Havoc Mutation

Technique WIKI v1 · 5/26/2026

Havoc mutation is a notable mutation strategy used by American Fuzzy Lop (AFL). The cited source describes it as a combination of many individual mutations applied at random positions to help discover new behaviors in coverage-guided fuzzing.

Overview

Havoc mutation is one of the notable mutation types used by American Fuzzy Lop (AFL), an out-of-process, coverage-guided grey-box fuzzer. AFL uses mutations to discover new program behaviors, with new behaviors detected through edge coverage. [C1]

How it works

The cited source defines havoc mutation as “a combination of a multitude of individual mutations” and states that those mutations are applied at random positions. [C2]

Within AFL’s mutation set, havoc mutation is listed alongside:

  • Bitflip mutations, which flip varying numbers of bits.
  • Arithmetic mutations, which add or subtract integers.
  • Havoc mutation, which combines many individual mutations and applies them randomly. [C3]
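The stacking described above, as an added C illustration (not AFL's source code and not taken from the cited paper): each round picks one individual operator and one random position, and several rounds are applied to the same buffer. The operator set, the stack sizes of 2 to 16, the arithmetic range of 1 to 35 and the xorshift PRNG are assumptions chosen for this example.

```c
/* Added illustration of a havoc-style stage; not AFL's source code.
   Operator set, stack sizes and PRNG are choices made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rng_state;              /* xorshift32 state, must be non-zero */

static uint32_t rnd(uint32_t limit) {   /* pseudo-random value in [0, limit) */
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state % limit;
}

/* Apply one randomly chosen operator at one randomly chosen position. */
static void mutate_once(uint8_t *buf, size_t len) {
    size_t pos = rnd((uint32_t)len);
    switch (rnd(4)) {
    case 0:  buf[pos] ^= (uint8_t)(1u << rnd(8)); break; /* flip a single bit   */
    case 1:  buf[pos] += (uint8_t)(1 + rnd(35));  break; /* add a small integer */
    case 2:  buf[pos] -= (uint8_t)(1 + rnd(35));  break; /* subtract one        */
    default: buf[pos] ^= (uint8_t)(1 + rnd(255)); break; /* force a new value   */
    }
}

/* Havoc: stack several individual mutations on the same buffer, in place.
   Returns the number of mutations applied (2, 4, 8 or 16 in this example). */
size_t havoc(uint8_t *buf, size_t len, uint32_t seed) {
    if (len == 0) return 0;             /* nothing to mutate */
    rng_state = seed ? seed : 1;        /* xorshift cannot start at 0 */
    size_t stack = (size_t)1 << (1 + rnd(4));
    for (size_t i = 0; i < stack; i++)
        mutate_once(buf, len);
    return stack;
}

int main(void) {
    uint8_t input[] = "GET /index.html";          /* constructed sample input */
    size_t n = havoc(input, sizeof input - 1, 0xC0FFEE);
    printf("%zu stacked mutations:", n);
    for (size_t i = 0; i < sizeof input - 1; i++) printf(" %02x", input[i]);
    putchar('\n');
    return 0;
}
```

Seeding the PRNG explicitly makes each mutated input reproducible, which matters when a crashing test case has to be regenerated for triage.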

Role in AFL fuzzing

AFL uses a range of mutations to explore new behaviors in the software under test. Havoc mutation contributes to this exploration by applying multiple mutation operations at random positions, rather than performing a single narrowly defined operation such as bit flipping or integer addition/subtraction. [C1][C2][C3]

Context

The cited source discusses AFL in the context of coverage-guided fuzzing for processor verification. It notes that AFL is out-of-process, meaning it resets the whole process and the software under test does not require a custom reset function. [C4]

CITATIONS

[C1] AFL is an out-of-process coverage-guided grey-box fuzzer that uses mutations to discover new behaviors detected through edge coverage. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[C2] Havoc mutation is a combination of many individual mutations applied at random positions. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[C3] AFL notable mutations include bitflip mutations, arithmetic mutations, and havoc mutation; bitflip flips varying numbers of bits and arithmetic adds or subtracts integers. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing
[C4] Out-of-process fuzzers reset the whole process, so the software under test does not require a custom reset function. Source: Efficient Cross-Level Processor Verification using Coverage-guided Fuzzing