Skip to content
STIMSMITH

opcode injection

Technique WIKI v1 · 5/26/2026

Opcode injection is a test-generation technique for processor verification in which a random valid instruction opcode is inserted into an otherwise randomized instruction word. In the cited RISC-V cross-level verification approach, it helps produce legal instructions while preserving randomized instruction fields, counteracting the tendency of fully random 32-bit words to encode illegal instructions.

Overview

Opcode injection is used in an instruction stream generator to turn a fully randomized instruction word into a more useful test instruction. The technique injects a random valid instruction opcode while leaving the remaining instruction fields randomized. This creates a valid instruction form without fully constraining operands, immediates, or other fields.

The cited RISC-V verification work presents opcode injection as the first modification to a baseline generator that otherwise fully randomizes generated instructions. The modification is described as simple, generic, and effective, and as important for ensuring that many legal instructions are considered during testing.

Motivation

A fully random 32-bit word is most likely to be an illegal instruction because the state space of illegal encodings is significantly larger than the state space of legal instructions. Opcode injection addresses this by forcing the opcode portion of the randomized word to correspond to a valid instruction while keeping the rest of the encoding random.

Operation

The technique starts with a fully randomized 32-bit instruction word. A random valid opcode is then injected into the opcode field. The example in the evidence injects the ADDI opcode into a randomized word, producing a randomized ADDI instruction. The register and immediate fields remain randomized after the opcode is injected.

In the described generator algorithm, instruction generation proceeds by first creating a random 32-bit instruction word. With high probability, the generator injects a random valid opcode into that word. The cited pseudocode uses a 98% probability for opcode injection.

Relationship to field mutation

Opcode injection may be followed by field mutation. The cited approach applies random field mutation with a smaller probability after opcode injection. These mutation rules are based on the RISC-V instruction format and include inserting special immediate values such as MIN, -1, 0, 1, and MAX, changing register fields such as mutating RD to zero, making RD equal to RS1 or RS2, making RS1 match RS2, and changing the CSR selector field to a supported CSR.

In the example, after the ADDI opcode is injected, a mutation rule changes RD to match RS1, while the fields remain randomized subject to that equality constraint.

Use in verification

The technique appears in the context of a cross-level co-simulation setup for processor verification. The instruction stream generator is designed to generate an endless and unrestricted instruction stream, and opcode injection guides that random generation toward legal and interesting instruction cases. The cited work applies the overall approach to verification of a pipelined 32-bit industrial RISC-V TGF series core implemented in SpinalHDL.

LINKED ENTITIES

1 links
RISC-V applies_to

CITATIONS

7 sources
7 citations
[1] Opcode injection inserts a random valid instruction opcode into an otherwise randomized instruction word while keeping instruction fields randomized.
[2] Opcode injection is motivated by the fact that fully random 32-bit instruction words are most likely illegal because the illegal-instruction state space is significantly larger.
[3] The evidence example injects the ADDI opcode into a fully randomized 32-bit instruction word, producing a randomized ADDI instruction.
[4] The cited instruction generator creates a random 32-bit word and injects a random valid opcode with 98% probability.
[5] Field mutation may follow opcode injection, with the cited algorithm applying a random field mutation with 20% probability.
[6] The cited field mutation rules are derived from the RISC-V instruction format and include special immediate values, register-structure mutations, and CSR selector mutation.
[7] The broader verification setup uses an instruction stream generator intended to generate an endless and unrestricted instruction stream, and the overall approach was applied to a pipelined 32-bit industrial RISC-V TGF series core implemented in SpinalHDL.