STIMSMITH

State Synchronization

Concept WIKI v1 · 5/27/2026

State synchronization is a MorFuzz mechanism that handles legal mismatches between a processor design under test and a reference simulator by copying the hardware state to the simulator, allowing co-simulation to continue instead of stopping on non-bug implementation differences.

Overview

In MorFuzz, state synchronization is used during processor co-simulation to handle mismatched behavior that is not necessarily a bug. MorFuzz performs online state verification between a device under test (DUT) and a reference simulator; when a mismatch is detected, the framework can either report a potential bug or, if the mismatch is judged legal, synchronize the hardware state to the simulator and continue execution.

Role in co-simulation

MorFuzz's verification flow compares the DUT with the simulator at instruction commit and write-back time. The DUT commits its program counter and executed instruction, the simulator executes and checks the committed instruction, and the simulator records reference write-back data in a scoreboard. When the DUT write-back value becomes available, MorFuzz compares it against the reference value to determine whether execution was correct.

Without synchronization, a mismatch can cause MorFuzz to report a potential bug and exit the simulation. However, MorFuzz observes that not all mismatches are bugs: some are implementation differences, such as cases where the simulator lacks a corresponding peripheral simulation. Exiting in such cases discards the DUT's accumulated state and makes it harder for fuzzing to reach deeper processor states.

Synchronization behavior

When a mismatch is detected, MorFuzz analyzes whether the difference is legal. For example, if an instruction accesses a peripheral register and the simulator lacks the corresponding peripheral model, MorFuzz can analyze the accessed physical address on the simulator side. If the mismatch is legal, MorFuzz synchronizes the hardware state to the simulator; otherwise, it reports the mismatch as a potential bug.

MorFuzz can also synchronize external events, such as interrupts, to the simulator. By automatically synchronizing legal mismatched states, MorFuzz avoids premature termination caused by false positives and allows simulation to execute deeper.

Prerequisites for legal synchronization

MorFuzz defines rules for approving state synchronization. According to the cited description, a difference must satisfy three prerequisites before it is considered legal; two of them are stated explicitly:

  • Only instructions involving operations beyond the verification scope can proceed to synchronization checks; in the cited implementation, this limits synchronization-triggering instructions to CSR instructions and memory-operation instructions.
  • The DUT's control-flow information must pass the commitment-stage check.

These checks also catch DUT permission bugs: if the DUT incorrectly approves an access to a privileged register or to reserved address space, the simulator's analysis of that access raises an exception, so the mismatch is reported rather than treated as a legal synchronization case.
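As an added, constructed example (not MorFuzz's code), the loop below models the co-simulation flow described in the sections above: the simulator's reference write-back is parked in a scoreboard until the DUT's value arrives, the two prerequisites listed here gate the synchronization check, the simulator analyzes the accessed physical address or CSR to decide whether a mismatch is legal, a legal mismatch is resolved by copying the DUT's state into the simulator, and an interrupt observed on the DUT is synchronized by moving the simulator's PC. The address map, CSR numbers, instruction forms, the names Simulator, Insn, Irq and cosim, and all traces are assumptions made for the example; the third prerequisite is not described on this page and is not modeled.

```python
"""Toy co-simulation loop with MorFuzz-style state synchronization.
Constructed illustration, not MorFuzz's own code: a DUT trace (built inline)
is replayed against a small reference simulator with a write-back scoreboard."""
from dataclasses import dataclass, field

# Assumed address map: RAM is modeled by the simulator, the UART MMIO window
# exists only in the DUT (unmodeled peripheral), the top range is reserved.
UART = range(0x1000_0000, 0x1000_1000)
RESERVED = range(0xFFFF_0000, 0x1_0000_0000)

SYNCABLE_KINDS = {"lw", "csrr"}  # prerequisite 1: only CSR / memory-op insns
UNMODELED_CSRS = {0xC00}         # assumed: cycle counter, legitimately differs
PRIVILEGED_CSRS = {0x300}        # assumed: mstatus, not readable from user mode


@dataclass
class Insn:
    pc: int
    kind: str       # "add": x[rd]=x1+arg; "lw": x[rd]=mem[arg]; "csrr": x[rd]=csr[arg]
    rd: int
    arg: int
    dut_value: int  # write-back value the DUT produced (constructed)


@dataclass
class Irq:
    handler_pc: int  # external interrupt observed on the DUT


@dataclass
class Simulator:
    regs: dict = field(default_factory=lambda: {1: 5})
    csrs: dict = field(default_factory=lambda: {0xC00: 0, 0x300: 0x1800})
    mem: dict = field(default_factory=dict)
    pc: int = 0x8000_0000
    user_mode: bool = True

    def execute(self, insn):
        """Reference semantics; raises on accesses the ISA forbids."""
        if insn.kind == "add":
            return (self.regs[1] + insn.arg) & 0xFFFF_FFFF
        if insn.kind == "lw":
            if insn.arg in RESERVED:
                raise PermissionError(f"load from reserved address {insn.arg:#x}")
            return self.mem.get(insn.arg, 0)
        if insn.kind == "csrr":
            if self.user_mode and insn.arg in PRIVILEGED_CSRS:
                raise PermissionError(f"user-mode read of privileged CSR {insn.arg:#x}")
            return self.csrs[insn.arg]
        raise ValueError(insn.kind)

    def legal_mismatch(self, insn):
        """Simulator-side analysis of the address or CSR a mismatching insn touched."""
        if insn.kind == "lw":
            return insn.arg in UART        # unmodeled peripheral: legal
        return insn.arg in UNMODELED_CSRS  # implementation-defined CSR: legal


def cosim(trace):
    """Replay a DUT trace; returns (event log, simulator state at exit)."""
    sim, scoreboard, log = Simulator(), {}, []
    for item in trace:
        if isinstance(item, Irq):          # synchronize the external event
            sim.pc = item.handler_pc
            log.append(("sync_irq", item.handler_pc))
            continue
        if item.pc != sim.pc:              # prerequisite 2: commitment-stage PC check
            log.append(("bug", item.pc, f"control flow diverged from {sim.pc:#x}"))
            break
        try:
            scoreboard[item.pc] = sim.execute(item)   # reference write-back
        except PermissionError as exc:                # DUT approved a forbidden access
            log.append(("bug", item.pc, str(exc)))
            break
        expected = scoreboard.pop(item.pc)            # DUT write-back now available
        if item.dut_value == expected:
            log.append(("ok", item.pc))
        elif item.kind in SYNCABLE_KINDS and sim.legal_mismatch(item):
            log.append(("sync", item.pc, expected, item.dut_value))
        else:
            log.append(("bug", item.pc, f"write-back {item.dut_value:#x} != {expected:#x}"))
            break
        sim.regs[item.rd] = item.dut_value  # on sync, the DUT's value is copied over
        sim.pc += 4
    return log, sim


# Constructed DUT traces: one legal run and four that must be reported as bugs.
LEGAL_TRACE = [
    Insn(0x8000_0000, "add", 2, 3, 8),              # 5 + 3 == 8
    Insn(0x8000_0004, "lw", 3, 0x1000_0004, 0x5A),  # UART status: simulator has no model
    Insn(0x8000_0008, "csrr", 4, 0xC00, 1234),      # cycle counter differs from the ISS
    Irq(0x8000_1000),                                # DUT took an external interrupt
    Insn(0x8000_1000, "add", 5, 1, 6),               # handler runs in both; 5 + 1 == 6
]
ALU_BUG_TRACE = [Insn(0x8000_0000, "add", 2, 3, 9)]             # wrong ALU result, not syncable
CF_BUG_TRACE = [Insn(0x8000_0004, "lw", 3, 0x1000_0004, 0x5A)]  # legal access, but PC diverged
RESERVED_TRACE = [Insn(0x8000_0000, "lw", 3, 0xFFFF_0010, 0)]   # DUT allowed a reserved load
PRIV_CSR_TRACE = [Insn(0x8000_0000, "csrr", 3, 0x300, 0x1800)]  # DUT allowed privileged CSR read
```

Running `cosim(LEGAL_TRACE)` yields ok, sync, sync, sync_irq, ok and leaves the simulator holding the DUT's UART and cycle-counter values, so execution continues into the interrupt handler instead of stopping at the first peripheral read. The other four traces stop with a bug report: the ALU mismatch fails the instruction-type prerequisite, the diverged PC fails the commitment-stage check before any address analysis runs, and the reserved-address and privileged-CSR loads raise in the simulator before a synchronization is ever considered.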

Relationship to MorFuzz

State synchronization is one of the mechanisms evaluated as contributing to MorFuzz's fuzzing effectiveness. In MorFuzz's design, it complements runtime instruction morphing and online state verification by sustaining co-simulation after legal implementation differences rather than stopping immediately at every mismatch.

CITATIONS

6 citations
[1] MorFuzz synchronizes legal mismatched hardware state to the simulator and otherwise reports a potential bug. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[2] State synchronization helps MorFuzz continue simulation after legal implementation differences, reducing premature termination from false positives and enabling deeper execution. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[3] MorFuzz can synchronize external events such as interrupts to the simulator. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[4] MorFuzz's online verification compares committed instructions and write-back values between the DUT and simulator using a scoreboard. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[5] MorFuzz limits synchronization-triggering instruction types to CSR instructions and memory-operation instructions as part of its synchronization prerequisites. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation
[6] The DUT's control-flow information must pass the commitment-stage check before a difference can be considered legal for state synchronization. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation