Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/0xricksanchez/AFL_Runner/llms.txt

Use this file to discover all available pages before exploring further.

aflr gen constructs the full sequence of afl-fuzz command lines that would be used for a multi-core fuzzing campaign and prints them to stdout — without creating any session, spawning any process, or touching the filesystem. It applies the same multi-core strategy logic as aflr run: one primary fuzzer is assigned the -M role, remaining runners receive secondary -S roles with power-schedule and instrumentation assignments drawn from the configured mode. Use aflr gen whenever you want to audit the exact commands, feed them into an external orchestrator, or verify that your binary paths and options resolve correctly before committing to a live campaign.

Synopsis

aflr gen [OPTIONS] [-- <TARGET_ARGS>...]

Options

Target Binaries

-t, --target
path
Path to the AFL++-instrumented target binary to fuzz. This is the main binary used by the primary fuzzer instance and most secondaries. Either this flag or --config must be provided.
-s, --san-target
path
Path to a *SAN-instrumented build of the target (e.g. compiled with AddressSanitizer). When provided, aflr designates one secondary runner to execute against this binary.
-c, --cmpl-target
path
Path to a CMPLOG-instrumented binary. One secondary fuzzer instance will be generated in CMPLOG mode (-c) targeting this binary to improve comparison-based coverage.
-l, --cmpc-target
path
Path to a Laf-intel/CMPCOV-instrumented binary. One secondary instance will be generated with LAF_INTEL environment settings pointing to this binary.

Fuzzing Configuration

-n, --runners
integer
default:"1"
Number of afl-fuzz command lines to generate. The first is always the primary (-M); the rest are secondaries (-S). Defaults to 1 if not set.
-i, --input-dir
path
default:"/tmp/afl_input"
Path to the seed corpus directory passed as the -i argument to every generated afl-fuzz invocation. Defaults to /tmp/afl_input.
-o, --output-dir
path
default:"/tmp/afl_output"
Path to the AFL++ output directory passed as the -o argument to every generated command. Defaults to /tmp/afl_output.
-x, --dictionary
path
Path to a token dictionary file. When provided, the -x flag is appended to all generated afl-fuzz invocations.
-b, --afl-binary
string
Override the afl-fuzz binary name or path used in the generated command strings. Useful when generating commands intended for a specific AFL++ installation.
-m, --mode
enum
default:"multiple-cores"
Selects the command-generation strategy. Controls which AFL++ flags, power schedules, and environment variables are distributed across the runner set. Accepted values:
  • default — minimal flag set, close to a bare afl-fuzz invocation
  • multiple-cores(default) full multi-core strategy with power schedule rotation and instrumentation-aware secondary assignment
  • ci-fuzzing — lightweight flag set suited for short continuous integration runs
--seed
integer
Integer seed for aflr’s internal PRNG. Fixes the random assignments of power schedules and secondary roles so that aflr gen produces identical output across multiple invocations given the same inputs.
--use-seed-afl
bool
default:"false"
When set, includes AFL_RANDOM_SEED=<value> in the generated environment for each afl-fuzz invocation. Requires --seed to be specified.
--nyx-mode
bool
default:"false"
Generates commands targeting AFL++ Nyx mode. Requires a Nyx-enabled AFL++ build when the commands are eventually executed.
--config
path
Path to a TOML configuration file. Config file values are merged before command generation; explicit CLI flags take precedence.

Target Arguments

aflr gen [OPTIONS] -- <TARGET_ARGS>...
Pass target binary arguments after a -- separator. Use @@ where AFL++ should substitute the mutated input file path. These arguments are appended to every generated afl-fuzz invocation after the target binary.

Examples

# Preview the 8-runner command set for a single binary
aflr gen -t ./target_afl -i ./corpus -o /tmp/out -n 8

# Include SAN and CMPLOG binaries in the generated commands
aflr gen -t ./target_afl -s ./target_asan -c ./target_cmplog -n 16

# Generate commands in CI fuzzing mode
aflr gen -t ./target_afl -i ./corpus -o /tmp/out -n 4 -m ci-fuzzing

# Deterministic generation — same seed always produces the same output
aflr gen -t ./target_afl -i ./corpus -o /tmp/out -n 8 --seed 12345

# Load configuration from a TOML file
aflr gen --config ./aflr_cfg.toml

# Full multi-binary set with a dictionary and target arguments
aflr gen -t ./target_afl -s ./target_asan -c ./target_cmplog -l ./target_cmpcov \
  -i ./corpus -o /tmp/out -n 16 -x ./tokens.dict -- @@

# Verify AFL_RANDOM_SEED propagation
aflr gen -t ./target_afl -i ./corpus -o /tmp/out -n 4 --seed 99 --use-seed-afl
aflr gen is the safest way to validate your configuration before launching a campaign. Pipe its output to a file or shell script to build custom orchestration pipelines, integrate with CI systems, or wrap individual commands with resource-limiting tools like taskset or cgroups wrappers — without any of the session-management overhead of aflr run.
aflr gen never writes to disk or launches processes. If the target binary path does not exist, aflr will still resolve and print the commands — validation of binary existence happens at execution time in aflr run.

Build docs developers (and LLMs) love