STIMSMITH

CSR-transition coverage

Technique

CSR-transition coverage is a ProcessorFuzz coverage-guidance technique positioned as an alternative to RTL register coverage. The supplied evidence primarily supports its motivation: prior register coverage can reward datapath-register activity that does not meaningfully represent processor FSM state, causing fuzzers to keep unhelpful inputs.

First seen 5/28/2026
Last seen 6/8/2026
Evidence 24 chunks
Wiki v2

WIKI

Overview

CSR-transition coverage is a coverage-guidance technique associated with ProcessorFuzz. In the supplied ProcessorFuzz paper excerpts, the technique is motivated as a new coverage metric intended to address a weakness in prior processor-fuzzing feedback based on RTL register coverage. [C1]

Motivation

RELATIONSHIPS

9 connections
Control and Status Registers uses → 100% 6e
CSR-transition coverage monitors transitions in Control and Status Registers.
Transition Unit uses → 95% 4e
CSR-transition coverage uses the Transition Unit to extract and process CSR transitions.
ProcessorFuzz ← implements 100% 4e
ProcessorFuzz implements the CSR-transition coverage metric to guide fuzzing.
register coverage compares with → 100% 3e
CSR-transition coverage is compared with register coverage as a more precise metric.
ProcessorFuzz paper ← introduces 100% 2e
The paper introduces the CSR-transition coverage metric as a novel coverage signal for processor fuzzing.
extended ISA trace log uses → 95% 2e
CSR-transition coverage processes extended ISA trace logs to identify CSR transitions.
Transition Map uses → 95% 2e
CSR-transition coverage uses the Transition Map to store observed transitions.
Finite State Machine uses → 95% 2e
CSR-transition coverage tracks FSM state transitions in the processor via CSR changes.
The paper proposes CSR-transition coverage as a novel coverage metric for processor fuzzing.
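
The flow these relationships describe (trace log, then Transition Unit, then Transition Map), as an added example that is not code from ProcessorFuzz or the paper. The trace format, the choice of monitored CSRs, the sample values and the simplified value-based metric standing in for register coverage are all assumptions.

```python
# Added illustration: trace format, CSR selection and all values are constructed.
MONITORED = ("mstatus", "mcause")  # assumed choice of monitored CSRs

def extract_transitions(trace):
    """Transition Unit role: yield (old, new) whenever a monitored CSR changes."""
    prev = None
    for entry in trace:
        cur = tuple(entry["csrs"][name] for name in MONITORED)
        if prev is not None and cur != prev:
            yield (prev, cur)
        prev = cur

class TransitionMap:
    """Transition Map role: remember transitions seen across all inputs."""
    def __init__(self):
        self.seen = set()
    def update(self, trace):
        new = set(extract_transitions(trace)) - self.seen
        self.seen |= new
        return len(new)  # > 0 means the input reached a new CSR transition

class RegisterValueCoverage:
    """Simplified stand-in for register coverage: any unseen value counts."""
    def __init__(self):
        self.seen = set()
    def update(self, trace):
        new = {entry["remainder"] for entry in trace} - self.seen
        self.seen |= new
        return len(new)

def step(mstatus, mcause, remainder):
    return {"csrs": {"mstatus": mstatus, "mcause": mcause}, "remainder": remainder}

# Constructed traces, one entry per retired instruction.
INPUTS = [
    ("div_a", [step(0x8, 0, 7), step(0x8, 0, 3), step(0x8, 0, 1)]),
    ("div_b", [step(0x8, 0, 9), step(0x8, 0, 4), step(0x8, 0, 2)]),
    ("trap", [step(0x8, 0, 0), step(0x1880, 2, 0), step(0x88, 2, 0)]),
]

def compare(inputs=INPUTS):
    """Return (name, new register values, new CSR transitions) per input."""
    reg, csr = RegisterValueCoverage(), TransitionMap()
    return [(name, reg.update(t), csr.update(t)) for name, t in inputs]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Both division inputs look new to the value-based metric although no monitored CSR changed; only the trapping input adds entries to the transition map.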

CITATIONS

6 sources
[1] ProcessorFuzz presents a new coverage metric to address problems in prior register-coverage feedback. ProcessorFuzz: Processor Fuzzing with Control and
[2] DIFUZZRTL register coverage monitors value changes in registers that control multiplexer selection signals, using those values as approximations of processor FSM states. ProcessorFuzz: Processor Fuzzing with Control and
[3] Register coverage can be misleading because datapath registers may have minimal control over the processor FSM state, yet still cause inputs to be treated as interesting. ProcessorFuzz: Processor Fuzzing with Control and
[4] In the Rocket Core example, the MulDiv module and especially its remainder register are major contributors to DIFUZZRTL register-coverage increases. ProcessorFuzz: Processor Fuzzing with Control and
[5] Processor fuzzing in the paper uses RTL simulation and ISA simulation as differential-testing references, with mismatches indicating potential processor bugs. ProcessorFuzz: Processor Fuzzing with Control and
[6] The ProcessorFuzz paper reports eight new bugs in three processor designs and one new bug in a reference model. ProcessorFuzz: Processor Fuzzing with Control and