Skip to content
STIMSMITH

Control Register Coverage

Concept

Control Register Coverage is a hardware coverage metric used in processor-fuzzing frameworks. A control register is defined as any register whose value drives a multiplexer select signal. The metric is collected by instrumenting all such registers so that the different states triggered within each module are counted and summed into a final coverage value. It is adopted by both DifuzzRTL and MorFuzz to enable direct comparison of fuzzing effectiveness.

First seen 5/27/2026
Last seen 6/6/2026
Evidence 4 chunks
Wiki v2

WIKI

Overview

Control Register Coverage is a hardware coverage metric used in simulation-based processor fuzzing. In the MorFuzz paper it is defined as the coverage derived from registers whose values are used for any multiplexer's select signal. Such registers are termed control registers, and the metric measures how many distinct states of these registers are exercised during fuzzing campaigns.

The metric is one of several hardware coverage matrices proposed for processor fuzzing, alongside mux coverage (used by the fuzzer of reference [37] cited in the MorFuzz paper) and hardware behavior coverage (used by TheHuzz).

READ FULL ARTICLE →

NEIGHBORHOOD

No graph connections found for this entity yet. It may appear in future ingestion runs.

explore full graph →

RELATIONSHIPS

2 connections
DiFuzzRTL ← uses 100% 4e
DifuzzRTL uses control register coverage as its hardware coverage matrix.
MorFuzz ← uses 100% 3e
MorFuzz uses control register coverage as its hardware coverage matrix.

LINKED ENTITIES

2 links
MorFuzz USES Extracted graph relationship
DiFuzzRTL USES Extracted graph relationship

CITATIONS

8 sources
8 citations — click to expand
[1] A control register is defined as the register whose value is used for any multiplexer's select signal. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[2] The control register coverage is implemented via the same FIRRTL pass used by DifuzzRTL to instrument all control registers. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[3] Instrumented circuits count the different states triggered in the module and sum up the count as the final coverage. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[4] The control register coverage is clock-sensitive and reflects the hardware state better than other coverage matrices. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[5] Achieving high coverage in the DUT does not mean the design is bug-free; coverage is only used to evaluate the effect of inputs and mutations. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[6] MorFuzz uses the same control register coverage as DifuzzRTL (reference [30]) to facilitate comparison. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[7] Control register coverage is one of the coverage matrices used by existing processor fuzzing frameworks, alongside mux coverage and hardware behavior coverage. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing
[8] During simulation-based fuzzing, the fuzzer uses hardware instruments to collect coverage of the current input. MorFuzz: Fuzzing Processor via Runtime Instruction Morphing