casr-afl is a fully automated crash triage pipeline for AFL++ and the AFL-based C# fuzzer Sharpfuzz. It walks the AFL++ multi-worker output directory, detects the appropriate CASR reporter for each target binary (ASAN-instrumented binaries use casr-san; all others use casr-gdb), generates crash reports in parallel, deduplicates them, and finally clusters the unique reports — producing a tidy directory tree where each sub-directory represents a distinct crash class.
casr-gdb and casr-san must both be present in PATH before running casr-afl.
Usage
Options Reference
Logging verbosity. Use debug to see per-crash tool invocations and deduplication decisions. Possible values: info, debug.
Number of parallel jobs used when generating CASR reports. Defaults to half the number of available CPU cores. Must be ≥ 1.
Per-crash execution timeout in seconds. 0 disables the timeout entirely. Setting a timeout prevents casr-afl from stalling on inputs that hang the target.
Path to the AFL++ work directory. This is the top-level directory that contains one sub-directory per fuzzer instance (e.g. afl_main-worker/, afl_s01-worker/). You can also pass a single vanilla AFL instance directory directly — casr-afl detects both layouts automatically.
Destination directory for triaged reports. After a successful run it contains cluster sub-directories (cl1/, cl2/, …) each holding one or more .casrep files that represent the same root cause.
Path to a directory containing cluster output from a previous casr-afl run. When provided, only crashes that are new relative to the previous run are triaged and merged into the existing clusters. Can also be set via the CASR_PREV_CLUSTERS_DIR environment variable.
Delete the output directory before starting if it already exists. Without this flag, casr-afl will exit with an error rather than overwrite an existing output directory.
When set, the target command passed after -- is used directly to replay crashes instead of reading cmdline files from the AFL worker directories. Required when using a vanilla AFL directory layout that lacks cmdline files.
Skip the clustering step. Reports are still generated and deduplicated, but they are placed directly in the output directory without cluster sub-directories. Useful when you only need raw deduplicated reports quickly.
Override automatic reporter detection. Possible values:
auto — detect the correct tool from the binary’s symbols and the command line (default)
gdb — always use casr-gdb
san — always use casr-san
csharp — always use casr-csharp
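A preflight check for the requirements stated above, as an added example that is not part of CASR: it verifies that casr-gdb and casr-san are in PATH and lists the AFL instance directories that have no cmdline file and therefore need --ignore-cmdline. It assumes an instance directory is any directory containing a crashes/ sub-directory; the function names are hypothetical.

```shell
# Preflight checks before a casr-afl run (added example, not CASR code).
# Assumption: an AFL instance directory is one with a crashes/ sub-directory,
# and AFL++ stores the target command in a file named cmdline inside it.

# Print each reporter this page requires that is not found in PATH.
missing_reporters() {
    for tool in casr-gdb casr-san; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Print the instance directories of work directory $1, accepting both layouts:
# a single instance directory, or one sub-directory per fuzzer instance.
afl_instances() {
    if [ -d "$1/crashes" ]; then
        printf '%s\n' "$1"
    else
        for d in "$1"/*/; do
            if [ -d "${d}crashes" ]; then printf '%s\n' "${d%/}"; fi
        done
    fi
}

# Print instances without a cmdline file. Their crashes can only be replayed
# with --ignore-cmdline and the target command given after --.
instances_without_cmdline() {
    afl_instances "$1" | while IFS= read -r inst; do
        [ -f "$inst/cmdline" ] || printf '%s\n' "$inst"
    done
}

# Exit status: 0 ready, 1 --ignore-cmdline needed, 2 cannot run at all.
preflight() {
    missing=$(missing_reporters)
    nocmd=$(instances_without_cmdline "$1")
    if [ -n "$missing" ]; then
        echo "not in PATH:" $missing >&2; return 2
    fi
    if [ -z "$(afl_instances "$1")" ]; then
        echo "no AFL instance directory in $1" >&2; return 2
    fi
    if [ -n "$nocmd" ]; then
        echo "no cmdline file in:" $nocmd >&2; return 1
    fi
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Saved as a script, it takes the AFL work directory as its only argument and reports through its exit status.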
CASR_PREV_CLUSTERS_DIR
Setting the CASR_PREV_CLUSTERS_DIR environment variable is equivalent to
passing --join <path>. It is convenient in CI environments where you want to
point at the previous run’s output without modifying the command line:
AFL++ Example (Ubuntu 20.04+)
Copy the test binaries and run casr-afl against the AFL++ output directory:
.casrep; reports
generated by casr-gdb for uninstrumented builds are saved as .gdb.casrep.
Adding GDB Reports for Uninstrumented Binaries
To additionally generate GDB crash reports for a non-instrumented build of the same target (useful for severity estimation without sanitizers), pass the uninstrumented binary after --:
casr-afl will produce a .gdb.casrep file alongside the primary .casrep
report for each unique ASAN crash. The @@ placeholder is replaced with the
path to each crash seed at runtime.
Sharpfuzz Example
Triaging C# crashes requires building the target first. casr-afl reads the
cmdline file inside the AFL directory to determine how to invoke the target:
cmdline file (for example when the
project needs --no-build to avoid rebuilding on every replay), use
--ignore-cmdline:
cmdline files), you
must always supply the run arguments explicitly:
Rust Target Note
Set
RUST_BACKTRACE=1 (or RUST_BACKTRACE=full) when triaging crashes from
Rust fuzz targets. When this environment variable is present, casr-san uses
the Rust backtrace instead of the ASAN stack trace for analysis and
deduplication.