STIMSMITH

Test Vector

Concept WIKI v1 · 5/26/2026

In the cited processor-verification fuzzing flow, a test vector is a fuzzer-generated, bounded input that is used as an instruction stream for co-simulation of an RTL processor core against a reference ISS. A Translation Buffer deterministically expands the bounded test vector into an endless instruction stream, while execution control, mutation strategies, and post-processing manage runtime, coverage growth, mismatch detection, and duplicate bug reports.

Definition

In the cited cross-level processor-verification approach, a test vector is the input generated by a coverage-guided fuzzer and used as the instruction stream for co-simulation. The co-simulation combines an RTL core under test with a reference instruction-set simulator (ISS), and both execute the instruction stream derived from the test vector. [test-vector-role]

Representation as an instruction stream

The approach treats fuzzer-generated test vectors as bounded inputs that must be supplied to processors as instruction streams. A Translation Buffer converts a bounded test vector into a deterministic endless instruction stream by cyclic repetition. Determinism is important because the fuzzer assumes deterministic execution; if the transformation from test vector to instruction stream were nondeterministic, fuzzing performance would be reduced. [translation-buffer]

The Translation Buffer is sized to the number of instructions in the test vector, so that, unlike a conventional ring buffer, no entry is ever overwritten: the ring-buffer idea is adapted from unbounded writing to unbounded reading, with only the read position wrapping around. [translation-buffer-structure]

Execution constraints and mismatch detection

Because test vectors are interpreted as arbitrary endless instruction streams, a test vector can cause an infinite loop. The Execution Controller limits execution by detecting a loop conservatively when a new program-counter address equals an already executed address and register values are unchanged; it also applies a hard limit of 10,000 ISS instruction executions. [execution-control]

The same Execution Controller also detects mismatches between the RTL core and the reference ISS. It compares register values at synchronization points, that is, wherever register values have changed; when the ISS and RTL-core state differ, it reports an error and stops the simulation. [mismatch-detection]
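The Translation Buffer and Execution Controller described above, as an added example that is not code from the cited work or from this page. The four-instruction RISC-V-like subset (addi, add, sub, beq), the eight-register file, the toy ISS and the operand swap planted in the stand-in RTL model are all assumptions made for the illustration; the 10,000-instruction hard limit is the page's own figure.

```python
# Added illustration: Translation Buffer + Execution Controller on a constructed
# toy ISA. Not the cited work's code. The instruction subset, register count,
# ISS semantics and the bug in the RTL stand-in are assumptions for this example.
from dataclasses import dataclass, field
from typing import List, Optional

HARD_LIMIT = 10_000   # hard limit on ISS instruction executions quoted on the page
NREGS = 8             # toy register file (assumption); x0 is hardwired to zero
MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Insn:
    """One instruction of the constructed subset: addi, add, sub or beq."""
    op: str
    rd: int = 0
    rs1: int = 0
    rs2: int = 0
    imm: int = 0


class TranslationBuffer:
    """Expands a bounded test vector into an endless stream by cyclic repetition.
    The buffer is sized to the vector, so nothing is ever overwritten; only the
    read position wraps, and a given pc always yields the same instruction."""

    def __init__(self, vector: List[Insn]):
        if not vector:
            raise ValueError("empty test vector")
        self.vector = list(vector)
        self.span = 4 * len(self.vector)   # byte addresses wrap after this span

    def fetch(self, pc: int) -> Insn:
        return self.vector[(pc // 4) % len(self.vector)]


def iss_step(insn: Insn, regs: List[int], pc: int, span: int) -> int:
    """Reference semantics (the ISS). Updates regs in place, returns the next pc."""
    nxt = (pc + 4) % span
    if insn.op == "beq":
        return (pc + insn.imm) % span if regs[insn.rs1] == regs[insn.rs2] else nxt
    if insn.op == "addi":
        val = regs[insn.rs1] + insn.imm
    elif insn.op == "add":
        val = regs[insn.rs1] + regs[insn.rs2]
    elif insn.op == "sub":
        val = regs[insn.rs1] - regs[insn.rs2]
    else:
        raise ValueError(f"unknown instruction {insn.op}")
    if insn.rd != 0:                       # writes to x0 are discarded
        regs[insn.rd] = val & MASK
    return nxt


def rtl_step(insn: Insn, regs: List[int], pc: int, span: int) -> int:
    """Stand-in for the RTL core under test: identical to the ISS except for a
    constructed bug that swaps the operands of sub."""
    if insn.op == "sub":
        insn = Insn("sub", insn.rd, insn.rs2, insn.rs1)
    return iss_step(insn, regs, pc, span)


@dataclass
class Result:
    status: str                  # "loop", "limit" or "mismatch"
    executed: int                # ISS instructions executed before stopping
    trace: List[Insn] = field(default_factory=list)   # executed instructions, in order
    kind: Optional[str] = None   # for mismatches: "result" or "address"


def cosimulate(vector: List[Insn], limit: int = HARD_LIMIT) -> Result:
    """Execution Controller: runs ISS and RTL stand-in in lock-step on the same
    stream, detects loops conservatively, enforces the hard limit and compares
    state at synchronisation points (steps where the registers changed)."""
    tb = TranslationBuffer(vector)
    ref, rtl = [0] * NREGS, [0] * NREGS
    ref_pc = rtl_pc = 0
    seen = {}                    # pc -> register file the last time that pc executed
    trace: List[Insn] = []
    for n in range(limit):
        snap = tuple(ref)
        if seen.get(ref_pc) == snap:       # revisited address, unchanged registers
            return Result("loop", n, trace)
        seen[ref_pc] = snap
        insn = tb.fetch(ref_pc)
        trace.append(insn)
        ref_pc = iss_step(insn, ref, ref_pc, tb.span)
        rtl_pc = rtl_step(tb.fetch(rtl_pc), rtl, rtl_pc, tb.span)
        if ref_pc != rtl_pc:               # the cores disagree on the next address
            return Result("mismatch", n + 1, trace, "address")
        if tuple(ref) != snap and ref != rtl:   # sync point: registers changed
            return Result("mismatch", n + 1, trace, "result")
    return Result("limit", limit, trace)
```

`cosimulate` stops with `loop` for a vector whose registers stop changing at a revisited address (a lone `addi x0, x0, 0`, or an `addi`/`beq` pair that rewrites the same value), with `limit` for one that keeps changing them (an `addi` that increments x1 forever), and with `mismatch` plus the executed trace when the RTL stand-in disagrees with the ISS. Because every pc maps to the same instruction on every fetch, rerunning a vector reproduces the same stop reason, which is the determinism the fuzzer relies on.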

Mutation and retention during fuzzing

The cited work enhances AFL-style fuzzing with problem-specific mutations that operate on test vectors. In the Fast Exploration mutation, a preliminary exploration phase inserts each RISC-V instruction at the beginning of every test vector with instruction arguments fixed to source/destination register x0 and immediate 0; for example, it inserts addi x0, x0, 0. [fast-exploration]

After insertion, the fuzzer executes the newly generated test vector and saves it only if it increases coverage. The stated reason for retaining only coverage-increasing test vectors is to limit the state space and avoid state-space explosion. [coverage-retention]

The same preliminary phase applies bitflip mutation to cover possible instruction arguments and to uncover unknown instructions. Instruction insertion and bitflip mutation are repeated iteratively until no new test vectors are found. [bitflip-purpose]

A separate Enhanced Havoc mutation adds RISC-V instruction insertion at random positions with non-fixed instruction arguments and support for compressed instructions. It also includes a replacement variant that does not change the size of the test vector. [enhanced-havoc]
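The Fast Exploration pre-phase (instruction insertion with x0/x0/imm 0 arguments, single-bit flips, coverage-gated retention, iterated until nothing new appears) and an Enhanced Havoc insert/replace step, as an added example that is not code from the cited work. It assumes a decoder standing in for the core that accepts more RV32I instructions than the fuzzer's insertion list knows, so bitflips can uncover them, and a static coverage proxy (opcodes decoded plus operand fields exercised) in place of the execution coverage the real flow obtains from the core; compressed instructions are left out.

```python
# Added illustration of Fast Exploration and Enhanced Havoc. Not the cited
# work's code. The ISA table, the fuzzer's insertion list and the static
# coverage proxy are assumptions for this example.
import random

# name -> (opcode, funct3, funct7); funct7 is None for I-type instructions.
ISA = {
    "addi": (0x13, 0, None), "xori": (0x13, 4, None),
    "ori":  (0x13, 6, None), "andi": (0x13, 7, None),
    "add":  (0x33, 0, 0x00), "sub":  (0x33, 0, 0x20),
    "xor":  (0x33, 4, 0x00), "or":   (0x33, 6, 0x00), "and": (0x33, 7, 0x00),
}
FUZZER_INSNS = ["addi", "add", "sub"]   # what the insertion mutation knows (assumption)


def encode(name, rd=0, rs1=0, rs2=0, imm=0):
    """RV32I I-type/R-type encoding; the defaults give the x0/x0/imm 0 form."""
    opcode, f3, f7 = ISA[name]
    word = opcode | (rd << 7) | (f3 << 12) | (rs1 << 15)
    if f7 is None:
        return word | ((imm & 0xFFF) << 20)
    return word | (rs2 << 20) | (f7 << 25)


def decode(word):
    """Returns (name, fields), or None for an encoding the toy core rejects."""
    opcode, rd = word & 0x7F, (word >> 7) & 0x1F
    f3, rs1 = (word >> 12) & 7, (word >> 15) & 0x1F
    for name, (op, nf3, nf7) in ISA.items():
        if op != opcode or nf3 != f3:
            continue
        if nf7 is None:
            return name, {"rd": rd, "rs1": rs1, "imm": (word >> 20) & 0xFFF}
        if nf7 == (word >> 25) & 0x7F:
            return name, {"rd": rd, "rs1": rs1, "rs2": (word >> 20) & 0x1F}
    return None


def coverage(vector):
    """Static coverage proxy: opcodes decoded plus (opcode, field) pairs with a
    nonzero operand. Illegal encodings contribute nothing."""
    cov = set()
    for word in vector:
        dec = decode(word)
        if dec is None:
            continue
        name, fields = dec
        cov.add(name)
        cov.update((name, f) for f, v in fields.items() if v)
    return cov


def fast_exploration(seed_corpus, max_rounds=20):
    """Pre-phase: insert each known instruction at the front of every vector and
    flip every bit of every word; keep a candidate only if it adds coverage;
    repeat until a round finds nothing new. Returns (corpus, coverage, rounds)."""
    corpus = [list(v) for v in seed_corpus]
    known = {tuple(v) for v in corpus}
    cov = set().union(*(coverage(v) for v in corpus))
    for rounds in range(1, max_rounds + 1):
        candidates = []
        for vec in corpus:
            candidates += [[encode(name)] + vec for name in FUZZER_INSNS]
            candidates += [vec[:i] + [w ^ (1 << b)] + vec[i + 1:]
                           for i, w in enumerate(vec) for b in range(32)]
        found = False
        for cand in candidates:
            if tuple(cand) in known:
                continue
            new = coverage(cand) - cov
            if new:                        # retain only coverage-increasing vectors
                cov |= new
                corpus.append(cand)
                known.add(tuple(cand))
                found = True
        if not found:
            return corpus, cov, rounds
    return corpus, cov, max_rounds


def enhanced_havoc(vector, seed=0, replace=False):
    """Insert a random known instruction with random arguments at a random
    position, or (replace=True) overwrite one word so the size is unchanged."""
    rng = random.Random(seed)
    word = encode(rng.choice(FUZZER_INSNS), rd=rng.randrange(32), rs1=rng.randrange(32),
                  rs2=rng.randrange(32), imm=rng.randrange(4096))
    out = list(vector)
    if replace:
        out[rng.randrange(len(out))] = word
    else:
        out.insert(rng.randrange(len(out) + 1), word)
    return out
```

Seeded with the single NOP `addi x0, x0, 0`, the insertion step alone only ever reaches the three opcodes the fuzzer knows; the bitflips reach `xori`, `ori` and `andi` (and `xor`, `or`, `and` from `add`) one funct3 bit per round, which is why the two mutations have to be iterated to a fixed point rather than run once. Candidates that decode to nothing the core accepts add no coverage and are dropped, keeping the corpus bounded.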

Post-processing of failing test vectors

Failing test vectors are post-processed to reduce manual verification effort. The cited approach clusters test vectors that trigger mismatches so that test vectors detecting the same bug can be grouped together. [postprocessing-purpose]

For mismatch analysis, the post-processor clusters test vectors based on the instructions executed up to the point where the faulty instruction was executed. If a result mismatch occurs, the mismatch is associated with the last executed instruction; if an instruction-address mismatch occurs, the erroneous instruction is the last instruction executed before the address mismatch. [postprocessing-clustering]
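The clustering rule above, as an added example that is not code from the cited work. It assumes each failing record carries the sequence of instructions the ISS executed up to detection, and that on an address mismatch that sequence ends with the instruction fetched at the diverging address, so the blamed instruction is the one before it; the failure records are constructed.

```python
# Added illustration of clustering failing test vectors by blamed prefix.
# Not the cited work's code; record format and contents are constructed.
from collections import defaultdict

# (vector id, test vector, mismatch kind, instructions executed up to detection)
FAILURES = [
    (1, ["addi x1,x0,5", "addi x2,x0,3", "sub x3,x1,x2"],
        "result", ["addi x1,x0,5", "addi x2,x0,3", "sub x3,x1,x2"]),
    # same prefix up to the failing sub, longer tail that never executed
    (2, ["addi x1,x0,5", "addi x2,x0,3", "sub x3,x1,x2", "xor x4,x3,x1", "add x5,x4,x4"],
        "result", ["addi x1,x0,5", "addi x2,x0,3", "sub x3,x1,x2"]),
    # address mismatch detected at the fetch after the branch
    (3, ["addi x1,x0,5", "addi x2,x0,3", "beq x1,x2,8", "add x4,x1,x2"],
        "address", ["addi x1,x0,5", "addi x2,x0,3", "beq x1,x2,8", "add x4,x1,x2"]),
    # same failing sub reached through a different prefix
    (4, ["addi x2,x0,3", "addi x1,x0,5", "sub x3,x1,x2"],
        "result", ["addi x2,x0,3", "addi x1,x0,5", "sub x3,x1,x2"]),
]


def blamed_prefix(kind, trace):
    """Instructions executed up to and including the blamed instruction."""
    if kind == "result":      # attributed to the last executed instruction
        return tuple(trace)
    if kind == "address":     # the instruction before the one at the diverging address
        return tuple(trace[:-1])
    raise ValueError(f"unknown mismatch kind {kind}")


def cluster(failures):
    """Group failing vectors by blamed prefix: same prefix, same reported bug."""
    groups = defaultdict(list)
    for vid, vector, kind, trace in failures:
        groups[blamed_prefix(kind, trace)].append((vid, vector, kind))
    return dict(groups)


def representatives(groups):
    """One vector id per cluster for manual inspection: the shortest member."""
    return {key: min(members, key=lambda m: len(m[1]))[0]
            for key, members in groups.items()}
```

Records 1 and 2 collapse into one cluster even though vector 2 is longer, because the instructions past the failing `sub` never executed; record 4 lands in its own cluster although it exercises the same `sub`, since the rule keys on the exact executed prefix. That is the trade-off of prefix clustering: it never merges distinct bugs, but one bug reached through several prefixes still yields several reports.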

Practical role

Within this flow, the test vector is the central artifact that connects fuzzing, instruction-stream generation, co-simulation, coverage feedback, mismatch detection, and bug-report reduction. It begins as a fuzzer-generated bounded input, is transformed into an endless deterministic stream for execution, is mutated to explore processor behavior, and may be clustered with other mismatch-triggering vectors during post-processing.