Overview
The Execution Controller is a component in a processor verification flow based on coverage-guided fuzzing and co-simulation. Its two stated purposes are to prevent infinite loops and to detect mismatches between processor cores, specifically between an instruction set simulator (ISS) and an RTL-core. [purpose]
Role in the verification flow
In the described flow, test vectors are interpreted as arbitrary endless instruction streams. Because such streams can lead to infinite loops, the Execution Controller is responsible for terminating problematic executions early enough to preserve fuzzing performance. [infinite-loop-context]
The controller is positioned in the co-simulation architecture alongside the Translation Buffer, ISS, and RTL-core. The co-simulation is instrumented to collect coverage, and execution feedback includes coverage and a return code. [cosim-integration]
Infinite-loop handling
The Execution Controller uses a conservative criterion for infinite-loop detection: a loop is detected when a new program-counter address equals an already executed program-counter address and the register values are unchanged. In addition, the ISS execution has a hard limit of 10,000 instruction executions to handle the halting problem. [loop-detection]
Mismatch detection
The controller detects processor-core mismatches by comparing register values at synchronization points. The described approach uses time points when register values actually changed as synchronization and comparison points. [sync-points]
In the example from the source, the ISS raises illegal-instruction exceptions for unsupported instructions and executes trap-handler code, while the RTL-core erroneously executes an LWU x8, x0, 48 instruction successfully. When this changes register x8, the Execution Controller detects the register-value change, compares registers between the ISS and RTL-core, finds a mismatch between x8 and x6, throws an error, and stops the simulation. [mismatch-example]
Execution sequencing
The ISS executes first and may run a trap loop until the Execution Controller terminates it. After the ISS is terminated, the Execution Controller starts execution of the RTL-core, beginning again at address 0x00. [sequencing]
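The following is an added sketch, not code from the source, that models the three behaviours described above: loop termination, register comparison at synchronization points, and ISS-then-RTL sequencing. It reads the loop criterion as "the same (PC, register values) state is reached again". The `step` hook, the 32-entry register list, the toy cores and their values are all constructed assumptions.

```python
# Added illustration; the toy core models and all names are assumptions.
MAX_INSTR = 10_000  # hard limit on instruction executions, as stated above

def run_core(step, regs, pc=0x00, max_instr=MAX_INSTR):
    """Run one core from pc; return (stop_reason, sync_points).
    step(pc, regs) -> (next_pc, next_regs) is a hypothetical single-step hook.
    A sync point is a register snapshot taken whenever a register changed."""
    regs, seen, sync_points = list(regs), set(), []
    for _ in range(max_instr):
        state = (pc, tuple(regs))
        if state in seen:          # PC already executed, registers unchanged
            return "loop", sync_points
        seen.add(state)
        pc, new_regs = step(pc, regs)
        if new_regs != regs:       # register values actually changed
            sync_points.append(tuple(new_regs))
        regs = new_regs
    return "limit", sync_points

def first_mismatch(iss_sync, rtl_sync):
    """Return (sync index, differing register numbers) or None if cores agree."""
    for i, (a, b) in enumerate(zip(iss_sync, rtl_sync)):
        if a != b:
            return i, [r for r in range(len(a)) if a[r] != b[r]]
    if len(iss_sync) != len(rtl_sync):   # one core changed state more often
        return min(len(iss_sync), len(rtl_sync)), []
    return None

def iss_step(pc, regs):    # constructed ISS: 0x00 is illegal, traps to 0x10
    regs = list(regs)
    if pc == 0x00:
        return 0x10, regs
    if pc == 0x10:
        regs[6] = 0x1      # trap handler writes x6
        return 0x14, regs
    return pc, regs        # 0x14 jumps to itself (trap loop)

def rtl_step(pc, regs):    # constructed RTL model: wrongly executes a load into x8
    regs = list(regs)
    if pc == 0x00:
        regs[8] = 0xAB
        return 0x04, regs
    return pc, regs        # 0x04 jumps to itself

def cosimulate():
    """ISS runs first; after it is terminated the RTL core starts again at 0x00."""
    _, iss_sync = run_core(iss_step, [0] * 32)
    _, rtl_sync = run_core(rtl_step, [0] * 32)
    return first_mismatch(iss_sync, rtl_sync)
```

With these constructed cores, `cosimulate()` reports a mismatch at the first synchronization point, with registers 6 and 8 differing. A core that changes a register on every step never repeats a state, so only the 10,000-instruction limit stops it.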
Relationship to Translation Buffer
The Translation Buffer helps ensure that the ISS and RTL-core receive the same instruction stream by caching already fetched instructions. This matters for the Execution Controller because mismatch detection compares the behavior of the cores under the intended same instruction stream. [translation-buffer-context]