Documentation Index
Fetch the complete documentation index at: https://mintlify.com/0xricksanchez/AFL_Runner/llms.txt
Use this file to discover all available pages before exploring further.
aflr gen constructs the full sequence of afl-fuzz command lines that would be used for a multi-core fuzzing campaign and prints them to stdout — without creating any session, spawning any process, or touching the filesystem. It applies the same multi-core strategy logic as aflr run: one primary fuzzer is assigned the -M role, remaining runners receive secondary -S roles with power-schedule and instrumentation assignments drawn from the configured mode. Use aflr gen whenever you want to audit the exact commands, feed them into an external orchestrator, or verify that your binary paths and options resolve correctly before committing to a live campaign.
Synopsis
Options
Target Binaries
Path to the AFL++-instrumented target binary to fuzz. This is the main binary used by the primary fuzzer instance and most secondaries. Either this flag or
--config must be provided.Path to a
*SAN-instrumented build of the target (e.g. compiled with AddressSanitizer). When provided, aflr designates one secondary runner to execute against this binary.Path to a
CMPLOG-instrumented binary. One secondary fuzzer instance will be generated in CMPLOG mode (-c) targeting this binary to improve comparison-based coverage.Path to a
Laf-intel/CMPCOV-instrumented binary. One secondary instance will be generated with LAF_INTEL environment settings pointing to this binary.Fuzzing Configuration
Number of
afl-fuzz command lines to generate. The first is always the primary (-M); the rest are secondaries (-S). Defaults to 1 if not set.Path to the seed corpus directory passed as the
-i argument to every generated afl-fuzz invocation. Defaults to /tmp/afl_input.Path to the AFL++ output directory passed as the
-o argument to every generated command. Defaults to /tmp/afl_output.Path to a token dictionary file. When provided, the
-x flag is appended to all generated afl-fuzz invocations.Override the
afl-fuzz binary name or path used in the generated command strings. Useful when generating commands intended for a specific AFL++ installation.Selects the command-generation strategy. Controls which AFL++ flags, power schedules, and environment variables are distributed across the runner set. Accepted values:
default— minimal flag set, close to a bareafl-fuzzinvocationmultiple-cores— (default) full multi-core strategy with power schedule rotation and instrumentation-aware secondary assignmentci-fuzzing— lightweight flag set suited for short continuous integration runs
Integer seed for aflr’s internal PRNG. Fixes the random assignments of power schedules and secondary roles so that
aflr gen produces identical output across multiple invocations given the same inputs.When set, includes
AFL_RANDOM_SEED=<value> in the generated environment for each afl-fuzz invocation. Requires --seed to be specified.Generates commands targeting AFL++ Nyx mode. Requires a Nyx-enabled AFL++ build when the commands are eventually executed.
Path to a TOML configuration file. Config file values are merged before command generation; explicit CLI flags take precedence.
Target Arguments
-- separator. Use @@ where AFL++ should substitute the mutated input file path. These arguments are appended to every generated afl-fuzz invocation after the target binary.
Examples
aflr gen never writes to disk or launches processes. If the target binary path does not exist, aflr will still resolve and print the commands — validation of binary existence happens at execution time in aflr run.