0xricksanchez / AFL_Runner

Scaling best-practice AFLPlusPlus fuzzing campaigns made easy
https://crates.io/crates/afl_runner
Apache License 2.0
43 stars, 5 forks

Add generation coverage after stop fuzzing #30

Open Klavishnik opened 1 month ago

Klavishnik commented 1 month ago

https://clang.llvm.org/docs/SourceBasedCodeCoverage.html

0xricksanchez commented 1 month ago

I can imagine an aflr cov sub-command that would aggregate the coverage data across all runs and just output it in some form, probably the HTML report would be best. However, updating the compilation process would currently still be a user thing to do

Klavishnik commented 1 month ago

That's right. To collect coverage, it is necessary to make a new build of the project with special compilation flags, and this must be done by the user, not aflr. An instrumented binary, when run, will generate additional files that will contain code coverage data. Therefore, in the configuration file (maybe) you will have to make two parameters - the path to the binary and the path to the source folder. With clang, the coverage will be collected into a .profraw file, which can then be converted into an HTML report. I can send bash commands for this. It is also worth adding conditions for stopping fuzzing by time when new paths are not found.

Klavishnik commented 1 month ago

Here are some of my scripts for getting coverage from vanilla afl++ fuzzing:

Send output samples from fuzzing to the instrumented bin:

#!/bin/bash
# Replay every queue entry of every fuzzer instance through the
# coverage-instrumented build; quoting keeps odd file names intact
for file in out/*/queue/*
do
    ./bin_cov < "$file"
done

After that step you get a default.profraw file in the source dir

Get coverage, get HTML report:

    # Convert the raw profile into an indexed one
    llvm-profdata merge -sparse default.profraw -o foo.profdata
    # Annotated source on stdout, then a per-file summary table
    llvm-cov show bin_cov -instr-profile=foo.profdata
    llvm-cov report bin_cov -instr-profile=foo.profdata
    # Same data as a browsable HTML report
    llvm-cov show bin_cov -instr-profile=foo.profdata -format=html -output-dir=coverage_report_clang
    rm foo.profdata default.profraw

0xricksanchez commented 1 month ago

I'll try to work on this in a timely manner. PRs are very much appreciated though!

Klavishnik commented 1 month ago

Unfortunately I don't know Rust. I tried to understand the project code, but I didn't understand anything...