相似性度量，SimFuzz在保持控制流结构的前提下扩展种子周边的输入空间，实现不依赖覆盖率反馈的深度探索。我们在三款广泛使用的开源RISC-V处理器（Rocket、BOOM和香山）上评估SimFuzz，共发现17个缺陷，其中包含14个先前未知的问题（7个已获得CVE编号）。这些缺陷影响解码与存储单元，引发指令与数据错误，可能导致内核不稳定或系统崩溃。实验结果表明，SimFuzz在高质量种子语料库上实现了最高73.22%的多路复用器覆盖率。本研究揭示了主流RISC-V处理器中的关键安全缺陷，并为改进功能验证提供了可操作的见解。