docs: document backend-specific engine usage

Explain how to select LibAFL or libFuzzer and call out the places where their supported options still differ.

Author: oetr

README.md

@@ -17,8 +17,9 @@
 
 Jazzer.js is a coverage-guided, in-process fuzzer for the
 [Node.js](https://nodejs.org) platform developed by
-[Code Intelligence](https://www.code-intelligence.com). It is based on
-[libFuzzer](https://llvm.org/docs/LibFuzzer.html) and brings many of its
+[Code Intelligence](https://www.code-intelligence.com). It supports
+[libFuzzer](https://llvm.org/docs/LibFuzzer.html) and
+[LibAFL](https://github.com/AFLplusplus/LibAFL) backends and brings
 instrumentation-powered mutation features to the JavaScript ecosystem.
 
 ## Quickstart
@@ -47,6 +48,9 @@ To use Jazzer.js in your own project follow these few simple steps:
    npx jazzer FuzzTarget
    ```
 
+   CLI fuzzing uses the LibAFL backend by default. To run with libFuzzer
+   instead, add `--engine=libfuzzer`.
+
 4. Enjoy fuzzing!
 
 ## Usage

docs/fuzz-settings.md

@@ -589,13 +589,53 @@ JAZZER_FUZZ_ENTRY_POINT=buzz npx jazzer my-fuzz-file
 _Note:_ In Jest mode, this option cannot be set via environment variable.
 Instead use the native Jest flag `--testNamePattern` as described above.
 
+### `engine` : [string]
+
+Default: `"libafl"` in CLI mode, `"libfuzzer"` in Jest mode
+
+Select the native fuzzing backend.
+
+- `libfuzzer`: use the existing libFuzzer backend.
+- `afl` (alias for `libafl`): use the LibAFL backend.
+
+**CLI:** Select the backend with `--engine`, for example:
+
+```bash
+npx jazzer my-fuzz-file --engine=afl
+```
+
+**Jest:** Set it in `.jazzerjsrc.json`:
+
+```json
+{
+	"engine": "afl"
+}
+```
+
+LibAFL supports both `fuzzing` and `regression` mode.
+
 ### `fuzzerOptions` : [array\<string\>]
 
 Default: []
 
-Pass options to native fuzzing engine (Jazzer.js uses libFuzzer).
+Pass options to the selected native fuzzing engine.
+
+For `engine=libfuzzer`, Jazzer.js supports the full libFuzzer-style argument
+list.
+
+For `engine=afl`/`engine=libafl`, Jazzer.js currently supports these options:
+
+- `-runs=<N>`
+- `-seed=<N>`
+- `-max_len=<N>`
+- `-max_total_time=<seconds>`
+- `-artifact_prefix=<path-prefix>`
+- `-dict=<path>`
+- non-flag entries interpreted as corpus directories
+
+Unsupported engine-specific flags are rejected with an explicit error.
 
-For a list of available options, see the
+For the `libfuzzer` backend, see the
 [libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#options). To get
 a quick overview of all available options, call Jazzer.js with the libFuzzer
 argument `-help`. Here is an example for the CLI mode:

packages/fuzzer/README.md

@@ -1,16 +1,17 @@
 # @jazzer.js/fuzzer
 
-This module provides a native Node.js addon which loads libfuzzer into Node.js.
-Users can install it with `npm install`, which tries to download a prebuilt
-shared object from GitHub but falls back to compilation on the user's machine if
-there is no suitable binary.
-
-Loading the addon initializes libFuzzer and the sanitizer runtime. Users can
-then start the fuzzer with the exported `startFuzzing` or `startFuzzingAsync`
-functions; see [the test](fuzzer.test.ts) for an example. In sync mode
-(`--sync`), the fuzzer runs on the main thread and blocks the event loop. In the
-default async mode, libFuzzer runs on a separate native thread and communicates
-with the JS event loop via a thread-safe function.
+This module provides a native Node.js addon that hosts Jazzer.js fuzzing
+backends inside Node.js. Users can install it with `npm install`, which tries to
+download a prebuilt shared object from GitHub but falls back to compilation on
+the user's machine if there is no suitable binary.
+
+Loading the addon initializes the sanitizer runtime and fuzzing hooks. Users can
+start the libFuzzer backend with `startFuzzing` or `startFuzzingAsync`, and the
+LibAFL backend with `startLibAfl` or `startLibAflAsync`; see
+[the tests](fuzzer.test.ts) for examples. In sync mode (`--sync`), the fuzzer
+runs on the main thread and blocks the event loop. In the default async mode,
+the native backend runs on a separate thread and communicates with the JS event
+loop via a thread-safe function.
 
 ## Development