AFL++ cannot generate coverage reports using gcov in libfuzzer mode #2330

Answered by vanhauser-thc
nut799 asked this question in Q&A
I am working on a project, using afl-gcc-fast / afl-g++-fast as the compiler, and using AFL++ libfuzzer mode.
I found that in libfuzzer mode I could not use gcov to generate coverage reports (the .gcda files are not created).

In AFL++ with GCC, in normal mode (not libfuzzer mode), when using the following compile options:
-fsanitize=address -ftest-coverage -fprofile-arcs
GCC's features allow the generation of the corresponding .gcno files.
At runtime, pressing CTRL + C to quit the fuzzer generates the corresponding .gcda files, which can then be used to generate a visual coverage report.

However, in AFL++'s libfuzzer mode, even when using the same compile options:

-fsanitize=address -ftest-coverage -fprofile-arcs
the same steps do not automatically generate .gcda files when CTRL + C is pressed to stop the fuzzer.

I attempted to listen for the SIGSEGV & SIGINT events during initialization:

```cpp
#include <csignal>
#include <cstddef>
#include <cstdint>
#include <cstdlib>

extern "C" void __gcov_dump();

//void __gcov_flush(void);
void fuzz(const char *f, int size){
        if(size < 4)
            return;

        /*close the code to test CTRL +C case
        if(f[0] == 'c'){
                if(f[1] == 'o'){
                        char* p=0;
                        *p = 0x13;//crash here
                }

        }*/

}

struct sigaction sa;
struct sigaction old_sa_segv; // previous SIGSEGV handler, saved at registration

void signal_handler(int sig, siginfo_t *si, void *context) {
    __gcov_dump(); //force create gcda

    if (sig == SIGINT) {
        exit(0);
    }

    if (sig == SIGSEGV) {
        // chain to the handler that was installed before ours; the third
        // argument of a SA_SIGINFO handler is the ucontext, not the old sigaction
        if (old_sa_segv.sa_flags & SA_SIGINFO) {
            if (old_sa_segv.sa_sigaction) {
                old_sa_segv.sa_sigaction(sig, si, context);
            }
        } else if (old_sa_segv.sa_handler != SIG_DFL &&
                   old_sa_segv.sa_handler != SIG_IGN) {
            old_sa_segv.sa_handler(sig);
        }

        exit(1);
    }
}

void registerSignalHandler() {
    sa.sa_sigaction = signal_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);

    sigaction(SIGSEGV, NULL, &old_sa_segv); //save old SIGSEGV handler
    sigaction(SIGSEGV, &sa, NULL);// for crash event

    sigaction(SIGINT, &sa, NULL); //for CTRL +C quit
}
extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
    registerSignalHandler();

    return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    fuzz((const char *)data, size);

    return 0;
}
```

However, when the fuzzer is running and CTRL + C is pressed to exit,
no .gcda files are generated.

So, I would like to know how to ensure that when CTRL + C is pressed to exit, .gcda files are generated and coverage reports can be obtained.

that is not how you generate coverage, and combining gcov with fuzzing instrumentation just slows things down horribly.
if you try to make this work you are on your own :-)
Use https://github.com/vanhauser-thc/afl-cov instead.

Answer selected by nut799
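The answer points to afl-cov instead of gcov inside the fuzzing build. What afl-cov automates is a plain replay workflow: build a second copy of the harness with `gcc --coverage` and no AFL instrumentation, feed the saved queue through it outside afl-fuzz, and let libgcov write the .gcda files at normal process exit, so no handler inside the fuzzed process has to intercept the fuzzer's shutdown. The replay driver below is an added example written for this page; it is not code from the discussion, from AFL++ or from afl-cov. The function names (`replay_dir`, `feed_file`, `flush_coverage`, `install_stop_handler`) and the stand-in `LLVMFuzzerTestOneInput` body are constructed for the example; in a real build that function comes from the harness, linked into this driver. It also shows the two details that the question's handler gets wrong: `__gcov_dump` is only present when libgcov is linked, so it is referenced as a weak symbol, and a signal handler should only set a flag, because `__gcov_dump` and `exit` are not safe to call from inside one.

```c
/* Added example: gcov replay driver for an AFL++ queue, run outside afl-fuzz.
 * Build (constructed command line, no AFL compiler involved):
 *   gcc -O0 --coverage replay.c harness.c -o replay_cov
 *   ./replay_cov out/default/queue && gcov harness.c
 * The stand-in target and all helper names below are constructed for the example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the harness's fuzz target (constructed); a real build links the
 * harness's own LLVMFuzzerTestOneInput instead of this one. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (size < 4) return 0;
    if (data[0] == 'c' && data[1] == 'o') return 1;  /* branch we want the report to show */
    return 0;
}

/* libgcov defines __gcov_dump only when the binary is built with --coverage.
 * A weak reference lets the driver link without it (the pointer is then NULL). */
extern void __gcov_dump(void) __attribute__((weak));

static volatile sig_atomic_t stop_requested = 0;

/* The handler only records the request; __gcov_dump and exit are not
 * async-signal-safe, so the flush happens in the main loop, not here. */
static void on_sigint(int sig) { (void)sig; stop_requested = 1; }

void install_stop_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigint;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGINT, &sa, NULL);
}

/* Write the .gcda files now if libgcov is linked in; returns 1 if it was. */
int flush_coverage(void) {
    if (__gcov_dump) { __gcov_dump(); return 1; }
    return 0;
}

/* Read one queue file fully and hand it to the target.
 * Returns the target's return value, or -1 if the file could not be opened. */
int feed_file(const char *path) {
    FILE *fp = fopen(path, "rb");
    if (!fp) return -1;
    uint8_t *buf = NULL, chunk[4096];
    size_t len = 0, cap = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, fp)) > 0) {
        if (len + n > cap) {
            cap = (cap ? cap * 2 : 8192) + n;
            uint8_t *grown = realloc(buf, cap);
            if (!grown) { free(buf); fclose(fp); return -1; }
            buf = grown;
        }
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(fp);
    int rc = LLVMFuzzerTestOneInput(buf ? buf : (const uint8_t *)"", len);
    free(buf);
    return rc;
}

/* Replay every entry of a queue directory (e.g. out/default/queue).
 * Returns the number of inputs fed, or -1 if the directory cannot be opened.
 * Stops early when SIGINT was seen; coverage is flushed in both cases, which is
 * what the fuzzing-mode harness in the question could not achieve. */
int replay_dir(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    char path[4096];
    int count = 0;
    struct dirent *ent;
    while (!stop_requested && (ent = readdir(d)) != NULL) {
        if (ent->d_name[0] == '.') continue;  /* skips ".", ".." and AFL's ".state" */
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (feed_file(path) >= 0) count++;
    }
    closedir(d);
    flush_coverage();
    return count;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <queue dir>\n", argv[0]); return 2; }
    install_stop_handler();
    int n = replay_dir(argv[1]);
    printf("replayed %d inputs%s\n", n, stop_requested ? " (interrupted)" : "");
    return n < 0 ? 1 : 0;
}
```

Because the coverage build carries neither AFL instrumentation nor ASan, the slowdown the answer warns about is confined to this one-off replay rather than the fuzzing run, and the .gcno/.gcda pairs belong to a binary whose source lines match the report. The flag-plus-main-loop pattern is also why a crash during replay still leaves usable data: `replay_dir` flushes on every exit path it controls, and a genuine SIGSEGV from the target simply terminates the replay with the inputs up to that point already recorded in the previous `.gcda` write if `flush_coverage` was called earlier.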