STIMSMITH

Extended ISA Trace Log

Concept

An extended ISA trace log is an ISA-simulator execution trace whose per-instruction entries are augmented with the values of a selected subset of control and status registers (CSRs). In ProcessorFuzz, the log is produced by instrumenting the Spike RISC-V ISA simulator and serves as the input to the Transition Unit, which extracts, filters, and groups CSR transitions to decide whether a test input should be promoted to RTL simulation and compared against a corresponding extended RTL trace log.

First seen 5/28/2026
Last seen 6/8/2026
Evidence 13 chunks
Wiki v4

WIKI

Overview

An extended ISA trace log is an ISA-simulation trace whose per-instruction entries are augmented with the values of a selected subset of control and status registers (CSRs). In ProcessorFuzz, the log is generated by extending the Spike open-source RISC-V ISA simulator so that its existing trace logic also stores monitored CSR values after each committed instruction. The reported instrumentation cost is 0.4% in lines of C++ code and 0.15% in runtime overhead. [C1][C2]

Figure 4 of the paper shows a concrete example. For each executed instruction the log records the program counter, the disassembled instruction, and a bracketed tuple that lists the monitored CSR values in a fixed order. In the paper's example that order is mstatus, mcause, scause, medeleg, frm, fflags, with each value rendered in hexadecimal and split into a "Privileged" group and an "Unprivileged" group (which contains frm and fflags). Concretely the excerpt reads:


RELATIONSHIPS

4 connections
ProcessorFuzz ← uses 100% 4e
ProcessorFuzz generates and processes extended ISA trace logs containing CSR values.
Transition Unit ← uses 100% 3e
The Transition Unit takes the extended ISA trace log as input to extract CSR transitions.
CSR-transition coverage ← uses 95% 2e
CSR-transition coverage processes extended ISA trace logs to identify CSR transitions.
ISA simulation ← uses 95% 2e
ISA simulation generates extended ISA trace logs with CSR values.

CITATIONS

14 sources
[1] The extended ISA trace log is produced by extending the Spike open-source RISC-V ISA simulator, with 0.4% instrumentation overhead in lines of C++ code and 0.15% runtime overhead. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[2] If the Transition Unit flags a unique CSR transition, ProcessorFuzz launches RTL simulation (Verilator) to produce an extended RTL trace log and compares it to the extended ISA trace log; any mismatch is treated as a potential bug for verification-engineer inspection; otherwise the input is discarded. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[3] Figure 4 shows a concrete extended ISA trace log example with PC, disassembled instruction, and a bracketed tuple of monitored CSR values in the order mstatus, mcause, scause, medeleg, frm, fflags (split into Privileged and Unprivileged groups, rendered in hexadecimal), with mstatus transitions highlighted in red and fflags transitions in blue. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[4] Comparing lines 1 and 2 of the Privileged column in Figure 4, the mstatus value changes (e.g., from ...006000 to ...006020) after the sret instruction, illustrating how a CSR transition is identified in the extended ISA trace log. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[5] The RISC-V Spike ISA simulator is on average 79× faster than the RTL simulation of the RISC-V BOOM processor, providing a considerable speed advantage for identifying interesting test inputs without slow RTL simulation. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[6] Instrumenting an ISA simulator is much easier than instrumenting an RTL design: the simulator's already-available trace logic is simply extended with the selected CSRs, and the same instrumented ISA simulator can be used to fuzz any processor design targeting the same ISA. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[7] ProcessorFuzz's ISA-side overhead is much lower than prior RTL-instrumented fuzzers, which reported 71% overhead in TheHuzz and 97% overhead in RFUZZ. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[8] CSRs are system registers used to control the processor (e.g., delegated exceptions) or to hold information about the current architectural state (e.g., the state of the floating-point unit). A value change in a CSR often signifies an architectural state change, such as a change in a CSR that stores the exception code or the privilege level, which motivates CSR-transition coverage as a way to capture the current state of the processor. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[9] DIFUZZRTL's register coverage only stores the current state of the processor for each newly covered FSM state and does not consider the previous state, motivating ProcessorFuzz's transition-based coverage that compares CSR values between consecutive instructions. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[10] Once tuples are created from the extracted CSR changes, the transition map is queried to check whether each detected transition is new or a duplicate; new transitions are added to the map and the current test input is marked as interesting. The transition map is empty at the start of a fuzzing session and is maintained throughout. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[11] Transitions for the floating-point CSRs frm and fflags are separated from the rest of the CSRs to distinguish floating-point operations from the other monitored CSRs. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[12] The CSR table in the paper lists examples of privileged CSRs considered for monitoring, including mscratch (pointer to the machine-mode context space while the hart executes in a lower privilege mode), {m,s}epc (PC of the instruction that caused an exception for machine or supervisor mode), and sscratch (pointer to the supervisor-mode context space while the hart executes in user mode). ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[13] The evaluation uses three real-world open-source RISC-V processors, including Rocket Core (a Chisel HDL-based in-order core generated using the Rocket Chip SoC Generator framework), and Spike is also used as a reference model to verify correct behavior. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
[14] The Transition Unit's full pipeline (Figure 6) has five stages — Extract Transitions, Filter Transitions, Group Transitions, Check Transition Map, and New Transition? — and the extended ISA trace log is its input. ProcessorFuzz: Processor Fuzzing with Control and Status Register Transition Analysis
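
The log layout described in the Overview and the transition-map check described in citations [10] and [11] can be sketched as follows. This is an added example, not code from the paper or from ProcessorFuzz. The line layout, the shape of a transition tuple, the function names and the sample lines are assumptions constructed for illustration, and the Filter Transitions stage is omitted because this page does not describe it.

```python
import re

# Monitored CSR order taken from the page; frm and fflags form the
# separate "Unprivileged" group.
PRIV = ("mstatus", "mcause", "scause", "medeleg")
UNPRIV = ("frm", "fflags")

# ASSUMED line layout (the exact Figure 4 layout is not on this page):
#   <pc> <disassembly> [mstatus, mcause, scause, medeleg | frm, fflags]
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+\[([^|\]]+)\|([^\]]+)\]\s*$")

def parse_line(line):
    """Parse one log line into pc, instruction text and two CSR tuples."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed trace line: {line!r}")
    pc, disasm, priv, unpriv = m.groups()
    pvals = tuple(int(v, 16) for v in priv.split(","))
    uvals = tuple(int(v, 16) for v in unpriv.split(","))
    if len(pvals) != len(PRIV) or len(uvals) != len(UNPRIV):
        raise ValueError(f"wrong CSR count: {line!r}")
    return {"pc": int(pc, 16), "insn": disasm, "priv": pvals, "unpriv": uvals}

def extract_transitions(entries):
    """Compare consecutive entries and emit one tuple per group that changed.

    CSR values are logged after each committed instruction, so a change is
    attributed to the instruction of the later entry (assumed tuple shape).
    """
    out = []
    for prev, cur in zip(entries, entries[1:]):
        mnemonic = cur["insn"].split()[0]
        for group in ("priv", "unpriv"):
            if prev[group] != cur[group]:
                out.append((group, mnemonic, prev[group], cur[group]))
    return out

def is_interesting(log_text, transition_map):
    """Return True if the log adds a transition not yet in the map."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    new = [t for t in extract_transitions(entries) if t not in transition_map]
    transition_map.update(new)  # map persists across the fuzzing session
    return bool(new)

# Constructed sample log, not the paper's excerpt.
SAMPLE = """\
0x80000100 addi a0, a0, 1       [00006000, 00000000, 00000000, 00000000 | 0, 00]
0x80000104 sret                 [00006020, 00000000, 00000000, 00000000 | 0, 00]
0x80000200 fdiv.s fa0, fa1, fa2 [00006020, 00000000, 00000000, 00000000 | 0, 08]
"""
```

Calling `is_interesting(SAMPLE, tmap)` twice with the same `set` shows the map's effect: the first call records the mstatus and fflags transitions and marks the input as interesting, and the second finds only duplicates.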