Skip to content
STIMSMITH

cache

Concept WIKI v2 · 5/28/2026

In the provided processor-verification evidence, a cache is discussed as RTL-visible processor state and control logic, including instruction-cache tag/data arrays, cache entries, valid bits, L1 ways/banks, and cache-subsystem request queues. Logic Fuzzer uses table mutators to perturb cache-related RTL memories, steer cache-bank/way utilization, and expose bugs such as a CVA6 cache-subsystem arbiter lock under artificial backpressure.

Overview

In the provided evidence, a cache is a processor microarchitectural target for verification. The cache-related structures discussed include instruction-cache tag and data arrays, cache entries, valid bits, L1 cache ways and banks, and cache-subsystem FIFO/arbiter logic that handles memory requests from the instruction cache.

Cache structures targeted by Logic Fuzzer

Logic Fuzzer can target cache state through [[table mutator|table mutators]]. In one RISC-V verification setup, the instruction-cache tag and data arrays are replaced with table mutators. The instruction-cache logic continues to read and write those tables through DPI, while the fuzzer can program the tables to provide a random instruction stream when a branch-target-buffer address with a specific tag is observed.

Table mutators are also described as a general mechanism for mutating RTL memories. The evidence gives cache-specific examples: randomly invalidating cache entries and fuzzing values in entries that are already invalid.

Steering cache way and bank utilization

The evidence uses CVA6's L1 cache as an example. While running more than 50 random tests generated with Google's riscv-dv, the baseline run without table mutation showed CVA6's way-selection logic preferring way 0 for the requested memory locations. To stress under-utilized ways traditionally, an engineer might need to regenerate binaries or configure the random instruction generator to produce memory requests in a specific way, which can be time-consuming and may require understanding cache replacement-policy details.

With tag-array mutation, the verification flow can instead mutate tag arrays and valid bits to steer cache accesses toward the bank of interest. The described implementation required editing five RTL lines to replace tag arrays with wrappers that access table mutators through DPI, plus a twelve-line method in the table-mutator class to mutate entries for stressing the selected cache bank.

Cache-subsystem bug exposure

The evidence also reports a CVA6 bug exposed by Logic Fuzzer in the cache subsystem. Artificial backpressure was created at a FIFO full signal; that FIFO queues memory requests coming from the instruction cache. The injected condition led to a complete system hang, summarized in the bug table as CVA6 Bug ID B6: an arbiter lock with gnt 0, found with Dromajo plus Logic Fuzzer.

LINKED ENTITIES

1 links
table mutator USES

CITATIONS

6 sources
6 citations
[1] Instruction-cache tag and data arrays can be replaced with table mutators, while instruction-cache logic reads and writes those tables through DPI and the fuzzer can supply a random instruction stream for a specific BTB tag. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[2] Table mutators allow RTL memories to be mutated, including random invalidation of cache entries and fuzzing values in already-invalid entries. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[3] In the CVA6 L1 cache example, more than 50 riscv-dv random tests showed way/bank utilization behavior, with the baseline way-selection logic preferring way 0 for the requested memory locations. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[4] Stressing under-utilized cache ways by regenerating binaries or constraining address generation may be time-consuming, require cache replacement-policy detail, and may not be supported by the tool. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[5] Mutating cache tag arrays and valid bits can steer cache accesses to a bank of interest with minimal RTL and table-mutator code changes. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[6] A CVA6 cache-subsystem bug was exposed by artificial backpressure at a FIFO full signal; the FIFO queues memory requests from the instruction cache, and the result was a system hang summarized as an arbiter lock with gnt 0. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...

VERSION HISTORY

v2 · 5/28/2026 · gpt-5.5 (current)
v1 · 5/27/2026 · gpt-5.5