Gray-Box Fuzzing in Local Space

Date: 2025-01-29
Citations: 0 (influential: 0)

AI Summary
Gray-box fuzzing struggles with precisely flipping the final conditional branch—i.e., preserving the path prefix while inverting only the last comparison—due to coarse-grained reliance on coverage signals. Method: This paper formally defines consistency constraints over conditional sequences within a “local space” and proposes a path-guided input search algorithm based on symbolic condition modeling and constraint-driven guidance. It employs lightweight program instrumentation to extract Boolean evaluation sequences of numeric comparisons (e.g., *x ≤ y*), enabling fine-grained local path mutation without coverage feedback. Contribution/Results: Evaluated on the TestComp 2024 benchmark, our approach significantly improves branch-flipping success rates and new-path discovery efficiency. Experimental results demonstrate the effectiveness, precision, and scalability of the local-space search strategy, establishing a foundation for semantics-aware, constraint-guided gray-box fuzzing.

Abstract
We consider gray-box fuzzing of a program instrumented such that information about the evaluation of program expressions converting values of numerical types to Boolean, like x <= y, is recorded during each execution of the program. Given that information for an executed program path, we formally define the problem of finding an input such that the program's execution with that input evaluates all those expressions in the same order and with the same Boolean values as in the original execution path, except for the last one, which is evaluated to the opposite value. We then provide an algorithm that searches for a solution to the problem effectively. The effectiveness of the algorithm is demonstrated empirically via its evaluation on the TestComp 2024 benchmark suite.
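The problem statement above (reproduce every recorded comparison outcome of a seed execution except the last, which must be inverted) is concrete enough to model on a toy program. The following is an added example, not code from the paper or its authors: it instruments `a <= b` comparisons to record a per-site Boolean outcome, builds the flipped target sequence from a seed run, and searches for an input that satisfies it. The search is a simple branch-distance hill climb over integer inputs; that metric and the toy programs (`toy`, `unsat`) are constructed assumptions standing in for the paper's constraint-driven algorithm, chosen to show both a successful flip and the failure mode where the last condition cannot be inverted without breaking the prefix.

```python
"""Toy model of the local-space branch-flipping problem: instrument numeric
comparisons, record their Boolean outcomes along one execution, then search
for an input that reproduces every outcome except the last, which is inverted.
Constructed example; the branch-distance hill climb is an assumed stand-in."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Obs:
    site: str        # static id of the comparison in the program text
    value: bool      # Boolean outcome observed on this execution
    dist_true: int   # how far the operands are from making it true
    dist_false: int  # how far the operands are from making it false


def le(site: str, a: int, b: int, trace: List[Obs]) -> bool:
    """Instrumented `a <= b`: records the outcome plus a branch distance
    (assumed guidance metric, not the paper's)."""
    result = a <= b
    trace.append(Obs(site, result, max(0, a - b), max(0, b - a + 1)))
    return result


Program = Callable[[List[int], List[Obs]], object]


def run(program: Program, inputs: List[int]) -> List[Obs]:
    """Execute the program and return its recorded condition sequence."""
    trace: List[Obs] = []
    program(inputs, trace)
    return trace


def flip_last(trace: List[Obs]) -> List[Tuple[str, bool]]:
    """Target sequence: same sites and values as the seed, last value inverted."""
    target = [(o.site, o.value) for o in trace]
    site, value = target[-1]
    target[-1] = (site, not value)
    return target


def cost(trace: List[Obs], target: List[Tuple[str, bool]]) -> int:
    """0 iff the trace satisfies the target. Otherwise a penalty that grows
    the earlier the divergence, plus the distance to the wanted outcome."""
    n = len(target)
    for k, (site, want) in enumerate(target):
        if k >= len(trace) or trace[k].site != site:
            return 1000 * (n - k)            # path prefix left the local space
        obs = trace[k]
        if obs.value != want:
            return 1000 * (n - 1 - k) + (obs.dist_true if want else obs.dist_false)
    return 0


def search(program: Program, seed: List[int], budget: int = 200) -> Optional[List[int]]:
    """Hill climb from the seed towards an input whose trace matches flip_last."""
    target = flip_last(run(program, seed))
    current, best = list(seed), cost(run(program, seed), target)
    steps = [1 << i for i in range(12)]      # 1, 2, 4, ..., 2048
    for _ in range(budget):
        if best == 0:
            return current
        improved = None
        for dim in range(len(current)):
            for step in steps:
                for sign in (1, -1):
                    cand = list(current)
                    cand[dim] += sign * step
                    c = cost(run(program, cand), target)
                    if c < best:
                        improved, best = cand, c
        if improved is None:
            return None                      # local minimum: no flip reachable
        current = improved
    return current if best == 0 else None


def toy(inp: List[int], tr: List[Obs]) -> str:
    """Constructed program under test with three comparison sites."""
    x, y = inp
    if le("s0", x, 10, tr):
        if le("s1", y, x, tr):
            return "A"
        return "B"
    if le("s2", x + y, 100, tr):
        return "C"
    return "D"


def unsat(inp: List[int], tr: List[Obs]) -> str:
    """Constructed program whose second condition cannot be flipped while
    keeping the first one true (x <= 10 implies x <= 20)."""
    x = inp[0]
    if le("u0", x, 10, tr) and le("u1", x, 20, tr):
        return "in range"
    return "out"


if __name__ == "__main__":
    for prog, seed in ((toy, [3, 1]), (toy, [20, 30]), (unsat, [5])):
        print(prog.__name__, seed, "->", search(prog, seed))
```

Running the module prints a flipped-branch input for both `toy` seeds and `None` for `unsat`: the climb moves `x` up to 10 and then finds every neighbour either still satisfying `u1` or breaking `u0`, which is exactly the situation the paper's consistency constraints are meant to make explicit rather than leave to coverage feedback.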
Problem
Greybox Fuzzing
Program Execution
Condition Inversion
Innovation
Graybox Fuzzing
Algorithmic Logic Manipulation
Robustness and Security Testing