Overview
An Instruction Set Simulator (ISS) is used in the cited processor-verification work as the reference side of a co-simulation environment. In the evaluation case study, the Device Under Test is the open-source RISC-V VexRiscv RTL processor, while the reference ISS is extracted from the open-source RISC-V VP. The paper describes RISC-V VP as a SystemC TLM virtual prototype that supports many RISC-V instruction sets. [C1]
Role in co-simulation
The verification setup embeds the RTL core and the ISS into a common SystemC testbench. In the evaluation, the VexRiscv RTL core is translated to C++ with Verilator and then co-simulated together with the ISS. [C2]
Within the flow, the execution controller receives register information from both the RTL core and the ISS. The co-simulation reports behavioral agreement or mismatch: test vectors are categorized into those that produce equal behavior for both processors and those that trigger a behavior mismatch, and execution is terminated with an error on mismatch. [C3]
Coverage-guided fuzzing context
The ISS is part of a larger coverage-guided fuzzing loop. The whole co-simulation, including both the RTL core and the ISS, is instrumented to collect coverage. Coverage and return-code feedback are returned to the fuzzer, which generates and mutates test vectors. [C4]
The paper also uses post-processing after fuzzing. A custom co-simulation variant logs executed instructions together with their addresses, enabling clustering of test vectors that expose the same bug. [C5]
Instruction and address coordination
The provided co-simulation diagram and translation-buffer example show the ISS and RTL sides associated with instruction identifiers and instruction addresses. The translation buffer is shown between test-vector input and the execution controller, with corresponding ISS and RTL address/instruction columns used during co-simulation. [C6]
RISC-V verification use
In the case study, the ISS supports verification of an RV32IM configuration of VexRiscv. The surrounding fuzzing approach also includes RISC-V-specific mutation support, including CSR instruction insertion and replacement, where a CSR write is followed by a CSR read so that possible CSR misbehavior is propagated into a register and made detectable by the execution controller. [C7]
Relationship to the cited paper
The paper "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing" uses an Instruction Set Simulator as the reference model in its co-simulation-based RISC-V processor-verification workflow. [C1]