Skip to content
STIMSMITH

register coverage

Technique

Register coverage is a processor-fuzzing coverage technique associated with DIFUZZRTL in the ProcessorFuzz paper. It monitors many datapath registers, such as a remainder register, to infer the current FSM state; the paper notes that this can create a large state space and contrasts it with CSR-transition coverage.

First seen 5/28/2026
Last seen 6/8/2026
Evidence 12 chunks
Wiki v2

WIKI

Overview

Register coverage is a processor-fuzzing coverage technique described in the ProcessorFuzz paper as DIFUZZRTL’s register coverage technique. It monitors many datapath registers, for example a remainder register, to determine the current finite-state-machine (FSM) state of the processor. The authors note that monitoring many such registers leads to a large state space.[C1]

Contrast with CSR-transition coverage

READ FULL ARTICLE →

NEIGHBORHOOD

No graph connections found for this entity yet. It may appear in future ingestion runs.

explore full graph →

RELATIONSHIPS

5 connections
DiFuzzRTL ← implements 100% 6e
DIFUZZRTL implements register coverage as its coverage metric.
Finite State Machine uses → 95% 5e
Register coverage aims to track FSM states in the processor by monitoring register values.
CSR-transition coverage ← compares with 100% 3e
CSR-transition coverage is compared with register coverage as a more precise metric.
multiplexer toggle coverage uses → 90% 2e
Register coverage monitors registers that control multiplexer selection signals.
remainder register mentions → 95% 1e
Register coverage is shown to be misled by the remainder register in the MulDiv module.

LINKED ENTITIES

4 links
DiFuzzRTL IMPLEMENTS Extracted graph relationship
CSR-transition coverage COMPARES_WITH Extracted graph relationship
Finite State Machine USES Extracted graph relationship
multiplexer toggle coverage USES Extracted graph relationship

CITATIONS

5 sources
5 citations — click to expand
[1] DIFUZZRTL’s register coverage monitors many datapath registers, such as a remainder register, to determine the current FSM state and can lead to a large state space. ProcessorFuzz: Processor Fuzzing with Control and
[2] ProcessorFuzz motivates CSR-transition coverage by describing CSRs as ISA system registers that control or hold architectural-state information, and by describing the processor as a complex FSM. ProcessorFuzz: Processor Fuzzing with Control and
[3] The ProcessorFuzz evaluation plots register coverage progress during fuzzing for no-cov-difuzzrtl, reg-cov-difuzzrtl, and ProcessorFuzz. ProcessorFuzz: Processor Fuzzing with Control and
[4] The reported geometric-mean time-to-exposure values include 3182.9 for no-cov-difuzzrtl, 3245.1 for reg-cov-difuzzrtl, and 2630.7 for the shown ProcessorFuzz configuration, with ProcessorFuzz speedups of 1.21× and 1.23× over those DIFUZZRTL configurations. ProcessorFuzz: Processor Fuzzing with Control and
[5] ProcessorFuzz identified only 33% of generated test inputs as interesting, launched RTL simulation only for interesting inputs, discarded other inputs, and used fast ISA simulation to eliminate inputs not resulting in a new FSM state. ProcessorFuzz: Processor Fuzzing with Control and