STIMSMITH

Transition Unit

Concept

The Transition Unit (TU) is a ProcessorFuzz component that processes CSR transitions, filters and groups them, and determines whether a generated test input exposes a unique CSR transition worth preserving and simulating at RTL.

First seen 5/28/2026
Last seen 6/8/2026
Evidence 13 chunks
Wiki v1

WIKI

Overview

The Transition Unit (TU) is a component in ProcessorFuzz used to decide whether a fuzzing input produces a unique CSR transition. ProcessorFuzz builds the TU as one of its two main implementation steps, alongside generating an extended trace log with an ISA simulator. In the reported implementation, Spike was extended to store monitored CSR values for the extended trace log, and the TU was then used to drive CSR-transition-based feedback.

Role in fuzzing

RELATIONSHIPS

4 connections
ProcessorFuzz ← uses 100% 4e
ProcessorFuzz employs a Transition Unit to extract and evaluate CSR transitions.
CSR-transition coverage ← uses 95% 4e
CSR-transition coverage uses the Transition Unit to extract and process CSR transitions.
extended ISA trace log uses → 100% 3e
The Transition Unit takes the extended ISA trace log as input to extract CSR transitions.
Transition Map uses → 100% 2e
The Transition Unit communicates with the Transition Map to store and check CSR transitions.

CITATIONS

8 sources
[1] ProcessorFuzz has two main implementation steps: generation of an extended trace log using the ISA simulator and building the TU. ProcessorFuzz: Processor Fuzzing with Control and
[2] The TU determines whether an input results in a unique CSR transition; unique inputs trigger RTL simulation and trace comparison, while non-unique inputs are discarded. ProcessorFuzz: Processor Fuzzing with Control and
[3] ProcessorFuzz compares the extended RTL trace log with the extended ISA trace log, and differences indicate potential processor design bugs requiring investigation. ProcessorFuzz: Processor Fuzzing with Control and
[4] ProcessorFuzz selects monitored CSRs based on whether they contain processor status information or configure processor behavior. ProcessorFuzz: Processor Fuzzing with Control and
[5] ProcessorFuzz filters out transitions caused by explicit writes to status CSRs because such transitions do not affect the architectural state. ProcessorFuzz: Processor Fuzzing with Control and
[6] The TU groups transitions to reduce state space and to customize CSR-transition coverage for independently verifying Architectural Units. ProcessorFuzz: Processor Fuzzing with Control and
[7] ProcessorFuzz stores CSR transitions in a transition map as tuples of instruction mnemonic, previous CSR value, and next CSR value: (Im, S0, S1). ProcessorFuzz: Processor Fuzzing with Control and
[8] Created transition tuples are queried against the transition map; new transitions are added and mark the current input as interesting, while the map starts empty and is maintained throughout the fuzzing session. ProcessorFuzz: Processor Fuzzing with Control and
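
The flow in citations [2], [5], [7] and [8] (extract (Im, S0, S1) tuples, filter explicit status-CSR writes, query the transition map), sketched as an added example that is not taken from the ProcessorFuzz paper or code base. The trace record layout, the CSR names, the contents of `STATUS_CSRS` and the sample traces are assumptions constructed for illustration; the grouping step in [6] is not modelled.

```python
# Added illustration, not ProcessorFuzz code. The record layout, the mnemonic
# set and STATUS_CSRS are assumptions; the sample traces are constructed.
CSR_WRITES = {"csrrw", "csrrs", "csrrc", "csrrwi", "csrrsi", "csrrci"}
STATUS_CSRS = {"mcause", "scause"}  # assumed set of "status" CSRs


def freeze(csrs):
    """Hashable snapshot of the monitored CSR values."""
    return tuple(sorted(csrs.items()))


def extract_transitions(trace):
    """Return (Im, S0, S1) tuples; trace[0] is taken as the baseline state."""
    out = []
    for prev, cur in zip(trace, trace[1:]):
        s0, s1 = prev["csrs"], cur["csrs"]
        changed = {name for name in s1 if s1[name] != s0.get(name)}
        if not changed:
            continue
        # Filter: the only change is an explicit write to a status CSR.
        explicit = {cur.get("operand")} & STATUS_CSRS
        if cur["mnemonic"] in CSR_WRITES and changed <= explicit:
            continue
        out.append((cur["mnemonic"], freeze(s0), freeze(s1)))
    return out


class TransitionUnit:
    def __init__(self):
        self.transition_map = set()  # empty at start, kept for the whole session

    def is_interesting(self, trace):
        """True if the trace adds at least one new tuple to the transition map."""
        new = set(extract_transitions(trace)) - self.transition_map
        self.transition_map |= new
        return bool(new)


def rec(mnemonic, mstatus, mcause, operand=None):
    return {"mnemonic": mnemonic, "operand": operand,
            "csrs": {"mstatus": mstatus, "mcause": mcause}}


TRACE_A = [rec("addi", 0x8, 0), rec("ecall", 0x1880, 11),
           rec("csrrw", 0x1880, 0, operand="mcause")]   # last step is filtered
TRACE_B = [rec("addi", 0x8, 0), rec("ecall", 0x1880, 11)]  # nothing new after A
TRACE_C = [rec("addi", 0x8, 0), rec("ebreak", 0x1880, 3)]  # new mnemonic and S1

if __name__ == "__main__":
    tu = TransitionUnit()
    for name, trace in (("A", TRACE_A), ("B", TRACE_B), ("C", TRACE_C)):
        print(name, "simulate at RTL" if tu.is_interesting(trace) else "discard")
```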