casr-ubsan runs a UBSAN-instrumented binary against every file in one or more input
directories, collects all UndefinedBehaviorSanitizer warnings, deduplicates them by
crash line (source file and line number), and generates a structured .casrep report
for each unique warning in parallel. Results are written to an output directory.
Unlike casr-san and casr-gdb, which operate on a single crash at a time,
casr-ubsan is a batch triage tool: it accepts entire fuzzer corpus directories as
input and produces a deduplicated set of reports in one pass.
Synopsis
Options
Controls the verbosity of log output. Use debug for verbose per-input diagnostics.
Possible values: info, debug
Number of parallel worker threads used when extracting and generating reports. Defaults
to half of the available CPU cores.
Per-input execution timeout in seconds. A value of 0 disables the timeout.
One or more directories containing input files (crash seeds, corpus entries, etc.).
casr-ubsan runs the target against every regular file found by recursively walking
each directory. This flag accepts directories, not individual files.
Output directory where deduplicated .casrep reports and their corresponding input
files will be saved. The directory is created if it does not exist. If it already
exists and is non-empty, casr-ubsan will exit with an error unless --force-remove
is specified.
Forcibly remove the output directory and recreate it before writing reports. Use with
care — all previous contents of the output directory will be deleted.
One or more shared library paths to inject into the target process via LD_PRELOAD,
without affecting the casr-ubsan process itself. Space ( ) and colon (:) are
both valid delimiters. Can also be set via the CASR_PRELOAD environment variable.
Deduplication
UBSAN deduplication is based on crash line comparison (source file and line number), not on stack trace hashing. The rationale is that many distinct inputs may trigger the same undefined-behaviour site; deduplication removes those duplicates first, then generates one report per unique site. Column numbers are stripped when comparing crash lines, so errors at the same line but different columns are treated as the same crash.
Examples
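The crash-line deduplication described under Deduplication can be illustrated with a short Python sketch. This is an added example, not casr-ubsan's own code; the function names, the regular expression, and the sample stderr text are assumptions constructed for illustration.

```python
import re

# UBSAN diagnostic header, e.g.
#   src/parse.c:42:17: runtime error: signed integer overflow: ...
# Stack frames and the SUMMARY line lack "runtime error:" and are skipped.
WARNING_RE = re.compile(
    r"^(?P<file>.+?):(?P<line>\d+):(?P<col>\d+): runtime error: (?P<msg>.*)$",
    re.MULTILINE,
)


def crash_line(match):
    """Dedup key: source file and line number; the column is dropped."""
    return (match["file"], int(match["line"]))


def dedup_by_crash_line(runs):
    """Return {crash_line: (first_input, message)} for (input, stderr) pairs."""
    unique = {}
    for input_path, stderr in runs:
        for m in WARNING_RE.finditer(stderr):
            # Keep only the first input that reached each site.
            unique.setdefault(crash_line(m), (input_path, m["msg"]))
    return unique


# Constructed sample: stderr from three runs of a hypothetical target.
SAMPLE_RUNS = [
    ("corpus/id_000",
     "src/parse.c:42:17: runtime error: signed integer overflow: "
     "2147483647 + 1 cannot be represented in type 'int'\n"
     "    #0 0x4011a2 in parse src/parse.c:42:17\n"),
    ("corpus/id_001",
     "src/parse.c:42:9: runtime error: shift exponent 40 is too large "
     "for 32-bit type 'int'\n"
     "src/util.c:7:3: runtime error: index 8 out of bounds for type 'int [8]'\n"),
    ("corpus/id_002",
     "src/parse.c:43:17: runtime error: signed integer overflow: "
     "2147483647 + 1 cannot be represented in type 'int'\n"),
]

if __name__ == "__main__":
    for (path, line), (inp, msg) in sorted(dedup_by_crash_line(SAMPLE_RUNS).items()):
        print(f"{path}:{line}  first seen with {inp}: {msg}")
```

The two warnings at src/parse.c line 42 collapse into one entry even though their columns and error types differ, while line 43 stays separate.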
Compile with UBSAN and triage a corpus
Compile the target with UBSAN
Build your binary with undefined behaviour sanitizer and debug symbols:
Run casr-ubsan against an input directory
Pass the input directory with -i and specify an output directory with -o. Use
@@ as a placeholder for the input file path in the argument list:
Multiple input directories
Pass several input directories in a single invocation:
Read input from stdin
Omit @@ to have casr-ubsan pass each input file on stdin:
Limit parallelism and set a timeout
Overwrite an existing output directory
Notes
Input must be directories
Unlike casr-san and casr-gdb, casr-ubsan does
not accept individual files with -i. The argument must be a directory path. Each
regular file inside the directory tree is used as one input to the target binary.
UBSAN options are set automatically
casr-ubsan sets
UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1,symbolize=1 before running the
target. If UBSAN_OPTIONS is already set in the environment, casr-ubsan merges
these required values rather than replacing your settings.