STIMSMITH

Processor Stimulus Generation

Concept

In the ISS-verification setting covered by the evidence, processor stimulus generation produces instruction bytestreams and constrained instruction sequences for exercising a processor model or instruction set simulator (ISS). The approach combines fuzzing, ISA-aware mutations, and functional coverage tracing, followed by comparison of execution results against reference ISSs.

First seen 5/29/2026
Last seen 5/29/2026
Evidence 8 chunks
Wiki v1

WIKI

Overview

Processor stimulus generation is the creation of instruction-level test inputs for processor or instruction set simulator (ISS) verification. In the coverage-guided fuzzing workflow described by "Verifying Instruction Set Simulators using Coverage-guided Fuzzing", stimulus generation is the first step: a fuzzer generates a testset, and the resulting tests are then used to verify an ISS under test by comparing its execution results with one or more reference ISSs.[C1]

The generated stimulus is not limited to preselected legal programs. The workflow considers all possible instructions and instruction sequences, including illegal instructions, with the explicit goal of checking uncommon and error cases.[C2]

RELATIONSHIPS

1 connection
The paper addresses processor stimulus generation as a key aspect of ISS verification.

CITATIONS

12 sources
[1] The workflow first generates a testset with a fuzzer and then uses it to verify an ISS under test by comparing execution results with one or more reference ISSs. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[2] The stimulus-generation approach considers all possible instructions and instruction sequences, including illegal instructions, to check uncommon and error cases. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[3] The implementation inserts a binary instruction bytestream into an ELF template by creating an empty section with a linker script and overwriting it using objcopy --update-section. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[4] The custom mutator scans through the bytestream and applies local mutations, choosing between opcode injection and constrained sequence injection. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[5] Opcode injection selects a random instruction, injects its opcode bits, preserves randomized parameter fields, and may optionally inject a special immediate value; the RISC-V ADDI example illustrates separate opcode and operand bit fields. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[6] The mutator can inject a randomly selected constrained sequence of instructions into the bytestream. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[7] A constrained sequence is a list of concrete instructions with some fixed parameters and others randomized; a two-instruction large-constant-loading sequence constrains the destination register while randomizing or specially selecting the value, and such sequences are engineer-defined and ISA-specializable. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[8] The paper defines generic functional coverage metrics for registers and immediates that reason about instruction structure and operand values. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[9] Operand-value metrics require register and immediate parameters to be assigned special values including MIN, -1, 0, 1, and MAX, with negative values omitted for unsigned immediates. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[10] Functional coverage tracing instruments the ISS execution step with begin-fcov-trace and end-fcov-trace calls that receive the instruction, decoded operation, and register snapshot, capturing pre- and post-execution register values and immediate values encoded in the instruction. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[11] Execution-result mismatches between ISSs must be analyzed because configuration differences such as memory size or mapped peripherals can cause non-bug differences, including load/store success on one ISS and failure on another. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
[12] The paper uses processor stimulus generation concepts such as fuzzed instruction bytestreams, custom mutations, constrained sequences, coverage tracing, and reference-ISS comparison in ISS verification. Verifying Instruction Set Simulators using Coverage-guided Fuzzing
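
Citations [5] and [9] describe opcode injection with an optional special immediate value. The sketch below is an added example, not code from the paper or from this page, that applies the idea to the RISC-V ADDI encoding. The function names, the choice of a single aligned 32-bit slot, the 0.5 probability and the sample bytestream are assumptions made for illustration.

```python
import random

# RISC-V I-type layout: imm[31:20] | rs1[19:15] | funct3[14:12] | rd[11:7] | opcode[6:0]
ADDI_MASK = 0x0000707F    # bits that identify the instruction (opcode + funct3)
ADDI_MATCH = 0x00000013   # opcode 0010011, funct3 000
IMM_SHIFT, IMM_BITS = 20, 12
IMM_FIELD = ((1 << IMM_BITS) - 1) << IMM_SHIFT
# Special values for a signed 12-bit immediate: MIN, -1, 0, 1, MAX
SPECIAL_IMMS = (-(1 << (IMM_BITS - 1)), -1, 0, 1, (1 << (IMM_BITS - 1)) - 1)

def inject_opcode(word, mask=ADDI_MASK, match=ADDI_MATCH):
    """Overwrite only the identifying bits; rd, rs1 and imm keep their fuzzed values."""
    return (word & ~mask & 0xFFFFFFFF) | match

def inject_imm(word, value):
    """Replace imm[31:20] with the two's-complement encoding of value."""
    return (word & ~IMM_FIELD & 0xFFFFFFFF) | ((value << IMM_SHIFT) & IMM_FIELD)

def decode_addi(word):
    """Return the operand fields if word is an ADDI, else None."""
    if (word & ADDI_MASK) != ADDI_MATCH:
        return None
    imm = word >> IMM_SHIFT
    if imm >= 1 << (IMM_BITS - 1):      # sign-extend the 12-bit field
        imm -= 1 << IMM_BITS
    return {"rd": (word >> 7) & 31, "rs1": (word >> 15) & 31, "imm": imm}

def mutate(stream, rng, special_prob=0.5):
    """Local mutation of one aligned 32-bit slot (slot choice and probability are assumptions)."""
    out = bytearray(stream)
    off = 4 * rng.randrange(len(out) // 4)
    word = inject_opcode(int.from_bytes(out[off:off + 4], "little"))
    if rng.random() < special_prob:     # optional special-immediate injection
        word = inject_imm(word, rng.choice(SPECIAL_IMMS))
    out[off:off + 4] = word.to_bytes(4, "little")
    return bytes(out), off

if __name__ == "__main__":
    seed = bytes.fromhex("deadbeef00000000ffffffff")   # constructed fuzzer input
    mutated, off = mutate(seed, random.Random(1))
    print(off, mutated.hex(), decode_addi(int.from_bytes(mutated[off:off + 4], "little")))
```

Because only the masked bits are overwritten, the register fields of the original slot survive the mutation, which keeps operand diversity from the fuzzer while guaranteeing that the slot decodes as the chosen instruction.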