Overview
Multiplexer toggle coverage is a coverage-guidance technique for hardware fuzzing that centers feedback on multiplexer activity in a design. In the processor-fuzzing literature, multiplexer-focused feedback is motivated by the role of multiplexers and their selection logic in exposing control-state behavior during RTL simulation.
A closely related processor-fuzzing metric, DIFUZZRTL's register coverage, monitors value changes in registers that control multiplexer selection signals. The stated intuition is that values in those registers can represent unique states in the processor finite-state machine (FSM), so guiding a fuzzer with that feedback can help explore additional FSM states.
Use in fuzzing workflows
In hardware coverage-guided fuzzing, the design under test is simulated with generated inputs, and feedback from the simulation is used to decide which inputs are interesting. In the processor fuzzing workflows described in the literature, RTL-simulator results are compared against an ISA simulator used as a reference model; differences between the RTL and ISA outputs indicate potential processor bugs.
Within that setting, multiplexer toggle coverage supplies structural feedback from the RTL rather than relying only on software-style coverage metrics. RFUZZ is identified as a tool that implements multiplexer toggle coverage.
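The feedback loop described above can be sketched as follows. This is an added example, not code from RFUZZ or any other tool named here. It assumes a select signal counts as covered when it is observed at both 0 and 1 within a single test run; the signal names and traces are constructed.

```python
from typing import Dict, List, Set

Trace = List[Dict[str, int]]  # one dict per simulated cycle: select name -> 0 or 1

def toggled_selects(trace: Trace) -> Set[str]:
    """Selects observed at both 0 and 1 within a single test run."""
    seen: Dict[str, Set[int]] = {}
    for cycle in trace:
        for name, value in cycle.items():
            seen.setdefault(name, set()).add(value & 1)
    return {name for name, values in seen.items() if values == {0, 1}}

class MuxToggleFeedback:
    """Keeps an input only if it toggles a select no earlier input toggled."""
    def __init__(self, selects: List[str]) -> None:
        self.selects = set(selects)
        self.covered: Set[str] = set()
        self.corpus: List[bytes] = []

    def report(self, test_input: bytes, trace: Trace) -> Set[str]:
        new = (toggled_selects(trace) & self.selects) - self.covered
        if new:  # interesting: reached mux activity not seen before
            self.covered |= new
            self.corpus.append(test_input)
        return new

    def coverage(self) -> float:
        return len(self.covered) / len(self.selects) if self.selects else 0.0

# Constructed sample data: hypothetical select names and per-cycle values.
SELECTS = ["alu_src_sel", "wb_sel", "pc_sel"]
RUNS = [
    (b"\x01", [{"alu_src_sel": 0, "wb_sel": 0, "pc_sel": 0},
               {"alu_src_sel": 1, "wb_sel": 0, "pc_sel": 0}]),
    (b"\x02", [{"alu_src_sel": 1, "wb_sel": 1, "pc_sel": 0},   # wb_sel held at 1:
               {"alu_src_sel": 0, "wb_sel": 1, "pc_sel": 0}]),  # no toggle in this run
    (b"\x03", [{"alu_src_sel": 0, "wb_sel": 0, "pc_sel": 0},
               {"alu_src_sel": 0, "wb_sel": 0, "pc_sel": 1}]),
]

def run_demo() -> MuxToggleFeedback:
    feedback = MuxToggleFeedback(SELECTS)
    for test_input, trace in RUNS:
        new = feedback.report(test_input, trace)
        print(test_input, "kept" if new else "discarded", sorted(new))
    return feedback

if __name__ == "__main__":
    fb = run_demo()
    print(f"coverage: {fb.coverage():.0%}")
```

The second input is discarded even though wb_sel differs from its value in the first run, because under the per-run assumption a select must take both values within one run to count as toggled.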
Limitations
Two important limitations are noted for multiplexer-monitoring approaches:
- Performance overhead: monitoring multiplexers in complex designs can introduce excessive performance overhead.
- HDL coupling: RFUZZ and related work by Li et al. are described as highly coupled to Chisel HDL, which limits the applicability of those approaches to designs outside that ecosystem.
These limitations motivated later work such as ProcessorFuzz to emphasize HDL-agnostic and more selective coverage strategies rather than direct monitoring of many low-level structures.