shellphish / driller

Driller: augmenting AFL with symbolic execution!
BSD 2-Clause "Simplified" License

How does the AFL engine utilize the testcases generated by symbolic execution? #26

Open Mambaboy opened 7 years ago

Mambaboy commented 7 years ago

Hi, guys. When running afl-cgc, it puzzles me very much what value I should set for the variable driller_path, which means the location of the driller executable. Is that the run.py in the driller module?

Also, there is no '-D' parameter in the "_start_afl_instance" function (which starts an AFL instance and belongs to the Fuzzer class in the Fuzzer module). That's so odd!

And I have run run.py, but it just generates some testcases by symbolic execution; how would the AFL engine utilize these testcases?

Can you give some information about these questions? Thank you very much!

Mambaboy commented 7 years ago

Does anybody know how AFL utilizes the testcases generated by the driller engine? It puzzles me a lot, and I wish someone could give me some information. It would be a pleasure!

zardus commented 7 years ago

Driller-produced testcases are synchronized into AFL via AFL's concurrency implementation, similar to how inputs from AFL's fuzzer slaves are synchronized. They're then mutated by AFL in the course of its normal operation to identify more inputs into the program.
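
To make the synchronization mechanism concrete, here is an added example (not Driller's own code, and not from the answer above) that writes symbolic-execution-derived inputs into the AFL-style sync layout, `<out_dir>/<fuzzer_name>/queue/id:NNNNNN,...`, which is the directory structure other AFL instances sharing the same `-o` directory scan for new entries. The fuzzer name `driller`, the `src:` suffix, and the sample inputs are assumptions for illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample inputs standing in for testcases produced by a
# symbolic-execution run (hypothetical values, not real Driller output).
# The third entry duplicates the first to show de-duplication.
SAMPLE_TESTCASES = [b"AAAA\x00magic", b"header:1234", b"AAAA\x00magic"]


def sync_testcases(out_dir, testcases, fuzzer_name="driller"):
    """Write testcases into <out_dir>/<fuzzer_name>/queue/ using AFL-style ids.

    Cooperating AFL instances started with the same -o directory periodically
    scan the other fuzzers' queue/ directories and import entries they have
    not yet seen (keyed on the numeric id). Presenting our inputs as the queue
    of one more instance is the assumed way they enter AFL's mutation loop.
    Existing ids are honoured so repeated calls keep numbering monotonic, and
    inputs already present (by content hash) are skipped. Returns new paths.
    """
    queue = os.path.join(out_dir, fuzzer_name, "queue")
    os.makedirs(queue, exist_ok=True)
    seen, next_id = set(), 0
    for name in os.listdir(queue):
        if name.startswith("id:"):
            next_id = max(next_id, int(name[3:9]) + 1)
            with open(os.path.join(queue, name), "rb") as f:
                seen.add(hashlib.sha256(f.read()).hexdigest())
    written = []
    for data in testcases:
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            continue  # AFL would only re-test an identical input anyway
        seen.add(digest)
        path = os.path.join(queue, "id:%06d,src:%s" % (next_id, digest[:8]))
        with open(path, "wb") as f:
            f.write(data)
        written.append(path)
        next_id += 1
    return written


def demo():
    """Sync twice into a temporary out dir; only the unseen input is added."""
    with tempfile.TemporaryDirectory() as out_dir:
        first = sync_testcases(out_dir, SAMPLE_TESTCASES)
        second = sync_testcases(out_dir, SAMPLE_TESTCASES + [b"new-path"])
        names = sorted(os.listdir(os.path.join(out_dir, "driller", "queue")))
    return len(first), len(second), names
```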

Mambaboy commented 7 years ago

It is very kind of you to help me with the problem. Thank you very much!