STIMSMITH

Morpher Hardware Logic Block

Concept WIKI v1 · 5/27/2026

The Morpher Hardware Logic Block is the instruction-morphing component used by MorFuzz. It is described as software logic embedded in hardware that interacts with the device under test (DUT) through Verilog DPI to monitor internal state, hijack fetched instructions, and return morphed instructions while preserving pipeline-front-end consistency.

Overview

The Morpher Hardware Logic Block is the morpher component described in the MorFuzz implementation. The paper states that the morpher is implemented as software logic embedded in hardware and is used for instruction morphing in a RISC-V 64-bit MorFuzz prototype. It interacts with the DUT through the Verilog DPI interface (the Direct Programming Interface, which lets simulated RTL call into host-side C functions) to monitor processor internal state, hijack fetched instructions, and return morphed instructions. [C1]

Placement in the processor pipeline

The morpher performs field-aware mutation on fetched instructions, that is, it mutates individual encoding fields rather than arbitrary bits of the instruction word. Rather than modifying the whole processor pipeline, it replaces only the wires between the fetch unit and the decode unit. Because the substitution happens on those wires, the fetch unit still sees the original fetch addresses and offsets, so the morphed instruction's fetch-offset behavior stays consistent with the pipeline front end and no changes to the pipeline back end are required. The authors state that this design avoids unwanted effects introduced by the morpher. [C2]

Deterministic morphing for co-simulation

To keep the DUT and reference model aligned, the morpher maintains a morphing map. The map uses the original instruction and its address as the key and the morphed instruction as the value; including the address lets the same encoding fetched at different addresses morph differently without the two models losing track of which result applies where. When the reference model reaches the same key it performs the same lookup, so both models execute deterministic and identical morphed instructions. The paper states that this prevents instruction morphing from introducing false positives, since any divergence between the models would otherwise be reported as a DUT bug. [C3]

Pipeline-hazard-aware generation

The morpher also records the destination register field (rd) of instructions still executing in the pipeline in a sliding window. It can reuse registers from this window as the source (rs) and destination (rd) fields of later instructions, producing instruction streams with read-after-write and write-after-write hazards on registers that have not yet been written back. The authors state that this lets MorFuzz generate inputs that spontaneously match microarchitectural details of the DUT. [C4]
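The three mechanisms above (field-aware mutation on the fetch/decode wires, the (address, instruction) morphing map, and the sliding window of in-flight rd fields) fit in one small host-side model. The following is an added example written for this page, not the MorFuzz authors' code: a C routine of the kind a SystemVerilog DPI-C import at the fetch/decode boundary could call once per fetched instruction. The function name `morph`, the window depth of 4, the map size, the xorshift PRNG and the policy of mutating only ALU register fields are assumptions for illustration; the paper does not state these parameters.

```c
/* Added example, not the MorFuzz authors' code: a host-side C model of the morpher that a
 * SystemVerilog DPI-C import at the fetch/decode boundary could call once per fetched
 * instruction. Window depth, map size, the PRNG and the mutation policy are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RISC-V base-encoding register fields (same layout in RV32I and RV64I). */
#define OPCODE(i) ((i) & 0x7fu)
#define RD(i)     (((i) >> 7) & 0x1fu)
#define RS1(i)    (((i) >> 15) & 0x1fu)
#define SET_FIELD(i, shift, r) (((i) & ~(0x1fu << (shift))) | ((uint32_t)(r) << (shift)))
#define OP_ALU_R 0x33u          /* add, sub, and, ... */
#define OP_ALU_I 0x13u          /* addi, andi, ...    */
#define WINDOW_DEPTH 4          /* assumed: rd of the 4 youngest in-flight instructions */
#define MAP_SLOTS 1024          /* assumed: morphing-map capacity */

struct map_entry { uint64_t pc; uint32_t orig, morphed; bool used; };
struct morpher {
    uint8_t window[WINDOW_DEPTH]; int win_pos;  /* sliding window of in-pipeline rd fields */
    uint64_t rng;                               /* xorshift64 state; deterministic per seed */
    struct map_entry map[MAP_SLOTS];            /* (address, original insn) -> morphed insn */
};
static void morpher_init(struct morpher *m, uint64_t seed) { memset(m, 0, sizeof *m); m->rng = seed | 1; }
static uint32_t next_rand(struct morpher *m) {
    uint64_t x = m->rng; x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return (uint32_t)(m->rng = x);
}

/* Open-addressed lookup keyed by (address, original instruction): returns the matching
 * entry, else the free slot it would occupy; NULL when the map is full. */
static struct map_entry *map_find(struct morpher *m, uint64_t pc, uint32_t orig) {
    size_t i = (size_t)((pc * 0x9E3779B97F4A7C15ull) ^ orig) % MAP_SLOTS;
    for (size_t n = 0; n < MAP_SLOTS; n++) {
        struct map_entry *e = &m->map[(i + n) % MAP_SLOTS];
        if (!e->used || (e->pc == pc && e->orig == orig)) return e;
    }
    return NULL;
}

/* Field-aware mutation: only register fields of ALU instructions change, so the decoder still
 * sees valid opcode/funct bits. rs1 takes the youngest in-flight rd (read-after-write); rd may
 * be redirected to that same register (write-after-write); rs2 may take an older in-flight rd. */
static uint32_t mutate_fields(struct morpher *m, uint32_t insn) {
    uint32_t op = OPCODE(insn);
    if (op != OP_ALU_R && op != OP_ALU_I) return insn;
    uint8_t youngest = m->window[(m->win_pos + WINDOW_DEPTH - 1) % WINDOW_DEPTH];
    if (youngest == 0) return insn;                 /* x0 carries no hazard */
    uint32_t r = next_rand(m);
    insn = SET_FIELD(insn, 15, youngest);
    if (op == OP_ALU_R && (r & 1u)) insn = SET_FIELD(insn, 20, m->window[(r >> 1) % WINDOW_DEPTH]);
    if (r & 2u) insn = SET_FIELD(insn, 7, youngest);
    return insn;
}

/* Per-fetch entry point. First sight of (pc, insn): mutate and record. Any later query with
 * the same key (the reference model, or the DUT re-fetching after a flush) gets the recorded
 * value regardless of PRNG/window state, so DUT and reference execute identical instructions. */
uint32_t morph(struct morpher *m, uint64_t pc, uint32_t insn) {
    struct map_entry *e = map_find(m, pc, insn);
    uint32_t morphed = (e && e->used) ? e->morphed : mutate_fields(m, insn);
    if (e && !e->used) *e = (struct map_entry){ pc, insn, morphed, true };
    m->window[m->win_pos] = (uint8_t)RD(morphed);   /* morphed rd is now in flight */
    m->win_pos = (m->win_pos + 1) % WINDOW_DEPTH;
    return morphed;
}

/* Constructed template stream (not from the paper): four hazard-free ALU ops. */
static const uint32_t TEMPLATE[] = {
    0x00500093u, /* addi x1, x0, 5  */  0x00a00113u, /* addi x2, x0, 10 */
    0x001101b3u, /* add  x3, x2, x1 */  0x00f00213u, /* addi x4, x0, 15 */
};
#define TEMPLATE_LEN (sizeof TEMPLATE / sizeof TEMPLATE[0])
static void run_template(struct morpher *m, uint32_t out[TEMPLATE_LEN]) {
    for (size_t i = 0; i < TEMPLATE_LEN; i++) out[i] = morph(m, 0x80000000ull + 4 * i, TEMPLATE[i]);
}

struct demo_result { bool replay_identical, hazards_chained, opcodes_preserved; };
/* DUT pass, then a reference-model pass through the same map: the streams must be
 * bit-identical although the PRNG and window moved on, every morphed instruction after the
 * first must read the register the previous one writes, and no opcode may have changed. */
struct demo_result demo_run(void) {
    static struct morpher m;                        /* static: the map is large */
    uint32_t dut[TEMPLATE_LEN], ref[TEMPLATE_LEN];
    struct demo_result res = { false, true, true };
    morpher_init(&m, 0x5eed);
    run_template(&m, dut);
    run_template(&m, ref);
    res.replay_identical = memcmp(dut, ref, sizeof dut) == 0;
    for (size_t i = 0; i < TEMPLATE_LEN; i++) {
        if (OPCODE(dut[i]) != OPCODE(TEMPLATE[i])) res.opcodes_preserved = false;
        if (i > 0 && RS1(dut[i]) != RD(dut[i - 1])) res.hazards_chained = false;
    }
    return res;
}

int main(void) {
    struct demo_result r = demo_run();
    printf("replay identical: %d, hazards chained: %d, opcodes preserved: %d\n", r.replay_identical, r.hazards_chained, r.opcodes_preserved);
    return 0;
}
```

Two design points carry over from the paper's description. First, the lookup happens before any mutation, so a replay hit never consumes PRNG state or depends on the current window: that is what makes the second pass (standing in for the ISA reference model) bit-identical to the first. Second, the window records the rd of the morphed instruction, not the template's original rd, because it is the morphed instruction that is actually in flight in the DUT. In the example both passes share one in-process map; in MorFuzz the reference model must reach the same map contents, and a hash-table lookup in C is merely one convenient way to provide that.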

Role in MorFuzz

Within MorFuzz, the morpher helps transform stimulus-template instructions into diverse and meaningful instruction streams while the DUT executes. MorFuzz also uses online co-simulation with an ISA simulator running in parallel with the DUT, comparing states after instruction execution; deterministic morphing is therefore important for keeping the DUT and reference model on the same input stream. [C3] [C5]

CITATIONS

[1] C1: The morpher is implemented as software logic embedded in hardware, uses Verilog DPI, and monitors internal state, hijacks fetched instructions, and returns morphed instructions. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[2] C2: The morpher performs field-aware mutation and replaces only wires between fetch and decode, preserving front-end fetch-offset consistency and avoiding pipeline back-end modification. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[3] C3: The morpher maintains a morphing map keyed by the original instruction and address, enabling the DUT and reference model to execute deterministic and identical morphed instructions without false positives from morphing. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[4] C4: The morpher uses a sliding window of in-pipeline destination registers and can use those registers in later source and destination fields to generate read-after-write and write-after-write hazards. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[5] C5: MorFuzz morphs template instructions into diverse and meaningful instruction streams and uses online co-simulation with an ISA simulator running in parallel with the DUT for state checking. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation