STIMSMITH

register coverage

Technique WIKI v2 · 5/29/2026

Register coverage is a processor-fuzzing coverage technique associated with DIFUZZRTL in the ProcessorFuzz paper. It monitors many datapath registers, such as a remainder register, to infer the current FSM state; the paper notes that this can create a large state space and contrasts it with CSR-transition coverage.

Overview

Register coverage is a processor-fuzzing coverage technique described in the ProcessorFuzz paper as DIFUZZRTL’s register coverage technique. It monitors many datapath registers, for example a remainder register, to determine the current finite-state-machine (FSM) state of the processor. The authors note that monitoring many such registers leads to a large state space.[C1]

Contrast with CSR-transition coverage

ProcessorFuzz presents CSR-transition coverage as an alternative metric motivated by the limitations of register coverage. The paper states that control and status registers (CSRs) are system registers in an ISA specification that control or hold information about the processor’s current architectural state. The authors describe the processor as a complex FSM and argue that CSRs have direct control over the current processor state.[C2]

In this framing, register coverage attempts to infer FSM state from many datapath registers, while CSR-transition coverage focuses on transitions in selected architectural/system state. The evidence therefore positions register coverage as a broader, potentially high-state-space feedback signal, and CSR-transition coverage as a more targeted metric proposed to exercise qualitatively distinct input patterns.[C1][C2]
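A toy model of this contrast, added here as an illustration and not taken from DIFUZZRTL or ProcessorFuzz. The register names, values, traces and inputs are constructed, and treating each distinct tuple of datapath values as one state is a simplifying assumption.

```python
# Added illustration: a toy model, not DIFUZZRTL or ProcessorFuzz code.
# All register names, values and inputs below are constructed.

def divider_trace(dividend, divisor, trap=False):
    """Per-cycle snapshots of a subtract-loop divider, optionally followed by a trap."""
    trace, rem = [], dividend
    user = {"priv": "U", "mcause": 0}
    while rem >= divisor:
        rem -= divisor
        trace.append({"datapath": {"remainder": rem, "busy": 1}, "csr": user})
    final_csr = {"priv": "M", "mcause": 2} if trap else user
    trace.append({"datapath": {"remainder": rem, "busy": 0}, "csr": final_csr})
    return trace

def freeze(regs):
    """Turn a register dict into a hashable, order-independent tuple."""
    return tuple(sorted(regs.items()))

def register_states(trace):
    """Register-coverage style signal: each distinct datapath value tuple is a state."""
    return {freeze(s["datapath"]) for s in trace}

def csr_transitions(trace):
    """CSR-transition style signal: distinct (before, after) pairs where CSRs changed."""
    csrs = [freeze(s["csr"]) for s in trace]
    return {(a, b) for a, b in zip(csrs, csrs[1:]) if a != b}

def run_campaign(inputs):
    """Feed inputs in order and count how many add new coverage under each signal."""
    reg_seen, csr_seen = set(), set()
    stats = {"reg_interesting": 0, "csr_interesting": 0}
    for dividend, divisor, trap in inputs:
        trace = divider_trace(dividend, divisor, trap)
        new_reg = register_states(trace) - reg_seen
        new_csr = csr_transitions(trace) - csr_seen
        stats["reg_interesting"] += bool(new_reg)
        stats["csr_interesting"] += bool(new_csr)
        reg_seen |= new_reg
        csr_seen |= new_csr
    stats["reg_states"], stats["csr_transitions"] = len(reg_seen), len(csr_seen)
    return stats

# Constructed inputs: (dividend, divisor, ends_in_trap)
INPUTS = [(100, 7, False), (101, 7, False), (55, 3, False),
          (90, 4, True), (91, 4, True), (13, 5, False)]

if __name__ == "__main__":
    print(run_campaign(INPUTS))
```

On these inputs every run contributes new datapath states because the remainder values differ, while only the first trapping run contributes a new CSR transition.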

Role in ProcessorFuzz evaluations

The ProcessorFuzz evaluation includes a plot labeled “Register coverage progress during fuzzing” comparing no-cov-difuzzrtl, reg-cov-difuzzrtl, and ProcessorFuzz.[C3] The same reported results include geometric-mean time-to-exposure values of 3182.9 for no-cov-difuzzrtl, 3245.1 for reg-cov-difuzzrtl, and 2630.7 for the shown ProcessorFuzz configuration; the table reports corresponding geometric-mean speedups of 1.21× and 1.23× for ProcessorFuzz relative to the two DIFUZZRTL configurations.[C4]

ProcessorFuzz’s selection strategy differs from using register coverage as the main feedback mechanism. The paper reports that ProcessorFuzz classified only 33% of generated test inputs as “interesting,” launched RTL simulation only for interesting inputs, discarded other generated inputs, and used fast ISA simulation to eliminate inputs that did not result in a new FSM state.[C5]

CITATIONS

[C1] DIFUZZRTL’s register coverage monitors many datapath registers, such as a remainder register, to determine the current FSM state and can lead to a large state space. ProcessorFuzz: Processor Fuzzing with Control and
[C2] ProcessorFuzz motivates CSR-transition coverage by describing CSRs as ISA system registers that control or hold architectural-state information, and by describing the processor as a complex FSM. ProcessorFuzz: Processor Fuzzing with Control and
[C3] The ProcessorFuzz evaluation plots register coverage progress during fuzzing for no-cov-difuzzrtl, reg-cov-difuzzrtl, and ProcessorFuzz. ProcessorFuzz: Processor Fuzzing with Control and
[C4] The reported geometric-mean time-to-exposure values include 3182.9 for no-cov-difuzzrtl, 3245.1 for reg-cov-difuzzrtl, and 2630.7 for the shown ProcessorFuzz configuration, with ProcessorFuzz speedups of 1.21× and 1.23× over those DIFUZZRTL configurations. ProcessorFuzz: Processor Fuzzing with Control and
[C5] ProcessorFuzz identified only 33% of generated test inputs as interesting, launched RTL simulation only for interesting inputs, discarded other inputs, and used fast ISA simulation to eliminate inputs not resulting in a new FSM state. ProcessorFuzz: Processor Fuzzing with Control and

VERSION HISTORY

v2 · 5/29/2026 · gpt-5.5 (current)
v1 · 5/28/2026 · gpt-5.5