STIMSMITH

ISA simulation

Technique WIKI v1 · 5/28/2026

ISA simulation executes programs at the instruction-set-architecture level and is used as a reference in processor validation workflows. In the provided evidence, ProcessorFuzz runs an ISA simulator on mutated RISC-V assembly inputs to produce an extended ISA trace log, uses CSR transitions from that log as fuzzing feedback, and compares the ISA trace against an RTL trace to flag potential bugs.

Overview

ISA simulation is the use of an instruction-set-architecture-level simulator to execute test programs and observe architectural behavior. In processor verification workflows, the ISA simulator can act as a reference execution source whose trace is compared with a lower-level implementation trace, such as an RTL trace.

Role in ProcessorFuzz

In ProcessorFuzz, ISA simulation is part of the fuzzing loop. ProcessorFuzz generates random assembly programs that conform to the target ISA, mutates selected inputs by removing, appending, or replacing instructions, and then runs an ISA simulator on a mutated input. The simulator produces an extended ISA trace log that records CSR values for each executed instruction.

The extended ISA trace log is used in two ways:

  1. Coverage feedback through CSR transitions. ProcessorFuzz's Transition Unit extracts CSR transitions from the ISA trace log and checks them against a Transition Map. If a transition is new, it is added to the map; if an input triggers at least one new transition, the input is considered interesting and retained for further mutation.
  2. Reference comparison against RTL. ProcessorFuzz runs RTL simulation only for interesting mutated inputs. The RTL simulation produces an extended RTL trace log similar to the ISA trace log. The ISA and RTL logs are then compared, and any mismatch is treated as a potential bug that requires confirmation, typically by manual inspection.

Trace contents

The provided ProcessorFuzz example shows an extended trace log generated by the ISA simulator. Each trace entry includes a program counter, instruction, and selected CSR values. The example lists CSR values in hexadecimal for mstatus, mcause, scause, medeleg, frm, and fflags, and highlights transitions such as mstatus and fflags changes.
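
The two uses of the trace log described above, as an added Python example (not ProcessorFuzz's own code). The one-entry-per-line log format, the sample values, and the encoding of a transition as a (before, after) pair of CSR tuples are assumptions made for illustration.

```python
import re

# CSRs listed in the trace example on this page.
CSRS = ("mstatus", "mcause", "scause", "medeleg", "frm", "fflags")
FIELD = re.compile(r"(\w+)=0x([0-9a-fA-F]+)")

# Constructed sample logs (assumed format: key=0xHEX fields, one entry per line).
ISA_TRACE = """
pc=0x80000000 insn=0x00000013 mstatus=0x2000 mcause=0x0 scause=0x0 medeleg=0x0 frm=0x0 fflags=0x0
pc=0x80000004 insn=0x1820f053 mstatus=0x6000 mcause=0x0 scause=0x0 medeleg=0x0 frm=0x0 fflags=0x1
pc=0x80000008 insn=0x00000013 mstatus=0x6000 mcause=0x0 scause=0x0 medeleg=0x0 frm=0x0 fflags=0x1
"""
# Constructed RTL log in which the fflags update never happens.
RTL_TRACE = ISA_TRACE.replace("fflags=0x1", "fflags=0x0")

def parse_trace(text):
    """Return a list of (pc, insn, csr_tuple) entries, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = {k: int(v, 16) for k, v in FIELD.findall(line)}
        entries.append((f["pc"], f["insn"], tuple(f[c] for c in CSRS)))
    return entries

def csr_transitions(entries):
    """Return (before, after) CSR tuples wherever consecutive entries differ."""
    csrs = [e[2] for e in entries]
    return [(a, b) for a, b in zip(csrs, csrs[1:]) if a != b]

def is_interesting(entries, transition_map):
    """Add unseen transitions to the map; True if at least one was new."""
    new = set(csr_transitions(entries)) - transition_map
    transition_map |= new  # in-place update of the caller's set
    return bool(new)

def first_mismatch(isa, rtl):
    """Index of the first differing entry, or None if the traces agree."""
    for i, (a, b) in enumerate(zip(isa, rtl)):
        if a != b:
            return i
    return None if len(isa) == len(rtl) else min(len(isa), len(rtl))

if __name__ == "__main__":
    tmap = set()
    isa = parse_trace(ISA_TRACE)
    if is_interesting(isa, tmap):  # RTL simulation runs only for interesting inputs
        idx = first_mismatch(isa, parse_trace(RTL_TRACE))
        print("potential bug at entry", idx, "pc", hex(isa[idx][0]))
```
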

Use as a functional reference

A separate RISC-V validation context describes co-simulation against the Spike ISA simulator for functional verification inside a UVM-TLM framework. That context emphasizes simulation efficiency and acceptable fidelity for architectural exploration rather than cycle-level precision.

Related techniques and artifacts

  • ProcessorFuzz uses ISA simulation to generate extended ISA trace logs and guide fuzzing through CSR-transition feedback.
  • An extended ISA trace log is the trace artifact produced by ISA simulation in the ProcessorFuzz workflow.
  • The Spike ISA simulator is cited as an ISA simulator used for RISC-V co-simulation-based functional verification.

CITATIONS

[1] ProcessorFuzz runs an ISA simulator on mutated assembly inputs and generates an extended ISA trace log containing CSR values for each executed instruction. ProcessorFuzz: Processor Fuzzing with Control and
[2] ProcessorFuzz extracts CSR transitions from the extended ISA trace log, checks them against a Transition Map, and keeps inputs that trigger new transitions. ProcessorFuzz: Processor Fuzzing with Control and
[3] ProcessorFuzz compares the ISA trace log with an RTL trace log, and mismatches are treated as potential bugs requiring confirmation. ProcessorFuzz: Processor Fuzzing with Control and
[4] The ProcessorFuzz extended ISA trace example records PC, instruction, and selected CSR values including mstatus, mcause, scause, medeleg, frm, and fflags. ProcessorFuzz: Processor Fuzzing with Control and
[5] A RISC-V UVM-TLM co-simulation framework uses the Spike ISA simulator for functional verification and prioritizes simulation efficiency and acceptable fidelity over cycle-level precision. An Integrated UVM-TLM Co-Simulation Framework for RISC-V Functional Verification and Performance Evaluation