
ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance

Paper

ProcessorFuzz is a paper presenting a processor fuzzer for RTL verification. It introduces CSR-transition coverage, which uses transitions in Control and Status Registers to guide fuzzing toward new processor states, and uses ISA simulation to identify interesting inputs more quickly than RTL-only guidance. The evaluation on Rocket, BOOM, and BlackParrot found ground-truth bugs 1.23× faster on average than DIFUZZRTL and exposed nine new confirmed bugs.

First seen 5/28/2026
Last seen 5/28/2026
Evidence 2 chunks
Wiki v1

WIKI

Overview

ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance presents ProcessorFuzz, a processor fuzzer for Register-Transfer Level (RTL) processor verification. The paper is authored by Sadullah Canakci, Chathura Rajapaksha, Leila Delshadtehrani, Anoop Nataraja, Michael Bedford Taylor, Manuel Egele, and Ajay Joshi, with affiliations at Boston University and the University of Washington.[C1]

The work is motivated by the increasing complexity of processor designs and the difficulty of verifying large processor state spaces before manufacturing. The paper frames processor fuzzing as an adaptation of coverage-guided software fuzzing to hardware, while noting two important challenges: conventional software coverage metrics such as basic-block or branch coverage are not well suited to hardware, and processor bugs often do not manifest as obvious crashes or exceptions during testing.[C2]

RELATIONSHIPS

11 connections
ProcessorFuzz introduces → 100% 1e
The paper presents ProcessorFuzz as a novel processor fuzzer.
CSR-transition coverage introduces → 100% 1e
The paper proposes CSR-transition coverage as a novel coverage metric for processor fuzzing.
Sadullah Canakci authored by → 100% 1e
Sadullah Canakci is listed as an author of the paper.
Chathura Rajapaksha authored by → 100% 1e
Chathura Rajapaksha is listed as an author of the paper.
Leila Delshadtehrani authored by → 100% 1e
Leila Delshadtehrani is listed as an author of the paper.
Anoop Nataraja authored by → 100% 1e
Anoop Nataraja is listed as an author of the paper.
Michael Bedford Taylor authored by → 100% 1e
Michael Bedford Taylor is listed as an author of the paper.
Manuel Egele authored by → 100% 1e
Manuel Egele is listed as an author of the paper.
Ajay Joshi authored by → 100% 1e
Ajay Joshi is listed as an author of the paper.
Boston University authored by → 100% 1e
Several authors are affiliated with Boston University.
University of Washington authored by → 100% 1e
Some authors are affiliated with University of Washington.

CITATIONS

8 sources
[1] The paper is titled ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance and is authored by Sadullah Canakci, Chathura Rajapaksha, Leila Delshadtehrani, Anoop Nataraja, Michael Bedford Taylor, Manuel Egele, and Ajay Joshi, with Boston University and University of Washington affiliations. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[2] The paper motivates ProcessorFuzz by noting that processor verification is difficult as processor complexity grows, that software-style coverage metrics are not well suited to hardware, and that processor bugs may not produce obvious crashes or exceptions. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[3] ProcessorFuzz introduces CSR-transition coverage, which monitors transitions in Control and Status Registers because CSRs control or hold processor state and their transitions indicate new processor states. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[4] ProcessorFuzz uses ISA simulation to rapidly determine whether a test input is interesting; the paper states that ISA simulation is significantly faster than RTL simulation and helps eliminate repetitive test inputs. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[5] Coverage-guided fuzzing repeatedly runs generated inputs, records coverage to identify interesting inputs, mutates those inputs, and feeds the resulting inputs into later fuzzing rounds; processor fuzzing requires RTL simulation because hardware is not directly executable on the host machine. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[6] The paper contrasts CSR-transition coverage with hardware-specific metrics such as register coverage, including DIFUZZRTL's monitoring of value changes in registers that control multiplexer selection signals. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[7] ProcessorFuzz was evaluated on Rocket, BOOM, and BlackParrot RISC-V processors, including designs in Chisel and SystemVerilog with varied microarchitectural implementations such as pipeline depth and in-order or out-of-order execution. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[8] ProcessorFuzz triggered ground-truth bugs 1.23× faster on average than DIFUZZRTL and exposed eight new bugs across three RISC-V cores plus one new reference-model bug, all confirmed by project developers. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance