STIMSMITH

Transition Unit

Concept WIKI v1 · 5/28/2026

The Transition Unit (TU) is a ProcessorFuzz component that processes CSR transitions, filters and groups them, and determines whether a generated test input exposes a unique CSR transition worth preserving and simulating at RTL.

Overview

The Transition Unit (TU) is a component in ProcessorFuzz used to decide whether a fuzzing input produces a unique CSR transition. ProcessorFuzz builds the TU as one of its two main implementation steps, alongside generating an extended trace log with an ISA simulator. In the reported implementation, Spike was extended to store monitored CSR values for the extended trace log, and the TU was then used to drive CSR-transition-based feedback.

Role in fuzzing

During a fuzzing session, the TU determines whether the current input results in a unique CSR transition. If the transition is unique, ProcessorFuzz marks the input as interesting, launches RTL simulation, generates an extended RTL trace log, and compares it with the extended ISA trace log. If the input does not result in a unique transition, ProcessorFuzz discards it and proceeds to the next fuzzing iteration.

Transition handling

The TU helps implement CSR-transition coverage by operating on transitions in monitored control and status registers (CSRs). ProcessorFuzz selects monitored CSRs using two stated criteria: CSRs that contain processor status information, such as exception cause state, and CSRs that configure processor behavior, such as delegation settings. This selection is intended to help distinguish qualitatively different inputs and configurations.

The TU also filters out transitions caused by explicit writes to status CSRs, because the paper states that such transitions do not affect the architectural state of the processor. This filtering avoids treating those writes as useful coverage events.

Grouping transitions

The TU groups transitions to reduce the state space. ProcessorFuzz allows designers to group CSR transitions by Architectural Unit (AU), treating those groups as independent events. The paper describes this as a way to customize CSR-transition coverage for verifying different AUs individually; for example, privileged and unprivileged RISC-V architectural behavior can be grouped separately.

Transition map interaction

ProcessorFuzz maintains a Transition Map to store observed CSR transitions. Each transition is stored as a tuple (Im, S0, S1), where Im is the mnemonic of the instruction whose execution caused the CSR transition, and S0 and S1 are the CSR values before and after the transition. Including the instruction mnemonic distinguishes cases where different instructions trigger the same CSR value change.

Once tuples are created, the map is queried to determine whether a detected transition is new or a duplicate. Tuples containing new transitions are added to the map, and the current input is marked as interesting. The transition map is empty at the beginning of a fuzzing session and is maintained throughout the session.
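The filtering, AU grouping and transition-map lookup described above, as an added illustration that is not ProcessorFuzz's own code: the trace line format, the CSR-to-AU mapping, the set of status CSRs, the (AU, CSR) map keying and the constructed trace lines are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed extended-trace lines (not real Spike output); assumed format:
# "<mnemonic> <csr> <value-before> <value-after>", one monitored-CSR change per line.
CONSTRUCTED_TRACE = """\
ecall mcause 0x0 0xb
ecall mstatus 0x1800 0x0
csrrw mstatus 0x0 0x8
mret mstatus 0x8 0x1800
csrrw medeleg 0x0 0x100
ecall mcause 0xb 0xb
ecall scause 0x0 0x8
"""

# Assumed grouping of monitored CSRs into Architectural Units (AUs).
CSR_TO_AU = {"mcause": "M-mode", "mstatus": "M-mode", "medeleg": "M-mode",
             "scause": "S-mode"}
# Assumed: status CSRs whose explicit writes are filtered out; medeleg is
# treated as a configuration CSR, so explicit writes to it are kept.
STATUS_CSRS = {"mstatus", "mcause", "scause"}
CSR_WRITE_MNEMONICS = {"csrrw", "csrrs", "csrrc", "csrrwi", "csrrsi", "csrrci"}


class TransitionUnit:
    def __init__(self):
        # Transition map: empty at session start, keyed by (AU, CSR),
        # each entry holding a set of (Im, S0, S1) tuples.
        self.transition_map = defaultdict(set)

    @staticmethod
    def parse(trace):
        for line in trace.splitlines():
            mnemonic, csr, before, after = line.split()
            yield mnemonic, csr, int(before, 16), int(after, 16)

    def process(self, trace):
        """Return the new transitions in this trace; a non-empty list
        means the input is interesting and should go to RTL simulation."""
        new = []
        for im, csr, s0, s1 in self.parse(trace):
            if s0 == s1 or csr not in CSR_TO_AU:
                continue  # no value change, or CSR is not monitored
            if im in CSR_WRITE_MNEMONICS and csr in STATUS_CSRS:
                continue  # explicit write to a status CSR: filtered out
            key = (CSR_TO_AU[csr], csr)
            tup = (im, s0, s1)  # mnemonic distinguishes same-value changes
            if tup not in self.transition_map[key]:
                self.transition_map[key].add(tup)
                new.append((key, tup))
        return new
```

Running `process` twice on the same trace returns five new transitions the first time and an empty list the second, which is the duplicate case the TU discards.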

CITATIONS

[1] ProcessorFuzz has two main implementation steps: generation of an extended trace log using the ISA simulator and building the TU. ProcessorFuzz: Processor Fuzzing with Control and
[2] The TU determines whether an input results in a unique CSR transition; unique inputs trigger RTL simulation and trace comparison, while non-unique inputs are discarded. ProcessorFuzz: Processor Fuzzing with Control and
[3] ProcessorFuzz compares the extended RTL trace log with the extended ISA trace log, and differences indicate potential processor design bugs requiring investigation. ProcessorFuzz: Processor Fuzzing with Control and
[4] ProcessorFuzz selects monitored CSRs based on whether they contain processor status information or configure processor behavior. ProcessorFuzz: Processor Fuzzing with Control and
[5] ProcessorFuzz filters out transitions caused by explicit writes to status CSRs because such transitions do not affect the architectural state. ProcessorFuzz: Processor Fuzzing with Control and
[6] The TU groups transitions to reduce state space and to customize CSR-transition coverage for independently verifying Architectural Units. ProcessorFuzz: Processor Fuzzing with Control and
[7] ProcessorFuzz stores CSR transitions in a transition map as tuples of instruction mnemonic, previous CSR value, and next CSR value: (Im, S0, S1). ProcessorFuzz: Processor Fuzzing with Control and
[8] Created transition tuples are queried against the transition map; new transitions are added and mark the current input as interesting, while the map starts empty and is maintained throughout the fuzzing session. ProcessorFuzz: Processor Fuzzing with Control and