STIMSMITH

Arithmetic Mutation

Technique WIKI v1 · 5/26/2026

Arithmetic Mutation is a mutation strategy used by American Fuzzy Lop (AFL). The cited source describes it as adding or subtracting integers, and lists it alongside bitflip and havoc mutations as one of AFL’s notable mutation types for discovering new behaviors through edge-coverage feedback.

Overview

Arithmetic Mutation is a fuzzing mutation technique described in the context of American Fuzzy Lop (AFL). AFL is characterized as an out-of-process, coverage-guided grey-box fuzzer. Within AFL’s set of mutations, arithmetic mutation modifies inputs by adding or subtracting integers. [Arithmetic mutation behavior]

Role in AFL

AFL uses multiple mutation strategies to discover new behaviors in the software under test. The cited source identifies three notable examples:

  • Bitflip mutation, which flips varying numbers of bits.
  • Arithmetic mutation, which adds or subtracts integers.
  • Havoc mutation, which combines many individual mutations and applies them at random positions. [AFL notable mutations]

AFL detects new behaviors using edge coverage. In this setting, arithmetic mutation is one of the mechanisms that can generate altered test vectors whose execution may expose new coverage. [AFL behavior discovery]

Execution context

The cited source describes AFL as an out-of-process fuzzer. In contrast to in-process fuzzers, this means AFL resets the whole process, and the software under test does not require a custom reset function. The same source also notes that AFL uses a trim mutation to reduce test-vector size without changing measured coverage, since smaller test vectors tend to execute faster. [AFL execution model]

Technical characterization

In the cited source, the defining technical property of Arithmetic Mutation is simple and numeric: it changes an input by performing integer addition or subtraction. The source does not specify the exact integer widths, byte ordering, operand selection rules, or scheduling policy used for arithmetic mutation; therefore, those implementation details are not asserted here.
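The following C sketch is an added example, not AFL's code and not taken from the cited source. It shows one way an add/subtract mutation can be applied to a test vector, including wrap-around and out-of-bounds handling. The field widths (1, 2, 4 bytes), the two byte orders, the `max_delta` bound and the names `arith_mutate`, `arith_stage` and `mutant_cb` are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Called once per mutant; a fuzzer would run the target on buf here. */
typedef void (*mutant_cb)(const uint8_t *buf, size_t len, void *ctx);

/* Add a signed delta to the width-byte integer at buf[pos], wrapping modulo
 * 2^(8*width). Widths 1, 2 and 4 are this example's assumption. Returns 0 on
 * success, -1 if the width is unsupported or the field leaves the buffer. */
int arith_mutate(uint8_t *buf, size_t len, size_t pos, size_t width,
                 int32_t delta, int big_endian)
{
    if ((width != 1 && width != 2 && width != 4) || pos > len || width > len - pos)
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < width; i++) {          /* decode in chosen byte order */
        size_t shift = 8 * (big_endian ? width - 1 - i : i);
        v |= (uint32_t)buf[pos + i] << shift;
    }
    v += (uint32_t)delta;                         /* unsigned add: defined wrap */
    for (size_t i = 0; i < width; i++) {          /* encode, truncating to width */
        size_t shift = 8 * (big_endian ? width - 1 - i : i);
        buf[pos + i] = (uint8_t)(v >> shift);
    }
    return 0;
}

/* Enumerate every mutant: each offset, width, byte order and +/-1..max_delta.
 * The buffer is restored after each mutant. Returns the number produced. */
size_t arith_stage(uint8_t *buf, size_t len, int32_t max_delta,
                   mutant_cb cb, void *ctx)
{
    static const size_t widths[] = {1, 2, 4};
    size_t count = 0;
    for (size_t w = 0; w < 3; w++)
        for (size_t pos = 0; pos + widths[w] <= len; pos++)
            for (int be = 0; be <= (widths[w] > 1); be++)  /* 1 byte: one order */
                for (int32_t d = 1; d <= max_delta; d++)
                    for (int sign = -1; sign <= 1; sign += 2) {
                        uint8_t saved[4];
                        memcpy(saved, buf + pos, widths[w]);
                        arith_mutate(buf, len, pos, widths[w], sign * d, be);
                        if (cb) cb(buf, len, ctx);
                        memcpy(buf + pos, saved, widths[w]);
                        count++;
                    }
    return count;
}
```

Unlike a bitflip, a single step here can change several bytes at once: adding 1 to the little-endian 16-bit field `FF 00` carries into the next byte and yields `00 01`.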

CITATIONS

[1] Arithmetic mutation behavior: arithmetic mutation adds or subtracts integers. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing.
[2] AFL notable mutations: AFL uses multiple mutations, including bitflip, arithmetic, and havoc mutations; bitflip flips bits, arithmetic adds/subtracts integers, and havoc combines multiple mutations at random positions. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing.
[3] AFL behavior discovery: AFL detects new behaviors through edge coverage. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing.
[4] AFL execution model: AFL is described as an out-of-process coverage-guided grey-box fuzzer; out-of-process fuzzers reset the whole process and do not require a custom reset function in the software under test; AFL also uses trim mutation to reduce test-vector size without changing measured coverage. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing.