Crate javm_fuzz

javm-fuzz — differential fuzzer for the JAVM PVM2 ISA.

PVM2 is RV64E + standard extensions (M, C, Zba, Zbb, Zbs, Zicond) + the custom Xjar/EEI. We have strong confidence the interpreter and the x86 recompiler agree on legitimate programs (the conformance suite), but no systematic coverage of value-domain edge cases — INT_MIN/-1 division, shift-amount masking, W-op sign-extension, mulhsu, Zbb corner inputs. Those are exactly where a future ARM JIT lowering could silently diverge.

This crate generates RV64E-subset programs (generate), runs each through the interpreter and the recompiler (replay, linux/x86_64 only), and — offline — through a Sail/Spike oracle to mint static golden vectors. CI replays committed vectors and compares to the baked-in gold; the oracle never enters the build graph.

State readout: scratchpad signature region

A generated program ends with a deterministic signature epilogue (encode::signature_epilogue) that stores (with sd) its full final register file into a memory region mapped from the scratchpad (slot[0]) DataCap at SIG_BASE. Each engine surfaces that region’s effective bytes back to the host (InvocationResult::scratchpad_head), so the differential compares the complete, uncompressed register signature — not the old lossy x10 fold — plus exit and gas. This exercises the v3 scratchpad + DataCap CoW return path end to end (kernel maps slot[0], guest writes it, host reads it back).
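As an added illustration (not code from the javm-fuzz crate and not its API), the following Rust models the value-domain rules the description lists (INT_MIN/-1 division, shift-amount masking, W-op sign-extension, mulhsu, a Zbb corner input) and runs a small differential check between two engine models over an edge-case operand corpus. The names Op, OPS, reference, naive_model, edge_operands, differential and Mismatch are constructed for this example; naive_model is a hypothetical, deliberately incomplete lowering used only to show what such a harness reports, not anything observed in the project.

```rust
// Added illustration, not javm-fuzz code: a reference model for the RV64
// value-domain corner cases named in the crate description, plus a small
// differential harness over an edge-case operand corpus. `Op`, `OPS`,
// `reference`, `naive_model`, `edge_operands`, `differential` and `Mismatch`
// are constructed names for this example.

/// Ops whose corner-case semantics a lowering can silently get wrong.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Op {
    Div, Rem, Divu, Remu, Divw, Sll, Srl, Sra, Sllw, Addw, Mulh, Mulhsu, Mulhu, Clz,
}

pub const OPS: [Op; 14] = [
    Op::Div, Op::Rem, Op::Divu, Op::Remu, Op::Divw, Op::Sll, Op::Srl,
    Op::Sra, Op::Sllw, Op::Addw, Op::Mulh, Op::Mulhsu, Op::Mulhu, Op::Clz,
];

/// Architectural RV64 M / Zbb semantics: the reference side of the differential.
pub fn reference(op: Op, a: u64, b: u64) -> u64 {
    let (sa, sb) = (a as i64, b as i64);
    match op {
        // M: division by zero yields all ones; INT_MIN / -1 yields INT_MIN, no trap.
        Op::Div => if sb == 0 { u64::MAX } else { sa.wrapping_div(sb) as u64 },
        // REM by zero yields the dividend; INT_MIN % -1 yields 0.
        Op::Rem => if sb == 0 { a } else { sa.wrapping_rem(sb) as u64 },
        Op::Divu => if b == 0 { u64::MAX } else { a / b },
        Op::Remu => if b == 0 { a } else { a % b },
        // W-ops use the low 32 bits and sign-extend the 32-bit result to 64 bits.
        Op::Divw => {
            let (x, y) = (a as i32, b as i32);
            let r = if y == 0 { -1 } else { x.wrapping_div(y) };
            r as i64 as u64
        }
        Op::Sllw => ((a as u32) << (b & 31)) as i32 as i64 as u64,
        Op::Addw => (a as u32).wrapping_add(b as u32) as i32 as i64 as u64,
        // RV64 shifts read only rs2[5:0]: an amount of 64 or more wraps, it does not clear.
        Op::Sll => a << (b & 63),
        Op::Srl => a >> (b & 63),
        Op::Sra => (sa >> (b & 63)) as u64,
        // MULH* return the high 64 bits of the 128-bit product; MULHSU mixes signedness.
        Op::Mulh => (((sa as i128) * (sb as i128)) >> 64) as u64,
        Op::Mulhsu => (((sa as i128) * (b as i128)) >> 64) as u64,
        Op::Mulhu => (((a as u128) * (b as u128)) >> 64) as u64,
        // Zbb CLZ counts leading zeros and returns 64 for a zero input.
        Op::Clz => a.leading_zeros() as u64,
    }
}

/// Constructed stand-in for a hypothetical lowering with two missing rules:
/// shift amounts are not masked to rs2[5:0] (64 and above clear the value),
/// and DIVW is derived from a 64-bit division instead of a 32-bit one.
pub fn naive_model(op: Op, a: u64, b: u64) -> u64 {
    match op {
        Op::Sll => a.checked_shl(b as u32).unwrap_or(0),
        Op::Srl => a.checked_shr(b as u32).unwrap_or(0),
        Op::Divw => reference(Op::Div, a, b) as i32 as i64 as u64,
        other => reference(other, a, b),
    }
}

/// One disagreement between the two engines under test.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Mismatch { pub op: Op, pub a: u64, pub b: u64, pub lhs: u64, pub rhs: u64 }

/// Constructed operand corpus biased toward the boundaries the description calls out.
pub fn edge_operands() -> Vec<u64> {
    vec![0, 1, 2, 31, 32, 63, 64, 65, u64::MAX, i64::MAX as u64, i64::MIN as u64,
         0xFFFF_FFFF, 0x8000_0000, 0x1_0000_0000, 0xFFFF_FFFF_8000_0000, 0x1_0000_0007]
}

/// Run every op over every operand pair through both engines; return the divergences.
pub fn differential<L, R>(lhs: L, rhs: R) -> Vec<Mismatch>
where
    L: Fn(Op, u64, u64) -> u64,
    R: Fn(Op, u64, u64) -> u64,
{
    let ops = edge_operands();
    let mut out = Vec::new();
    for &op in OPS.iter() {
        for &a in &ops {
            for &b in &ops {
                let (l, r) = (lhs(op, a, b), rhs(op, a, b));
                if l != r {
                    out.push(Mismatch { op, a, b, lhs: l, rhs: r });
                }
            }
        }
    }
    out
}

fn main() {
    let found = differential(reference, naive_model);
    println!("{} divergence(s) between reference and naive_model", found.len());
    for m in found.iter().take(5) {
        println!("{:?}", m);
    }
}
```

The corpus is deliberately tiny; the point is that a handful of boundary operands per op is enough to expose unmasked shift amounts and wrong-width W-op lowering, which a conformance suite of well-formed programs would never reach. A real run would replace naive_model with an engine and feed the mismatches to a minimizer.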

Re-exports

pub use encode::SIG_BYTES;

Modules

encode
RV64E-subset instruction encoders — the single source the generator and the decode round-trip test both drive off.
generate
RV64E-subset program generator.
oracle
Offline RISC-V oracle: run a Program on the golden model (Spike) and read back its final register file as the crate::SIG_BYTES-byte signature. Used by the mint binary to produce committed golden vectors — never a build/CI dependency (CI replays the committed vectors, it does not run Spike).
replay
Dual-engine replay: run a Program through the interpreter and the x86 recompiler and compare. Gated to linux/x86_64 (the recompiler needs the Hyperlight host stack, so the whole javm-bench crate is gated to it).
shrink
Delta-debugging minimizer: shrink a failing program to a minimal reproducer.

Structs

Gold
The oracle-computed expected post-state projection.
Init
Initial state seed for a vector.
MemInit
Serialized form of MemWindow.
MemWindow
A contiguous RW memory window backing the program’s loads/stores.
Program
A generated test program: instruction words (body + signature epilogue, no terminator), the initial register seed, and an optional initial RW memory window. The replay harness appends the ecalli 0 terminator.
Vector
One golden vector: program + initial state + the oracle’s projected post-state (register signature + exit).
VectorFile
One committed vector file: provenance + a batch of vectors.
VectorMeta
Provenance for a vector batch — enough to reproduce and to detect staleness.

Constants

ISA
The frozen ISA string PVM2’s compute core conforms to (RV64E run as the RV64I superset for the oracle, never naming x16–x31).
SIG_BASE
Guest VA the scratchpad (slot[0]) signature region maps at — the base of the instance data extent (javm_cap::layout::DATA_BASE). The signature epilogue stores the register file here; both engines surface its effective bytes.
SIG_VERSION
Bump when encode::signature_epilogue or the encoders change in a way that alters the golden signature of an unchanged program. Committed vectors record the version they were minted against; the replay test refuses a mismatch.