CASR’s fuzzing crash triage pipeline transforms a raw pile of fuzzer-generated crashes into an organized, deduplicated, and severity-ranked set of reports. Instead of manually replaying hundreds of crashing inputs, you let CASR generate detailedDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ispras/casr/llms.txt
Use this file to discover all available pages before exploring further.
.casrep files, cluster them by similarity, and surface the unique findings — ready for inspection or upload to a vulnerability tracker.
Manual Triage Pipeline
When working with raw crash directories produced by any fuzzer, you can follow these five steps to triage crashes end-to-end:Create crash reports
Run the appropriate CASR reporter on each crashing input. Choose the tool that matches your target’s language and instrumentation:
casr-san— sanitizer-instrumented binaries (ASAN, MSAN)casr-gdb— uninstrumented compiled binaries (via GDB)casr-python— Python targets (including Atheris)casr-java— Java targets (including Jazzer)casr-js— JavaScript targets (Jazzer.js, jsfuzz)casr-csharp— C# targets (Sharpfuzz)
.casrep JSON file containing severity, stack trace, registers, disassembly, and source context.Deduplicate reports
Remove exact-duplicate reports before clustering to keep the dataset clean:Deduplication compares filtered stack traces, so two reports for the same root cause are collapsed into one.
Cluster deduplicated reports
Group the remaining reports by crash similarity. Closely related crashes end up in the same cluster so that each cluster represents a distinct bug:The output directory contains sub-directories
cl1/, cl2/, … each holding one cluster’s .casrep files.Handle UBSAN errors
UndefinedBehaviorSanitizer findings require a separate step.
casr-ubsan replays each input against the UBSAN-instrumented binary, generates reports, and deduplicates them by crash line:Review or upload findings
Inspect clustered reports interactively with the TUI:Or upload new and unique findings directly to DefectDojo for centralized vulnerability management:
Automated Pipelines
For the two most common fuzzing ecosystems, CASR provides single-command pipeline tools that run steps 1–3 automatically:casr-afl
Triage crashes from AFL++ and Sharpfuzz (C#) campaigns. Reads AFL’s
multi-worker output directories, picks the right reporter per target type,
deduplicates, and clusters — all in one command.
casr-libfuzzer
Triage crashes from libFuzzer, LibAFL, Atheris, Jazzer, Jazzer.js,
jsfuzz, luzer, and go-fuzz campaigns. Supports GDB supplementary reports
for uninstrumented builds.
casr-ubsan and casr-dojo are not included in the automated pipeline and
must always be run manually as separate steps after casr-afl or
casr-libfuzzer completes.Supported Fuzzers
Continuous Fuzzing and Report Accumulation
In long-running or CI-based fuzzing campaigns, new crashes accumulate over time. CASR supports incremental triage so that re-running the pipeline only processes genuinely new findings and merges them into the existing cluster set. Pass the path to the previously triaged cluster directory with--join (or set the CASR_PREV_CLUSTERS_DIR environment variable):
--join is provided, CASR computes the difference between the new crash set and the previous cluster set, clusters only the new unique reports, and then merges them with the existing clusters. This avoids re-triaging crashes you have already reviewed.
The same flag is available on casr-libfuzzer:
Rust Target Note
When triaging crashes from Rust fuzz targets, set
RUST_BACKTRACE=1 (or RUST_BACKTRACE=full) before running casr-afl or
casr-libfuzzer. When this variable is present, casr-san uses the Rust
backtrace instead of the ASAN stack trace for analysis and deduplication.