STIMSMITH

mispredicted path fuzzing

Technique

Mispredicted path fuzzing is a processor-verification technique that perturbs speculative control-flow state so the RTL fetches unusual addresses or arbitrary instructions on mispredicted paths, exposing robustness bugs that normal binaries may not cover.

First seen 5/28/2026
Last seen 5/28/2026
Evidence 2 chunks
Wiki v1

WIKI

Overview

Mispredicted path fuzzing is a processor-verification technique used to exercise instructions and instruction addresses that appear only during speculative execution after a branch prediction or return prediction is wrong. In the Logic Fuzzer work, fuzzing allows a verifier to insert arbitrary instructions into the mispredicted path independent of the test binary, increasing coverage of instructions observed on that path. The paper reports that this enabled testing 100% of the instructions in the evaluated setting and reaching that coverage earlier than without fuzzing. [C1]
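As an added illustration (not code from the Logic Fuzzer paper or its Dromajo implementation), the Python model below shows the mechanism the overview describes: a fuzzer table with one slot per BTB entry overrides the predicted target with a random address, so the wrong-path fetch lands outside the binary's .text or on a page the iTLB does not map, while the committed path is unchanged by the fuzzing. The address map, branch trace and table geometry are constructed values.

```python
import random

# Constructed address map: the test binary's ELF .text range plus one other mapped page.
TEXT = (0x8000_0000, 0x8000_4000)
ITLB_MAPPED = [TEXT, (0x8001_0000, 0x8001_2000)]
# Constructed branch trace (branch_pc, resolved_target): a loop taken 3 times, its exit, a call.
BASE = TEXT[0]
TRACE = [(BASE + 0x40, BASE + 0x10)] * 3 + [(BASE + 0x40, BASE + 0x44), (BASE + 0x80, BASE + 0x200)]

def itlb_hit(pc):
    return any(lo <= pc < hi for lo, hi in ITLB_MAPPED)

class BTB:
    """Direct-mapped branch target buffer: indexed by pc, predicts the last seen target."""
    def __init__(self, entries=64):
        self.entries, self.table = entries, {}
    def predict(self, pc, fallthrough):
        return self.table.get((pc >> 2) % self.entries, fallthrough)
    def update(self, pc, target):
        self.table[(pc >> 2) % self.entries] = target

class BTBFuzzer:
    """Fuzzer table with one slot per BTB entry. An enabled slot overrides that entry's
    prediction with a random 4-byte-aligned address anywhere in the 32-bit space, so the
    wrong-path fetch can land outside .text or on a page the iTLB does not map."""
    def __init__(self, entries, rate, seed):
        self.rng, self.entries = random.Random(seed), entries
        self.slots = [self.rng.random() < rate for _ in range(entries)]
    def mutate(self, pc, predicted):
        if self.slots[(pc >> 2) % self.entries]:
            return self.rng.randrange(0, 1 << 32, 4)
        return predicted

def simulate(trace, fuzzer=None, entries=64):
    """Fetch on the predicted path, squash when the branch resolves; return what
    committed and what the wrong path touched."""
    btb = BTB(entries)
    stats = {"committed": [], "spec_fetch": set(), "outside_text": 0, "itlb_faults": 0}
    for pc, actual in trace:
        predicted = btb.predict(pc, pc + 4)         # no BTB entry: predict fall-through
        if fuzzer:
            predicted = fuzzer.mutate(pc, predicted)
        if predicted != actual:                     # misprediction: wrong-path fetch, then squash
            stats["spec_fetch"].add(predicted)
            stats["outside_text"] += not (TEXT[0] <= predicted < TEXT[1])
            stats["itlb_faults"] += not itlb_hit(predicted)
        stats["committed"].append(actual)           # architectural state unaffected by fuzzing
        btb.update(pc, actual)
    return stats
```

Running `simulate(TRACE)` against `simulate(TRACE, BTBFuzzer(64, 1.0, 7))` shows the same committed targets in both runs, but only the fuzzed run fetches addresses outside .text and takes iTLB misses on the wrong path.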

How it works



RELATIONSHIPS

4 connections
Logic Fuzzer ← implements (100%, 2e): The Logic Fuzzer implements mispredicted path fuzzing to stress speculative execution.
Branch Target Buffer → uses (95%, 2e): Mispredicted path fuzzing manipulates Branch Target Buffer entries to generate atypical addresses.
branch predictor → uses (90%, 2e): Mispredicted path fuzzing forces the branch predictor to produce taken predictions for testing.
Return Address Stack → uses (85%, 1e): Mispredicted path fuzzing can also be applied to the Return Address Stack.

CITATIONS

6 sources
[1] Fuzzing can insert arbitrary instructions into the mispredicted path regardless of the binary and can reach 100% instruction coverage earlier in the evaluated setting. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[2] BTB entries can be fuzzed to provide falsely predicted addresses over a broader range or random addresses, potentially creating iTLB page faults on the mispredicted path; the same technique can be applied to the Return Address Stack. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[3] Random instructions can be inserted into the mispredicted path by using table mutators to replace instruction-cache tag and data arrays. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[4] Without fuzzing, BTB predictions tend to stay in the ELF .text address range, while fuzzing can broaden BTB-predicted addresses to non-typical ranges. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[5] The described implementation embeds Logic Fuzzer into Dromajo, exposes fuzzers to RTL through DPI-accessible APIs, configures fuzzers through JSON, and uses a fuzzer table sized like the branch predictor table. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[6] Logic Fuzzer may create unreachable microarchitectural states, but resulting co-simulation failures are treated as potential bugs that must be investigated; the paper's reported bugs were confirmed by designers. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...