STIMSMITH

Enhanced Havoc Mutation

Technique WIKI v1 · 5/26/2026

Enhanced Havoc Mutation is a problem-specific enhancement to AFL's havoc mutation flow for RISC-V processor verification. It extends random havoc-style mutation with RISC-V instruction insertion, size-preserving instruction replacement, compressed-instruction support, and CSR-focused write/read mutation patterns intended to expose CSR misbehavior to an Execution Controller.

Overview

Enhanced Havoc Mutation is described as one of two problem-specific mutation techniques added to AFL in a coverage-guided fuzzing approach for cross-level processor verification; the other technique is Fast Exploration. The source characterizes the original AFL havoc mutation as a combination of single mutations applied at random positions, then describes Enhanced Havoc as extending that flow with RISC-V-specific operations. [C1]

Mutation behavior

Enhanced Havoc adds insertion of RISC-V instructions during havoc-style mutation. Unlike the related Fast Exploration mutation, the inserted instruction arguments are not fixed to zero, and the technique also supports compressed instructions. [C2]

The technique also adds a replacement variant. Whereas insertion makes a test vector longer, the replacement variant does not change the size of the test vector. [C3]

CSR testing support

Enhanced Havoc includes improvements for testing RISC-V Control and Status Registers (CSRs). The CSR insertion/replacement functionality always adds two CSR instructions: the first writes a CSR, and the second reads the same CSR. This pattern is intended to propagate possible CSR misbehavior directly into a register so that the Execution Controller can detect it. [C4]
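As an added illustration (not the paper's AFL patch) of the insertion and size-preserving replacement variants described above combined with the CSR write-then-read pattern, the following Python models both on a little-endian stream of 32-bit RISC-V instructions. The CSR address list, register choices and the nop input are constructed sample values, and compressed-instruction support is left out.

```python
import random
import struct

# Added illustration of the page's CSR write/read havoc pattern; not the paper's AFL code.
# Only 32-bit instructions are modelled (the compressed-instruction support is omitted).
OPCODE_SYSTEM = 0x73
F3_CSRRW, F3_CSRRS = 0b001, 0b010
# Constructed sample CSR addresses: mstatus, mtvec, mscratch, mepc, mcause.
SAMPLE_CSRS = [0x300, 0x305, 0x340, 0x341, 0x342]

def encode_csr(funct3, rd, rs1, csr):
    """I-type SYSTEM encoding: csr[11:0] | rs1 | funct3 | rd | opcode."""
    return (csr << 20) | (rs1 << 15) | (funct3 << 12) | (rd << 7) | OPCODE_SYSTEM

def decode_csr(word):
    """Return (funct3, rd, rs1, csr) for a SYSTEM-opcode word, else None."""
    if word & 0x7F != OPCODE_SYSTEM:
        return None
    return ((word >> 12) & 7, (word >> 7) & 0x1F, (word >> 15) & 0x1F, word >> 20)

def csr_pair(rng):
    """csrrw x0, csr, rs1 (write) followed by csrrs rd, csr, x0 (read back into rd)."""
    csr = rng.choice(SAMPLE_CSRS)
    rs1, rd = rng.randrange(1, 32), rng.randrange(1, 32)
    return struct.pack("<II", encode_csr(F3_CSRRW, 0, rs1, csr),
                       encode_csr(F3_CSRRS, rd, 0, csr))

def havoc_csr_insert(vec, seed):
    """Insertion variant: splice the pair at a random instruction boundary (+8 bytes)."""
    rng = random.Random(seed)
    pos = 4 * rng.randrange(len(vec) // 4 + 1)
    return vec[:pos] + csr_pair(rng) + vec[pos:]

def havoc_csr_replace(vec, seed):
    """Replacement variant: overwrite two adjacent instructions; size is unchanged."""
    if len(vec) < 8:
        return vec  # too short to hold the pair without growing
    rng = random.Random(seed)
    pos = 4 * rng.randrange(len(vec) // 4 - 1)
    return vec[:pos] + csr_pair(rng) + vec[pos + 8:]

def find_csr_pairs(vec):
    """CSR addresses of every csrrw-then-csrrs pair targeting the same CSR."""
    words = struct.unpack("<%dI" % (len(vec) // 4), vec)
    found = []
    for a, b in zip(words, words[1:]):
        da, db = decode_csr(a), decode_csr(b)
        if da and db and da[0] == F3_CSRRW and db[0] == F3_CSRRS and da[3] == db[3]:
            found.append(da[3])
    return found
```

Running `find_csr_pairs` over a mutated vector shows the write/read pair the Execution Controller would later compare across cores.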

Verification context

The technique appears in a processor-verification flow that uses fuzzing with co-simulation. In the reported case study, the device under test is the open-source RISC-V VexRiscv RTL processor, and the reference ISS is extracted from the open-source RISC-V VP. The RTL core is translated to C++ using Verilator and embedded with the ISS into a common SystemC testbench. [C5]

The Execution Controller in this flow has two purposes: preventing infinite loops and detecting mismatches between processor cores. It compares architectural effects at synchronization points where register values change. [C6]

Reported evaluation context

The paper reports fuzzing results comparing Vanilla AFL and Enhanced AFL. In the paper's results table, Enhanced AFL has a mean of 274.43 unique crashes versus 237.36 for Vanilla AFL, and a sum of 2021 unique crashes versus 1619 for Vanilla AFL. These figures describe the evaluated Enhanced AFL configuration as a whole rather than isolating the contribution of Enhanced Havoc alone. [C7]

CITATIONS

[1] Enhanced Havoc is one of two problem-specific enhanced mutations for AFL, alongside Fast Exploration, and the original havoc mutation applies single mutations at random positions. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[2] Enhanced Havoc adds insertion of RISC-V instructions; unlike Fast Exploration, its instruction arguments are not fixed to zero and it supports compressed instructions. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[3] Enhanced Havoc includes a replacement variant that does not change the size of the test vector, in contrast to insertion, which makes the test vector longer. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[4] Enhanced Havoc integrates CSR testing by adding two CSR instructions, first writing and then reading the same CSR, so possible CSR misbehavior is propagated into a register and made detectable by the Execution Controller. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[5] The evaluation context uses fuzzing with co-simulation, VexRiscv as the RISC-V RTL DUT, a RISC-V VP-derived ISS as reference, Verilator to translate the RTL core to C++, and a common SystemC testbench. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[6] The Execution Controller prevents infinite loops and detects processor-core mismatches, using register-value changes as synchronization and comparison points. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)
[7] The reported fuzzing-results table shows Enhanced AFL with mean 274.43 unique crashes and sum 2021 unique crashes, compared with Vanilla AFL mean 237.36 and sum 1619. (Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing)