Overview
Instruction Shuffle is a randomized perturbation applied to the order of all instructions in a fuzzing payload at the end of generation. In MorFuzz, it is used to further increase sequence-level randomness after the payload has been generated. [C1]
Role in MorFuzz
MorFuzz generates fuzzing payloads that include runtime mutation primitives and uses runtime instruction morphing to transform template instructions into diverse and meaningful instruction streams during hardware simulation. [C2] Instruction Shuffle complements this process by changing the ordering of the generated payload instructions rather than mutating individual instruction fields or operands. [C1]
Effect on instruction sequences
The technique shuffles instructions so that adjacent testing blocks are mixed together. This increases the diversity of instruction sequences and can produce more processor states during fuzzing. [C3]
Trade-off
Instruction Shuffle can reduce observability in some cases, because shuffling may sacrifice some watchpoints: a watchpoint inserted at a specific location in a testing block may no longer sit at that location after the shuffle. [C4] In MorFuzz, watchpoint instructions are used by sequence patterns to expose internal DUT state, such as reading the floating-point exception flag CSR after a floating-point instruction sequence. [C5]
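The following Python model illustrates both the mixing effect described above and the watchpoint trade-off. It is an added example, not MorFuzz code: the payload, its testing blocks, the `observes` link between a watchpoint and the instruction it exposes state for, and the two metrics are all constructed here for illustration.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Instr:
    uid: int                        # unique id so an instruction can be located after shuffling
    text: str                       # RISC-V assembly text (constructed sample, not MorFuzz output)
    block: int                      # index of the testing block this instruction came from
    observes: Optional[int] = None  # watchpoint only: uid of the instruction it exposes state for

def build_payload() -> List[Instr]:
    """Constructed sample payload: three testing blocks, two of them ending in a
    watchpoint that reads a CSR right after the instruction it is meant to observe."""
    return [
        Instr(0, "add  a0, a1, a2",    0),
        Instr(1, "sub  a3, a0, a4",    0),
        Instr(2, "fadd.s f0, f1, f2",  1),
        Instr(3, "fdiv.s f3, f0, f4",  1),
        Instr(4, "csrr t0, fflags",    1, observes=3),  # watchpoint: FP exception flags
        Instr(5, "lw   a5, 0(a6)",     2),
        Instr(6, "sw   a5, 4(a6)",     2),
        Instr(7, "mul  a7, a5, a5",    2),
        Instr(8, "csrr t1, minstret",  2, observes=7),  # watchpoint: illustrative CSR read
    ]

def shuffle_payload(payload: List[Instr], seed: int) -> List[Instr]:
    """Instruction Shuffle as modelled here: a random permutation of the whole payload."""
    rng = random.Random(seed)
    out = list(payload)
    rng.shuffle(out)
    return out

def cross_block_adjacencies(payload: List[Instr]) -> int:
    """Adjacent instruction pairs that come from different testing blocks (mixing measure)."""
    return sum(1 for a, b in zip(payload, payload[1:]) if a.block != b.block)

def intact_watchpoints(payload: List[Instr]) -> int:
    """Watchpoints that still sit immediately after the instruction they observe."""
    pos = {ins.uid: i for i, ins in enumerate(payload)}
    return sum(1 for ins in payload
               if ins.observes is not None and pos[ins.uid] == pos[ins.observes] + 1)

if __name__ == "__main__":
    base = build_payload()
    for seed in range(3):
        mixed = shuffle_payload(base, seed)
        print(f"seed {seed}: cross-block adjacencies {cross_block_adjacencies(mixed)} "
              f"(was {cross_block_adjacencies(base)}), intact watchpoints "
              f"{intact_watchpoints(mixed)} (was {intact_watchpoints(base)})")
```

Running it over a few seeds shows cross-block adjacencies rising above the two block boundaries of the unshuffled payload while some watchpoints lose their position, which is the observability cost the text describes.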
Position in the generation flow
Instruction Shuffle is performed at the end of fuzzing-payload generation. This placement means it acts after the payload structure has been generated, perturbing the final instruction order to increase sequence-level randomness. [C1]