google / AFL

american fuzzy lop - a security-oriented fuzzer
https://lcamtuf.coredump.cx/afl/
Apache License 2.0

How to calculate coverage? #138

Open 1789120321 opened 3 years ago

1789120321 commented 3 years ago

AFL is a classic fuzzer. There are many studies based on AFL. However, my known work does not explain how to calculate coverage.

I use llvm mode for instrumentation. Accumulate the inst_blocks in afl_llvm_pass.so.cc as the total number of instrumentation. Use ((MAP_SIZE << 3)-count_bits(virgin_bits)) as the number of positions covered in the code. However, the results did not meet expectations.

If anyone knows how to get the coverage, can I trouble you with some suggestions? Thank you!
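One way to see why the bit-count formula in the question overstates coverage, as an added example written for this thread and not code from the issue or from AFL itself: in stock AFL the shared map is indexed by edge (the instrumented block ID XORed with the shifted previous one), every byte starts at 0xFF in virgin_bits, and a single edge clears up to eight separate bits as its hit count lands in different buckets (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+). So (MAP_SIZE << 3) - count_bits(virgin_bits) counts edge/bucket pairs, not edges, and it will drift further from the inst_blocks total the longer a campaign runs. Counting bytes that are no longer 0xFF (the quantity AFL's own status screen reports as map density) gives the number of distinct edges seen instead. The map size, bucket boundaries and the two constructed executions below are assumptions chosen to match stock AFL's defaults, and none of this is the project's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a stock 64 KiB AFL edge map. */
#define MAP_SIZE (1u << 16)

/* Number of set bits across the whole bitmap (same semantics as AFL's count_bits()). */
static uint32_t count_bits(const uint8_t *mem, size_t len) {
  uint32_t total = 0;
  for (size_t i = 0; i < len; i++) {
    uint8_t v = mem[i];
    while (v) { total += v & 1u; v >>= 1; }
  }
  return total;
}

/* Number of map bytes that are no longer 0xFF, i.e. edges seen at least once
   (the quantity AFL's count_non_255_bytes() feeds into "map density"). */
static uint32_t count_non_255_bytes(const uint8_t *mem, size_t len) {
  uint32_t total = 0;
  for (size_t i = 0; i < len; i++)
    if (mem[i] != 0xFF) total++;
  return total;
}

/* Map a raw hit count onto the bucket bit AFL's count classification uses:
   1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+ -> bits 0..7. Zero hits clears nothing. */
static uint8_t bucket_bit(uint32_t hits) {
  if (hits == 0)   return 0;
  if (hits == 1)   return 1u << 0;
  if (hits == 2)   return 1u << 1;
  if (hits == 3)   return 1u << 2;
  if (hits <= 7)   return 1u << 3;
  if (hits <= 15)  return 1u << 4;
  if (hits <= 31)  return 1u << 5;
  if (hits <= 127) return 1u << 6;
  return 1u << 7;
}

/* Fold one execution's raw per-edge hit counts into virgin_bits by clearing
   the bucket bit each edge landed in. */
static void update_virgin(uint8_t *virgin, const uint32_t *hits, size_t len) {
  for (size_t i = 0; i < len; i++)
    virgin[i] &= (uint8_t)~bucket_bit(hits[i]);
}

/* The formula from the question: cleared bits, i.e. edge/bucket pairs. */
static uint32_t bit_based_positions(const uint8_t *virgin) {
  return (MAP_SIZE << 3) - count_bits(virgin, MAP_SIZE);
}

/* Distinct edges seen, regardless of how many buckets each has cleared. */
static uint32_t edge_based_positions(const uint8_t *virgin) {
  return count_non_255_bytes(virgin, MAP_SIZE);
}

/* Constructed scenario (not real fuzzer output): two executions touching
   three edges, one of which is hit with two different counts. Returns both
   coverage figures for the resulting virgin map. */
static void demo_scenario(uint32_t *bit_based, uint32_t *edge_based) {
  static uint8_t virgin[MAP_SIZE];
  static uint32_t hits[MAP_SIZE];

  memset(virgin, 0xFF, sizeof virgin);   /* AFL starts with every bit set */

  /* Execution 1: edge 10 once, edge 20 once, edge 30 two hundred times. */
  memset(hits, 0, sizeof hits);
  hits[10] = 1; hits[20] = 1; hits[30] = 200;
  update_virgin(virgin, hits, MAP_SIZE);

  /* Execution 2: edge 10 five times, landing in the 4-7 bucket. */
  memset(hits, 0, sizeof hits);
  hits[10] = 5;
  update_virgin(virgin, hits, MAP_SIZE);

  *bit_based  = bit_based_positions(virgin);   /* 4: edge 10 cleared two bits */
  *edge_based = edge_based_positions(virgin);  /* 3: three distinct edges */
}

int main(void) {
  uint32_t b = 0, e = 0;
  demo_scenario(&b, &e);
  printf("bit-based positions: %u, distinct edges: %u\n", b, e);
  return 0;
}
```

Even the byte-based figure will not equal inst_blocks: the map holds edges rather than basic blocks, and with 64 KiB entries and random block IDs distinct edges can collide on the same byte, so the count is a lower bound on edges rather than a fraction of instrumented blocks.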

walter708 commented 3 years ago

https://github.com/mrash/afl-cov

1789120321 commented 3 years ago

@walter708 But afl-cov only supports gcc, and I want to collect the coverage of chakracore compiled by afl-clang-fast. So I use Clang's SOURCE-BASED CODE COVERAGE to collect coverage, but I found that when there are many running files, it cannot be calculated. So is there any other way?

domenukk commented 3 years ago

The afl-cov fork by @vanhauser-thc works with llvm. https://github.com/vanhauser-thc/afl-cov

1789120321 commented 3 years ago

> The afl-cov fork by @vanhauser-thc works with llvm. https://github.com/vanhauser-thc/afl-cov

Because if afl runs for a long time, it will generate tens of thousands of files. Does this version of afl-cov support processing a large number of files?