STIMSMITH

Processor State Coverage

Concept WIKI v1 · 5/27/2026

Processor State Coverage is a processor-fuzzing concept centered on steering tests toward broader and deeper architectural state exploration. In the provided evidence, MorFuzz supports this goal through processor-state-level mutation primitives in stimulus templates, runtime instruction morphing guided by runtime information, and synchronizable co-simulation that keeps the device under test and simulator aligned while checking architectural state after each instruction.

Overview

Processor State Coverage describes the coverage-oriented goal of exercising diverse processor architectural states during processor fuzzing. In the MorFuzz evidence, this goal is supported by stimulus templates that include processor-state-level runtime mutation primitives, alongside instruction-field-level and program-semantic-level mutation primitives, so that the processor input space is explored more comprehensively than fixed instruction streams allow. [Processor-state mutation primitives]

MorFuzz’s architecture ties state exploration to runtime feedback: it dynamically mutates instructions based on runtime information, executes the resulting instruction streams on both a processor under test and a simulator, and compares their architectural states after each instruction. [Runtime feedback and state comparison]

Role in MorFuzz

MorFuzz uses three techniques that are relevant to processor-state coverage:

  1. Stimulus templates provide multi-level mutation primitives: processor-state-level, instruction-field-level, and program-semantic-level. Rather than emitting a fixed instruction stream, a template describes how a stream may be mutated, so that one template yields many diverse and semantically meaningful instruction streams. [Processor-state mutation primitives]
  2. Instruction morphing mutates instructions that are about to execute, using runtime information to modify opcodes and operands while keeping the encoding in a valid field format with meaningful semantics. The evidence states that this makes coverage feedback more effective at guiding the fuzzer. [Instruction morphing and coverage guidance]
  3. Synchronizable co-simulation compares the architectural state of the device under test and the simulator after each instruction. When a difference is legal under the specification, MorFuzz synchronizes state from the device under test to the simulator so that synchronous co-simulation can continue, which directs the fuzzer toward deeper states; a difference that is not legal is a deviation from the ISA specification, the bug class MorFuzz targets. [Synchronizable co-simulation and deeper states]
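The three techniques above can be seen together in a single loop. The following is an added toy illustration, not MorFuzz's code and not a claim about how MorFuzz implements any of these steps. It assumes a reduced RV32I model (R-type ALU ops, `addi`, and a `rdcycle` CSR read), uses a per-instruction cycle count as the stand-in for an implementation-defined quantity whose differing value is a legal difference to synchronize, and injects a constructed `sra`-executed-as-`srl` defect into the DUT model to show an illegal difference being reported. All names (`Core`, `morph`, `cosim`, `LEGAL_DIFF_CSRS`, `run_clean`, `run_buggy`) and the choice of `rdcycle` as the legal-difference example are the illustration's own assumptions; the page does not describe MorFuzz's actual rules for legal differences.

```python
# Added illustration, not MorFuzz's code: toy RV32I co-simulation with runtime morphing.
import random

MASK32 = 0xFFFFFFFF
OP_RTYPE, OP_ITYPE, OP_SYSTEM, CSR_CYCLE = 0x33, 0x13, 0x73, 0xC00
# RV32I R-type ALU ops keyed by (funct7, funct3): the only legal pairs under opcode 0x33
RTYPE = {(0x00, 0): "add", (0x20, 0): "sub", (0x00, 1): "sll", (0x00, 2): "slt",
         (0x00, 3): "sltu", (0x00, 4): "xor", (0x00, 5): "srl", (0x20, 5): "sra",
         (0x00, 6): "or", (0x00, 7): "and"}
LEGAL_DIFF_CSRS = {CSR_CYCLE}   # CSRs whose read value the ISA leaves implementation-defined

def encode_r(f7, f3, rd, rs1, rs2):
    return (f7 << 25) | (rs2 << 20) | (rs1 << 15) | (f3 << 12) | (rd << 7) | OP_RTYPE
def encode_addi(rd, rs1, imm):   # addi rd, rs1, imm (12-bit signed immediate)
    return ((imm & 0xFFF) << 20) | (rs1 << 15) | (rd << 7) | OP_ITYPE
def encode_rdcycle(rd):          # csrrs rd, cycle, x0 (the rdcycle pseudo-instruction)
    return (CSR_CYCLE << 20) | (2 << 12) | (rd << 7) | OP_SYSTEM

def fields(insn):
    return {"op": insn & 0x7F, "rd": (insn >> 7) & 0x1F, "f3": (insn >> 12) & 7,
            "rs1": (insn >> 15) & 0x1F, "rs2": (insn >> 20) & 0x1F,
            "f7": insn >> 25, "imm12": insn >> 20}
def signed(x, bits=32):
    return x - (1 << bits) if x & (1 << (bits - 1)) else x

def alu(mn, a, b):
    sh = b & 31
    return {"add": a + b, "sub": a - b, "sll": a << sh, "slt": int(signed(a) < signed(b)),
            "sltu": int(a < b), "xor": a ^ b, "srl": a >> sh, "sra": signed(a) >> sh,
            "or": a | b, "and": a & b}[mn] & MASK32

class Core:
    """32 GPRs plus a cycle counter. cycles_per_insn stands in for microarchitectural
    timing, which the ISA does not fix; misdecode is a constructed defect for the demo."""
    def __init__(self, cycles_per_insn=1, misdecode=None):
        self.x, self.cycle, self.cpi = [0] * 32, 0, cycles_per_insn
        self.misdecode = misdecode or {}   # {mnemonic: mnemonic actually executed}

    def step(self, insn):
        f = fields(insn)
        if f["op"] == OP_RTYPE:
            mn = RTYPE[(f["f7"], f["f3"])]
            val = alu(self.misdecode.get(mn, mn), self.x[f["rs1"]], self.x[f["rs2"]])
        elif f["op"] == OP_ITYPE and f["f3"] == 0:
            val = (self.x[f["rs1"]] + signed(f["imm12"], 12)) & MASK32
        elif f["op"] == OP_SYSTEM and f["imm12"] == CSR_CYCLE:
            val = self.cycle & MASK32
        else:
            raise ValueError(f"unsupported encoding {insn:#010x}")
        if f["rd"]:                  # x0 is hard-wired to zero
            self.x[f["rd"]] = val
        self.cycle += self.cpi
        return f["rd"]

def morph(insn, regs, rng):
    """Instruction morphing: rewrite an R-type instruction just before it executes, guided
    by runtime register contents. The result is always a legal RV32I R-type encoding, and
    operands are drawn from registers that currently hold non-zero values."""
    if fields(insn)["op"] != OP_RTYPE:
        return insn
    live = [i for i in range(1, 32) if regs[i]] or [1]
    f7, f3 = rng.choice(sorted(RTYPE))
    return encode_r(f7, f3, rng.randrange(1, 32), rng.choice(live), rng.choice(live))

def cosim(stream, dut, ref, rng, morph_rate=0.0):
    """Run the (possibly morphed) stream on DUT and reference in lockstep, comparing
    architectural state after every instruction. A difference caused by an
    implementation-defined CSR read is legal: the DUT value is copied into the
    reference and co-simulation continues. Any other difference is reported."""
    synced = 0
    for pc, insn in enumerate(stream):
        if rng.random() < morph_rate:
            insn = morph(insn, dut.x, rng)
        rd, f = dut.step(insn), fields(insn)
        ref.step(insn)
        if dut.x == ref.x:
            continue
        if f["op"] == OP_SYSTEM and f["imm12"] in LEGAL_DIFF_CSRS:
            ref.x[rd] = dut.x[rd]    # synchronize the legal difference DUT -> simulator
            synced += 1
            continue
        bad = [i for i in range(32) if dut.x[i] != ref.x[i]]
        return {"ok": False, "pc": pc, "insn": insn, "regs": bad, "synced": synced}
    return {"ok": True, "synced": synced}

def sample_stream():   # constructed seed stream
    return [encode_addi(1, 0, -8),        # x1 = 0xFFFFFFF8
            encode_addi(2, 0, 3),         # x2 = 3
            encode_r(0x20, 5, 3, 1, 2),   # sra x3, x1, x2  -> 0xFFFFFFFF
            encode_r(0x00, 5, 4, 1, 2),   # srl x4, x1, x2  -> 0x1FFFFFFF
            encode_rdcycle(5),            # x5 = cycle (implementation-defined)
            encode_r(0x00, 0, 6, 3, 4)]   # add x6, x3, x4

def run_clean(seed=1):   # correct DUT, slower pipeline: only rdcycle differs (legal)
    return cosim(sample_stream(), Core(cycles_per_insn=3), Core(), random.Random(seed), 0.5)

def run_buggy():         # DUT executing sra as srl (constructed defect): caught at the sra
    return cosim(sample_stream(), Core(misdecode={"sra": "srl"}), Core(), random.Random(0))
```

Two points carry over to a real harness. The morphed instruction is what both sides execute, so the comparison stays meaningful no matter how aggressively the stream is rewritten. And the set of legal differences must be an explicit, narrow allow-list keyed to the specific read that produced them: if every mismatch after a CSR access were synchronized away, a real functional bug landing on the same instruction would be silently masked.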

Verification context

The cited MorFuzz work focuses on software-triggered architectural functional bugs: combinations of instructions that make processor behavior deviate from the ISA specification. It verifies processor behavior under any privilege level, while excluding behavior that is undefined or unconstrained by the specification and excluding transient-execution bugs caused by microarchitectural mistakes. [MorFuzz verification scope]

Practical meaning

Within this evidence base, Processor State Coverage is best understood as a fuzzing objective and feedback target: tests should not merely generate many instructions, but should drive the processor through meaningful architectural states. MorFuzz operationalizes this by mutating processor state and instructions at runtime, measuring coverage feedback, and maintaining synchronized comparison against a golden simulator model. [Runtime feedback and state comparison]