
Runtime Instruction Morphing

Technique

Runtime Instruction Morphing is a processor-fuzzing technique introduced in MorFuzz. It collects contextual information from a processor during execution and uses it to dynamically mutate template instructions into instruction streams with valid formats and meaningful semantics, while still occasionally exploring illegal cases.

First seen 5/27/2026
Last seen 6/6/2026
Evidence 11 chunks
Wiki v1

WIKI

Overview

Runtime Instruction Morphing is the instruction-generation technique proposed by MorFuzz for processor fuzzing. Rather than relying only on statically generated tests, MorFuzz collects contextual information from the processor at runtime and uses it to mutate instructions dynamically. The stated goal is to produce instructions with valid formats and meaningful semantics, so that generated mutations are actually executed and coverage reflects the effect of those mutations.[1]
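The following is an added illustration, not MorFuzz's own code: a simplified Python model of the morphing step described above. It fills the open operand fields of an RV32I R-type template from a sliding window of destination registers still "in flight" (so the stream carries read-after-write and write-after-write hazards) and, with a small probability, emits an out-of-specification encoding. The window length, the probability, and the choice of `0x7F` as an undefined funct7 value are assumptions made for this example.

```python
import random
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple

OPCODE_OP = 0x33       # RV32I register-register (R-type) opcode
FUNCT7_ILLEGAL = 0x7F  # assumption: a funct7 value no base-ISA opcode-0x33 instruction defines

@dataclass
class RType:
    """R-type template instruction; a None operand field is filled at runtime."""
    funct7: int
    funct3: int
    rd: Optional[int] = None
    rs1: Optional[int] = None
    rs2: Optional[int] = None

def encode(ins: RType) -> int:
    """Pack a fully specified R-type instruction into its 32-bit RV32I word."""
    return ((ins.funct7 & 0x7F) << 25) | ((ins.rs2 & 0x1F) << 20) \
        | ((ins.rs1 & 0x1F) << 15) | ((ins.funct3 & 0x7) << 12) \
        | ((ins.rd & 0x1F) << 7) | OPCODE_OP

class Morpher:
    """Toy morpher: tracks the destination registers of the last `window_len`
    emitted instructions (modelling those still in the pipeline) and fills open
    template fields from that window so the stream carries RAW/WAW hazards."""

    def __init__(self, window_len: int = 3, p_illegal: float = 0.02, seed: int = 0):
        self.in_flight = deque(maxlen=window_len)  # sliding window of recent rd values
        self.p_illegal = p_illegal                  # small chance of an out-of-spec encoding
        self.rng = random.Random(seed)

    def _pick(self) -> int:
        # Prefer a register still being written; fall back to any of x1..x31.
        return self.rng.choice(list(self.in_flight)) if self.in_flight else self.rng.randrange(1, 32)

    def morph(self, tpl: RType) -> Tuple[RType, bool]:
        """Return the morphed instruction and whether its encoding is legal."""
        ins = RType(tpl.funct7, tpl.funct3, tpl.rd, tpl.rs1, tpl.rs2)
        if ins.rs1 is None: ins.rs1 = self._pick()  # read of an in-flight rd -> RAW hazard
        if ins.rs2 is None: ins.rs2 = self._pick()
        if ins.rd is None:  ins.rd = self._pick()   # write of an in-flight rd -> WAW hazard
        legal = True
        if self.rng.random() < self.p_illegal:       # occasionally explore illegal cases
            ins.funct7, legal = FUNCT7_ILLEGAL, False
        self.in_flight.append(ins.rd)                # this instruction is now in flight
        return ins, legal
```

In a real flow the window would be fed by the pipeline rather than by the morpher's own output, and the co-simulated ISA model would flag whether each illegal case raised the expected exception.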

Role in MorFuzz



RELATIONSHIPS

10 connections
MorFuzz ← implements 100% 4e
MorFuzz implements runtime instruction morphing as a core technique.
The paper introduces the runtime instruction morphing technique.
Program Semantic Level Mutation implements → 95% 2e
Runtime instruction morphing includes semantic level mutation of operands.
Instruction Field Level Mutation implements → 100% 2e
Runtime instruction morphing implements field-level mutation on instructions.
MorFuzz ← uses 100% 2e
MorFuzz uses runtime instruction morphing to dynamically generate diverse instruction streams.
Instruction Morphing part of → 90% 2e
Runtime instruction morphing is the runtime phase of the instruction morphing technique.
Processor State Level Mutation implements → 90% 1e
Runtime instruction morphing includes processor state level mutation primitives.
Pipeline Hazard Generation uses → 90% 1e
Runtime instruction morphing uses a sliding window to generate pipeline hazards.
Morpher Hardware Logic Block uses → 100% 1e
Runtime instruction morphing is performed by the morpher hardware logic block.
Semantic Level Mutation implements → 100% 1e
Runtime instruction morphing implements semantic level mutation using contextual information.

CITATIONS

8 sources
[1] Runtime Instruction Morphing is proposed by MorFuzz and collects contextual runtime information from the processor to mutate instructions with valid formats and meaningful semantics. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[2] MorFuzz's stimulus template supports mutation at processor-state, instruction-field, and program-semantic levels. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[3] Because all mutations are executed, coverage reflects the effects of mutations and supports efficient mutation guidance. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[4] The morpher records destination registers of instructions still executing in the pipeline and uses them as source and destination fields for later template instructions to generate read-after-write and write-after-write hazards. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[5] The morpher still tries illegal cases with small probability because the out-of-specification input space can be a source of bugs. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[6] MorFuzz morphs template instructions on the fly to produce diverse and meaningful instruction streams and can control the device under test to execute them continuously in a loop without additional initialization. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[7] MorFuzz applies online co-simulation using an ISA simulator in parallel with the device under test, with both executing the same inputs and their states compared after instruction execution. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)
[8] MorFuzz reports 4.4× and 1.6× higher coverage than DifuzzRTL and riscv-dv respectively, and reports 17 new bugs with 13 CVEs on CVA6, Rocket, and BOOM. (Source: MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation)