STIMSMITH

Synchronizable Co-simulation

Technique WIKI v1 · 5/27/2026

Synchronizable Co-simulation is the MorFuzz technique for online processor state verification in which a DUT and an ISA simulator execute the same inputs, compare architectural state after instruction execution, and selectively synchronize legal mismatches or external events to keep long fuzzing simulations progressing without premature false-positive termination.

Overview

Synchronizable Co-simulation is a processor-verification technique described in MorFuzz. MorFuzz applies an online co-simulation approach in which an ISA simulator runs in parallel with the device under test (DUT) as a reference model. The ISA simulator and DUT execute the same inputs, and the DUT state is checked by comparing the two states after each instruction is executed.

Motivation

The technique addresses a compatibility issue in conventional co-simulation: prior work assumed write-back data is always ready when the DUT commits an instruction. MorFuzz notes that this assumption can be invalid because processor microarchitectures differ. For example, Rocket supports delayed write-back, so write-back data for long-latency instructions such as multiply/divide and floating-point instructions may not be ready at commit time.

Two-stage comparison model

To accommodate different microarchitectures, MorFuzz abstracts state comparison into two stages:

  1. Commitment stage — the DUT commits its program-visible control-flow information for checking.
  2. Judgment stage — the framework later judges the relevant state once the needed data is available.

This separation allows co-simulation to remain compatible with DUTs whose write-back timing differs from the ISA reference model.

State synchronization

Synchronizable Co-simulation can automatically synchronize legal mismatched states rather than stopping the simulation immediately. MorFuzz analyzes the accessed physical address on the simulator side; if the mismatch is legal, MorFuzz synchronizes hardware state to the simulator, and otherwise reports the mismatch as a potential bug. MorFuzz can also synchronize external events, such as interrupts, to the simulator.

This synchronization helps the simulation execute deeper by avoiding premature termination due to false positives.

Synchronization prerequisites

MorFuzz defines strict rules for approving synchronization: a difference must satisfy the following prerequisites before it can be considered legal. According to the paper:

  • only instructions involving operations beyond the verification scope may proceed to synchronization checks;
  • this restriction limits synchronization-triggering instructions to CSR instructions and memory-operation instructions; and
  • the DUT control-flow information must pass the commitment-stage check.

If the DUT incorrectly approves access to privileged registers or reserved address space, the simulator side throws an exception rather than allowing synchronization.
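As an added illustration (not MorFuzz's own code), the following C++ sketch models the commitment/judgment split and the synchronization rule from the three sections above: control flow is checked at commit, data judgment is deferred when the DUT's write-back is delayed, and a data mismatch is synchronized only for CSR and memory instructions whose accessed address the simulator side deems legal. The struct layouts, the MMIO range and the CSR number are constructed assumptions, and the simulator-side exception is modelled as a Bug verdict rather than a thrown exception.

```cpp
#include <cstdint>
#include <deque>
enum class Kind { Alu, Csr, Mem };
enum class Verdict { Match, Pending, Synchronized, Bug };
struct DutCommit {              // what the DUT reports when it commits (constructed)
    uint64_t pc; uint32_t insn; Kind kind;
    uint64_t addr;              // CSR number (Csr) or physical address (Mem)
    bool wbReady; uint64_t wb;  // wbReady=false models delayed write-back (mul/div, FP)
};
struct RefStep { uint64_t pc; uint32_t insn; uint64_t wb; };  // simulator's result

class CoSim {
    struct Deferred { Kind kind; uint64_t addr, refWb; };
    std::deque<Deferred> pending_;   // judgments waiting for DUT write-back data
public:
    uint64_t refState = 0;           // value the simulator side holds after a judgment

    // Simulator-side legality check. Only CSR/memory instructions may synchronize,
    // and only when the accessed address lies outside what the reference models.
    // Constructed: 0x10000000..0x1000FFFF = device MMIO and CSR 0xC01 (time) are
    // legal; a privileged CSR or reserved address is not (the paper's exception case).
    static bool legalMismatch(Kind k, uint64_t addr) {
        if (k == Kind::Mem) return addr >= 0x10000000 && addr <= 0x1000FFFF;
        if (k == Kind::Csr) return addr == 0xC01;
        return false;                // ALU results must always agree
    }

    // Judgment stage: compare write-back data once both sides have it.
    Verdict judge(Kind k, uint64_t addr, uint64_t dutWb, uint64_t refWb) {
        if (dutWb == refWb) { refState = refWb; return Verdict::Match; }
        if (!legalMismatch(k, addr)) return Verdict::Bug;  // report as potential bug
        refState = dutWb;            // legal: synchronize hardware state to the simulator
        return Verdict::Synchronized;
    }

    // Commitment stage: control flow (pc, instruction) must match at commit;
    // data is judged now if ready, otherwise deferred until write-back arrives.
    Verdict commit(const DutCommit& d, const RefStep& r) {
        if (d.pc != r.pc || d.insn != r.insn) return Verdict::Bug;
        if (!d.wbReady) { pending_.push_back({d.kind, d.addr, r.wb}); return Verdict::Pending; }
        return judge(d.kind, d.addr, d.wb, r.wb);
    }

    // Delayed write-back arrives: resolve the oldest deferred judgment in order.
    Verdict writeback(uint64_t dutWb) {
        if (pending_.empty()) return Verdict::Bug;  // write-back with no pending commit
        Deferred p = pending_.front(); pending_.pop_front();
        return judge(p.kind, p.addr, dutWb, p.refWb);
    }
};
```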

Implementation in MorFuzz

MorFuzz implements the co-simulation framework in a RISC-V 64-bit prototype. The implementation uses Spike, the official RISC-V ISA simulator, as the reference model by extracting its core logic. The same MorFuzz implementation includes a hardware test harness for the DUT and a C++ co-simulation framework.

Relationship to MorFuzz

Synchronizable Co-simulation is part of MorFuzz's processor-fuzzing design. In MorFuzz, it is used with runtime instruction morphing so that the DUT and reference model execute deterministic, identical morphed instructions while state verification and synchronization reduce false positives.

CITATIONS

8 citations
[1] MorFuzz uses online co-simulation for state verification, running an ISA simulator in parallel with the DUT as the reference model. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[2] The DUT and ISA simulator execute the same inputs, and correctness is checked by comparing their states after each instruction. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[3] Synchronizable Co-simulation addresses the invalid assumption that write-back data is always ready at instruction commit; Rocket is cited as supporting delayed write-back for long-latency instructions. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[4] MorFuzz abstracts state comparison into a commitment stage and a judgment stage to accommodate different microarchitectures. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[5] If a mismatch is legal, MorFuzz synchronizes hardware state to the simulator; otherwise it reports the mismatch as a potential bug. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[6] MorFuzz can synchronize external events, including interrupts, to the simulator, allowing deeper execution instead of premature stopping due to false positives. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[7] MorFuzz defines strict prerequisites for state synchronization, including limiting eligible instructions to CSR and memory-operation instructions and requiring the DUT control-flow information to pass the commitment-stage check. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".
[8] MorFuzz uses Spike, the official RISC-V ISA simulator, as the reference model in its co-simulation framework. Source: "MorFuzz: Fuzzing Processor via Runtime Instruction Morphing enhanced Synchronizable Co-simulation".