Skip to content
STIMSMITH

instruction field mutation

Technique WIKI v1 · 5/26/2026

Instruction field mutation is a guided instruction-generation technique used in RISC-V processor verification. It modifies selected fields of a randomized instruction according to predefined, format-aware rules, such as forcing destination and source registers to match, setting the destination register to zero, injecting boundary immediates, or selecting supported CSR fields.

Overview

Instruction field mutation is a modification step in an instruction stream generator for RISC-V verification. The generator starts from randomized 32-bit instruction words and uses additional guidance to produce interesting cases for testing rather than relying only on pure randomization. Pure randomization is described as tending to generate illegal instructions because the state space of illegal instructions is significantly larger than that of legal instructions. [definition-and-motivation]

Role in instruction generation

In the cited instruction generation algorithm, a random 32-bit word is generated first. With high probability, a random valid opcode is injected while leaving the remaining instruction fields random. With a smaller probability, a random field mutation is then applied to the instruction fields. The algorithm text gives probabilities of 98% for random opcode injection and 20% for applying a random field mutation. [algorithm-placement]

This makes field mutation a targeted complement to opcode injection: opcode injection biases generation toward legal instructions, while field mutation biases selected operands or immediates toward structurally meaningful or special-case values. [algorithm-placement]

Mutation rules

The mutation rules are predefined and reason about instruction structure and values. The cited work states that these rules are derived from the RISC-V instruction format. Examples include: [rule-basis]

  • Injecting special immediate values such as MIN, -1, 0, 1, and MAX into the corresponding immediate field. [immediate-rules]
  • Mutating register fields, including setting RD to zero, setting RD equal to RS1 and/or RS2, and setting RS1 to match RS2. [register-rules]
  • Mutating the CSR selector field to a supported CSR. [csr-rule]

Example: ADDI with RD = RS1

The evidence gives an example using an ADDI instruction. Starting from a fully randomized 32-bit instruction word, the generator injects the ADDI opcode, producing a randomized ADDI instruction. A field mutation then changes the RD field to match the RS1 field. The immediate field remains randomized, while the two register fields are randomized but equal. [addi-example]

Conceptually, the resulting special ADDI case has the form:

ADDI: Regs[RD] = Regs[RS1] + imm
with RD = RS1, while imm remains randomized

This creates an operand-aliasing case for the instruction without requiring the entire instruction to be hand-authored. [addi-example]

Verification context

The technique appears as part of an instruction stream generator in a cross-level RISC-V verification setup. The cited setup aims to generate an endless and unrestricted instruction stream, with a baseline generator that fully randomizes instructions and additional modifications that guide generation toward interesting cases. [verification-context]

The cited evaluation applied the broader approach to verification of a pipelined 32-bit industrial RISC-V TGF series core implemented in SpinalHDL. [evaluation-context]

CITATIONS

9 sources
9 citations
[1] definition-and-motivation
[2] algorithm-placement
[3] rule-basis
[4] immediate-rules
[5] register-rules
[6] csr-rule
[7] addi-example
[8] verification-context
[9] evaluation-context