Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ispras/casr/llms.txt

Use this file to discover all available pages before exploring further.

In this guide you will compile a small C++ program with AddressSanitizer, trigger a crash, capture a structured .casrep report with casr-san, inspect it interactively with casr-cli, and then run casr-cluster to deduplicate and group a collection of reports. By the end you will have a working triage pipeline you can adapt to your own projects.
1

Install CASR

If you have not installed CASR yet, the fastest path is via Cargo:
cargo install casr
For full installation options — prebuilt binaries, Docker, build-from-source — see the Installation guide.
2

Create a test program with AddressSanitizer

Save the following double-free example as test_asan_df.cpp:
#include <iostream>

int main(int argc, char** argv)
{
    int* a = (int*)malloc(sizeof(int));
    free(a);
    free(a);  // double-free — triggers ASAN
    return 0;
}
Compile with AddressSanitizer enabled and debug symbols included:
clang++ -fsanitize=address -O0 -g test_asan_df.cpp -o test_asan_df
The -O0 -g flags disable optimizations and embed debug info so that CASR can include source-level context (file name, line number, surrounding code) inside the report.
3

Generate a crash report

Run casr-san and pass the target binary after the -- separator. CASR intercepts the AddressSanitizer output, enriches it with OS metadata, register values, and disassembly, then writes a .casrep file:
casr-san -o asan.casrep -- ./test_asan_df
On success you will see a confirmation line and the report will be saved to asan.casrep.What’s inside a .casrep file?Reports are plain JSON — you can open them with any text editor or process them programmatically. Here is a representative excerpt:
{
  "Date": "2024-06-01T10:22:05.123456+00:00",
  "OS": "Ubuntu",
  "OSRelease": "22.04",
  "Architecture": "amd64",
  "ExecutablePath": "/home/user/test_asan_df",
  "ProcCmdline": "/home/user/test_asan_df",
  "CrashSeverity": {
    "Type": "NOT_EXPLOITABLE",
    "ShortDescription": "HeapDoubleFree",
    "Description": "Double free on heap",
    "Explanation": "The target attempted to free a heap buffer that was already freed."
  },
  "Stacktrace": [
    "#0 0x... in free /llvm/lib/asan/asan_malloc_linux.cpp:52",
    "#1 0x... in main /home/user/test_asan_df.cpp:7:5",
    "#2 0x... in __libc_start_main"
  ],
  "CrashLine": "/home/user/test_asan_df.cpp:7:5",
  "Source": [
    "      5      int* a = (int*)malloc(sizeof(int));",
    "      6      free(a);",
    "--->  7      free(a);",
    "      8      return 0;"
  ],
  "AsanReport": [
    "==12345==ERROR: AddressSanitizer: attempting double-free on 0x... in thread T0",
    "..."
  ]
}
Key fields at a glance:
FieldDescription
CrashSeverity.TypeExploitability class: EXPLOITABLE, PROBABLY_EXPLOITABLE, NOT_EXPLOITABLE, NOT_CRITICAL
CrashSeverity.ShortDescriptionHuman-readable crash type (e.g. HeapDoubleFree, SourceAv)
StacktraceFull symbolized stack trace
CrashLineSource file and line where the crash occurred
SourceCode snippet around the crash site
AsanReportRaw sanitizer output captured from stderr
4

View the report

casr-cli opens the report in an interactive TUI that lets you navigate the stack trace, review source context, and inspect register values and disassembly — all without leaving the terminal:
casr-cli asan.casrep
You can also point casr-cli at a directory of reports to see joint cluster statistics — total crashes, severity distribution, unique crash types:
casr-cli reports/
Export an entire cluster directory to SARIF format for upload to GitHub Advanced Security, GitLab, or any SARIF-compatible tool:
casr-cli --sarif out.sarif --tool libfuzzer --source-root /myproject clusters/
5

Deduplicate reports

After a fuzzing run you typically have hundreds of crash inputs that trigger the same underlying bug. casr-cluster -d compares stack traces and copies only the unique reports into a new output directory:
casr-cluster -d reports/ dedup/
  • Input: reports/ — directory containing raw .casrep files
  • Output: dedup/ — deduplicated subset, one report per unique crash
Deduplication is based on stack-trace similarity using the gdb-command library. CASR also disables ASLR before analysis so that addresses are stable across runs.
6

Cluster reports

Once duplicates are removed, casr-cluster -c groups the remaining reports by root-cause similarity. Each cluster corresponds to a distinct crash location in the code:
casr-cluster -c dedup/ clusters/
  • Input: dedup/ — deduplicated reports from the previous step
  • Output: clusters/ — subdirectories cl1/, cl2/, … each containing related reports
Browse the clusters interactively:
casr-cli clusters/
Or open a specific cluster:
casr-cli clusters/cl1/

Full Triage Pipeline at a Glance

# 1. Compile target with ASAN
clang++ -fsanitize=address -O0 -g target.cpp -o target_asan

# 2. Generate reports for all crash inputs
mkdir reports
for input in crashes/*; do
  casr-san -o "reports/$(basename "$input").casrep" -- ./target_asan "$input"
done

# 3. Deduplicate
casr-cluster -d reports/ dedup/

# 4. Cluster
casr-cluster -c dedup/ clusters/

# 5. Review
casr-cli clusters/

Next Steps

casr-san

Learn all flags for ASAN, MSAN, and stdin-based crash collection.

casr-cluster

Advanced clustering options including similarity thresholds and UBSAN triage.

casr-afl / casr-libfuzzer

One-command end-to-end triage for AFL++ and libFuzzer campaigns.

Build docs developers (and LLMs) love