STIMSMITH

Fast Exploration Mutation

Technique WIKI v1 · 5/26/2026

Fast Exploration Mutation is a deterministic, problem-specific mutation used in an enhanced AFL-based coverage-guided fuzzing workflow for cross-level processor verification. It adds a preliminary exploration phase that inserts RISC-V instructions with fixed zero arguments, retains only coverage-increasing test vectors, and then applies bitflip mutation iteratively to expand instruction-sequence coverage while controlling state-space growth.

Overview

Fast Exploration Mutation is described as a deterministic mutation designed to increase the exploration speed of a coverage-guided fuzzer. It appears in the enhanced mutation set for an AFL-based processor-verification workflow, alongside Enhanced Havoc.

Procedure

Fast Exploration adds a preliminary exploration phase before the normal mutation procedure. The phase begins by inserting each RISC-V instruction at the beginning of every test vector. Instruction arguments are fixed to source/destination register x0 and immediate 0; the paper gives addi x0, x0, 0 as an example inserted instruction.

After insertion, the fuzzer executes the newly generated test vector. The test vector is saved only if it increases coverage. This coverage-gated retention is used to limit the state space and prevent state-space explosion.

The technique then applies bitflip mutation. The stated purpose of the bitflips is to cover possible instruction arguments and uncover unknown instructions. Instruction insertion and bitflip mutation are repeated iteratively until no new test vectors are found.
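A toy model of the prephase described above, added here as an illustration and not code from the paper or its AFL fork. It assumes a constructed coverage oracle that decodes instruction fields instead of running a processor model, a small subset of the RV32I zero-argument encodings, a constructed seed, and bitflips limited to the inserted word (the paper does not say where its bitflips are applied).

```python
import struct
# Zero-argument RV32I encodings (rd = rs1 = rs2 = x0, imm = 0); 0x13 is
# addi x0, x0, 0. A subset of the 40 RV32I instructions, for brevity.
ZERO_ARG_INSNS = {
    "addi": 0x00000013, "add": 0x00000033, "lw": 0x00002003, "sw": 0x00002023,
    "beq": 0x00000063, "jal": 0x0000006F, "lui": 0x00000037, "auipc": 0x00000017,
}
SEED = struct.pack("<I", 0x00100093)  # constructed seed: addi x1, x0, 1

def coverage_points(vector):
    # Constructed stand-in for a processor coverage model: one point per
    # (opcode, funct3) seen, plus one per opcode used with a non-zero rd / rs1.
    pts = set()
    for (w,) in struct.iter_unpack("<I", vector):
        opcode = w & 0x7F
        if opcode & 0b11 != 0b11:          # not a 32-bit encoding: no coverage
            continue
        pts.add(("insn", opcode, (w >> 12) & 7))
        if (w >> 7) & 0x1F:
            pts.add(("rd", opcode))
        if (w >> 15) & 0x1F:
            pts.add(("rs1", opcode))
    return pts

def fast_exploration(seeds, coverage_fn=coverage_points):
    # Prephase: insert each zero-arg instruction in front of every frontier
    # vector, keep only coverage-increasing results, bitflip those, and repeat
    # until nothing new turns up. Flips are limited to the inserted word here.
    corpus, total = list(seeds), set()
    for s in corpus:
        total |= coverage_fn(s)

    def keep(cand):                        # coverage-gated retention
        new = coverage_fn(cand) - total
        if new:
            total.update(new)
            corpus.append(cand)
        return bool(new)

    frontier = list(corpus)
    while frontier:
        stage = [c for v in frontier for w in ZERO_ARG_INSNS.values()
                 if keep(c := struct.pack("<I", w) + v)]   # insertion step
        i = 0
        while i < len(stage):              # worklist, so flips of flips count
            first = struct.unpack("<I", stage[i][:4])[0]
            for bit in range(32):
                cand = struct.pack("<I", first ^ (1 << bit)) + stage[i][4:]
                if keep(cand):
                    stage.append(cand)
            i += 1
        frontier = stage
    return corpus, total
```

Because the seed already covers addi with a zero funct3, inserting addi x0, x0, 0 in front of it is discarded, while a single flip of the rd field in the retained add vector is kept as a new argument-coverage point.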

Intended effect

The mutation prephase is intended to cover a broad region of the RISC-V instruction-sequence state space without relying on a lucky random seed and without running into scalability problems.

Overhead characteristics

The described implementation has low overhead for three reasons:

  1. RV32I contains only 40 different instructions.
  2. The insertion and bitflip operations are applied only to test vectors that reach new coverage points, not to every generated test vector.
  3. Bitflip mutation adds no additional overhead because it is moved into this phase rather than added as an extra operation later in the mutation procedure.

Implementation note

The authors state that implementing the mutation for their case study was straightforward because AFL's simple design made control-flow adjustments easy.

Relationship to Enhanced Havoc

Enhanced Havoc is described separately as another enhanced mutation. Like Fast Exploration, it adds insertion of RISC-V instructions, but unlike Fast Exploration its instruction arguments are not fixed to zero and it also supports compressed instructions. Enhanced Havoc also includes a replacement variant that does not change the size of the test vector.


CITATIONS

[1] Fast Exploration is a deterministic mutation designed to boost the exploration speed of the fuzzer. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[2] Fast Exploration adds a preliminary exploration phase before the normal mutation procedure. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[3] The phase inserts each RISC-V instruction at the beginning of every test vector. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[4] Instruction arguments are fixed to source/destination register x0 and immediate 0, with addi x0, x0, 0 given as an example. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[5] After insertion, the fuzzer executes the new test vector and saves it only if it increases coverage, which limits the state space and helps prevent state-space explosion. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[6] Fast Exploration then uses bitflip mutation to cover possible arguments and uncover unknown instructions. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[7] Instruction insertion and bitflip mutation are repeated iteratively until no new test vectors are found. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[8] The mutation prephase is intended to cover an extensive range of the RISC-V instruction-sequence state space without scalability problems or dependence on a lucky random seed. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[9] The described overhead is low because RV32I has 40 instructions, the operations are applied only to coverage-reaching test vectors, and bitflip was moved into this phase rather than added as new overhead. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[10] The authors state that implementing the mutation was straightforward because AFL's simple design made control-flow adjustments easy. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[11] Enhanced Havoc is another enhanced mutation that also inserts RISC-V instructions, but its arguments are not fixed to zero, it supports compressed instructions, and it includes a replacement variant that preserves test-vector size. Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing