Overview

A congestor is described as the simplest type of Logic Fuzzer. It is inserted into RTL control logic to create artificial congestion or backpressure while the same verification binaries continue to run. A canonical example is adding an OR gate at a FIFO full signal so that full can be asserted even when the FIFO is not actually full; random activation of this inserted logic produces artificial backpressure. The same idea can also be applied at busy signals and ready-valid handshake signals. [C1]

Purpose

The technique is used to stir up microarchitectural execution and expose behavior that may not be reached by ordinary test programs. The cited work evaluates this by comparing runs with and without Logic Fuzzers enabled, and by observing additional activity and bugs during co-simulation. [C2]

A Logic Fuzzer can create microarchitectural states that may not be reachable by any real program. The paper treats resulting co-simulation failures as potential bugs that must be confirmed or disproved; the bugs presented in the paper were confirmed by designers. [C3]

How it works

A congestor targets a design signal where backpressure can be introduced. For example:

• On a FIFO full signal, it can randomly force the FIFO to appear full.
• On a ready signal, it can randomly pull the signal low to prevent progress.
• It can also be placed on busy signals or ready-valid handshake signals. [C1]

For implementation, the verification engineer first identifies the design’s congestible points, potentially with designer input. The fuzzer object is then configured to create a matching number of congestor objects, and each congestor’s period and random seed are configured in a JSON file. [C4]

The paper also reports a proof-of-concept automatic insertion flow for the BOOM core: engineers annotated RTL signals, and Chiffre automatically broke the annotated signal and inserted the congestor between the two sides. [C5]

Coverage and activity effects

The paper uses toggle coverage to show that adding congestors can create new design activity. A signal is considered toggled if it switches 0 → 1 and 1 → 0 at least once during a test. Toggle coverage is presented as a proxy metric used in industry and academia to gain confidence in a design-under-test. [C6]

In one BOOM example, a congestor was inserted at the ready signal of the Reorder Buffer. The congestor randomly pulled the ready signal low at moments when the ROB was actually ready. This caused 12 additional signals to toggle in the frontend module, 40 in the core module, and 32 in the load-store unit. The authors state that this demonstrated that a single congestor could activate logic not touched by more than 200 tests. [C7]

Example bug exposure

In BlackParrot, the paper describes a FIFO queue between the frontend and backend that carries commands such as PC redirects and state resets. A bug was exposed by inserting a congestor at the FIFO’s ready signal and randomly pulling it low. During tests, Dromajo detected a mismatch because BlackParrot began committing instructions with the wrong PC. According to the designer, the backend could not handle the backpressure; because there were no stalling points past decode, some backend commands could be lost if the queue was not ready. [C8]

Relationship to other Logic Fuzzer techniques

Congestors are one category of Logic Fuzzer. The same work also describes table mutators, which mutate RTL memories such as branch predictor tables, cache entries, or TLB entries. Congestors differ in that they perturb control-flow or backpressure signals rather than mutating stored table contents. [C1]