Skip to content
STIMSMITH

Post-processing Test Vector Clustering

Technique WIKI v1 · 5/26/2026

Post-processing Test Vector Clustering is an automatic reduction step used after coverage-guided fuzzing in a cross-level processor verification flow. It groups test vectors that trigger mismatches and appear to expose the same bug, representing each cluster by a unique test vector, and relies on a logging-oriented co-simulation build to identify the instruction associated with the bug.

Overview

Post-processing Test Vector Clustering is a technique used after a coverage-guided fuzzing loop in a cross-level processor verification workflow. In the described flow, fuzzing first generates test vectors for co-simulation of an RTL processor core and a reference instruction set simulator (ISS); post-processing then reduces the generated set of mismatch-triggering test vectors. [C1]

The purpose of the technique is to reduce manual analysis effort for verification engineers by clustering test vectors that trigger mismatches and encapsulating vectors that detect the same bug. [C2]

Motivation

Fuzzing is described as an efficient verification methodology because it can generate many test vectors, reach high coverage, and uncover numerous bugs. However, after test generation, reported errors must be investigated carefully, and many test vectors may reveal the same bug. Clustering those vectors saves manual analysis time. [C3]

Method

The post-processing step operates on test vectors that caused mismatches during co-simulation. Each cluster is represented by a unique test vector that behaves like every other test vector in that cluster. [C4]

To support clustering, the co-simulation is compiled with more extensive logging instrumentation than the fuzzing configuration. The post-processing version logs all executed instructions together with their corresponding addresses, providing additional feedback needed for the clustering step. [C5]

This logging-enabled co-simulation is not used for fuzzing itself because the hard-disk write accesses make it much slower. In contrast to the fuzzing build, the post-processing co-simulation also does not need coverage instrumentation, which is essential during fuzzing. [C6]

After logging, the post-processing extracts the instruction that leads to the bug. The cited description notes that the post-processing distinguishes mismatches in two cases, but the provided evidence does not include the details of those cases. [C7]

Role in the verification flow

The broader verification approach consists of two subsequent steps: first, a coverage-guided fuzzing loop generates test vectors; second, post-processing reduces the generated set. In the fuzzing loop, generated test vectors are used as instruction streams for co-simulation of an RTL core under test and a reference ISS. An Execution Controller checks behavioral equality through register-value comparison and identifies mismatches. [C1]

Within that flow, Post-processing Test Vector Clustering is the reduction stage applied to mismatch-triggering test vectors, using additional co-simulation logging to group vectors that expose the same underlying bug. [C2]

LINKED ENTITIES

2 links
Coverage-Guided Fuzzing preceded_by
Co-Simulation uses

CITATIONS

7 sources
7 citations
[1] C1: The verification flow consists of a coverage-guided fuzzing loop that generates test vectors followed by post-processing that reduces the generated set; the loop uses co-simulation of an RTL core and reference ISS, and mismatches are detected through register-value comparison. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[2] C2: The post-processing step clusters test vectors that trigger mismatches in order to reduce manual labor and encapsulate vectors that detect the same bug, using co-simulation compiled with more extensive logging instrumentation. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[3] C3: Fuzzing can generate many test vectors, reach high coverage, and uncover numerous bugs, but many test vectors may reveal the same bug, motivating clustering to save manual analysis time. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[4] C4: Each cluster is represented by a unique test vector that behaves like every other test vector in the cluster. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[5] C5: The post-processing co-simulation logs all executed instructions with corresponding addresses and uses additional logging feedback for clustering. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[6] C6: The logging-enabled post-processing co-simulation is slower due to hard-disk write accesses and does not need the coverage instrumentation that is essential for fuzzing. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[7] C7: The post-processing extracts the instruction that leads to the bug and distinguishes mismatches in two cases, though the provided evidence does not specify those cases. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing