Skip to content
STIMSMITH

RTL simulation

Technique WIKI v2 · 5/29/2026

RTL simulation is a processor-design execution model used in verification and fuzzing workflows, but the provided evidence emphasizes its cost relative to ISA simulation. In ProcessorFuzz, RTL simulation is reserved for inputs first classified as interesting by faster ISA-level CSR-transition feedback; the paper reports Spike ISA simulation as 79× faster than RTL simulation of the RISC-V BOOM processor and says ProcessorFuzz launched RTL simulation only for interesting inputs.

Overview

RTL simulation executes a processor design at the register-transfer level. In the provided evidence, it appears primarily as the slower but design-level execution target in processor fuzzing workflows. ProcessorFuzz contrasts RTL simulation with ISA simulation: the paper states that ISA simulators are generally much faster for executing a given program than running that program on a processor using RTL simulation, and reports that the RISC-V Spike ISA simulator was, on average, 79× faster than RTL simulation of the RISC-V BOOM processor.

Use in processor fuzzing

ProcessorFuzz uses RTL simulation selectively rather than as the first-stage feedback source. Its design relies on ISA simulation to decide whether a generated test input is interesting, unlike prior work that relied on RTL simulation for that feedback. ProcessorFuzz monitors control-and-status-register (CSR) values across consecutive instructions in the ISA trace; if a CSR value changes, the resulting CSR transition is used to determine whether the input is interesting.

The evidence notes that CSR transitions can be extracted from either an ISA simulator or an RTL simulation of the processor design. ProcessorFuzz chooses the ISA simulator path because it is faster and easier to instrument: the paper says an ISA simulator can be extended using already available trace logic for selected CSRs, while instrumenting RTL designs for coverage tracking requires additional design-specific instrumentation.

Selective RTL execution

In the reported ProcessorFuzz workflow, generated inputs that do not produce a new finite-state-machine state are eliminated using fast ISA simulation before expensive RTL simulation is run. The paper states that ProcessorFuzz launched RTL simulation only for interesting inputs and discarded other generated inputs. It also reports that ProcessorFuzz classified only 33% of generated test inputs as interesting, used the least number of test inputs for RTL simulation, and nevertheless exposed bugs faster in the discussed evaluation.

Practical implication

For fuzzing, the provided evidence frames RTL simulation as valuable but expensive. A common optimization is therefore to use faster ISA-level execution to filter or prioritize inputs, then spend RTL simulation time on inputs expected to explore new processor states.

LINKED ENTITIES

3 links
ProcessorFuzz IMPLEMENTS
differential testing USES
Verilator USES

CITATIONS

6 sources
6 citations
[1] ISA simulation is described as faster than RTL simulation for executing programs, with Spike reported as 79× faster than RTL simulation of RISC-V BOOM. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[2] ProcessorFuzz uses ISA simulation rather than RTL simulation to determine whether a generated test input is interesting. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[3] CSR transitions can be extracted from either ISA simulation or RTL simulation, and ProcessorFuzz monitors CSR values across previous and current instructions to detect transitions. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[4] ProcessorFuzz launched RTL simulation only for interesting inputs and discarded other generated inputs. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[5] ProcessorFuzz identified only 33% of generated test inputs as interesting and used the least number of test inputs for RTL simulation while exposing bugs faster in the discussed evaluation. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance
[6] The evidence contrasts instrumentation effort: ISA simulators can be extended using existing trace logic for selected CSRs, whereas RTL-design instrumentation for coverage metrics requires additional effort. ProcessorFuzz: Processor Fuzzing with Control and Status Registers Guidance

VERSION HISTORY

v2 · 5/29/2026 · gpt-5.5 (current)
v1 · 5/28/2026 · gpt-5.5