STIMSMITH

mutation engine

Concept

A mutation engine is the input-variation component of a fuzzing workflow that turns interesting inputs into new candidate inputs. In the ProcessorFuzz evidence gathered here, ProcessorFuzz deliberately reuses the mutation engine from DIFUZZRTL so that its evaluation compares coverage-feedback mechanisms—register coverage versus CSR-transition coverage—rather than input-generation mechanisms.

First seen 5/28/2026
Last seen 6/8/2026
Evidence 8 chunks
Wiki v2

WIKI

Overview

A mutation engine is the input-generation component in a fuzzing loop that applies mutations to an input and produces new inputs for later fuzzing rounds. In coverage-based greybox fuzzing (CGF), the fuzzer records runtime coverage to decide whether an input is "interesting"; when it is, CGF applies mutations to that input to generate new inputs that are fed to the program under test in subsequent rounds.[1]
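The loop described above, with the CSR-transition check from citations [4] and [6] standing in as the coverage signal, as an added example (not code from ProcessorFuzz or DIFUZZRTL). The two-CSR processor model, its opcode names, the MPP bit position and the trap cause values are constructed assumptions, and the per-CSR (csr, old, new) tuples are a simplification of the paper's CSR-transition tuples.

```python
import random
# Added example (not ProcessorFuzz or DIFUZZRTL code): a toy coverage-guided loop
# whose feedback is CSR transitions. The "processor" is a constructed two-CSR model;
# opcode names, the MPP bit position and cause values are illustrative assumptions.
OPS = ("nop", "ecall", "mret", "set_mpp_user", "set_mpp_machine")
MPP = 0x1800  # assumed position of the MPP field in mstatus

def isa_sim(program):
    """Run a program on the toy ISA model; return CSR-transition tuples (csr, old, new)."""
    state, priv, trace = {"mstatus": 0, "mcause": 0}, 3, []  # start in machine mode
    for op in program:
        before = dict(state)
        if op == "ecall":  # trap: cause code depends on the current privilege level
            state["mcause"], priv = (11 if priv == 3 else 8), 3
        elif op == "mret":  # return to the privilege level held in MPP
            priv = 3 if state["mstatus"] & MPP else 0
        elif op == "set_mpp_user":
            state["mstatus"] &= ~MPP
        elif op == "set_mpp_machine":
            state["mstatus"] |= MPP
        trace += [(c, before[c], state[c]) for c in state if state[c] != before[c]]
    return trace

def new_transitions(trace, transition_map):
    """Transition unit: tuples from this trace that are not yet in the global map."""
    return {t for t in trace if t not in transition_map}

def mutate(program, rng):
    """Stand-in for the mutation engine: one random replace, insert or delete."""
    prog, choice = list(program), rng.randrange(3)
    if choice == 0 and prog:
        prog[rng.randrange(len(prog))] = rng.choice(OPS)
    elif choice == 1:
        prog.insert(rng.randrange(len(prog) + 1), rng.choice(OPS))
    elif len(prog) > 1:
        del prog[rng.randrange(len(prog))]
    return prog

def fuzz(seed, rounds, rng_seed):
    """Keep only inputs that add CSR transitions (the candidates for RTL simulation)."""
    rng = random.Random(rng_seed)
    transition_map, queue = set(isa_sim(seed)), [list(seed)]
    for _ in range(rounds):
        child = mutate(rng.choice(queue), rng)
        fresh = new_transitions(isa_sim(child), transition_map)
        if fresh:  # interesting: record the transitions and keep it as a future parent
            transition_map |= fresh
            queue.append(child)
        # otherwise the input is discarded and never reaches RTL simulation
    return transition_map, queue[1:]
```

In the real tool the kept inputs would go on to RTL simulation and trace comparison; here `fuzz` just returns them with the transition map.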

Role in ProcessorFuzz

RELATIONSHIPS

3 connections
ProcessorFuzz ← uses 100% 6e
ProcessorFuzz applies a mutation engine to generate new test inputs from interesting ones.
DiFuzzRTL ← uses 90% 2e
DIFUZZRTL provides an open-source mutation engine that ProcessorFuzz also uses.
Coverage-based Greybox Fuzzing ← uses 90% 1e
CGF applies mutations to interesting inputs to generate new test inputs.

CITATIONS

6 sources
[1] Coverage-based greybox fuzzing records runtime coverage to determine whether an input is interesting and then applies mutations to interesting inputs to generate new inputs for later fuzzing rounds. ProcessorFuzz: Processor Fuzzing with Control and
[2] ProcessorFuzz uses CSR-transition coverage by monitoring transitions in Control and Status Registers to guide processor fuzzing toward unique processor states. ProcessorFuzz: Processor Fuzzing with Control and
[3] ProcessorFuzz uses ISA simulation to rapidly determine whether a test input is interesting, and the paper states that ISA simulation is significantly faster than RTL simulation. ProcessorFuzz: Processor Fuzzing with Control and
[4] ProcessorFuzz's transition unit checks CSR-transition tuples against a transition map; new transitions are added to the map and mark the current input as interesting. ProcessorFuzz: Processor Fuzzing with Control and
[5] ProcessorFuzz used the same mutation engine provided by DIFUZZRTL's open-source repository so that the evaluation compared register coverage and CSR-transition coverage rather than input-generation mechanisms. ProcessorFuzz: Processor Fuzzing with Control and
[6] If an input produces a unique CSR transition, ProcessorFuzz runs RTL simulation, compares the extended RTL trace log with the extended ISA trace log, and treats differences as potential processor-design bugs; inputs without unique transitions are discarded. ProcessorFuzz: Processor Fuzzing with Control and