STIMSMITH

mispredicted path fuzzing

Concept

Mispredicted path fuzzing is a processor-verification technique that perturbs speculative execution paths, such as branch-target predictions and instruction-cache contents, so that RTL simulations exercise instructions and addresses that the test binary would not normally place on a mispredicted path.

First seen 5/27/2026
Last seen 5/27/2026
Evidence 2 chunks
Wiki v1

WIKI

Overview

Mispredicted path fuzzing is a verification technique for processor RTL that deliberately changes what a core sees while executing down a mispredicted speculative path. In the cited Logic Fuzzer work, fuzzing can insert arbitrary instructions into the mispredicted path regardless of the binary being executed, which lets verification runs cover all instructions on that path and reach that coverage earlier than without fuzzing.

What it mutates



RELATIONSHIPS

1 connection
Logic Fuzzer ← uses 100% 2e
Logic Fuzzer implements mispredicted path fuzzing by inserting instructions into mispredicted paths.

CITATIONS

6 sources
[1] Mispredicted path fuzzing can insert arbitrary instructions into a mispredicted path regardless of the executed binary, enabling full instruction coverage on that path earlier than without fuzzing. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[2] Logic Fuzzer table mutators are used to insert random instructions into the mispredicted path by replacing instruction-cache tag and data arrays with fuzzer-managed tables. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[3] BTB fuzzing can provide falsely predicted or random target addresses at runtime, and such scenarios can potentially create iTLB page faults on the mispredicted path; the same technique can be applied to the Return Address Stack. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[4] Without fuzzing, BTB predictions are constrained to the narrow address range encoded in the ELF .text section, while fuzzing produces broader atypical prediction ranges. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[5] In the described Dromajo/OpenCosim integration, RTL accesses fuzzer tables through DPI calls, fuzzers are configured by a JSON file, and branch-predictor fuzzer tables match the size of the branch predictor. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[6] Logic Fuzzer may create microarchitectural states unreachable by real programs, but co-simulation failures exposed by fuzzing are treated as potential bugs that engineers must prove or disprove. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
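As an added illustration (not the paper's or Logic Fuzzer's own code), a small Python model of the fuzzer-managed BTB table described in citations [2] to [5]: trained with the binary's real in-.text targets, it returns either the recorded prediction or a random one, and a toy fetch loop counts how many predicted targets leave the .text range, which are the addresses the core would only fetch on a fuzzed mispredicted path and where an iTLB fault could arise. The .text range, the JSON configuration and the loop body are constructed for the example.

```python
import json
import random

# Constructed .text range of the test binary (an assumption, not from the paper).
TEXT_START, TEXT_END = 0x8000_0000, 0x8000_1000

# Constructed stand-in for the JSON file that configures the fuzzers.
CONFIG_JSON = '{"btb": {"entries": 64, "seed": 7}}'


class FuzzedBTB:
    """Fuzzer-managed BTB table, sized like the predictor it replaces.
    In the real flow the RTL reaches such a table through a DPI call; here
    predict() returns the recorded target or, with probability fuzz_rate,
    a random address that the binary never encodes."""

    def __init__(self, entries, fuzz_rate, seed=0):
        self.entries, self.fuzz_rate = entries, fuzz_rate
        self.table = {}
        self.rng = random.Random(seed)

    def update(self, pc, target):
        self.table[(pc >> 2) % self.entries] = target  # direct-mapped on the word index

    def predict(self, pc):
        real = self.table.get((pc >> 2) % self.entries)
        if real is None or self.rng.random() >= self.fuzz_rate:
            return real  # unfuzzed behaviour: whatever the predictor learned
        return self.rng.getrandbits(48) & ~0x3  # fuzzed: random word-aligned target


def run_fetch_model(fuzz_rate, cycles=200):
    """Toy fetch loop over a 256-byte body whose branches all stay in .text.
    Counts where predicted targets land: anything outside .text is an address
    the core would only ever fetch on a fuzzed mispredicted path."""
    cfg = json.loads(CONFIG_JSON)["btb"]
    btb = FuzzedBTB(cfg["entries"], fuzz_rate, cfg["seed"])
    for off in range(0, 0x100, 4):  # train every word with a real in-.text target
        btb.update(TEXT_START + off, TEXT_START + (off * 3) % 0x100)
    stats = {"in_text": 0, "out_text": 0}
    seen = set()
    for cycle in range(cycles):
        pc = TEXT_START + (cycle * 4) % 0x100
        predicted = btb.predict(pc)
        seen.add(predicted)
        inside = TEXT_START <= predicted < TEXT_END
        stats["in_text" if inside else "out_text"] += 1
    stats["distinct_targets"] = len(seen)
    return stats
```

With fuzz_rate 0.0 every prediction stays inside the narrow .text range, as citation [4] describes for an unfuzzed BTB; with fuzz_rate 0.5 roughly half of the predicted targets fall outside it and the set of distinct targets grows.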