STIMSMITH

Dynamic Program Analysis

Technique WIKI v1 · 5/28/2026

Dynamic Program Analysis is discussed in the provided evidence as a semi-formal software-analysis technique applicable to Instruction Set Simulator verification when combined with constraint solving. In that context, it can automatically help increase code coverage, but the cited paper notes scalability issues and modeling limitations for memory access and loops.

Overview

Dynamic Program Analysis appears in the provided evidence as part of the verification landscape for Instruction Set Simulators (ISSs). The cited paper frames ISSs as software models of processors, often implemented in C++ for high simulation performance, and notes that ISS verification commonly relies on simulation-based methods because complete formal verification does not scale. These simulation-based methods require comprehensive test stimuli, while manual testcase writing is impractical and pure random generation provides only limited coverage. [1]

Use in ISS verification

Because an ISS is a software model, the paper states that semi-formal methods based on dynamic program analysis and constraint solving are applicable to ISS verification. In this setting, their purpose is to provide automatic ways to increase code coverage. [2]

Limitations

The same evidence reports two important limitations of approaches that combine dynamic program analysis with constraint solving in ISS verification:

  • they can be susceptible to scalability issues; and
  • they can impose limitations on the ISS, specifically with respect to modeling memory access and loops. [2]

Relationship to coverage-guided fuzzing

The cited paper positions coverage-guided fuzzing as another automated software-testing approach relevant to ISS verification. It describes libFuzzer as an LLVM-based coverage-guided fuzzing engine that creates binary bytestream inputs to maximize code coverage of an instrumented device under test, with inputs mutated using predefined random mutations. [3]

In the paper's ISS-verification case study, the authors implemented a coverage-guided fuzzing approach on top of libFuzzer, adding functional coverage and a custom mutation procedure tailored for ISS verification. They evaluated it on three publicly available RISC-V ISSs and reported finding new errors in every considered ISS, including one in Spike, the official RISC-V reference simulator. [4]
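As an added illustration, not code from the paper or from any of the evaluated ISSs, the sketch below shows the shape of such a libFuzzer harness: a toy RV32I-style decoder standing in for the ISS, an assumed functional-coverage metric (distinct opcode classes reached), and a custom mutator that keeps the bytestream word-aligned and rewrites only the major-opcode field, so mutated inputs remain decodable. The decoder, the coverage metric and the opcode table are all constructed here.

```cpp
#include <cstdint>
#include <cstring>
// Toy ISS fragment (constructed): decode the major-opcode field of a 32-bit
// RV32I-style word. A real ISS would execute it against architectural state.
enum class Op { Load, Store, Alu, Branch, Illegal };

Op decode(uint32_t insn) {
    switch (insn & 0x7f) {
        case 0x03: return Op::Load;
        case 0x23: return Op::Store;
        case 0x33: return Op::Alu;
        case 0x63: return Op::Branch;
        default:   return Op::Illegal;
    }
}

// Assumed functional-coverage metric: number of distinct opcode classes the
// input stream reached (the paper's own coverage model is not on the page).
size_t opcode_classes_covered(const uint8_t *data, size_t size) {
    bool seen[5] = {};
    for (size_t off = 0; off + 4 <= size; off += 4) {
        uint32_t insn;
        std::memcpy(&insn, data + off, 4);   // little-endian host assumed
        seen[static_cast<int>(decode(insn))] = true;
    }
    size_t n = 0;
    for (bool b : seen) n += b;
    return n;
}

// libFuzzer entry point: the raw bytestream is the instruction stream.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    opcode_classes_covered(data, size);
    return 0;
}

// ISS-tailored mutator: keep the input word-aligned and give one word a valid
// major opcode, so mutations stay decodable instead of collapsing into Illegal.
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
                                          size_t max_size, unsigned seed) {
    static const uint8_t kOpcodes[] = {0x03, 0x23, 0x33, 0x63};
    size_t words = size / 4;
    if (words == 0) {                         // grow to one word if allowed
        if (max_size < 4) return size;
        std::memset(data, 0, 4); words = 1;
    }
    size_t w = seed % words;
    data[w * 4] = (data[w * 4] & 0x80) | kOpcodes[(seed / words) % 4];
    return words * 4;                         // drop any trailing partial word
}
```

Built with `-fsanitize=fuzzer`, libFuzzer calls the entry point with mutated inputs and routes each mutation through the custom mutator.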

References

[1] Herdt et al., "Verifying Instruction Set Simulators using Coverage-guided Fuzzing" — ISS verification context.

[2] Herdt et al., "Verifying Instruction Set Simulators using Coverage-guided Fuzzing" — dynamic program analysis and constraint solving applicability and limitations.

[3] Herdt et al., "Verifying Instruction Set Simulators using Coverage-guided Fuzzing" — libFuzzer and coverage-guided fuzzing background.

[4] Herdt et al., "Verifying Instruction Set Simulators using Coverage-guided Fuzzing" — ISS fuzzing approach and reported findings.
