🤖 AI Summary
FPGA logic synthesis tools harbor latent vulnerabilities, yet existing testing approaches suffer from low vulnerability detection rates due to insufficient semantic richness and logical complexity in test programs. This paper proposes VERMEI, an automated vulnerability mining framework targeting synthesis tools. Its core innovation lies in (1) introducing “zombie logic regions” as equivalence-preserving mutation sources, and (2) leveraging Bayesian sampling over historical designs to extract highly reusable logic fragments, enabling generation of test variants with intricate control flow and rich semantics. VERMEI then identifies zombie logic via simulation and localizes vulnerabilities via differential comparison of synthesis outputs. Evaluated on Yosys, Vivado, and Quartus, VERMEI discovered 15 vulnerabilities within five months—nine confirmed by vendors as previously unknown—demonstrating substantial improvement over state-of-the-art methods.
📝 Abstract
FPGA (Field-Programmable Gate Array) logic synthesis tools are key components in the EDA (Electronic Design Automation) toolchain. They convert hardware designs written in description languages such as Verilog into gate-level representations for FPGAs. However, defects in these tools may lead to unexpected behaviors and pose security risks. Therefore, it is crucial to harden these tools through testing. Although several methods have been proposed to automatically test FPGA logic synthesis tools, the challenge of insufficient semantic and logical complexity in test programs remains. In this paper, we propose VERMEI, a new method for testing FPGA logic synthesis tools. VERMEI consists of three modules: preprocessing, equivalent mutation, and bug identification. The preprocessing module identifies zombie logic (inactive code with no impact on the circuit output) in seed programs through simulation and coverage analysis. The equivalent mutation module generates equivalent variants of seed programs by pruning or inserting logic fragments in zombie areas. It uses Bayesian sampling to extract logic fragments from historical Verilog designs, so that the generated variants have complex control flows and structures. The bug identification module, based on differential testing, compares the synthesized outputs of seed and variant programs to identify bugs. Experiments on Yosys, Vivado, and Quartus demonstrate that VERMEI outperforms the state-of-the-art methods. Within five months, VERMEI reported 15 bugs to vendors, 9 of which were confirmed as new.
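As an added illustration of the three-stage workflow the abstract describes (constructed example code, not the paper's VERMEI implementation), the following Python models a circuit as a tiny gate-level netlist instead of Verilog. Zombie nodes are found by exhaustive fault-injection simulation rather than coverage analysis; the `FRAGMENTS` list and its weighted choice stand in for fragments mined from historical designs and for Bayesian sampling; and a constant-folding pass with an optional injected wrong-branch bug stands in for a real synthesis tool, so that the differential comparison has something to flag. The `SEED` netlist, the fragment library and all node names are assumptions made for this example.

```python
"""Toy model of the zombie-logic / equivalent-mutation / differential-testing workflow.
Constructed illustration, not the paper's code."""
import random
from itertools import product

# Netlist: node name -> (op, operand names). Names that are not keys are primary inputs.
# ops: and, or, xor, not, buf, const0, const1, mux(sel, a, b) = a when sel == 0 else b.
# Constructed seed: 'dead' is consumed only on a mux branch whose select is constant 0.
SEED = {
    "n1": ("and", ("a", "b")),
    "n2": ("xor", ("a", "b")),
    "dead": ("or", ("n1", "n2")),
    "never": ("const0", ()),
    "out": ("mux", ("never", "n1", "dead")),
}
INPUTS = ("a", "b")

# Constructed stand-in for fragments mined from historical designs: (nodes, output node, weight).
# "$x" / "$y" are placeholders for signals available at the insertion point.
FRAGMENTS = [
    ({"f0": ("not", ("$x",)), "f1": ("and", ("f0", "$y"))}, "f1", 3),
    ({"f0": ("xor", ("$x", "$y")), "f1": ("mux", ("f0", "$x", "$y"))}, "f1", 2),
    ({"f0": ("or", ("$x", "$y")), "f1": ("not", ("f0",)), "f2": ("xor", ("f1", "$x"))}, "f2", 1),
]

def simulate(net, assignment, force=None):
    """Evaluate 'out' for one input vector; force=(node, value) pins a node (fault injection)."""
    vals = dict(assignment)
    def ev(name):
        if force and name == force[0]:
            return force[1]
        if name not in vals:
            op, args = net[name]
            x = [ev(a) for a in args]
            vals[name] = {
                "and": lambda: x[0] & x[1], "or": lambda: x[0] | x[1],
                "xor": lambda: x[0] ^ x[1], "not": lambda: 1 - x[0], "buf": lambda: x[0],
                "const0": lambda: 0, "const1": lambda: 1,
                "mux": lambda: x[2] if x[0] else x[1],
            }[op]()
        return vals[name]
    return ev("out")

def truth_table(net, inputs, force=None):
    """Value of 'out' for every input vector, in a fixed order."""
    return tuple(simulate(net, dict(zip(inputs, bits)), force)
                 for bits in product((0, 1), repeat=len(inputs)))

def find_zombie_logic(net, inputs):
    """Zombie node: pinning it to 0 or to 1 never changes 'out' for any input vector.
    This exhaustive check is the toy's stand-in for simulation plus coverage analysis."""
    ref = truth_table(net, inputs)
    return {n for n in net if n != "out"
            and all(truth_table(net, inputs, (n, v)) == ref for v in (0, 1))}

def insert_fragment(net, target, fragment, x, y, slot, prefix="m_"):
    """Equivalent mutation: splice `fragment` (fed by signals x, y) into operand `slot`
    of the zombie node `target`. The zombie node cannot reach 'out', so 'out' is unchanged."""
    nodes, frag_out, _ = fragment
    op, args = net[target]
    bind = {"$x": x, "$y": y}
    variant = dict(net)
    for name, (fop, fargs) in nodes.items():
        variant[prefix + name] = (fop, tuple(bind.get(a, prefix + a) for a in fargs))
    variant[target] = (op, tuple(prefix + frag_out if i == slot else a for i, a in enumerate(args)))
    return variant

def make_variant(net, inputs, seed=0):
    """Random equivalent variant: weighted fragment choice (plain stand-in for Bayesian sampling)
    inserted at a random zombie node and fed only by upstream signals, so no cycle is created."""
    rng = random.Random(seed)
    candidates = sorted(n for n in find_zombie_logic(net, inputs) if net[n][1])
    target = rng.choice(candidates)
    args = net[target][1]
    pool = list(inputs) + list(args)
    frag = rng.choices(FRAGMENTS, weights=[w for _, _, w in FRAGMENTS])[0]
    return insert_fragment(net, target, frag, rng.choice(pool), rng.choice(pool), rng.randrange(len(args)))

def fold_constants(net, buggy=False):
    """Toy 'synthesis' pass: a mux with a constant select becomes a buffer of the chosen branch.
    buggy=True injects a wrong-branch bug so the differential check has something to catch."""
    out = {}
    for n, (op, args) in net.items():
        sel_op = net.get(args[0], ("", ()))[0] if op == "mux" else ""
        if sel_op in ("const0", "const1"):
            keep = args[1] if (sel_op == "const0") != buggy else args[2]
            out[n] = ("buf", (keep,))
        else:
            out[n] = (op, args)
    return out

def differential_check(synth, seed, variant, inputs):
    """First input vector where synth(seed) and synth(variant) disagree, or None if equivalent."""
    for bits, s, v in zip(product((0, 1), repeat=len(inputs)),
                          truth_table(synth(seed), inputs), truth_table(synth(variant), inputs)):
        if s != v:
            return dict(zip(inputs, bits))
    return None
```

On the constructed seed, `find_zombie_logic` returns `{"n2", "dead"}`: both feed only the mux branch that `never` can never select. Inserting a fragment there leaves the truth table of `out` untouched, the correct `fold_constants` pass keeps seed and variant in agreement, and the injected wrong-branch bug makes `differential_check` report the first disagreeing input vector. A real run would replace `fold_constants` with the synthesis tool under test and compare its netlists the same way.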