STIMSMITH

ProcessorFuzz paper

Paper WIKI v1 · 5/29/2026

The ProcessorFuzz paper presents ProcessorFuzz, a coverage-guided processor fuzzing approach that introduces CSR-transition coverage and uses ISA simulation to rapidly filter interesting test inputs before more expensive RTL simulation. The paper evaluates the approach on three open-source RISC-V processors, compares it with DIFUZZRTL, and reports faster bug triggering plus newly discovered bugs.

Overview

The ProcessorFuzz paper introduces ProcessorFuzz, a processor fuzzing mechanism for dynamic hardware verification. The work adapts coverage-guided fuzzing to processor designs, where hardware cannot be executed directly on a host machine and is instead evaluated through RTL simulation.

Core ideas

ProcessorFuzz has two main technical features:

  1. CSR-transition coverage: ProcessorFuzz introduces a coverage metric that monitors transitions in Control and Status Registers (CSRs). The paper argues that ISA-defined CSRs can expose aspects of the current processor finite-state-machine state, such as privilege mode or floating-point exception causes, so transitions in these registers help guide fuzzing toward distinct processor states.
  2. ISA-simulation-based feedback: ProcessorFuzz uses ISA simulation as part of its coverage feedback mechanism to quickly determine whether a generated input is interesting. The paper contrasts this with prior approaches that rely on RTL simulation for the same purpose, which is more time-consuming. As a reference point, the paper reports ISA simulation as 79× faster than RTL simulation for the open-source RISC-V BOOM processor.

Bug detection model

The paper describes processor fuzzing as using differential testing: the same input is run against both an RTL simulator and a reference model, where the reference model is an ISA simulator that implements ISA-level behavior. Inconsistencies between these executions indicate a potential processor bug.
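To make the two feedback stages concrete, here is an added toy model (not code from the paper or its authors) of CSR-transition coverage followed by differential checking: an input is kept only if its ISA-simulator CSR trace adds a transition never covered before, and only kept inputs are diffed against an RTL trace. The CSR names, values and traces are constructed for illustration.

```python
# Added example, not the paper's code. Models ProcessorFuzz's feedback loop:
#  stage 1: fast ISA simulation -> is the input interesting (new CSR transition)?
#  stage 2: expensive RTL simulation only for interesting inputs -> differential check.
# CSR names/values below are constructed; "priv" stands in for the privilege
# mode exposed through ISA CSRs, "fflags" for accrued floating-point exception flags.

def csr_transitions(trace):
    """Set of (csr, old, new) transitions in a per-instruction CSR trace."""
    found = set()
    for prev, cur in zip(trace, trace[1:]):
        for csr, val in cur.items():
            if prev.get(csr) != val:
                found.add((csr, prev.get(csr), val))
    return found

class CsrTransitionCoverage:
    """Campaign-wide coverage map; an input is interesting if it adds a transition."""
    def __init__(self):
        self.covered = set()

    def is_interesting(self, isa_trace):
        new = csr_transitions(isa_trace) - self.covered
        self.covered |= new
        return bool(new)

def first_mismatch(isa_trace, rtl_trace):
    """Index of the first instruction whose CSR state differs between the
    ISA-simulator reference and RTL, or None if the traces agree."""
    for i, (a, b) in enumerate(zip(isa_trace, rtl_trace)):
        if a != b:
            return i
    if len(isa_trace) != len(rtl_trace):
        return min(len(isa_trace), len(rtl_trace))
    return None

def fuzz_step(isa_trace, coverage, run_rtl):
    """One fuzzing iteration: returns (interesting, mismatch_index).
    run_rtl is only called when the ISA trace was interesting."""
    if not coverage.is_interesting(isa_trace):
        return False, None
    return True, first_mismatch(isa_trace, run_rtl())

# Constructed traces: priv 0=U, 1=S, 3=M; fflags 0x10 = invalid-operation flag.
TRACE_A = [{"priv": 0, "fflags": 0}, {"priv": 1, "fflags": 0}, {"priv": 1, "fflags": 0x10}]
TRACE_B = [{"priv": 0, "fflags": 0}, {"priv": 1, "fflags": 0x10}]  # no new transitions
TRACE_C = [{"priv": 1, "fflags": 0}, {"priv": 3, "fflags": 0}]     # new S->M transition
# Constructed RTL trace for input A in which the FPU never raises the flag (a bug).
RTL_A = [{"priv": 0, "fflags": 0}, {"priv": 1, "fflags": 0}, {"priv": 1, "fflags": 0}]
```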

Evaluation

The paper evaluates ProcessorFuzz on three open-source RISC-V processors implemented in different HDLs, including Chisel and SystemVerilog. The evaluated processors vary in microarchitectural characteristics such as pipeline depth and execution style, including in-order and out-of-order designs.

Compared with the register-coverage-guided processor fuzzer DIFUZZRTL, ProcessorFuzz triggered the bugs found by DIFUZZRTL 1.23× faster on average. The paper also reports that ProcessorFuzz found 8 new bugs in widely used open-source processors and 1 new bug in a reference model.

CITATIONS

[1] The paper introduces ProcessorFuzz as a new processor fuzzing mechanism. ProcessorFuzz: Processor Fuzzing with Control and
[2] ProcessorFuzz uses CSR-transition coverage to guide fuzzing toward interesting processor states by monitoring transitions in Control and Status Registers. ProcessorFuzz: Processor Fuzzing with Control and
[3] ProcessorFuzz uses ISA simulation as part of the coverage feedback mechanism to rapidly identify interesting test inputs, and ISA simulation is described as faster than RTL simulation. ProcessorFuzz: Processor Fuzzing with Control and
[4] The paper reports ISA simulation as 79× faster than RTL simulation for the open-source RISC-V BOOM processor. ProcessorFuzz: Processor Fuzzing with Control and
[5] Processor fuzzing in the paper uses differential testing between RTL simulation and an ISA-simulator reference model, where inconsistent behavior indicates a potential bug. ProcessorFuzz: Processor Fuzzing with Control and
[6] The evaluation uses three open-source RISC-V processors with different HDLs and microarchitectural properties. ProcessorFuzz: Processor Fuzzing with Control and
[7] ProcessorFuzz triggered DIFUZZRTL-found bugs 1.23× faster on average than DIFUZZRTL and revealed 8 new bugs in open-source processors plus 1 new bug in a reference model. ProcessorFuzz: Processor Fuzzing with Control and