casr-libfuzzer provides a single-command crash triage pipeline for libFuzzer-based fuzzers (C/C++, go-fuzz, Atheris, Jazzer, Jazzer.js, jsfuzz, luzer) and LibAFL-based fuzzers. It reads a directory of crash seeds, automatically selects the right CASR reporter for the target language, generates crash reports in parallel, deduplicates them, and clusters the unique findings. The workflow is the same as casr-afl but targeted at libFuzzer's flat crash-file layout.
Usage
Options Reference
Logging verbosity. Use debug for detailed per-crash output. Possible values: info, debug.
Number of parallel jobs used when generating CASR reports. Defaults to half the number of available CPU cores. Must be ≥ 1.
Per-crash execution timeout in seconds. 0 disables the timeout. Useful for targets that may hang on certain inputs.
Directory containing crash files produced by libFuzzer or LibAFL. libFuzzer names its crash files crash-<hash> and leak files leak-<hash>. LibAFL directories are detected automatically by the presence of a .metadata file. Defaults to the current working directory.
Destination directory for triaged reports. After a successful run it contains cluster sub-directories (cl1/, cl2/, …).
Path to a cluster directory produced by a previous casr-libfuzzer run. Only crashes that are new relative to that previous run are triaged and merged into the existing clusters. Can also be set via the CASR_PREV_CLUSTERS_DIR environment variable.
Delete the output directory before starting if it already exists.
Skip the clustering step. Produces only deduplicated reports in the output directory without cluster sub-directories.
Command line for a non-instrumented build of the same fuzz target. When provided, casr-gdb is invoked on every unique crash in addition to the primary reporter, producing supplementary .gdb.casrep files for severity estimation without sanitizers. The value should be a quoted string with the target path and arguments, e.g. './load_sydr @@'.
Only compatible with casr-san and casr-gdb targets (not usable for Python, Java, JS, or Lua targets).
Override automatic reporter detection. Possible values:
auto: detect from the binary's symbols and the command line (default)
gdb: always use casr-gdb
san: always use casr-san
java: always use casr-java
js: always use casr-js
python: always use casr-python
libFuzzer (C/C++) Example
-t 30 sets a 30-second per-crash timeout, which is recommended for
libFuzzer targets that could hang.
Atheris (Python) Example
Atheris crash files are plain files in a directory. Unzip any required dependencies first, then point casr-libfuzzer at the crash directory and the Python fuzzer script:
casr-libfuzzer detects the .py extension and automatically uses
casr-python as the reporter.
Jazzer.js (JavaScript) Example
Install xml2js and the Jazzer.js core package, then triage:
The npx jazzer invocation pattern is recognized automatically and casr-js is used as the reporter.
Luzer (Lua) Example
Build the Lua target library and the luzer harness, then triage:
The .lua extension triggers automatic selection of casr-lua.
LibAFL Example
LibAFL crash directories contain a .metadata file which casr-libfuzzer uses to auto-detect the LibAFL layout. Pass @@ in the arguments if your target reads the crash file from the command line:
Adding GDB Reports for Uninstrumented Binaries
To generate supplementary GDB-based reports alongside the primary ASAN reports (for severity estimation without sanitizers), pass --casr-gdb-args with the uninstrumented target path:
.casrep (from casr-san) and a
.gdb.casrep (from casr-gdb via the uninstrumented binary).
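A post-run check for the GDB workflow above, as an added example that is not part of CASR or its documentation: it walks the output directory's cluster sub-directories (or the flat directory when clustering was skipped) and counts primary reports that have no .gdb.casrep beside them. The report naming (`<seed>.casrep` with companion `<seed>.gdb.casrep`), the function names and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not CASR code. Assumed naming: <seed>.casrep for the
# primary report and <seed>.gdb.casrep for its casr-gdb companion.

# audit_group DIR LABEL: print "LABEL primary=N gdb=M missing=K" for one directory.
audit_group() {
    dir=$1; label=$2; primary=0; gdb=0; missing=0
    for rep in "$dir"/*.casrep; do
        [ -f "$rep" ] || continue              # glob matched nothing
        case $rep in
            *.gdb.casrep) gdb=$((gdb + 1)); continue ;;
        esac
        primary=$((primary + 1))
        # A primary report with no GDB companion is counted as missing.
        [ -f "${rep%.casrep}.gdb.casrep" ] || missing=$((missing + 1))
    done
    echo "$label primary=$primary gdb=$gdb missing=$missing"
}

# audit_output OUT: one line per cluster directory (cl1/, cl2/, ...). When the
# run skipped clustering, reports sit in OUT itself and are audited as "flat".
audit_output() {
    out=$1; found=0
    for cl in "$out"/cl*/; do
        [ -d "$cl" ] || continue
        found=1
        audit_group "${cl%/}" "$(basename "$cl")"
    done
    [ "$found" -eq 1 ] || audit_group "$out" flat
}

# Constructed sample tree standing in for a real output directory.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/cl1" "$root/cl2"
    : > "$root/cl1/crash-aaaa.casrep"
    : > "$root/cl1/crash-aaaa.gdb.casrep"
    : > "$root/cl1/crash-bbbb.casrep"          # no GDB companion
    : > "$root/cl2/crash-cccc.casrep"
    : > "$root/cl2/crash-cccc.gdb.casrep"
    echo "$root"
}

sample=$(make_sample)
audit_output "$sample"
rm -rf "$sample"
```

A non-zero `missing` count marks unique crashes for which only the sanitizer-based report is available, so their severity has not been estimated against the uninstrumented build.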
Rust Target Note
Set RUST_BACKTRACE=1 (or RUST_BACKTRACE=full) when triaging crashes from Rust fuzz targets. When this variable is present, casr-san uses the Rust backtrace instead of the ASAN stack trace for analysis and deduplication.