STIMSMITH

cf-ambiguous Instructions

Concept

cf-ambiguous instructions are CPU instructions whose effect on control flow depends on runtime register values, posing a key challenge in CPU fuzzing because their target destinations cannot be statically predicted. In the Cascade framework, these instructions (e.g., beq, lw, jalr) are handled through specialized offset-construction and ISS-feedback mechanisms that allow the fuzzer to impose desired operand values while preserving dependency relationships with the program's random data flow.

First seen 6/14/2026
Last seen 6/14/2026
Evidence 3 chunks
Wiki v1

WIKI

cf-ambiguous Instructions

Definition

In the Cascade CPU fuzzing framework, cf-ambiguous instructions are defined as instructions that either behave as still or hopping depending on register values, or that are unconditionally hopping but whose destination depends on register values. Classic examples include:

RELATIONSHIPS

2 connections
Cascade ← uses (100%, 2e): Cascade handles cf-ambiguous instructions specially during program generation to control program flow.
Intermediate Program Construction ← uses (90%, 1e): Intermediate program construction handles cf-ambiguous instructions by controlling whether they are still or hopping.

CITATIONS

8 sources
[1] cf-ambiguous instructions are those that behave as still or hopping depending on register values, or that are unconditionally hopping but whose destination depends on register values; beq and lw are cf-ambiguous, but add and illegal instructions are not. (Cascade: CPU Fuzzing via Intricate Program Generation)
[2] Indirect jumps (jalr) are cf-ambiguous instructions that require a specific operand value val that Cascade intends to impose; with prior approaches, the ISS cannot proceed to the next basic block without running at least once per cf-ambiguous instruction. (Cascade: CPU Fuzzing via Intricate Program Generation)
[3] Cascade's offset construction lets val depend on a randomly picked dependent register rd, generates an offset register roff, and combines them with an offset applier (e.g., xor) whose output rapp holds the intended val. (Cascade: CPU Fuzzing via Intricate Program Generation)
[4] Cascade does not use the offset method for branches; instead it uses ISS feedback to obtain operand values and selects still vs. hopping branch opcodes. (Cascade: CPU Fuzzing via Intricate Program Generation)
[5] A simple per-register state machine is maintained to satisfy three availability requirements: rapp available at the cf-ambiguous instruction, roff ready before the offset applier, and rd available when the offset applier executes. (Cascade: CPU Fuzzing via Intricate Program Generation)
[6] The register lifecycle for offset construction comprises three steps: lui r_o, imm1 (a), addi r_off, imm2 (b), and xor r_off(r_d), r_o (c); registers in gen, ready, and unrel states must not be used outside the next cycle step. (Cascade: CPU Fuzzing via Intricate Program Generation)
[7] Strong memory allocation forbids loads from areas that store instructions differing between intermediate and ultimate programs, preventing cf-ambiguous entanglement through memory loads. (Cascade: CPU Fuzzing via Intricate Program Generation)
[8] When picking a cf-ambiguous instruction, Cascade chooses immediately whether it must be still or hopping. (Cascade: CPU Fuzzing via Intricate Program Generation)
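The offset construction described in the Concept section and in citations [3] and [6], worked through as an added example (this is not Cascade's own code): given the dependent register's runtime value, which Cascade learns from ISS feedback, and the value val the fuzzer wants the cf-ambiguous instruction to see, it computes the offset, emits the lui/addi/xor lifecycle and executes it with a tiny interpreter to confirm that rapp ends up equal to val while remaining data-dependent on rd. The register names a2/t0/t1, the lui/addi immediate split, the interpreter and the RV32 register width are assumptions of this example.

```python
# Added illustration of Cascade's offset construction for a cf-ambiguous
# instruction (citations [3] and [6]); not Cascade's own code. Register names,
# the lui/addi split and the tiny interpreter are assumptions; RV32 assumed.
MASK = (1 << 32) - 1

def split_lui_addi(value: int) -> tuple[int, int]:
    """Split a 32-bit value into imm1 (lui) and imm2 (addi). addi sign-extends
    its 12-bit immediate, so a low part >= 0x800 needs the lui part bumped."""
    value &= MASK
    hi, lo = value >> 12, value & 0xFFF
    if lo >= 0x800:
        hi, lo = (hi + 1) & 0xFFFFF, lo - 0x1000
    return hi, lo

def build_offset_sequence(rd: str, rd_value: int, val: int,
                          r_o: str = "t0", r_app: str = "t1") -> list[str]:
    """Emit lifecycle steps (a) lui, (b) addi, (c) xor so that r_app == val.
    rd_value is the dependent register's runtime value as reported by ISS
    feedback; val is the operand value to impose. r_off = val ^ rd_value makes
    the xor cancel rd while keeping r_app data-dependent on rd."""
    imm1, imm2 = split_lui_addi(val ^ rd_value)
    return [
        f"lui {r_o}, {imm1:#x}",       # (a) upper 20 bits of r_off
        f"addi {r_o}, {r_o}, {imm2}",  # (b) r_o now holds r_off
        f"xor {r_app}, {r_o}, {rd}",   # (c) offset applier
    ]

def run(program: list[str], regs: dict[str, int]) -> dict[str, int]:
    """Minimal interpreter for the three opcodes emitted above."""
    regs = dict(regs)
    for line in program:
        op, args = line.split(None, 1)
        a = [x.strip() for x in args.split(",")]
        if op == "lui":
            regs[a[0]] = (int(a[1], 0) << 12) & MASK
        elif op == "addi":
            regs[a[0]] = (regs[a[1]] + int(a[2], 0)) & MASK
        elif op == "xor":
            regs[a[0]] = regs[a[1]] ^ regs[a[2]]
        else:
            raise ValueError(f"unsupported opcode {op}")
    return regs

def imposed_value(rd_value: int, val: int, actual_rd=None) -> int:
    """Generate for rd=a2 with the ISS-reported rd_value, then execute with
    actual_rd (defaults to rd_value) and return what r_app holds."""
    prog = build_offset_sequence("a2", rd_value, val)
    rd_at_runtime = rd_value if actual_rd is None else actual_rd
    return run(prog, {"a2": rd_at_runtime & MASK})["t1"]
```

Passing a different actual_rd than the ISS reported shows why the availability requirements in citation [5] matter: if rd changes before the offset applier runs, r_app no longer holds val.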