coverage for libfuzzer

libfuzzer is good but checking the coverage the tools are not as advanced as what gcc has available.

hence these tools to have gcc coverage on libfuzzer fuzzing targets

NOTE: by default clang/clang++ is used. if you want to use gcc/g++ instead then specify the -g option in cov-build.sh and cov-generate.sh, and edit cov-compile.sh to use the g++ line instead.

how-to

step 1: build the target

build the target library for coverage with cov-build.sh. usually enough is a

$ cov-build.sh ./configure --disable-shared

step 2: build the coverage tool

same as the fuzz.cc harness to fuzz, we need to have a tool built to to get the coverage. this is easy:

Execute with your fuzzing harness: ./cov-compile.sh fuzz.cc .libs/libfoo.a -Iinclude -I.

Basically the same options you needed to compile your fuzzing harness but omit -o outputfile.

step 3: gather the coverage

simply run the cov-generate.sh script with the libfuzzer queue directory and the compiled cov binary (you must still be in the source top directory of the for coverage compiled target):

$ cov-generate.sh ../libTARGET/queue ./cov

step 4: view the coverage

open a webbrowser for ./report/index.html