STIMSMITH

Logic Fuzzer

Tool

Logic Fuzzer is a processor verification technique introduced in “Effective Processor Verification with Logic Fuzzer Enhanced Co-simulation.” It fuzzes internal RTL logic rather than only external input stimuli, creating irregular microarchitectural execution flows during Dromajo-based co-simulation. In the reported evaluation on CVA6, BlackParrot, and BOOM, adding Logic Fuzzer to Dromajo raised the number of exposed bugs from nine to thirteen on the same test set, with no new tests written.

First seen 5/27/2026
Last seen 5/28/2026
Evidence 9 chunks
Wiki v1

WIKI

Overview

Logic Fuzzer (LF) is a processor verification technique introduced for simulation-phase bug finding in RISC-V cores. Its purpose is to push a processor outside its normal execution flow or operating conditions so that co-simulation can expose hard-to-reach functional bugs that ordinary simulation misses. The paper positions LF as an enhancement to Dromajo-based co-simulation: Dromajo remains the reference model and comparison framework, while LF perturbs internal RTL behavior during the same tests. [C1][C2] Because LF can drive the design into microarchitectural states that no legal program would reach, a co-simulation mismatch observed under LF is treated as a potential bug that must be confirmed before it is counted. [C5] Raising coverage is not LF's goal; the paper uses toggle coverage only as a proxy metric and reports that most LF-found bugs did not correlate with it. [C4]

Unlike input-stimuli fuzzing, which stresses the design-under-test from the outside, Logic Fuzzer uses an “inside-out” approach: it fuzzes actual RTL logic wherever possible. The authors explicitly distinguish LF from external stimulus fuzzers such as RFUZZ-like flows and property-based input generation. [C3]



RELATIONSHIPS

24 connections
Dromajo depends on → 95% 4e
Logic Fuzzer is embedded into the Dromajo infrastructure for operation.
The paper introduces Logic Fuzzer as a novel tool for processor verification.
input-stimuli fuzzing ← compares with 95% 4e
Logic Fuzzer is distinguished from input-stimuli fuzzing, taking an inside-out approach rather than outside-in.
DPI uses → 95% 2e
Logic Fuzzer uses DPI calls to interface with RTL during simulation.
congestor uses → 100% 2e
Logic Fuzzer implements congestors as one of its fuzzing mechanisms.
table mutator uses → 100% 2e
Logic Fuzzer implements table mutators as one of its fuzzing mechanisms.
mispredicted path fuzzing uses → 100% 2e
Logic Fuzzer implements mispredicted path fuzzing by inserting instructions into mispredicted paths.
DPI calls uses → 95% 2e
Logic Fuzzer is accessed from RTL through DPI calls via extended Dromajo APIs.
CVA6 evaluates → 100% 2e
Logic Fuzzer was applied to CVA6 to find additional bugs.
table mutator implements → 100% 2e
The Logic Fuzzer implements table mutators to fuzz RTL memories.
mispredicted path fuzzing implements → 100% 2e
The Logic Fuzzer implements mispredicted path fuzzing to stress speculative execution.
BOOM evaluates → 100% 2e
Logic Fuzzer was applied to BOOM, including inserting congestors at the ROB ready signal.
branch predictor uses → 100% 2e
Logic Fuzzer can fuzz branch predictor tables to exercise mispredicted paths.
reorder buffer uses → 100% 2e
Logic Fuzzer applies congestors to the reorder buffer's ready signal.
Branch Target Buffer uses → 100% 2e
Logic Fuzzer fuzzes Branch Target Buffer entries to generate atypical instruction addresses.
cache uses → 100% 2e
Logic Fuzzer mutates cache tag arrays and valid bits to stress cache behavior.
Chiffre uses → 95% 2e
Logic Fuzzer uses Chiffre for automatic congestor insertion into RTL.
congestor implements → 100% 2e
The Logic Fuzzer implements congestors as one of its fuzzing techniques.
toggle coverage uses → 90% 1e
Toggle coverage is used only as a proxy metric when reporting Logic Fuzzer's effect; the paper states that increasing coverage is not LF's main purpose and that most LF-found bugs did not correlate with toggle coverage.
TLB uses → 90% 1e
Logic Fuzzer can randomly invalidate TLB entries to stress TLB behavior.
BlackParrot evaluates → 100% 1e
Logic Fuzzer was applied to BlackParrot to find additional bugs.
Return Address Stack uses → 85% 1e
The same mispredicted path fuzzing technique can be applied to the Return Address Stack.
microarchitectural state uses → 100% 1e
Logic Fuzzer randomizes microarchitectural states to expose bugs.
FIRRTL uses → 90% 1e
Logic Fuzzer leverages FIRRTL compiler for circuit transformation during congestor insertion.
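The congestor entries above (a congestor on BOOM's reorder-buffer ready signal, configured from JSON with a period and a seed) describe a mechanism without showing it. The following is an added example, not code from the paper, from Dromajo or from any of the evaluated cores: a Python model of a congestor gating a ROB ready signal, driven by a JSON configuration whose field names ("signal", "period", "hold", "seed") are this example's own assumptions, applied to a constructed three-stage fetch/dispatch/commit pipeline. It shows the point behind citation [9]: forcing the ready signal low in seeded, irregular bursts creates the back-pressure that makes the frontend's full/stall paths execute, which the unfuzzed run never reaches.

```python
"""Added example, not code from the paper or from Dromajo: a software model of a
Logic Fuzzer congestor on a ROB ready signal, configured from JSON with a period
and a seed as the paper describes. Field names and the pipeline are constructed."""
import json
import random

# Constructed JSON configuration in the spirit of the paper's congestor config.
# "signal", "period", "hold" and "seed" are this example's own field names.
CONGESTOR_JSON = """
{
  "congestors": [
    {"signal": "rob.ready", "period": 8, "hold": 5, "seed": 1234}
  ]
}
"""


class Congestor:
    """Gates one ready signal. Every `period` cycles a seeded RNG picks where a
    burst of `hold` stall cycles sits inside the period, so the stall pattern is
    irregular but reproducible from the seed."""

    def __init__(self, signal, period, hold, seed):
        if not 0 < hold <= period:
            raise ValueError("hold must be in (0, period]")
        self.signal, self.period, self.hold = signal, period, hold
        self.rng = random.Random(seed)
        self.start = 0
        self.stall_cycles = 0

    def gate(self, cycle, ready):
        """Called once per cycle from the RTL (a DPI call in the real tool);
        returns the ready value, forced low while the congestor is active."""
        phase = cycle % self.period
        if phase == 0:
            self.start = self.rng.randrange(self.period - self.hold + 1)
        stalled = self.start <= phase < self.start + self.hold
        if stalled:
            self.stall_cycles += 1
        return ready and not stalled


def load_congestors(config_json):
    """Build one Congestor per configured signal from the JSON text."""
    cfg = json.loads(config_json)
    return {c["signal"]: Congestor(**c) for c in cfg["congestors"]}


def simulate(cycles, congestor=None, fq_depth=4, rob_depth=8):
    """Three-stage model: fetch fills a fetch queue, dispatch moves one entry per
    cycle into the ROB when rob.ready is high, commit retires one entry per cycle.
    Without back-pressure the queues never fill, so the frontend's full/stall
    logic is never exercised."""
    fq = rob = 0
    stats = {"fetch_stalls": 0, "dispatch_stalls": 0, "max_fq": 0, "max_rob": 0,
             "committed": 0}
    for cycle in range(cycles):
        rob_ready = rob < rob_depth
        if congestor is not None:
            rob_ready = congestor.gate(cycle, rob_ready)   # the fuzzed signal
        if rob > 0:                          # commit stage
            rob -= 1
            stats["committed"] += 1
        if fq > 0:                           # dispatch stage
            if rob_ready:
                fq -= 1
                rob += 1
            else:
                stats["dispatch_stalls"] += 1
        if fq < fq_depth:                    # fetch stage
            fq += 1
        else:
            stats["fetch_stalls"] += 1       # frontend back-pressure path
        stats["max_fq"] = max(stats["max_fq"], fq)
        stats["max_rob"] = max(stats["max_rob"], rob)
    return stats


if __name__ == "__main__":
    base = simulate(200)
    cong = load_congestors(CONGESTOR_JSON)["rob.ready"]
    fuzzed = simulate(200, cong)
    print("baseline: ", base)
    print("congested:", fuzzed, "stall cycles:", cong.stall_cycles)
```

In the baseline run the fetch queue never holds more than one entry and no stall path fires; with the congestor installed the queue fills and the fetch stage stalls in every burst. The seed is what makes a failing run reproducible, which matters once an LF-induced mismatch has to be confirmed or rejected as an unreachable-state artifact.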

CITATIONS

15 sources
[1] Logic Fuzzer is introduced as a novel technique for finding more simulation-phase processor bugs. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[2] Logic Fuzzer brings processor execution outside normal flow or operating parameters and is evaluated with Dromajo. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[3] Logic Fuzzer differs from input-stimuli fuzzing by using an inside-out approach that fuzzes RTL logic rather than only stressing the DUT externally. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[4] Increasing coverage is not Logic Fuzzer’s main purpose, and most LF-found bugs did not correlate with toggle coverage. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[5] Logic Fuzzer may create microarchitectural states unreachable by normal programs, and such co-simulation failures are treated as potential bugs requiring confirmation. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[6] Logic Fuzzer was embedded into Dromajo, with APIs allowing RTL access through DPI calls and JSON-based fuzzer configuration. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[7] Table mutators can mutate cache tag arrays and valid bits to steer cache accesses with small RTL changes. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[8] Congestors are configured for identified congestible signals with periods and seeds specified in JSON. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[9] A BOOM reorder-buffer ready-signal congestor activated additional frontend, core, and load-store-unit logic. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[10] Mispredicted-path fuzzing improved instruction coverage in CVA6’s mispredicted path, where over 200 non-fuzzed tests did not reach 60% coverage and fuzzing could reach 100%. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[11] BTB fuzzing can provide false or random predicted addresses and may create iTLB page faults on the mispredicted path. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[12] Chiffre was used for a proof-of-concept automatic congestor insertion experiment in BOOM. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[13] The evaluation used CVA6, BlackParrot, and BOOM; Dromajo alone found nine bugs, while Dromajo with Logic Fuzzer exposed thirteen using the same tests. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[14] An LF-exposed CVA6 bug involved mutating ITLB entries so that a valid entry translated to a nonexistent memory region and caused an exception mismatch. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
[15] An LF-exposed BlackParrot bug involved BTB fuzzing that generated an off-chip-memory address and froze the system when no routed tile device matched. [PDF] Effective Processor Verification with Logic Fuzzer Enhanced Co ...
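Citations [11] and [15] describe BTB fuzzing supplying false or random predicted addresses that pull the frontend down a mispredicted path, where an iTLB page fault may occur. The following is an added example, not code from the paper or from any of the evaluated cores: a Python model of a BTB table mutator together with the co-simulation check that the architectural trace must not depend on what the BTB predicts. The memory map, the program, the core model and the constructed "leaky" defect used to show a failing comparison are all assumptions of this example, not findings from the paper.

```python
"""Added example, not code from the paper or from any of the evaluated cores: a
model of Branch Target Buffer fuzzing and of the co-simulation check that the
architectural trace must not depend on what the BTB predicts. The memory map,
program and core model are constructed for this example."""
import random

# Constructed map: one 4 KiB text page; any other address is unmapped and takes
# an instruction page fault in the iTLB (the "nonexistent region" case).
TEXT_BASE, TEXT_SIZE = 0x1000, 0x1000


def mapped(addr):
    return TEXT_BASE <= addr < TEXT_BASE + TEXT_SIZE


# Constructed program: pc -> instruction; "br" is an always-taken branch.
PROGRAM = {TEXT_BASE + 4 * i: ("nop",) for i in range(16)}
PROGRAM[0x1010] = ("br", 0x1020)
PROGRAM[0x1030] = ("halt",)


def next_pc(pc):
    op = PROGRAM[pc]
    return op[1] if op[0] == "br" else pc + 4


def reference_trace():
    """Architectural execution only, the role Dromajo plays in co-simulation."""
    pc, trace = TEXT_BASE, []
    while True:
        trace.append(("commit", pc))
        if PROGRAM[pc][0] == "halt":
            return trace
        pc = next_pc(pc)


def dut_run(btb, squash_spec_faults=True):
    """Core model: fetch follows the BTB prediction, the branch resolves, and a
    mispredict squashes the wrong path. A fault taken on the wrong path is
    counted but must never reach the architectural trace.
    squash_spec_faults=False is a constructed defect used only to show what the
    check reports; it is not a bug from the paper."""
    pc, trace = TEXT_BASE, []
    stats = {"spec_faults": 0, "mispredicts": 0}
    while True:
        trace.append(("commit", pc))
        if PROGRAM[pc][0] == "halt":
            return trace, stats
        predicted = btb.get(pc, pc + 4)
        actual = next_pc(pc)
        if not mapped(predicted):
            stats["spec_faults"] += 1          # iTLB fault on the predicted path
            if not squash_spec_faults:         # defect: wrong-path fault leaks
                trace.append(("exception", "inst_page_fault", predicted))
                return trace, stats
        if predicted != actual:
            stats["mispredicts"] += 1          # squash and redirect
        pc = actual


def fuzz_btb(seed, rate=0.5):
    """Table mutator for the BTB: each program pc gets, with probability `rate`,
    a random 32-bit predicted target, which almost always lies outside the text
    page and so drives the frontend down an atypical wrong path."""
    rng = random.Random(seed)
    return {pc: rng.getrandbits(32) for pc in PROGRAM if rng.random() < rate}


def cosim(btb, **kw):
    """Compare the core against the reference and report where they diverge."""
    ref = reference_trace()
    dut, stats = dut_run(btb, **kw)
    divergence = next((i for i, (a, b) in enumerate(zip(ref, dut)) if a != b), None)
    if divergence is None and len(ref) != len(dut):
        divergence = min(len(ref), len(dut))
    return {"match": divergence is None, "divergence": divergence, **stats}


if __name__ == "__main__":
    print("unfuzzed:", cosim({}))
    print("fuzzed:  ", cosim(fuzz_btb(7)))
    print("hand BTB:", cosim({0x1000: 0xDEADBEEF}))
    print("defect:  ", cosim({0x1000: 0xDEADBEEF}, squash_spec_faults=False))
```

The unfuzzed run never takes a wrong-path fault, so the squash-after-fault logic is never executed; the fuzzed BTB exercises it on nearly every fetch while the architectural comparison still passes, which is the coverage gain the paper reports for mispredicted-path fuzzing. Only the constructed defect produces a divergence, and its index points at the first committed entry that disagrees, which is the information a triage step needs before deciding whether an LF-induced mismatch is a real bug or an unreachable-state artifact.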