This document explains how to run AFL++ with fuzz drivers generated by PromptFuzz.
It covers:
- environment and preconditions
- end-to-end workflow
- coverage and crash triage
- common pitfalls
PromptFuzz mainly targets libFuzzer, but this repository also provides AFL++ support through:
- AFL-instrumented library artifacts generated by each library's `build.sh`
- fuzz drivers generated by the normal PromptFuzz workflow under `output/<project>/exploit_fuzzers/`
- a helper script, `experiments/afl_script.py`, that compiles the generated harnesses and analyzes AFL runs
The AFL workflow is:
- Build the target library artifacts (including the `_afl.a` static library).
- Generate PromptFuzz exploit fuzzers (run the normal workflow through the `cargo run --bin harness -- <project> fuse-fuzzer` command).
- Compile an AFL executable from the generated `.cc` files.
- Run AFL++ and collect queues/crashes.
- Reuse the AFL queue to compute coverage and sanitize crashes with the PromptFuzz tools.
The examples below use libaom. Replace with your target project name.
The library build scripts support additional AFL++ instrumentation; this step generates AFL variants of the libraries, such as `*_afl.a`:

```bash
cd libraries/libaom
bash build.sh
```

Check the build artifacts afterwards. Expected outputs include:
- the AFL static library under `output/build/libaom/lib/`, with the suffix `_afl.a`
From the repo root:

```bash
cd /root/promptfuzz
cargo run --bin fuzzer -- libaom
```

Then fuse and compile the generated programs into exploit fuzzers:

```bash
cargo run --bin harness -- libaom fuse-fuzzer
```

This should create directories like `output/libaom/exploit_fuzzers/Fuzzer_000/`.
Use the helper script:

```bash
python3 experiments/afl_script.py libaom --compile
```

The script compiles all `.cc` files in `output/libaom/exploit_fuzzers/Fuzzer_000/` and produces `output/libaom/exploit_fuzzers/Fuzzer_000/afl_fuzzer`.
Run from the fuzzer directory:

```bash
cd output/libaom/exploit_fuzzers/Fuzzer_000
afl-fuzz -i corpus -o output -V 86400 -t 10000 -- ./afl_fuzzer
```

Here `-V 86400` stops the campaign after 24 hours and `-t 10000` sets a 10 s per-execution timeout (every hang then costs up to 10 s, so lower it for a fast harness). Note that `-o output` is the AFL output directory inside `Fuzzer_000/`, not the repository's top-level `output/`. For network-facing targets, run under bwrap isolation (as suggested by the script); `--unshare-net` keeps the harness from reaching the network:

```bash
bwrap --bind / / --dev /dev --proc /proc --unshare-net --tmpfs /tmp -- \
  afl-fuzz -i corpus -o output -V 86400 -t 10000 -- ./afl_fuzzer
```
After AFL finishes, run:

```bash
python3 experiments/afl_script.py libaom --analyze
```

This does two things:
- copies the AFL queue files into `minimized_corpus` (for coverage replay)
- copies the AFL crashes into `work/` as `crash-*` files
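Before running `--analyze`, it is worth checking that the AFL output directory actually contains a usable run. The script below is an added example for this page, not part of PromptFuzz or AFL++: it reads `fuzzer_stats`, counts the `id:*` test cases in `queue/` and `crashes/` (skipping the `README.txt` that afl-fuzz writes into `crashes/`), and refuses runs where the harness never executed. It assumes the AFL++ 4.x layout of the `-o` directory (`<out>/default/...`); the demo tree and its numbers at the bottom are constructed, not from a real campaign.

```shell
#!/bin/sh
# Sanity-check an AFL++ output directory before handing it to
# `afl_script.py --analyze`. Added example for this page; not part of
# PromptFuzz or AFL++. Assumes the AFL++ 4.x layout of the `-o` directory:
#   <out>/default/fuzzer_stats, <out>/default/queue/id:*, <out>/default/crashes/id:*

# Read one key from fuzzer_stats, whose lines look like "key<spaces>: value".
afl_stat() {  # afl_stat <fuzzer_stats> <key>
    sed -n "s/^$2 *: *//p" "$1" | head -n 1
}

# Count AFL test cases (id:* files) in a queue/ or crashes/ directory.
# afl-fuzz also writes crashes/README.txt and queue/.state/, so a plain
# `ls | wc -l` over-counts; only regular id:* files are test cases.
afl_count_cases() {  # afl_count_cases <dir>
    if [ -d "$1" ]; then
        find "$1" -maxdepth 1 -type f -name 'id:*' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Print a short summary of <out>/<instance>; return 1 when the run is
# unusable (no stats file, or the target was never executed).
afl_run_summary() {  # afl_run_summary <afl -o dir> [instance, default "default"]
    out=$1; inst=${2:-default}
    stats="$out/$inst/fuzzer_stats"
    if [ ! -f "$stats" ]; then
        echo "ERROR: $stats missing: afl-fuzz did not start, or -o pointed elsewhere" >&2
        return 1
    fi
    execs=$(afl_stat "$stats" execs_done)
    if [ "${execs:-0}" -eq 0 ]; then
        echo "ERROR: execs_done is 0: the harness never ran" >&2
        return 1
    fi
    queue=$(afl_count_cases "$out/$inst/queue")
    crashes=$(afl_count_cases "$out/$inst/crashes")
    hangs=$(afl_count_cases "$out/$inst/hangs")
    stability=$(afl_stat "$stats" stability)
    echo "execs_done  : $execs ($(afl_stat "$stats" execs_per_sec)/s, $(afl_stat "$stats" cycles_done) cycles)"
    echo "bitmap_cvg  : $(afl_stat "$stats" bitmap_cvg)"
    echo "stability   : $stability"
    echo "queue       : $queue id:* files (what --analyze copies to minimized_corpus)"
    echo "crashes     : $crashes id:* files (what --analyze copies to work/ as crash-*)"
    echo "hangs       : $hangs id:* files"
    # Low stability means the harness is non-deterministic (uninitialised
    # memory, state carried across LLVMFuzzerTestOneInput calls); expect
    # coverage replay and crash reproduction to be flaky.
    stab=${stability%\%}; stab_int=${stab%%.*}
    if [ -n "$stab_int" ] && [ "$stab_int" -lt 90 ]; then
        echo "WARN: stability below 90%; reproduction may be unreliable" >&2
    fi
    # saved_crashes in fuzzer_stats should equal the id:* files on disk.
    saved=$(afl_stat "$stats" saved_crashes)
    if [ "${saved:-0}" -ne "$crashes" ]; then
        echo "WARN: fuzzer_stats reports $saved crashes but $crashes id:* files exist" >&2
    fi
    return 0
}

# Build a small constructed AFL++ output tree so this runs offline.
# The file names and numbers below are made up, not from a real campaign.
afl_make_demo_out() {  # afl_make_demo_out <afl -o dir>
    d="$1/default"
    mkdir -p "$d/queue/.state" "$d/crashes" "$d/hangs"
    printf 'seed0' > "$d/queue/id:000000,time:0,execs:0,orig:seed0"
    printf 'seed1' > "$d/queue/id:000001,time:0,execs:0,orig:seed1"
    printf 'mutant' > "$d/queue/id:000002,src:000000,time:120,execs:4100,op:havoc,rep:3"
    printf 'crash' > "$d/crashes/id:000000,sig:11,src:000002,time:900,execs:30800,op:havoc,rep:4"
    printf 'crash' > "$d/crashes/id:000001,sig:06,src:000001,time:2400,execs:82300,op:flip1,pos:12"
    printf 'Command line used to find this crash:\n' > "$d/crashes/README.txt"
    printf '%s\n' \
        'start_time        : 1700000000' \
        'last_update       : 1700003600' \
        'run_time          : 3600' \
        'cycles_done       : 3' \
        'execs_done        : 123456' \
        'execs_per_sec     : 34.29' \
        'corpus_count      : 3' \
        'stability         : 97.50%' \
        'bitmap_cvg        : 4.12%' \
        'saved_crashes     : 2' \
        'saved_hangs       : 0' \
        'afl_banner        : afl_fuzzer' \
        'command_line      : afl-fuzz -i corpus -o output -V 86400 -t 10000 -- ./afl_fuzzer' \
        > "$d/fuzzer_stats"
}

# Demo on the constructed tree. On a real run call, from the repo root:
#   afl_run_summary output/libaom/exploit_fuzzers/Fuzzer_000/output
demo=$(mktemp -d)
afl_make_demo_out "$demo/output"
afl_run_summary "$demo/output"
rm -rf "$demo"
```

A stability warning here is the signal to look at the harness before trusting `coverage collect` or `sanitize-crash` results, since a non-deterministic driver will replay the same queue file to different edges and may fail to reproduce its own crashes.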
Then use the PromptFuzz commands:

```bash
cargo run --bin harness -- libaom coverage collect
cargo run --bin harness -- libaom coverage report
cargo run --bin harness -- libaom sanitize-crash
```

Common pitfalls:

Cause: the target library was not built with AFL artifacts.
Fix:
- rerun the corresponding `libraries/<project>/build.sh`
- verify that `output/build/<project>/lib/*_afl.a` exists
- let the LLM fix the corresponding issues in the build scripts

Cause: the exploit fuzzers have not been generated/fused yet.
Fix:
- run `cargo run --bin fuzzer -- <project>`
- run `cargo run --bin harness -- <project> fuse-fuzzer`

Cause: `corpus/` is empty or missing.
Fix:
- check the corpus generated by the library build script
- seed `corpus/` with a few valid files before the AFL run

Cause: `experiments/afl_script.py` uses the hard-coded root `/root/promptfuzz`.
Fix:
- run in the container path `/root/promptfuzz`, or
- update `ROOT_DIR` in `experiments/afl_script.py`
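The four causes above can all be checked before afl-fuzz is started. The script below is an added example for this page, not part of PromptFuzz: it tests for the `*_afl.a` library, the fused `.cc` sources, a non-empty seed directory, and a `ROOT_DIR` that matches the checkout, and it reports how many preconditions fail. It assumes the paths used on this page (`output/build/<project>/lib/*_afl.a`, `output/<project>/exploit_fuzzers/<fuzzer>/`), that the seed directory is `corpus/` inside the fuzzer directory, and that `afl_script.py` assigns `ROOT_DIR` with a quoted string; the demo tree it builds is constructed, not a real checkout. The `core_pattern` check is independent of the repository layout and is kept separate.

```shell
#!/bin/sh
# Pre-flight check for the AFL workflow on this page. Added example; not part
# of PromptFuzz. Assumed layout (from the page):
#   <root>/output/build/<project>/lib/*_afl.a
#   <root>/output/<project>/exploit_fuzzers/<fuzzer>/*.cc
#   <root>/output/<project>/exploit_fuzzers/<fuzzer>/corpus/   (seed dir, assumed)
# and an assignment like ROOT_DIR = "/root/promptfuzz" in experiments/afl_script.py
# (the exact assignment syntax is an assumption).

fail() { echo "FAIL: $*" >&2; }

# 0 when the AFL-instrumented static library exists (build.sh ran).
afl_check_lib() {  # afl_check_lib <root> <project>
    for f in "$1/output/build/$2/lib/"*_afl.a; do
        [ -f "$f" ] && return 0
    done
    fail "no *_afl.a under $1/output/build/$2/lib/; rerun libraries/$2/build.sh"
    return 1
}

# 0 when a fused exploit fuzzer with .cc sources exists.
afl_check_fuzzer_src() {  # afl_check_fuzzer_src <root> <project> <fuzzer>
    dir="$1/output/$2/exploit_fuzzers/$3"
    for f in "$dir"/*.cc; do
        [ -f "$f" ] && return 0
    done
    fail "no .cc files in $dir; run 'cargo run --bin fuzzer -- $2' then 'cargo run --bin harness -- $2 fuse-fuzzer'"
    return 1
}

# 0 when the seed directory holds at least one regular file.
afl_check_corpus() {  # afl_check_corpus <corpus dir>
    for f in "$1"/*; do
        [ -f "$f" ] && return 0
    done
    fail "$1 is empty or missing; seed it with a few valid inputs before afl-fuzz"
    return 1
}

# 0 when ROOT_DIR in afl_script.py equals the directory we are running from.
afl_check_root_dir() {  # afl_check_root_dir <root>
    script="$1/experiments/afl_script.py"
    [ -f "$script" ] || { fail "$script not found"; return 1; }
    want=$(sed -n "s/^ROOT_DIR *=[^\"']*[\"']\([^\"']*\)[\"'].*/\1/p" "$script" | head -n 1)
    if [ "$want" != "$1" ]; then
        fail "ROOT_DIR in $script is '$want' but the checkout is at '$1'; update ROOT_DIR"
        return 1
    fi
    return 0
}

# afl-fuzz refuses to start when core dumps are piped to a handler
# (core_pattern starting with '|') unless AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES
# is set. Independent of the repo, so not counted by afl_preflight.
afl_check_core_pattern() {
    cp=/proc/sys/kernel/core_pattern
    [ -r "$cp" ] || return 0   # no procfs (not Linux): nothing to check
    case "$(cat "$cp")" in
        '|'*) fail "core_pattern pipes core dumps to a program; run: echo core | sudo tee $cp"; return 1 ;;
    esac
    return 0
}

# Run every repo-layout check; the return value is the number of failures.
afl_preflight() {  # afl_preflight <root> <project> [fuzzer, default Fuzzer_000]
    root=$(cd "$1" 2>/dev/null && pwd) || { fail "$1 is not a directory"; return 1; }
    project=$2; fuzzer=${3:-Fuzzer_000}
    n=0
    afl_check_lib "$root" "$project" || n=$((n + 1))
    afl_check_fuzzer_src "$root" "$project" "$fuzzer" || n=$((n + 1))
    afl_check_corpus "$root/output/$project/exploit_fuzzers/$fuzzer/corpus" || n=$((n + 1))
    afl_check_root_dir "$root" || n=$((n + 1))
    [ "$n" -eq 0 ] && echo "preflight OK: $root $project/$fuzzer"
    return "$n"
}

# Constructed checkout with every precondition satisfied (demo input only).
afl_make_demo_tree() {  # afl_make_demo_tree <root> <project>
    fz="$1/output/$2/exploit_fuzzers/Fuzzer_000"
    mkdir -p "$1/output/build/$2/lib" "$fz/corpus" "$1/experiments"
    : > "$1/output/build/$2/lib/lib${2}_afl.a"
    printf '// placeholder harness\n' > "$fz/fuzzer.cc"
    printf 'seed' > "$fz/corpus/seed0"
    printf 'ROOT_DIR = "%s"\n' "$1" > "$1/experiments/afl_script.py"
}

# Demo: a good tree passes; deleting the AFL library makes one check fail.
# On a real checkout call: afl_preflight /root/promptfuzz libaom
demo=$(mktemp -d)
afl_make_demo_tree "$demo" libaom
afl_preflight "$demo" libaom
rm -f "$demo"/output/build/libaom/lib/*_afl.a
afl_preflight "$demo" libaom || echo "preflight reported $? problem(s)"
afl_check_core_pattern || true
rm -rf "$demo"
```

Run it from the repository root before starting afl-fuzz; a non-zero return value is the number of preconditions that still need fixing, and each `FAIL:` line names the corresponding fix from the list above.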
The full sequence, end to end:

```bash
# 1) Build library artifacts
cd /root/promptfuzz/libraries/libaom && bash build.sh
# 2) Generate and fuse PromptFuzz drivers
cd /root/promptfuzz
cargo run --bin fuzzer -- libaom
cargo run --bin harness -- libaom fuse-fuzzer
# 3) Compile AFL binary
python3 experiments/afl_script.py libaom --compile
# 4) Run AFL
cd output/libaom/exploit_fuzzers/Fuzzer_000
afl-fuzz -i corpus -o output -V 86400 -t 10000 -- ./afl_fuzzer
# 5) Analyze and report (from the repo root)
cd /root/promptfuzz
python3 experiments/afl_script.py libaom --analyze
cargo run --bin harness -- libaom coverage collect
cargo run --bin harness -- libaom coverage report
cargo run --bin harness -- libaom sanitize-crash
```