STIMSMITH

RTL Input Instructions

Concept WIKI v1 · 5/24/2026

**RTL input instructions** are instruction sequences used as inputs when fuzz-testing hardware designs at the register-transfer level (RTL), such as CPU cores. In RTL fuzzing, these instruction inputs are generated and executed against a hardware model to expose hardware bugs before deployment.[1]

Overview

Hardware bugs differ from software bugs in that they must be detected before a chip is deployed, since post-deployment fixes can be difficult or impossible.[1] RTL fuzzing is one approach to this problem: it generates instruction inputs for RTL-level CPU designs and observes whether the resulting behavior indicates coverage growth, mismatches, exceptions, or other signs of design errors.

A key practical issue is the length of RTL input instructions. Prior CPU fuzzing approaches have been reported to produce instruction inputs whose length keeps growing, and longer inputs can become ineffective for fuzzing.[1] Long instruction sequences may reduce fuzzing efficiency because they take more time to execute and can dilute the impact of useful mutations.

Role in RTL Fuzzing

In CPU RTL fuzzing, input instructions act as the test stimuli applied to the hardware design. The quality of these inputs affects:

  • Coverage: how much of the CPU design state or logic is exercised.
  • Mismatch detection: whether the fuzzer exposes behavioral inconsistencies.
  • Execution speed: shorter or more efficient inputs can increase the number of tests executed over time.
  • Realism: inputs may need to model realistic CPU behavior, including interruptions and exceptions.[1]

Problems with Long RTL Inputs

The INSTILLER work identifies input growth as a disadvantage of previous CPU fuzzing approaches. According to the authors, “the length of RTL input instructions keeps growing,” and such longer inputs are ineffective for fuzzing.[1]

This creates several engineering problems:

  1. Reduced efficiency — longer inputs require more simulation time.
  2. Lower fuzzing productivity — time spent executing redundant instructions could otherwise be used for additional test cases.
  3. Difficulty in mutation — large inputs may contain irrelevant instructions, making useful mutations harder to discover.
  4. Less effective bug triggering — overly long instruction streams may obscure the minimal conditions needed to expose a bug.

Instruction Distillation

Instruction distillation is the process of shortening RTL input instruction sequences while preserving or improving their usefulness for fuzzing. The INSTILLER system, short for Instruction Distiller, was proposed as an RTL fuzzer that distills input instructions using a variant of ant colony optimization called VACO.[1]

The goal of this distillation is to keep inputs short and efficient. In the reported experiments, INSTILLER generated input instructions that were 79.3% shorter than those produced by DiFuzzRTL.[1] The shorter inputs also contributed to a reported 6.7% average increase in execution speed.[1]

Interruptions and Exceptions

Realistic RTL input instruction generation may need to include CPU interruptions and exceptions. The INSTILLER paper states that related work could not simulate realistic interruptions well during fuzzing, and that INSTILLER addresses this by inserting interruptions and exceptions when generating inputs.[1]

This is important because many CPU bugs may only appear under realistic control-flow disruptions, privileged events, or exception-handling paths.

Seed Selection and Mutation

INSTILLER also introduces hardware-based seed selection and mutation strategies to improve fuzzing performance.[1] In fuzzing terminology:

  • A seed is an initial input or instruction sequence used as a starting point.
  • Mutation modifies seeds to generate new test inputs.
  • Hardware-aware strategies use information from the target CPU design or its behavior to guide which inputs should be retained and how they should be changed.
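The loop described across the Instruction Distillation, Interruptions and Exceptions, and Seed Selection and Mutation sections, as an added Python example that is not code from the INSTILLER paper or its authors: a toy 4-register, 8-bit machine stands in for the RTL CPU model, `execute` reports named coverage points (carry, borrow, branch direction and a divide-by-zero trap, the exception path the text says realistic inputs must reach), `distill` shortens an input while keeping every coverage point it earned (a greedy one-pass reduction, not the VACO ant-colony search), and `fuzz` combines a hardware-aware seed choice (most coverage points per instruction) with insert/delete/replace mutation. The instruction set, the coverage points, the `SEED` program and every function name are assumptions constructed for this example.

```python
import random
from dataclasses import dataclass

# Toy 8-bit, 4-register machine standing in for an RTL CPU model. Everything
# here (ISA, coverage points, distiller, seed scheduler) is constructed for this
# example; it is not INSTILLER's target core, its VACO distiller or its code.
OPS = ("LI", "ADD", "SUB", "DIV", "BEQ", "HALT")
NREGS, MAX_STEPS = 4, 64

@dataclass(frozen=True)
class Insn:
    op: str
    a: int = 0  # destination register (BEQ: first compared register)
    b: int = 0  # source register, or immediate for LI
    c: int = 0  # second source register, or branch offset for BEQ

def execute(program):
    """Run `program` and return the set of coverage points it exercised.
    The points are named micro-architectural events, a stand-in for the
    design-state coverage an RTL fuzzer tracks on the real core."""
    regs, cov, pc = [0] * NREGS, set(), 0
    for _ in range(MAX_STEPS):
        if not 0 <= pc < len(program):
            cov.add("pc_out_of_range_trap")
            break
        ins = program[pc]
        cov.add("op:" + ins.op)
        if ins.op == "HALT":
            cov.add("halt")
            break
        if ins.op == "LI":
            regs[ins.a] = ins.b & 0xFF
        elif ins.op == "ADD":
            s = regs[ins.b] + regs[ins.c]
            if s > 0xFF:
                cov.add("add_carry")
            regs[ins.a] = s & 0xFF
        elif ins.op == "SUB":
            d = regs[ins.b] - regs[ins.c]
            if d < 0:
                cov.add("sub_borrow")
            regs[ins.a] = d & 0xFF
        elif ins.op == "DIV":
            if regs[ins.c] == 0:
                # Exception path: modelled as a precise trap that skips the
                # faulting instruction, so the rest of the sequence still runs.
                cov.add("div_by_zero_trap")
            else:
                regs[ins.a] = regs[ins.b] // regs[ins.c]
        elif ins.op == "BEQ":
            if regs[ins.a] == regs[ins.b]:
                cov.add("beq_taken")
                pc += ins.c
                continue
            cov.add("beq_not_taken")
        pc += 1
    else:
        cov.add("step_limit")  # MAX_STEPS without halting, e.g. a BEQ loop
    return cov

def distill(program, required):
    """One-pass greedy distillation: drop each instruction whose removal still
    leaves every point in `required` covered (same coverage, shorter input)."""
    prog, i = list(program), 0
    while i < len(prog):
        cand = prog[:i] + prog[i + 1:]
        if required <= execute(cand):
            prog = cand
        else:
            i += 1
    return prog

def random_insn(rng):
    op = rng.choice(OPS)
    a, b, c = (rng.randrange(NREGS) for _ in range(3))
    if op == "LI":
        b = rng.randrange(256)
    elif op == "BEQ":
        c = rng.randrange(-3, 4)
    return Insn(op, a, b, c)

def mutate(program, rng):
    """Delete, insert or replace one instruction; never returns an empty input."""
    prog, kind = list(program), rng.randrange(3)
    if kind == 0 and len(prog) > 1:
        del prog[rng.randrange(len(prog))]
    elif kind == 1:
        prog.insert(rng.randrange(len(prog) + 1), random_insn(rng))
    else:
        prog[rng.randrange(len(prog))] = random_insn(rng)
    return prog

def fuzz(seed, iterations, rng_seed=1):
    """Coverage-guided loop: seed selection favours the corpus entry with the
    most coverage points per instruction, and any child that reaches new
    coverage is distilled before it joins the corpus, so inputs stay short."""
    rng = random.Random(rng_seed)
    corpus, total = [list(seed)], set(execute(seed))
    for _ in range(iterations):
        parent = max(corpus, key=lambda p: len(execute(p)) / max(len(p), 1))
        child = mutate(parent, rng)
        cov = execute(child)
        if cov - total:
            total |= cov
            corpus.append(distill(child, cov))
    return total, corpus

# Constructed seed: the two writes to r2 are dead and r1's value does not
# affect the borrow, so distillation can drop three of its seven instructions.
SEED = [Insn("LI", 0, 200), Insn("LI", 1, 100), Insn("LI", 2, 0),
        Insn("ADD", 3, 0, 0), Insn("LI", 2, 7), Insn("SUB", 3, 1, 0), Insn("HALT")]

if __name__ == "__main__":
    short = distill(SEED, execute(SEED))
    print(len(SEED), "->", len(short), "instructions; coverage kept:",
          execute(short) >= execute(SEED))
    total, corpus = fuzz(SEED, 300)
    print(len(total), "coverage points from", len(corpus), "distilled corpus entries")
```

Running the module distills the seven-instruction seed to four while keeping its carry, borrow and halt coverage, then runs the fuzz loop. The one-pass reduction is deliberately simple: it illustrates why length matters (every removed instruction is simulation time saved on each later execution of that seed) without claiming to reproduce the 79.3% figure reported for INSTILLER.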

Reported Results

In experiments against real-world target CPU cores, INSTILLER was compared with prior state-of-the-art RTL fuzzing work, including DiFuzzRTL. The reported results include:[1]

| Metric | Reported INSTILLER result |
| --- | --- |
| Coverage improvement over DiFuzzRTL | 29.4% more coverage |
| Mismatch detection improvement | 17.0% more mismatches |
| Input length reduction | 79.3% shorter input instructions |
| Execution speed increase | 6.7% average increase |

These results suggest that reducing RTL input instruction length can improve both fuzzing efficiency and bug-detection effectiveness.

References

[1]: Gen Zhang, Pengfei Wang, Tai Yue, Danjun Liu, Yubei Guo, and Kai Lu, “INSTILLER: Towards Efficient and Realistic RTL Fuzzing,” arXiv:2401.15967 [cs.CR], 2024. DOI: 10.48550/arXiv.2401.15967.