STIMSMITH

Enhanced Havoc Mutation

Technique

Enhanced Havoc Mutation is a problem-specific enhancement to AFL's havoc mutation flow for RISC-V processor verification. It extends random havoc-style mutation with RISC-V instruction insertion, size-preserving instruction replacement, compressed-instruction support, and a CSR write-then-read mutation pattern that propagates CSR misbehavior into a general-purpose register, where the Execution Controller's register comparison can detect it.

First seen 5/26/2026
Last seen 5/29/2026
Evidence 3 chunks
Wiki v1

WIKI

Overview

Enhanced Havoc Mutation is described as one of two problem-specific mutation techniques added to AFL in a coverage-guided fuzzing approach for cross-level processor verification; the other technique is Fast Exploration. The source characterizes the original AFL havoc mutation as a combination of single mutations applied at random positions, then describes Enhanced Havoc as extending that flow with RISC-V-specific operations. [C1]
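The following is an added example, not code from the paper, from AFL or from VexRiscv. It models the four operations this page attributes to Enhanced Havoc (see the Overview above and citations [2] to [4] below) as a havoc-style loop over a RISC-V test vector stored as little-endian instruction bytes: instruction insertion with non-zero operands, replacement that keeps the vector size unchanged, compressed (RVC) instruction generation, and a CSR write/read pair whose result lands in a register. The instruction mix, the CSR numbers, the register choices and the havoc probabilities are assumptions made for the example; the seed program is constructed.

```python
"""Toy model of the Enhanced Havoc operations (added example, not the paper's code)."""
import random

# ---- RV32I / Zicsr / RVC encoders, little-endian byte strings ------------------

def enc32(word):
    return word.to_bytes(4, "little")

def enc16(half):
    return half.to_bytes(2, "little")

def r_type(funct7, rs2, rs1, funct3, rd, opcode):
    return enc32((funct7 << 25) | (rs2 << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode)

def i_type(imm12, rs1, funct3, rd, opcode):
    return enc32(((imm12 & 0xFFF) << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | opcode)

def addi(rd, rs1, imm):  return i_type(imm, rs1, 0, rd, 0x13)
def add(rd, rs1, rs2):   return r_type(0, rs2, rs1, 0, rd, 0x33)
def xor(rd, rs1, rs2):   return r_type(0, rs2, rs1, 4, rd, 0x33)
def csrrw(rd, csr, rs1): return i_type(csr, rs1, 1, rd, 0x73)   # SYSTEM, funct3=001
def csrrs(rd, csr, rs1): return i_type(csr, rs1, 2, rd, 0x73)   # SYSTEM, funct3=010

def c_li(rd, imm6):
    # C.LI: funct3=010 | imm[5] | rd[4:0] | imm[4:0] | op=01
    imm6 &= 0x3F
    return enc16((0b010 << 13) | ((imm6 >> 5) << 12) | (rd << 7) | ((imm6 & 0x1F) << 2) | 0b01)

def c_add(rd, rs2):
    # C.ADD: funct4=1001 | rd[4:0] | rs2[4:0] | op=10
    return enc16((0b1001 << 12) | (rd << 7) | (rs2 << 2) | 0b10)

def insn_len(first_halfword):
    # RISC-V length rule: 16-bit unless the low two bits are 11 (longer forms ignored here)
    return 4 if (first_halfword & 0b11) == 0b11 else 2

def split(vec):
    """Split a byte string into instructions at RISC-V length boundaries.
    A trailing fragment shorter than its declared length is kept as-is."""
    out, i = [], 0
    while i < len(vec):
        if i + 2 > len(vec):
            out.append(vec[i:]); break
        n = insn_len(int.from_bytes(vec[i:i + 2], "little"))
        out.append(vec[i:i + n]); i += n
    return out

# ---- random instruction generators (operands are NOT fixed to zero) -----------

def random_insn32(rng):
    rd, rs1, rs2 = rng.randrange(1, 32), rng.randrange(32), rng.randrange(32)
    return rng.choice([lambda: addi(rd, rs1, rng.randrange(-2048, 2048)),
                       lambda: add(rd, rs1, rs2),
                       lambda: xor(rd, rs1, rs2)])()

def random_insn16(rng):
    rd, rs2 = rng.randrange(1, 32), rng.randrange(1, 32)
    return rng.choice([lambda: c_li(rd, rng.randrange(-32, 32)),
                       lambda: c_add(rd, rs2)])()

# ---- the havoc operations ------------------------------------------------------

def op_byteflip(insns, rng):
    """Original AFL-style single mutation: flip one bit at a random position."""
    if not insns: return
    k = rng.randrange(len(insns))
    b = bytearray(insns[k]); b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    insns[k] = bytes(b)

def op_insert(insns, rng):
    """Insertion: the test vector grows by one (possibly compressed) instruction."""
    new = random_insn16(rng) if rng.random() < 0.5 else random_insn32(rng)
    insns.insert(rng.randrange(len(insns) + 1), new)

def op_replace(insns, rng):
    """Replacement: swap one instruction for another of the same length."""
    if not insns: return
    k = rng.randrange(len(insns))
    if len(insns[k]) == 4:   insns[k] = random_insn32(rng)
    elif len(insns[k]) == 2: insns[k] = random_insn16(rng)
    # an odd trailing fragment is left untouched so the size stays the same

def csr_probe(csr, src, dst):
    """Write `src` into `csr`, then read `csr` back into `dst` (rd != x0), so a
    wrong CSR value becomes a register difference between DUT and reference."""
    return [csrrw(0, csr, src), csrrs(dst, csr, 0)]

# CSR numbers are an assumption for the example: mstatus, mtvec, mscratch, mepc
PROBE_CSRS = (0x300, 0x305, 0x340, 0x341)

def op_csr_pair(insns, rng):
    k = rng.randrange(len(insns) + 1)
    insns[k:k] = csr_probe(rng.choice(PROBE_CSRS), rng.randrange(1, 32), rng.randrange(1, 32))

def enhanced_havoc(vec, rng, stacked=4):
    """Havoc loop: apply `stacked` randomly chosen operations and re-join the bytes."""
    insns = split(vec)
    for _ in range(stacked):
        rng.choice([op_byteflip, op_insert, op_replace, op_csr_pair])(insns, rng)
    return b"".join(insns)

# Constructed seed program: addi x1,x0,5 ; addi x2,x0,7 ; add x3,x1,x2 ; c.li x4,-3
SEED = addi(1, 0, 5) + addi(2, 0, 7) + add(3, 1, 2) + c_li(4, -3)

if __name__ == "__main__":
    print(enhanced_havoc(SEED, random.Random(0)).hex(" ", 2))
```

The reader-relevant check is the one the Execution Controller relies on: the CSR read writes into a non-zero `rd`, so the result is a register-value change that the controller can use as a synchronization and comparison point. Writing with `rd = x0` and reading with `rs1 = x0` keeps the probe side-effect free apart from the CSR write itself.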

Mutation behavior



RELATIONSHIPS

3 connections
The paper introduces the Enhanced Havoc mutation as a custom AFL mutation for processor verification.
AFL (extends; 90%; 2 evidence chunks)
Enhanced Havoc Mutation is a custom mutation designed to enhance AFL's fuzzing performance for processor verification.
CSR Testing (uses; 90%; 1 evidence chunk)
The Enhanced Havoc mutation includes CSR instruction insertion/replacement for CSR testing.

CITATIONS

7 sources
[1] Enhanced Havoc is one of two problem-specific enhanced mutations for AFL, alongside Fast Exploration, and the original havoc mutation applies single mutations at random positions. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[2] Enhanced Havoc adds insertion of RISC-V instructions; unlike Fast Exploration, its instruction arguments are not fixed to zero and it supports compressed instructions. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[3] Enhanced Havoc includes a replacement variant that does not change the size of the test vector, in contrast to insertion, which makes the test vector longer. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[4] Enhanced Havoc integrates CSR testing by adding two CSR instructions, first writing and then reading the same CSR, so possible CSR misbehavior is propagated into a register and made detectable by the Execution Controller. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[5] The evaluation context uses fuzzing with co-simulation, VexRiscv as the RISC-V RTL DUT, a RISC-V VP-derived ISS as reference, Verilator to translate the RTL core to C++, and a common SystemC testbench. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[6] The Execution Controller prevents infinite loops and detects processor-core mismatches, using register-value changes as synchronization and comparison points. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[7] The reported fuzzing-results table shows Enhanced AFL with a mean of 274.43 unique crashes and a sum of 2021 unique crashes, compared with Vanilla AFL at a mean of 237.36 and a sum of 1619. (Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)