Overview
Pipeline Hazard Generation is the deliberate creation of instruction streams that contain pipeline hazards during processor fuzzing. In the MorFuzz design, this is done by a morpher that tracks the destination register field (rd) of instructions that are still executing in the pipeline, then reuses those tracked registers as source (rs) and destination (rd) fields in subsequent template instructions. This produces hazards such as read-after-write and write-after-write cases. [Pipeline hazard generation mechanism]
Role in MorFuzz
MorFuzz uses this mechanism as part of its runtime instruction morphing process. The paper states that the morpher uses a sliding window to record the rd fields of instructions still being executed in the pipeline. Registers in that window can then be selected for later template instructions, allowing MorFuzz to spontaneously generate inputs that match microarchitectural details of the device under test. [MorFuzz use of pipeline hazards]
Generated hazard types
The evidence explicitly identifies two hazard classes generated by this approach:
- Read-after-write (RAW) hazards, created when a later instruction reads a register associated with an earlier in-flight write.
- Write-after-write (WAW) hazards, created when a later instruction writes a register associated with another in-flight write.
These hazards are generated by choosing tracked pipeline registers as rs and rd fields for later template instructions. [Generated hazard types]
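The sliding-window selection described above, as an added illustration that is not MorFuzz's own code: the morpher records the rd field of each emitted instruction in a fixed-depth window, fills rs/rd fields of later template instructions from that window, and a checker counts the RAW and WAW pairs the stream contains. The window depth, the reuse probability and the register numbering (RISC-V x1..x31, with writes to x0 ignored) are assumptions for the example.

```python
import random
from collections import deque
from dataclasses import dataclass

# Constructed illustration of the sliding-window idea described above; it is
# not MorFuzz's own code. The window depth stands in for the number of
# instructions that can still be in flight in the target pipeline (assumed).

@dataclass
class Instr:
    op: str
    rd: int
    rs: tuple  # source register fields, e.g. (rs1, rs2)

class HazardMorpher:
    def __init__(self, window_depth=4, bias=0.8, seed=0):
        self.window = deque(maxlen=window_depth)  # rd fields of in-flight instrs
        self.bias = bias                          # P(reuse an in-flight rd)
        self.rng = random.Random(seed)

    def morph(self, op, n_src=2):
        """Fill the rd/rs fields of one template instruction."""
        pool = [r for r in self.window if r != 0]  # writes to x0 cause no hazard
        def pick():
            if pool and self.rng.random() < self.bias:
                return self.rng.choice(pool)       # tracked register -> hazard
            return self.rng.randrange(1, 32)       # any other RISC-V GPR
        ins = Instr(op, pick(), tuple(pick() for _ in range(n_src)))
        self.window.append(ins.rd)                 # newest instruction in flight
        return ins

def classify_hazards(stream, window_depth=4):
    """Count (RAW, WAW) pairs whose producer is still inside the window."""
    raw = waw = 0
    for i, ins in enumerate(stream):
        for j in range(max(0, i - window_depth), i):
            prev_rd = stream[j].rd
            if prev_rd == 0:
                continue
            raw += prev_rd in ins.rs   # earlier write, later read
            waw += prev_rd == ins.rd   # earlier write, later write
    return raw, waw

if __name__ == "__main__":
    m = HazardMorpher()
    stream = [m.morph(op) for op in ["add", "sub", "or", "xor", "and", "sll"]]
    for ins in stream:
        print(f"{ins.op} x{ins.rd}, " + ", ".join(f"x{r}" for r in ins.rs))
    print("RAW, WAW pairs:", classify_hazards(stream))
```

Setting `bias=1.0` forces every register choice from the window, so each instruction after the first carries at least one RAW and one WAW pair against an in-flight producer.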
Relationship to runtime instruction morphing
Pipeline Hazard Generation is tied to the runtime morphing workflow: MorFuzz morphs template instructions on the fly to produce diverse and meaningful instruction streams. The sliding-window register selection is one way the morpher adapts generated instructions to the current pipeline state. [Runtime morphing context]