/path/to/Bulbasaur/target/release/fuzzer \
-i /path/to/seeds \
-o /path/to/output \
-j 4 \
-b 0 \
-M 0 \
-f targets/<program>_full \
-t targets/<program>_trace \
-x dict/<program>.dict \
-- targets/<program>_fast @@
| Parameter |
Description |
-i |
Initial seed corpus directory |
-o |
Output directory |
-j |
Number of parallel threads |
-b |
CPU core to bind to (optional) |
-M |
Sync mode (0 = primary node) (optional, used for multi-instance coordination) |
-f |
Path to the full-instrumented target binary |
-t |
Path to the trace-instrumented target binary |
-x |
Dictionary file; can be specified multiple times (optional) |
-- |
Separator; everything after is the fast target and its arguments; @@ is the input file placeholder |
source /path/to/Bulbasaur/llm_scripts/.venv/bin/activate
export OPENAI_API_KEY="your-api-key"
export OPENAI_BASE_URL="https://api.openai.com/v1"
export OPENAI_MODEL="gpt-4o"
python3 /path/to/Bulbasaur/llm_scripts/bulbasaur_llm_bridge.py \
--fuzzer target/release/fuzzer \
--fast-target targets/<program>_fast \
--full-target targets/<program>_full \
--trace-target targets/<program>_trace \
--debug-target targets/<program>_debug \
--corpus seeds/ \
--output-dir output/ \
--branch-mapping targets/branch_loc.csv \
--source-base-path /path/to/target/src \
--function-loc targets/function_loc.csv \
--callgraph targets/callgraph_final.dot \
--dict dict/<program>.dict \
--jobs 4 --cpu-id 0 \
--exec-args @@
The bridge script automatically starts the fuzzer, establishes a TCP socket, and handles all LLM mutation requests end-to-end. See llm_scripts/README.md for details.
| Parameter |
Description |
--fuzzer |
Path to the fuzzer executable |
--fast-target |
Path to the fast-instrumented target binary |
--full-target |
Path to the full-instrumented target binary |
--trace-target |
Path to the trace-instrumented target binary |
--debug-target |
Path to the debug-instrumented target binary (contains branch location info) |
--corpus |
Initial seed corpus directory |
--output-dir |
Output directory |
--branch-mapping |
Branch → source location mapping file (branch_loc.csv) |
--source-base-path |
Root directory of the target program's source code |
--function-loc |
Function → source location mapping file (optional, used for callgraph queries) |
--callgraph |
Callgraph file (callgraph_final.dot) (optional, used for caller/callee queries) |
--dict |
Dictionary file (optional) |
--jobs |
Number of parallel threads (optional, default 1) |
--cpu-id |
CPU core to bind to (optional, default 0) |
--exec-args |
Arguments passed to the target program; @@ is the input file placeholder |