Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
Overview
Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing is a paper about using coverage-guided fuzzing for processor verification. The available evidence identifies the work by title and shows that its implementation builds on AFL-style fuzzing, including a comparison between Vanilla AFL and an Enhanced AFL configuration. [paper-title] [afl-results]
AFL-based mutation strategy
The paper extends the AFL mutation flow with processor-specific mutations for RISC-V instruction streams. One prephase described in the paper inserts instructions whose operands are fixed to x0 as source and destination register and 0 as immediate; the paper gives addi x0, x0, 0 as an example. After insertion, the fuzzer executes the new test vector and keeps it only if it increases coverage, which the paper describes as a way to limit the state space and avoid state-space explosion. [fast-exploration]
The same prephase then applies bitflip mutation. The paper states that bitflips are used to cover possible instruction arguments and uncover unknown instructions, and that the insertion and bitflip steps are repeated until no new test vectors are found. It also argues that the overhead is low because RV32I has only 40 different instructions, the operations are applied only to test vectors that reach new coverage points, and the bitflip step is moved from a later AFL phase rather than added as a wholly new operation. [fast-exploration]
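The following toy model of the insertion and bitflip prephase is an added illustration, not code from the paper or its tooling. Its coverage oracle is a constructed stand-in for real processor coverage feedback: each distinct (opcode, funct3) pair decoded from a test vector counts as one coverage point, and a mutated vector is kept only when it reaches a point not seen before.

```python
# Constructed model of the prephase: insert addi x0, x0, 0, keep the vector only
# if it reaches new coverage, bitflip kept vectors, repeat until nothing new.
ADDI_X0_X0_0 = 0x00000013  # addi x0, x0, 0: I-type, opcode 0x13, funct3 0, operands zero


def coverage_point(word):
    """Constructed coverage model: one point per (opcode, funct3) of a 32-bit word."""
    return (word & 0x7F, (word >> 12) & 0x7)


def coverage(vector):
    """Coverage reached by 'executing' a test vector (list of 32-bit instruction words)."""
    return {coverage_point(w) for w in vector}


def insertions(vector, instr=ADDI_X0_X0_0):
    """Insertion step: the fixed-operand instruction at every position of the vector."""
    return [vector[:i] + [instr] + vector[i:] for i in range(len(vector) + 1)]


def bitflips(vector):
    """Bitflip step: every single-bit flip of every instruction word in the vector."""
    return [vector[:i] + [vector[i] ^ (1 << b)] + vector[i + 1:]
            for i in range(len(vector)) for b in range(32)]


def prephase(seed, run=coverage):
    """Return (queue of kept test vectors, set of coverage points reached)."""
    covered = set(run(seed))
    queue = [list(seed)]       # AFL-style queue of interesting test vectors
    frontier = [list(seed)]    # vectors that still have to be mutated
    while frontier:            # stop when no new test vectors are found
        next_frontier = []
        for vec in frontier:
            # Mutations are applied only to vectors that reached new coverage points.
            for cand in insertions(vec) + bitflips(vec):
                gained = run(cand) - covered
                if gained:     # kept only if the candidate increases coverage
                    covered |= gained
                    queue.append(cand)
                    next_frontier.append(cand)
        frontier = next_frontier
    return queue, covered


if __name__ == "__main__":
    q, c = prephase([ADDI_X0_X0_0])
    print(len(q), "test vectors kept,", len(c), "coverage points reached")
```

Because the toy oracle only looks at opcode and funct3, single-bit flips eventually reach every one of the 128 x 8 points from any seed; a real RTL or ISS coverage metric would make the kept queue far sparser.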
Enhanced Havoc
The paper also describes an Enhanced Havoc mutation. In contrast to the fixed-argument instruction insertion used in the earlier prephase, Enhanced Havoc inserts RISC-V instructions whose arguments are not fixed to zero and also supports compressed instructions. It adds both an insertion variant, which lengthens a test vector, and a replacement variant, which preserves the test-vector size. [enhanced-havoc]
Mismatch handling and post-processing
The evidence identifies mismatch detection as a purpose of the paper's Execution Controller. For failing tests, the post-processor distinguishes at least two cases: result differences in the last executed instruction, and instruction-address mismatches where different instructions have been executed. In the latter case, the paper treats the erroneous instruction as the last instruction executed before the instruction-address mismatch. The post-processor then clusters test vectors according to the executed commands up to the faulty command. [postprocessing]
Reported fuzzing results
The paper reports a table comparing Vanilla AFL with Enhanced AFL. In the table, the mean number of queued test cases is lower for Enhanced AFL than Vanilla AFL, while the mean number of unique crashes is higher for Enhanced AFL: 274.43 versus 237.36. The reported medians for unique crashes are 281.00 for Enhanced AFL and 223.00 for Vanilla AFL. [afl-results]
Referenced tools and related work
The paper's reference list includes AFL, RISC-V Torture Test Generator, RISC-V ISA Tests, and RFUZZ, as well as prior work on verifying instruction-set simulators using coverage-guided fuzzing and cross-level testing for processor verification. [references]