Skip to content
STIMSMITH

Test Vector Generation

Concept

Test vector generation is described in the evidence as a fuzzing-driven activity for processor verification: a fuzzer produces test vectors, runs them through an instrumented ISS/RTL co-simulation, receives coverage and return-code feedback, applies mutations, and then post-processes generated vectors to cluster failures that likely expose the same bug.

First seen 5/28/2026
Last seen 6/5/2026
Evidence 8 chunks
Wiki v1

WIKI

Overview

In the cited processor-verification workflow, test vector generation is performed by a coverage-guided fuzzer. The fuzzer emits a test vector into a co-simulation environment containing an instruction set simulator (ISS) and an RTL core. The co-simulation is instrumented to collect coverage, and its coverage plus return code are returned to the fuzzer as execution feedback, in the described approach through shared memory.

Feedback-guided generation loop

READ FULL ARTICLE →

NEIGHBORHOOD

No graph connections found for this entity yet. It may appear in future ingestion runs.

explore full graph →

RELATIONSHIPS

2 connections
Code-based Test Generation for Validation of Functional Processor Descriptions ← uses 100% 1e
The paper's main contribution is automated test vector generation.
code-based test generation ← implements 100% 1e
Code-based test generation implements the process of generating test vectors from processor descriptions.

CITATIONS

6 sources
6 citations — click to expand
[1] A coverage-guided fuzzer generates test vectors for an ISS/RTL co-simulation, and the co-simulation returns coverage and return-code feedback to the fuzzer through shared memory in the described approach. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[2] The fuzzer collects test vectors and categorizes them into equal-behavior vectors and behavior-mismatch vectors, stopping when a fuzzing timeout is reached. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[3] Custom mutations are used to improve fuzzing efficiency, including insertion and replacement variants and CSR instruction insertion/replacement. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[4] For CSR testing, the described mutation functionality adds two CSR instructions: one writes a CSR and the next reads the same CSR, propagating possible CSR misbehavior into a register for detection by the execution controller. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[5] The post-processing step clusters test vectors that detect the same bug, represents each cluster with a unique test vector, and uses a logging co-simulation to record executed instructions and addresses. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[6] The cited evaluation uses VexRiscv as the RTL device under test, an ISS from RISC-V VP as the reference, Verilator to translate the RTL core to C++, a common SystemC testbench, and AFL 2.56b as the out-of-process fuzzer baseline. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing