STIMSMITH

Co-simulation

Technique WIKI v4 · 5/30/2026

In the supplied processor-verification evidence, co-simulation is used to compare an RTL RISC-V processor against a reference instruction-set simulator in a shared SystemC testbench. The documented case study combines co-simulation with coverage-guided fuzzing for the VexRiscv RV32IM configuration, using Verilator to translate the RTL core to C++ and an ISS extracted from the RISC-V VP as the reference model.

Overview

In the supplied evidence, co-simulation is a processor-verification technique in which an RTL processor core and a reference instruction-set simulator (ISS) are embedded into a common testbench so their behavior can be checked during generated test execution. The documented case study evaluates fuzzing in combination with co-simulation for processor verification. [C1]

Coverage-guided fuzzing case study

The main evidenced use is from the paper "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing". The case study uses the open-source RISC-V VexRiscv processor as the device under test (DUT). VexRiscv is described as a configurable, four-stage pipelined RTL core written in SpinalHDL; the evaluated configuration is RV32IM. [C1]

For the reference side of the co-simulation, the authors extracted an ISS from the open-source RISC-V VP, a SystemC TLM virtual prototype supporting many RISC-V instruction sets. To enable co-simulation, they translated the RTL core to C++ using Verilator and embedded it with the ISS into a common SystemC testbench. [C1]

CSR-focused checking support

The fuzzing flow includes CSR instruction insertion and replacement to improve testing of RISC-V privileged-architecture behavior. Each CSR mutation adds two CSR instructions: the first writes a CSR, and the second reads the same CSR. The paper states that this propagates possible CSR misbehavior directly into a register, making it detectable by the Execution Controller. [C2]
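The following added example is not code from the paper or from the VexRiscv or RISC-V VP projects. It is a toy lockstep comparison showing why the CSR read matters when the checker compares register files. The `Core` model, the `csr_write_mask` fault, and the three-instruction subset are assumptions made for illustration.

```cpp
// Added illustration: toy lockstep co-simulation, not the paper's testbench.
#include <array>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

enum class Op { ADDI, CSRRW, CSRRS };            // tiny decoded subset (assumption)
struct Insn { Op op; int rd; int rs1; uint32_t imm_or_csr; };
constexpr uint32_t CSR_MSCRATCH = 0x340;         // mscratch CSR address

struct Core {
    std::array<uint32_t, 32> x{};                // register file seen by the checker
    std::map<uint32_t, uint32_t> csr;            // CSR state, not compared directly
    uint32_t csr_write_mask = 0xFFFFFFFFu;       // hypothetical DUT fault: wrong mask
    void step(const Insn& i) {
        uint32_t src = x[i.rs1];
        uint32_t result = 0;
        switch (i.op) {
        case Op::ADDI:  result = src + i.imm_or_csr; break;
        case Op::CSRRW: result = csr[i.imm_or_csr];              // old value goes to rd
                        csr[i.imm_or_csr] = src & csr_write_mask; break;
        case Op::CSRRS: result = csr[i.imm_or_csr];              // rs1 = x0 is a pure read
                        csr[i.imm_or_csr] |= src & csr_write_mask; break;
        }
        if (i.rd != 0) x[i.rd] = result;         // x0 stays hard-wired to zero
    }
};

// Runs reference and DUT in lockstep. Returns the index of the first instruction
// after which the register files differ, or -1 if the whole program matches.
int first_mismatch(const std::vector<Insn>& prog, uint32_t dut_mask) {
    Core iss, dut;
    dut.csr_write_mask = dut_mask;
    for (size_t pc = 0; pc < prog.size(); ++pc) {
        iss.step(prog[pc]);
        dut.step(prog[pc]);
        if (iss.x != dut.x) return static_cast<int>(pc);
    }
    return -1;
}

// Constructed test vector: load a value, write it to a CSR, optionally read it back.
std::vector<Insn> program(bool with_readback) {
    std::vector<Insn> p = {{Op::ADDI, 5, 0, 0x5A5}, {Op::CSRRW, 0, 5, CSR_MSCRATCH},
                           {Op::ADDI, 6, 5, 1}};
    if (with_readback) p.insert(p.begin() + 2, Insn{Op::CSRRS, 7, 0, CSR_MSCRATCH});
    return p;
}

int main() {
    std::printf("write only: %d, write+read: %d\n",
                first_mismatch(program(false), 0xFF), first_mismatch(program(true), 0xFF));
}
```

With the faulty mask, the write-only vector passes the register comparison, while the write-then-read vector diverges at the read instruction.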

Post-processing and bug triage

After fuzzing, the evidence describes a post-processing step for clustering failing test vectors. This step uses a custom version of the co-simulation that logs all executed instructions with their corresponding addresses. The logged co-simulation is not used for fuzzing because hard-disk writes make it slower, and it does not need the coverage instrumentation required during fuzzing. The post-processing then extracts the instruction that leads to the bug. [C3]

Practical implications from the evidence

  • Shared execution environment: the RTL core and ISS are embedded into a common SystemC testbench for co-simulation. [C1]
  • RTL integration path: Verilator is used to translate the RTL core into C++ before embedding it in the SystemC testbench. [C1]
  • Reference-model choice: the reference ISS is extracted from RISC-V VP. [C1]
  • Debug-oriented variants: a slower, logging-enabled co-simulation can be useful after fuzzing for clustering failing inputs and identifying the instruction associated with a bug. [C3]
  • Configuration effort: the paper contrasts its approach with earlier work, noting that the earlier cross-level testing setup required significant manual effort to create an appropriate co-simulation for different processor configurations. [C4]

CITATIONS

[C1] The fuzzing case study evaluates co-simulation for processor verification using VexRiscv as the RTL DUT, a RISC-V VP ISS as reference, Verilator translation to C++, and a common SystemC testbench. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing".
[C2] The fuzzing flow adds CSR write/read instruction pairs so CSR misbehavior is propagated into a register and made detectable by the Execution Controller. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing".
[C3] The post-processing flow uses a custom co-simulation that logs executed instructions and addresses, is slower due to hard-disk writes, does not require fuzzing coverage instrumentation, and is used to extract the instruction leading to a bug. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing".
[C4] The fuzzing paper contrasts its approach with earlier cross-level testing work, identified in the references as "Efficient Cross-Level Testing for Processor Verification: A RISC-V Case-Study", noting that the earlier setup required significant manual effort for co-simulation across processor configurations. Source: "Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing".

VERSION HISTORY

v4 · 5/30/2026 · gpt-5.5 (current)
v3 · 5/28/2026 · gpt-5.5
v2 · 5/27/2026 · gpt-5.5
v1 · 5/25/2026 · gpt-5.5