Overview
CVA6 is an OpenHW Group CORE-V RISC-V processor. The GitHub repository summary describes openhwgroup/cva6 as a highly configurable, 6-stage RISC-V core for both application and embedded applications, with application-class configurations capable of booting Linux. The same summary records the repository language as Assembly, with 2,949 stars, 952 forks, and an update timestamp of 2026-05-28T05:31:18Z. [repo-summary]
Use in Dromajo and Logic Fuzzer evaluation
The MICRO-54 paper Effective Processor Verification with Logic Fuzzer Enhanced Co-simulation evaluates three RISC-V cores: CVA6, BlackParrot, and BOOM. In the paper's main results, Dromajo alone found nine bugs across the evaluated cores, while Dromajo enhanced with Logic Fuzzer exposed thirteen bugs using the same test set rather than additional tests. [evaluation-results]
The paper also notes that all three evaluated RISC-V cores claimed to boot and run Linux, but argues that booting Linux is not equivalent to complete verification; more than half of the reported bugs were described as OS-related, and the authors state that a well-behaved Linux system would not have exercised most of them. [evaluation-results]
CVA6 bug findings reported in the paper
The paper's bug summary lists six CVA6 bugs, B1 through B6. B1 through B4 are marked as found by Dromajo, while B5 and B6 are marked as found by Dromajo with Logic Fuzzer. All six are marked as reported, and B1 is marked as fixed. [cva6-bug-table]
| Bug ID | Finding method | Short description reported in the paper | Reported status in table |
|---|---|---|---|
| B1 | Dromajo | Incorrect update of prv bits in the dcsr register | Reported; fixed |
| B2 | Dromajo | Incorrect integer division | Reported |
| B3 | Dromajo | stval CSR is written on ecall | Reported |
| B4 | Dromajo | mtval CSR is written on ecall | Reported |
| B5 | Dromajo + Logic Fuzzer | Incorrect trap cause | Reported |
| B6 | Dromajo + Logic Fuzzer | Arbiter locks with gnt 0 | Reported |
B1: debug CSR privilege-state update
B1 was caused by incorrect update logic for the debug control and status register. The divergence occurred after dret, which should jump to the PC in dpc and use the privilege mode indicated by the prv bits in dcsr. Dromajo resumed in user mode, while CVA6 executed the following instruction in machine mode. The paper states that the designer attributed the confusion to updating prv bits to the current running privilege level when entering debug mode. [bug-b1]
B2: integer divide corner case
B2 was in CVA6's integer divide unit. The paper reports that the unit failed to handle some divide and remainder corner cases; Dromajo caught a mismatch during division of -1/1, where Dromajo committed -1 to the destination register and CVA6 committed 0. [bug-b2]
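The check that exposes a B2-style divergence, as an added example (not code from the paper, Dromajo, or CVA6): a reference for signed DIV/REM that covers the divide-by-zero and overflow cases the ISA defines, plus a compare of the value the design under test committed. It assumes 64-bit operands; `div_commit_mismatch` and the sample rows are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* RV64 M-extension reference results for signed DIV and REM, including the
   two corner cases the ISA defines explicitly instead of trapping. */
int64_t rv64_div(int64_t rs1, int64_t rs2) {
    if (rs2 == 0) return -1;                              /* divide by zero: all ones */
    if (rs1 == INT64_MIN && rs2 == -1) return INT64_MIN;  /* signed overflow */
    return rs1 / rs2;                                     /* truncates toward zero */
}

int64_t rv64_rem(int64_t rs1, int64_t rs2) {
    if (rs2 == 0) return rs1;                             /* remainder is the dividend */
    if (rs1 == INT64_MIN && rs2 == -1) return 0;          /* signed overflow */
    return rs1 % rs2;                                     /* sign follows the dividend */
}

/* Co-simulation style check (hypothetical helper): compare the value the DUT
   committed to rd with the reference result. Returns 1 on mismatch. */
int div_commit_mismatch(int64_t rs1, int64_t rs2, int64_t dut_rd) {
    return rv64_div(rs1, rs2) != dut_rd;
}

int main(void) {
    /* Constructed rows: rs1, rs2, value committed by the DUT. The first row
       uses the values the paper reports for B2 (reference -1, CVA6 0). */
    struct { int64_t rs1, rs2, dut_rd; } rows[] = {
        { -1, 1, 0 },
        { -1, 1, -1 },
        { 7, 0, -1 },
        { INT64_MIN, -1, INT64_MIN },
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("DIV %lld, %lld: dut=%lld ref=%lld -> %s\n",
               (long long)rows[i].rs1, (long long)rows[i].rs2,
               (long long)rows[i].dut_rd,
               (long long)rv64_div(rows[i].rs1, rows[i].rs2),
               div_commit_mismatch(rows[i].rs1, rows[i].rs2, rows[i].dut_rd)
                   ? "MISMATCH" : "ok");
    return 0;
}
```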
B3 and B4: trap-value CSR behavior on ecall
B3 concerned stval handling. The paper states that the RISC-V ISA specifies when exception-specific information must be written to stval on traps into supervisor mode, and that Dromajo caught a mismatch when reading stval in the exception handler because CVA6 set it incorrectly. [bug-b3]
B4 was described as a similar inconsistency for mtval: the mtval control/status register was written with an incorrect value. The bug table summarizes B4 as "mtval CSR is written on ecall." [bug-b4]
B5: trap-cause mismatch after ITLB mutation
B5 surfaced when Logic Fuzzer mutated ITLB entries so that an instruction TLB entry remained valid but translated to a non-existent memory region. Both Dromajo and CVA6 trapped and entered the exception handler, but Dromajo reported mcause = 1 for Instruction Access Fault, while CVA6 reported mcause = 12 for Instruction Page Fault. The paper states that the designer attributed this to CVA6 aliasing access faults and page faults in the instruction front-end and treating them all as instruction page faults. [bug-b5]
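The distinction behind B5, as an added example (not code from the paper, Dromajo, or CVA6): a fetch that fails translation is a page fault, while a fetch whose translation succeeds but lands outside backed memory is an access fault. The ITLB entry layout, the single RAM region, and both function names are hypothetical simplifications; only the mcause values 1 and 12 come from the text above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { CAUSE_NONE = -1, CAUSE_INSN_ACCESS_FAULT = 1, CAUSE_INSN_PAGE_FAULT = 12 };

/* Hypothetical, simplified ITLB entry covering one 4 KiB page. */
typedef struct { bool valid; bool exec; uint64_t ppn; } itlb_entry_t;

/* Hypothetical memory map: the only physical region backed by memory. */
#define RAM_BASE 0x80000000ULL
#define RAM_SIZE 0x10000000ULL

static bool pa_is_backed(uint64_t pa) {
    return pa >= RAM_BASE && pa - RAM_BASE < RAM_SIZE;
}

/* Reference classification of an instruction fetch through the ITLB. */
int fetch_trap_cause(itlb_entry_t e, uint64_t vaddr) {
    if (!e.valid || !e.exec)                 /* translation itself fails */
        return CAUSE_INSN_PAGE_FAULT;
    uint64_t pa = (e.ppn << 12) | (vaddr & 0xFFF);
    if (!pa_is_backed(pa))                   /* translated, but nothing is there */
        return CAUSE_INSN_ACCESS_FAULT;
    return CAUSE_NONE;
}

/* A front end that aliases both fault kinds, the behaviour the paper
   attributes to B5: every fetch fault is reported as a page fault. */
int fetch_trap_cause_aliased(itlb_entry_t e, uint64_t vaddr) {
    return fetch_trap_cause(e, vaddr) == CAUSE_NONE ? CAUSE_NONE
                                                    : CAUSE_INSN_PAGE_FAULT;
}

int main(void) {
    /* Constructed entry: still valid and executable, but its PPN now points
       below RAM_BASE, as in the ITLB mutation described above. */
    itlb_entry_t mutated = { true, true, 0x40000 };
    int ref = fetch_trap_cause(mutated, 0x1000);
    int dut = fetch_trap_cause_aliased(mutated, 0x1000);
    printf("ref mcause=%d dut mcause=%d -> %s\n", ref, dut,
           ref == dut ? "ok" : "MISMATCH");
    return 0;
}
```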
B6: cache-subsystem arbiter lock
B6 was exposed by creating artificial backpressure at a FIFO full signal in the cache subsystem. The FIFO queued memory requests from the instruction cache, and its full signal was used in request logic for an arbiter. The paper says the scenario resulted in a complete system hang, and the bug table summarizes the failure as an arbiter lock with gnt held at 0. [bug-b6]
Additional verification observations involving CVA6
The paper reports that Logic Fuzzer produced two false bugs that were not presented as findings: one in CVA6 and one in BOOM. The authors state that, as with traditional verification, co-simulation mismatches still require RTL debugging and designer confirmation or rejection. [false-positives]
In a Logic Fuzzer experiment on mispredicted paths, the paper reports that after running more than 200 tests on CVA6, coverage of unique RISC-V instructions allowed speculatively into the mispredicted path and then flushed did not reach 60%. The authors state that fuzzing can insert any instruction into the mispredicted path regardless of the binary. [mispredicted-path]