STIMSMITH

mispredicted path fuzzing

Concept WIKI v1 · 5/27/2026

Mispredicted path fuzzing is a processor-verification technique that perturbs speculative execution paths, such as branch-target predictions and instruction-cache contents, so that RTL simulations exercise instructions and addresses that the test binary would not normally place on a mispredicted path.

Overview

Mispredicted path fuzzing is a verification technique for processor RTL that deliberately changes what a core sees while executing down a mispredicted speculative path. In the cited Logic Fuzzer work, fuzzing can insert arbitrary instructions into the mispredicted path regardless of the binary being executed, which lets verification runs cover all instructions on that path and reach that coverage earlier than without fuzzing.

What it mutates

The technique is described in two closely related forms:

  • Instruction-path mutation: random instructions can be inserted into the mispredicted path by using Logic Fuzzer table mutators. The described implementation replaces the instruction-cache tag and data arrays with table mutators, so that instruction-cache lookups and fills go through the fuzzer-managed tables instead of the plain RTL arrays alone.
  • Prediction-target mutation: Branch Target Buffer (BTB) entries can be fuzzed so that the branch predictor supplies falsely predicted addresses across a broader address range, or even random addresses chosen at runtime. The same approach can also be applied to a Return Address Stack.

Why it is useful

Without fuzzing, BTB predictions in the reported experiments stayed within a narrow range because they were derived from the history of resolved branch targets and therefore constrained by the address range encoded in the ELF file's .text section. With fuzzing enabled, BTB predictions covered broader and atypical address ranges. The authors argue that processors still need to handle these non-typical speculative cases robustly.

A specific stress case called out in the cited work is that random or broadened predicted addresses can create instruction-TLB page faults on the mispredicted path, which the core must handle without architectural side effects.
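The following behavioural model is an added illustration, not code from the Logic Fuzzer paper or from Dromajo/OpenCosim. It wraps a direct-mapped BTB in a table mutator with three modes (off, a broadened address range, fully random addresses) and replays a constructed branch trace whose resolved targets all lie inside a two-page .text region. It shows the effect described above: with the mutator off, every prediction stays inside .text because the predictor only ever learns resolved targets; with fuzzing on, predictions spread into other pages, including unmapped ones that would raise an iTLB fault on the mispredicted path. The memory layout, table size, mutation rate and 39-bit address width are all assumptions of the model.

```python
"""Behavioural model of a BTB wrapped in a table mutator (constructed example)."""
import random

PAGE_SIZE = 0x1000
ADDR_BITS = 39  # Sv39-style virtual address width, assumed for the model

# Constructed memory layout: .text occupies two pages, one data page follows.
TEXT_BASE = 0x8000_0000
TEXT_SIZE = 2 * PAGE_SIZE
MAPPED_PAGES = {TEXT_BASE, TEXT_BASE + PAGE_SIZE, 0x8000_4000}  # page-aligned VAs


class TableMutator:
    """Storage for a predictor table that may return fuzzed values on read.

    mode 'off'   : behaves like the plain RTL array.
    mode 'range' : replaces a fraction of reads with addresses from [lo, hi).
    mode 'random': replaces a fraction of reads with fully random addresses.
    """

    def __init__(self, entries, rng, mode="off", rate=0.25, lo=0, hi=0):
        self.table = [None] * entries
        self.rng = rng
        self.mode = mode
        self.rate = rate          # fraction of reads that are mutated
        self.lo, self.hi = lo, hi

    def write(self, idx, value):
        self.table[idx] = value   # updates from resolved branches are stored as-is

    def read(self, idx):
        stored = self.table[idx]
        if self.mode == "off" or self.rng.random() >= self.rate:
            return stored
        if self.mode == "range":
            return self.rng.randrange(self.lo, self.hi) & ~0x1   # 2-byte aligned
        return self.rng.randrange(0, 1 << ADDR_BITS) & ~0x1


class Btb:
    """Direct-mapped BTB: index derived from the PC, value = last resolved target."""

    def __init__(self, mutator, entries):
        self.mutator = mutator
        self.entries = entries

    def _index(self, pc):
        return (pc >> 2) % self.entries

    def predict(self, pc):
        return self.mutator.read(self._index(pc))

    def update(self, pc, resolved_target):
        self.mutator.write(self._index(pc), resolved_target)


def run_trace(mode, seed=1, branches=2000, entries=64):
    """Replay a constructed branch trace; return the set of predicted targets."""
    rng = random.Random(seed)
    if mode == "range":   # 'broader address range': 16 pages starting at .text
        lo, hi = TEXT_BASE, TEXT_BASE + 16 * PAGE_SIZE
    else:
        lo, hi = 0, 1 << ADDR_BITS
    btb = Btb(TableMutator(entries, rng, mode=mode, lo=lo, hi=hi), entries)
    predicted = set()
    for _ in range(branches):
        pc = TEXT_BASE + rng.randrange(0, TEXT_SIZE, 4)
        target = TEXT_BASE + rng.randrange(0, TEXT_SIZE, 4)  # real targets stay in .text
        guess = btb.predict(pc)
        if guess is not None:
            predicted.add(guess)
        btb.update(pc, target)  # the predictor learns only from resolved targets
    return predicted


def outside_text(targets):
    """Predicted targets that fall outside the ELF .text range."""
    return {t for t in targets if not (TEXT_BASE <= t < TEXT_BASE + TEXT_SIZE)}


def itlb_fault_candidates(targets):
    """Predicted targets whose page has no translation: an iTLB fault that
    the core must absorb on the mispredicted path without side effects."""
    return {t for t in targets if (t & ~(PAGE_SIZE - 1)) not in MAPPED_PAGES}


if __name__ == "__main__":
    for mode in ("off", "range", "random"):
        preds = run_trace(mode)
        print(f"{mode:6s} predictions={len(preds):4d} "
              f"outside_text={len(outside_text(preds)):4d} "
              f"itlb_fault_candidates={len(itlb_fault_candidates(preds)):4d}")
```

In a real flow the checks in outside_text and itlb_fault_candidates would be replaced by the co-simulation comparison against the reference model; the model only makes visible why a predictor fed from resolved targets can never, on its own, exercise the addresses that the mutator introduces.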

Implementation context

The technique is implemented as part of Logic Fuzzer integration with the Dromajo/OpenCosim verification infrastructure. The RTL accesses fuzzer-managed tables through DPI calls, and fuzzers are configured through Dromajo's JSON configuration file. For branch-predictor fuzzing, the fuzzer allocates a table with the same size as the branch predictor; during simulation, the tables can be fuzzed randomly or according to specific patterns.

Caveat

Logic Fuzzer can create microarchitectural states that no real program could reach. The cited work treats co-simulation failures from such fuzzing as potential bugs: they are red flags that engineers must prove or disprove, rather than automatically confirmed design defects.


CITATIONS

[1] Mispredicted path fuzzing can insert arbitrary instructions into a mispredicted path regardless of the executed binary, enabling full instruction coverage on that path earlier than without fuzzing. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[2] Logic Fuzzer table mutators are used to insert random instructions into the mispredicted path by replacing instruction-cache tag and data arrays with fuzzer-managed tables. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[3] BTB fuzzing can provide falsely predicted or random target addresses at runtime, and such scenarios can potentially create iTLB page faults on the mispredicted path; the same technique can be applied to the Return Address Stack. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[4] Without fuzzing, BTB predictions are constrained to the narrow address range encoded in the ELF .text section, while fuzzing produces broader atypical prediction ranges. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[5] In the described Dromajo/OpenCosim integration, RTL accesses fuzzer tables through DPI calls, fuzzers are configured by a JSON file, and branch-predictor fuzzer tables match the size of the branch predictor. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[6] Logic Fuzzer may create microarchitectural states unreachable by real programs, but co-simulation failures exposed by fuzzing are treated as potential bugs that engineers must prove or disprove. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...