2026-06-10, Poster Island A
Verification remains a key bottleneck in the design of modern RISC-V processors, particularly for deep corner cases that are difficult to reach with conventional verification techniques. Coverage-guided hardware fuzzing explores quickly, but it often relies on coarse-grained coverage feedback and blind mutation, which leads to shallow exploration. Symbolic and concolic methods offer control-path reasoning, but their practicality is limited by path explosion and high solver cost on realistic RTL processor designs.
We present a concolic-execution-guided hybrid whitebox fuzzing framework for RISC-V processors with FPGA acceleration. The framework combines RTL static analysis, concolic solving, and high-throughput fuzzing to balance exploration of hard-to-trigger deep processor behaviors against fuzzing efficiency. It extracts the processor control-flow graph from the RTL, instruments synthesizable control-path monitors, and uses the collected path conditions to steer test generation toward high-value unexplored paths. We further map the DUT and the fuzzer onto the FPGA programmable logic, while running the concolic engine and SMT solver on the on-board ARM processor, accelerating the hybrid whitebox fuzzing process through an end-to-end heterogeneous architecture.
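As an added illustration (not the framework's code), the toy below models a three-branch decode control path and shows why path conditions matter: blind bit-flip mutation almost never reaches the deepest edge, while negating one recorded condition at a time steers generation straight to it. The control path, the bit-field "solver" and the budgets are all constructed assumptions for the example.

```python
import random

# Constructed toy control path shaped like a RISC-V SYSTEM-instruction decoder:
# (branch id, bit field [lo, hi), value that takes the branch). The last edge
# needs 7 + 3 + 12 = 22 bits to match at once, i.e. a deep corner case.
CONTROL_PATH = [
    ("is_system", 0, 7, 0b1110011),  # opcode == SYSTEM
    ("is_priv", 12, 15, 0b000),      # funct3 == 0, not a CSR access
    ("is_mret", 20, 32, 0x302),      # imm[11:0] == MRET encoding
]

def field(insn, lo, hi):
    return (insn >> lo) & ((1 << (hi - lo)) - 1)

def execute(insn):
    """Concrete run: returns covered edges and the path condition as a list of
    (branch id, lo, hi, value, taken); a not-taken branch ends the path."""
    edges, path = set(), []
    for bid, lo, hi, val in CONTROL_PATH:
        taken = field(insn, lo, hi) == val
        edges.add((bid, taken))
        path.append((bid, lo, hi, val, taken))
        if not taken:
            break
    return edges, path

def solve(insn, path, flip_at):
    """Toy solver for disjoint bit-field equalities: keep the prefix of the path
    condition as recorded, negate constraint flip_at, and rebuild the word."""
    for i, (bid, lo, hi, val, taken) in enumerate(path[:flip_at + 1]):
        want = taken if i < flip_at else not taken
        width = hi - lo
        new_val = val if want else (val ^ 1) & ((1 << width) - 1)
        insn = (insn & ~(((1 << width) - 1) << lo)) | (new_val << lo)
    return insn & 0xFFFFFFFF

def concolic_fuzz(seed, budget):
    """Run an input, then queue one solved input per uncovered sibling edge."""
    covered, queue = set(), [seed]
    for _ in range(budget):
        if not queue:
            break
        insn = queue.pop(0)
        edges, path = execute(insn)
        covered |= edges
        for i, (bid, *_, taken) in enumerate(path):
            if (bid, not taken) not in covered:
                queue.append(solve(insn, path, i))
    return covered

def blind_fuzz(seed, budget, rng):
    """Baseline: single-bit-flip mutation with only edge coverage as feedback."""
    covered, insn = set(), seed
    for _ in range(budget):
        covered |= execute(insn)[0]
        insn ^= 1 << rng.randrange(32)
    return covered
```

With seed 0, the concolic loop covers all six edges (including MRET, 0x30200073) in four executions, whereas the blind baseline does not reach the deepest edge in a thousand.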
We evaluate the approach on open-source RISC-V processors, including CVA6, Ibex, and PicoRV32. Results show that our approach achieves 1.33x higher coverage than state-of-the-art fuzzers and reaches deep-corner coverage points that are difficult to trigger with existing approaches.