STIMSMITH

Illegal Instruction Handling

Concept WIKI v3 · 5/30/2026

Illegal instruction handling, in the provided RISC-V verification evidence, is treated as a key area for processor and instruction-set-simulator testing. Unrestricted and binary-level fuzzing can generate illegal instructions and irregular trap-heavy control flows that valid-program generators may miss, exposing decoder errors, trap-state problems such as incorrect MTVAL updates, and control-flow bugs involving MRET after illegal instructions.

Overview

Illegal instruction handling is a verification concern for both RISC-V instruction set simulators and RTL processor implementations in the provided evidence. The evidence emphasizes that allowing test generators to create illegal instructions helps exercise behavior that valid instruction-stream generators, compilers, or assemblers may avoid. In the ISS fuzzing work, illegal instructions were explicitly useful for thoroughly checking the instruction decoder, and the approach exposed an error in the RISC-V reference simulator Spike. [decoder_stress]

The same ISS evidence argues that coverage-guided fuzzing retains the ability to generate completely random instructions, which helps cover rare corner and error cases that may be masked by a compiler or assembler. It contrasts this with RISC-V Torture, described there as generating only valid instruction sequences and therefore unable to detect some errors found by the fuzzer. [random_illegal_value]

Decoder and ISS behavior

Illegal instructions are important decoder tests because they exercise encodings outside the normal valid instruction stream. The ISS fuzzing evidence states that generating illegal instructions enabled thorough checking of the instruction decoder unit and revealed an error, labeled S1 in the paper's Table II, in Spike. [decoder_stress]

In the reported fuzzing campaign, the fuzzer generated a test set of 5,160 test cases; the smallest test had 1 instruction, the largest had 23 instructions, and the average was 3 instructions. This gives context for the compact illegal and mixed instruction sequences used to expose ISS mismatches. [fuzzer_testset_size]

Trap and diagnostic-state behavior

The RTL co-simulation evidence reports a bug in the reference ISS where MTVAL was set incorrectly. The bug was triggered by executing a compressed instruction that was considered an illegal instruction in that test context. This identifies diagnostic trap state, specifically MTVAL, as part of illegal-instruction handling that must match between the RTL core and the reference model. [mtval_illegal_compressed]

The same evidence reports an RTL bug where MRET continued at the wrong instruction for special sequences involving multiple MRET instructions and illegal instructions. Since MRET returns from the trap handler, these sequences stress the interaction between illegal-instruction traps, trap return, and irregular control flow. [mret_illegal_sequences]
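As an added illustration (not code from either cited paper, nor from Spike or any real ISS), the following toy RV32 trap-state model ties the decoder and trap-state points above together: length-based decode of compressed versus 32-bit encodings, the illegal-instruction trap recording mepc, mcause and mtval, and MRET resuming at mepc. The whitelist decoder, the addresses, the handler (a lone MRET at mtvec) and the instruction values treated as illegal are constructed for the example; it assumes the common convention that mtval receives the faulting encoding, zero-extended when the faulting instruction is compressed.

```python
# Constructed RV32 trap-state toy (not Spike or any real ISS), just enough to
# separate legal from illegal encodings, take the trap, and return through MRET.
from dataclasses import dataclass
MCAUSE_ILLEGAL = 2       # mcause code for an illegal-instruction exception
MRET = 0x30200073        # mret
NOP = 0x00000013         # addi x0, x0, 0
C_NOP = 0x0001           # c.nop (c.addi x0, 0)

@dataclass
class State:
    pc: int = 0
    mtvec: int = 0x100   # trap-handler base, direct mode (constructed address)
    mepc: int = 0
    mcause: int = 0
    mtval: int = 0
    traps: int = 0       # traps taken so far, for the harness

def insn_len(raw: int) -> int:
    """Low two bits give the length: 0b11 is a 32-bit encoding, anything else 16-bit."""
    return 4 if (raw & 0b11) == 0b11 else 2

def is_legal(insn: int, length: int) -> bool:
    """Whitelist decoder: this toy knows only c.nop, nop and mret; all else traps."""
    return insn == C_NOP if length == 2 else insn in (NOP, MRET)

def step(s: State, mem: dict) -> State:
    """Execute the instruction at s.pc; mem maps byte address -> instruction bits."""
    raw = mem[s.pc]
    n = insn_len(raw)
    insn = raw & (0xFFFF if n == 2 else 0xFFFFFFFF)
    if not is_legal(insn, n):
        # Illegal-instruction trap: mepc holds the faulting pc, mtval the faulting
        # encoding (the 16-bit value, zero-extended, for a compressed instruction).
        s.mepc, s.mcause, s.mtval = s.pc, MCAUSE_ILLEGAL, insn
        s.pc = s.mtvec
        s.traps += 1
    elif insn == MRET:
        s.pc = s.mepc    # trap return resumes at whatever mepc currently holds
    else:
        s.pc += n
    return s

def run(mem: dict, steps: int, mepc: int = 0) -> tuple:
    """Bounded run from pc 0: final state plus (faulting pc, mtval) per trap."""
    s, log = State(mepc=mepc), []
    for _ in range(steps):
        step(s, mem)
        if s.traps > len(log):      # a trap was taken this step: log what a
            log.append((s.mepc, s.mtval))   # co-simulation would compare
    return s, log
```

With the handler reduced to a lone MRET, an illegal instruction produces the trap, return, re-trap tight loop that the co-simulation work singles out, and the returned log is the trap state a reference model would be checked against step by step.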

Verification implications

The RTL testing approach generated and fed an endless instruction stream into the RTL core under test and a reference ISS in tightly coupled co-simulation. The instruction stream evolved on the fly, avoiding restrictions on generated instructions. The authors argue that many corner-case bugs are only revealed by highly irregular control flow, including tight loops and traps. [unrestricted_cosim]

This unrestricted generation is significant for illegal instruction handling because conventional frameworks can impose restrictions on generated instructions and therefore cannot create some specific sequences. The evidence describes unrestricted on-the-fly instruction-stream evolution as an advantage for exposing corner-case bugs, with the MRET plus illegal-instruction sequence serving as an example. [unrestricted_cosim]

Practical takeaway

From the provided evidence, illegal instruction handling should be verified not only as a decoder classification problem, but also as part of full trap behavior: diagnostic state such as MTVAL, trap-handler return through MRET, and irregular control-flow sequences all matter. Fuzzing approaches that allow illegal and random instruction encodings can expose issues that valid-only generators may miss. [decoder_stress] [mtval_illegal_compressed] [mret_illegal_sequences] [random_illegal_value]

CITATIONS

[1] Illegal instructions enabled thorough checking of the RISC-V instruction decoder and revealed an error in Spike. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[2] Coverage-guided fuzzing can generate completely random instructions to cover rare corner and error cases that compiler or assembler flows may mask; valid-only RISC-V Torture sequences would not detect some of the fuzzer-found errors. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[3] The ISS fuzzing campaign generated 5,160 test cases, with tests ranging from 1 to 23 instructions and averaging 3 instructions. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[4] A reference ISS bug set MTVAL incorrectly when executing a compressed instruction considered illegal in the test context. Efficient Cross-Level Testing for
[5] An RTL bug caused MRET to continue at the wrong instruction for special sequences involving multiple MRET and illegal instructions. Efficient Cross-Level Testing for
[6] The RTL cross-level testing approach used an endless on-the-fly instruction stream in tightly coupled RTL/ISS co-simulation and avoided restrictions on generated instructions, helping expose corner cases with irregular control flow, tight loops, and traps. Efficient Cross-Level Testing for

VERSION HISTORY

v3 · 5/30/2026 · gpt-5.5 (current)
v2 · 5/28/2026 · gpt-5.5
v1 · 5/26/2026 · gpt-5.5