STIMSMITH

Assembly Program Test Input

Concept WIKI v1 · 5/28/2026

An assembly program test input is a processor-fuzzing input represented as an assembly program that conforms to the target ISA. In ProcessorFuzz, such inputs are randomly generated, mutated, screened with ISA simulation for new CSR-transition coverage, and sent to RTL simulation only when that screening classifies them as interesting.

Definition

An assembly program test input is a test input for processor fuzzing that is expressed as an assembly program conforming to the target instruction set architecture (ISA). In the ProcessorFuzz workflow, the seed corpus is populated by generating random test inputs in this form.

Role in ProcessorFuzz

ProcessorFuzz uses assembly program test inputs as the units that are selected from the seed corpus, mutated, and evaluated. Its mutations include removing instructions, appending instructions, and replacing instructions in a chosen input.

After mutation, ProcessorFuzz first runs an ISA simulator on a mutated assembly program test input. The ISA simulator produces an extended ISA trace log that includes Control and Status Register (CSR) values for each executed instruction. ProcessorFuzz then extracts CSR transitions from that trace and checks them against a Transition Map of previously observed transitions.

If a mutated input triggers at least one previously unseen CSR transition, ProcessorFuzz classifies it as interesting and adds it back to the seed corpus for future mutations. If it does not trigger a new transition, the input is discarded. ProcessorFuzz runs RTL simulation only for interesting mutated inputs, reducing time spent on repetitive inputs.
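The screening step described above, modelled as an added example (this is illustrative code, not ProcessorFuzz's own implementation). The trace record layout, the two tracked CSR names and the sample RISC-V traces are constructed here; ProcessorFuzz's real extended ISA trace format is assumed, not reproduced.

```python
from collections import namedtuple

# One record per executed instruction, as an extended ISA trace would report it:
# the instruction text plus the CSR values after it executed. Constructed layout.
TraceRecord = namedtuple("TraceRecord", "insn csrs")

def extract_transitions(trace, csr_names):
    """Return the set of (csr, old_value, new_value) transitions in a trace.
    A transition is recorded whenever a tracked CSR changes value between
    two consecutive executed instructions."""
    transitions = set()
    for prev, cur in zip(trace, trace[1:]):
        for name in csr_names:
            old, new = prev.csrs[name], cur.csrs[name]
            if old != new:
                transitions.add((name, old, new))
    return transitions

def screen_input(trace, transition_map, csr_names):
    """Classify a mutated input: it is interesting if at least one of its CSR
    transitions is absent from transition_map (the set of transitions seen so
    far). New transitions are merged into the map so later candidates are
    judged against everything observed. Returns (is_interesting, new_set)."""
    new = extract_transitions(trace, csr_names) - transition_map
    transition_map |= new
    return bool(new), new

CSRS = ("mstatus", "mcause")
# Constructed trace of a seed input: csrrs sets the MIE bit (bit 3) in mstatus.
SEED_TRACE = [
    TraceRecord("addi x1, x0, 8",        {"mstatus": 0x0, "mcause": 0x0}),
    TraceRecord("csrrs x0, mstatus, x1", {"mstatus": 0x8, "mcause": 0x0}),
]
# Constructed trace of a mutated input: the same program with an ecall appended.
# Trapping from M-mode clears MIE, sets MPIE (bit 7) and reports cause 11.
MUTATED_TRACE = SEED_TRACE + [
    TraceRecord("ecall", {"mstatus": 0x80, "mcause": 0xb}),
]

def run_demo():
    """Screen the seed, the same seed again, then the mutated input."""
    transition_map = set()
    first, _ = screen_input(SEED_TRACE, transition_map, CSRS)       # new transition
    second, _ = screen_input(SEED_TRACE, transition_map, CSRS)      # already seen
    third, new = screen_input(MUTATED_TRACE, transition_map, CSRS)  # trap transitions
    return first, second, third, sorted(new)

if __name__ == "__main__":
    print(run_demo())
```

Only the first and third inputs would be forwarded to RTL simulation; the repeated seed adds no transition and is discarded.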

Why this representation matters

Coverage-guided fuzzing repeatedly runs a program under test with many random inputs and uses runtime coverage feedback to decide whether an input is interesting. When this idea is adapted to processors, the target hardware design is not directly executable on the host machine; it must be evaluated through simulation, typically RTL simulation. ProcessorFuzz therefore uses faster ISA simulation to screen assembly program test inputs before invoking RTL simulation on the target processor design.
