casr-js analyzes JavaScript crash output from Node.js — unhandled exceptions and V8 stack traces — and produces structured .casrep reports. It integrates with both Jazzer.js, the Node.js coverage-guided fuzzer from Code Intelligence, and jsfuzz, making it the standard report generator for JavaScript fuzzing pipelines in CASR.
The tool detects the error type and message from the first line of stderr (matching patterns like TypeError:, ReferenceError:, Thrown at:, etc.), then extracts the V8 at … stack frames, resolves the crash line to a source file and line number, and embeds the source snippet when available.
When invoked via node or jsfuzz, the executable path recorded in the report is set to the .js script rather than the interpreter itself, giving more meaningful crash fingerprints. For npx jazzer, the fuzzer target script path is used.
Synopsis
The -- separator is required. Everything after it is the command CASR will execute (typically node <script.js>, npx jazzer <target.js>, or jsfuzz <target.js>).
Options
Path to save the .casrep report file. If a directory is provided, the report filename is generated automatically from the crash context.
Print the CASR report as JSON to stdout instead of writing it to a file. Mutually exclusive with --output; exactly one of the two is required.
Path to a file fed to the target program's standard input. Useful when the fuzz target reads corpus bytes from stdin.
Maximum number of seconds to wait for the target process to finish. A value of 0 disables the timeout entirely.
Path to a file containing regular expressions for function names and file paths that should be excluded from stack trace analysis.
A path prefix removed from every file path in the stack trace and crash line. Also settable via CASR_STRIP_PATH.
Shared library paths injected via LD_PRELOAD into the target process only. Space or colon delimited. Also settable via CASR_PRELOAD.
Stack trace parsing
casr-js parses V8-format stack traces. Each at frame is processed to extract:
- Function name (including [as method] aliases and eval at chains)
- Source file (absolute paths only; relative paths and <anonymous> entries are preserved but filtered from crash-line resolution)
- Line and column numbers
Frames with unknown location are skipped. eval frames with nested eval chains are resolved to their originating source location.
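The frame-handling rules above, sketched as an added JavaScript example; this is not casr-js's own code, and the sample stderr and the parseFrame and parseCrash helpers are constructed for illustration. It assumes POSIX-style absolute paths and recognises only *Error: headers on the first line.

```javascript
// Added example: simplified V8 stack-trace parsing, not casr-js's own code.
// Constructed sample stderr (not captured from a real run).
const SAMPLE_STDERR = `TypeError: Cannot read properties of undefined (reading 'length')
    at eval (eval at render (/work/app/template.js:7:3), <anonymous>:1:5)
    at Parser.decode [as parse] (/work/app/parse.js:12:11)
    at helper (unknown location)
    at lib/util.js:3:9
    at <anonymous>
    at Module._compile (node:internal/modules/cjs/loader:1105:14)`;

// Parse one "at ..." line; returns null for non-frames and unknown locations.
function parseFrame(line) {
  const m = /^\s*at (.*)$/.exec(line);
  if (!m) return null;
  let func = null;
  let loc = m[1];
  const open = loc.indexOf(' (');
  if (open !== -1 && loc.endsWith(')')) {
    func = loc.slice(0, open);          // keeps "[as method]" aliases intact
    loc = loc.slice(open + 2, -1);      // text between the outer parentheses
  }
  if (loc === 'unknown location') return null;
  if (loc.startsWith('eval at ')) {
    // Resolve a (possibly nested) eval chain to the innermost real location.
    const inner = /\(([^()]+:\d+:\d+)\)/.exec(loc);
    if (inner) loc = inner[1];
  }
  const p = /^(.*):(\d+):(\d+)$/.exec(loc);
  // Entries without line info (e.g. <anonymous>) are kept, with null numbers.
  if (!p) return { func, file: loc, line: null, column: null };
  return { func, file: p[1], line: Number(p[2]), column: Number(p[3]) };
}

// Extract error type, message, frames and crash line from captured stderr.
function parseCrash(stderr) {
  const lines = stderr.split('\n');
  const head = /^(?:Uncaught )?(\w*Error): (.*)$/.exec(lines[0]) || [];
  const frames = lines.map(parseFrame).filter(Boolean);
  // Crash line: first frame with an absolute path and a line number;
  // relative paths, <anonymous> and node: internals are filtered out here.
  const hit = frames.find(f => f.line !== null && f.file.startsWith('/'));
  return {
    type: head[1] || null,
    message: head[2] || null,
    frames,
    crashLine: hit ? `${hit.file}:${hit.line}:${hit.column}` : null,
  };
}
```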
Examples
Analyze a plain Node.js script that throws an unhandled exception:
Fuzzer integration
casr-js handles single-crash analysis. For bulk triage of Jazzer.js or jsfuzz crash directories, use casr-libfuzzer, which auto-detects JavaScript targets and invokes casr-js for each crash file.
If no JavaScript-style error is found in stderr but sanitizer output is present, casr-js automatically delegates to casr-san. This handles cases where native Node.js addons crash via AddressSanitizer rather than a JS exception.