Documentation Index
Fetch the complete documentation index at: https://mintlify.com/0xricksanchez/AFL_Runner/llms.txt
Use this file to discover all available pages before exploring further.
aflr cov automates the coverage-reporting workflow that follows a fuzzing campaign. It walks the AFL++ output directory, discovers all queue subdirectories produced by the fuzzer instances, replays each queued input through your coverage-instrumented target binary to generate raw LLVM profile data, merges the profiles with llvm-profdata, and finally produces a coverage report using llvm-cov. The result is either an interactive HTML report (default) or a plain-text summary, optionally split per fuzzer queue directory. Use aflr cov after a campaign run to understand which code paths the fuzzer has reached and which remain uncovered.
Synopsis
Prerequisites
The following tools must be available onPATH before invoking aflr cov:
llvm-profdata— merges raw LLVM profile filesllvm-cov— generates coverage reports from merged profilesgenhtml— converts LCOV data to HTML (required for HTML reports)lcov— LCOV coverage data processor
Options
Target
Path to the coverage-instrumented target binary. This binary is the one compiled with
AFL_LLVM_CPROF=1 or equivalent LLVM source-based coverage flags, not the AFL++-instrumented binary used during fuzzing. Either this flag or --config must be provided.Directories
The top-level AFL++ output directory — the same path passed as
-o during the fuzzing campaign. aflr cov searches this directory recursively for queue/ subdirectories containing the corpus inputs to replay. Defaults to /tmp/afl_output.Report Format
When set,
aflr cov generates a separate coverage report for each individual fuzzer’s queue/ subdirectory rather than merging all profiles into a single unified report. Useful for comparing coverage contributions across primary and secondary fuzzer instances.Force a plain-text coverage summary instead of the default HTML report. The text output is written to stdout and contains per-file and per-function coverage percentages.
Extra llvm-cov Arguments
A list of additional arguments forwarded verbatim to
llvm-cov show. Use this to pass flags such as --show-line-counts-or-regions, --ignore-filename-regex, or source file filters.A list of additional arguments forwarded verbatim to
llvm-cov report. Use this to pass flags such as --ignore-filename-regex or --use-color.Configuration
Path to a TOML configuration file. Config file values for the
[coverage] and [target] sections are merged with CLI flags; explicit CLI flags take precedence.Target Arguments
-- separator. Use @@ as a placeholder where the input file path should be substituted during corpus replay. These arguments are passed directly to each invocation of the coverage binary.
Examples
The target binary must be compiled with LLVM source-based coverage instrumentation. When using AFL++‘s LLVM mode, set
AFL_LLVM_CPROF=1 at compile time to produce a binary suitable for aflr cov. This is a separate build from your AFL-instrumented binary — you typically maintain three builds: one for AFL++ (target_afl), one for sanitizers (target_asan), and one for coverage (target_cov).