STIMSMITH

Fast Exploration Mutation

Technique

Fast Exploration Mutation is a deterministic, problem-specific mutation used in an enhanced AFL-based coverage-guided fuzzing workflow for cross-level processor verification. It adds a preliminary exploration phase that inserts RISC-V instructions with fixed zero arguments, retains only coverage-increasing test vectors, and then applies bitflip mutation iteratively to expand instruction-sequence coverage while controlling state-space growth.

First seen 5/26/2026
Last seen 5/29/2026
Evidence 2 chunks
Wiki v1

WIKI

Overview

Fast Exploration Mutation is described as a deterministic mutation designed to increase the exploration speed of a coverage-guided fuzzer. It appears in the enhanced mutation set for an AFL-based processor-verification workflow, alongside Enhanced Havoc.

Procedure



RELATIONSHIPS

3 connections
AFL extends → 90% 4e
Fast Exploration Mutation is a custom mutation designed to enhance AFL's fuzzing performance for processor verification.
The paper introduces the Fast Exploration mutation as a custom AFL mutation for processor verification.
Bitflip Mutation uses → 85% 1e
The Fast Exploration mutation uses bitflip mutation as part of its prephase.

CITATIONS

11 sources
[1] Fast Exploration is a deterministic mutation designed to boost the exploration speed of the fuzzer. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[2] Fast Exploration adds a preliminary exploration phase before the normal mutation procedure. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[3] The phase inserts each RISC-V instruction at the beginning of every test vector. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[4] Instruction arguments are fixed to source/destination register x0 and immediate 0, with addi x0, x0, 0 given as an example. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[5] After insertion, the fuzzer executes the new test vector and saves it only if it increases coverage, which limits the state space and helps prevent state-space explosion. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[6] Fast Exploration then uses bitflip mutation to cover possible arguments and uncover unknown instructions. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[7] Instruction insertion and bitflip mutation are repeated iteratively until no new test vectors are found. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[8] The mutation prephase is intended to cover an extensive range of the RISC-V instruction-sequence state space without scalability problems or dependence on a lucky random seed. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[9] The described overhead is low because RV32I has 40 instructions, the operations are applied only to coverage-reaching test vectors, and bitflip was moved into this phase rather than added as new overhead. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[10] The authors state that implementing the mutation was straightforward because AFL's simple design made control-flow adjustments easy. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[11] Enhanced Havoc is another enhanced mutation that also inserts RISC-V instructions, but its arguments are not fixed to zero, it supports compressed instructions, and it includes a replacement variant that preserves test-vector size. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
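
The loop summarized in citations [2] to [7], as an added example that is not code from the paper or from AFL. Assumptions of this sketch: a constructed toy coverage model (opcode/funct3 points plus adjacent-instruction pairs) stands in for the processor co-simulation, the base list is cut to two zero-argument RV32I encodings, and bitflip touches only the first word of a test vector.

```python
# Constructed toy model: not AFL, not a real ISS/RTL co-simulation.
# Zero-argument base instructions (rd = rs1 = x0, imm = 0); truncated list.
BASE = [0x00000013,  # addi x0, x0, 0
        0x00002003]  # lw   x0, 0(x0)

# (opcode, funct3) pairs the toy "processor" decodes; anything else traps.
LEGAL = ({(0x13, f) for f in (0, 2, 4, 6, 7)} | {(0x33, 0)}
         | {(0x03, f) for f in (0, 1, 2)} | {(0x23, f) for f in (0, 1, 2)}
         | {(0x63, 0), (0x63, 1)})

def key(word):
    """Coverage point for one instruction word; argument bits are ignored."""
    k = (word & 0x7F, (word >> 12) & 0x7)
    return k if k in LEGAL else "illegal"

def run(vector):
    """Stand-in for executing a test vector: the coverage points it hits.
    Single instructions plus adjacent pairs model sequence coverage."""
    keys = [key(w) for w in vector]
    return set(keys) | set(zip(keys, keys[1:]))

def fast_exploration(seeds):
    """Insert zero-argument instructions, then bitflip, keeping a candidate
    only if it adds coverage; repeat until a round finds nothing new."""
    coverage, saved = set(), []
    frontier = [list(s) for s in seeds]
    for v in frontier:
        coverage |= run(v)
    while frontier:
        found = []
        for v in frontier:
            # Insertion at the beginning of the test vector.
            candidates = [[ins] + v for ins in BASE]
            # Walking single-bit flips over the first word.
            if v:
                candidates += [[v[0] ^ (1 << b)] + v[1:] for b in range(32)]
            for c in candidates:
                new = run(c) - coverage
                if new:               # coverage-increasing: save it
                    coverage |= new
                    found.append(c)
        saved += found
        frontier = found              # only new vectors are mutated again
    return saved, coverage

if __name__ == "__main__":
    saved, coverage = fast_exploration([[]])
    print(len(saved), "vectors saved,", len(coverage), "coverage points")
```

Starting from an empty seed, the toy run reaches instructions that are not in the base list (for example the store encodings) through bitflips alone, and the number of saved vectors never exceeds the number of coverage points because a candidate without new coverage is discarded.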