STIMSMITH

Register-Transfer Level

Concept WIKI v3 · 5/29/2026

Register-Transfer Level (RTL) is described in the evidence as an abstraction for implementing hardware designs so they can be simulated and evaluated. RTL designs are usually expressed in hardware description languages such as Verilog or VHDL, and processor fuzzing workflows use RTL simulation and trace comparison against ISA simulation to identify potential processor bugs.

Overview

Register-Transfer Level (RTL) appears in the evidence as the abstraction used to implement hardware designs, including processors, for simulation-based evaluation. Unlike software programs, hardware is not directly executable on a host machine; instead, the hardware design is implemented with an RTL abstraction and simulated with an RTL simulator to evaluate a test input. RTL designs are usually expressed with a hardware description language (HDL), such as Verilog or VHDL. [RTL abstraction and HDL expression]

Role in processor fuzzing

The evidence describes coverage-guided fuzzing (CGF) being adapted as a dynamic verification method for hardware, including processors. In this setting, the processor design is simulated at RTL rather than executed directly. [RTL in hardware fuzzing]

ProcessorFuzz contrasts two uses of simulation in this workflow. Prior processor-fuzzing approaches relied on RTL simulation to decide whether a test input was interesting, which the evidence characterizes as time-consuming. ProcessorFuzz instead uses ISA simulation to rapidly determine interesting inputs, with the paper stating that ISA simulation is significantly faster than RTL simulation. [ISA versus RTL simulation]

Bug detection by trace comparison

When ProcessorFuzz determines that an input produces a unique Control and Status Register (CSR) transition, it launches RTL simulation and generates an extended RTL trace log. It then compares that RTL trace log with an extended ISA trace log; any difference between the logs is treated as a potential processor-design bug that requires further investigation by a verification engineer. Inputs that do not produce a unique transition are discarded and the fuzzer proceeds to the next iteration. [RTL and ISA trace comparison]
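The triage-then-compare loop described above, as an added example that is not ProcessorFuzz's own code. The trace line format, the `Step` record, the function names, and the modelling of a CSR transition as (mnemonic, CSR values before, CSR values after) are assumptions made for illustration; `run_rtl` is a hypothetical callable standing in for an RTL simulation run, and the sample traces are constructed.

```python
from typing import NamedTuple

class Step(NamedTuple):
    pc: int
    mnemonic: str
    csrs: tuple  # sorted (name, value) pairs after the instruction retires

def parse_trace(text):
    """Parse assumed lines of the form '<pc> <mnemonic> csr=hex,csr=hex'."""
    steps = []
    for line in text.strip().splitlines():
        pc, mnemonic, field = line.split()
        pairs = (kv.split("=") for kv in field.split(","))
        csrs = tuple(sorted((k, int(v, 16)) for k, v in pairs))
        steps.append(Step(int(pc, 16), mnemonic, csrs))
    return steps

def csr_transitions(steps):
    """Set of (mnemonic, csrs_before, csrs_after) where the CSR state changed."""
    return {(cur.mnemonic, prev.csrs, cur.csrs)
            for prev, cur in zip(steps, steps[1:]) if prev.csrs != cur.csrs}

def first_divergence(isa, rtl):
    """(index, isa_step, rtl_step) at the first mismatch, or None if equal."""
    for i, (a, b) in enumerate(zip(isa, rtl)):
        if a != b:
            return i, a, b
    if len(isa) != len(rtl):  # one trace stopped early
        return min(len(isa), len(rtl)), None, None
    return None

def fuzz_iteration(isa_text, run_rtl, seen):
    """Triage on the ISA trace; run RTL simulation only for new transitions."""
    isa = parse_trace(isa_text)
    new = csr_transitions(isa) - seen
    if not new:
        return "discarded", None        # nothing unique: skip RTL simulation
    seen.update(new)
    diff = first_divergence(isa, parse_trace(run_rtl()))
    return ("potential-bug", diff) if diff else ("match", None)

# Constructed sample traces (values chosen for illustration only).
ISA_A = """80000000 addi mstatus=0,mcause=0
80000004 csrrw mstatus=8,mcause=0
80000008 ecall mstatus=1880,mcause=b"""
ISA_B = """80000000 addi mstatus=0,mcause=0
80000004 ecall mstatus=1800,mcause=b"""
RTL_B = """80000000 addi mstatus=0,mcause=0
80000004 ecall mstatus=1800,mcause=0"""   # constructed mismatch in mcause
```

A reported divergence is only a candidate: as the text says, it still needs investigation by a verification engineer.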

Tooling and evaluation context

In the ProcessorFuzz evaluation, RTL simulation for all processor designs used Verilator, identified in the evidence as an open-source RTL simulator. The evaluated open-source RISC-V processors were designed in different HDLs, including Chisel and SystemVerilog. The paper also compares ProcessorFuzz against DIFUZZRTL, described in the evidence as a register-coverage-guided approach, using the same mutation engine so that the comparison focuses on coverage-feedback mechanisms rather than input-generation mechanisms. [RTL simulation tooling and comparison]

CITATIONS

[1] RTL abstraction and HDL expression ProcessorFuzz: Processor Fuzzing with Control and
[4] RTL and ISA trace comparison ProcessorFuzz: Processor Fuzzing with Control and
[5] RTL simulation tooling and comparison ProcessorFuzz: Processor Fuzzing with Control and

VERSION HISTORY

v3 · 5/29/2026 · gpt-5.5 (current)
v2 · 5/28/2026 · gpt-5.5
v1 · 5/25/2026 · gpt-5.5