aflr cov takes the queue/ directories produced by a running or completed AFL++ campaign and replays every test case through a separately compiled LLVM coverage-instrumented binary. It collects raw .profraw files in parallel, merges them with llvm-profdata, and then calls llvm-cov show (HTML) or llvm-cov report (text) to produce a human-readable coverage report. This gives you precise source-level coverage data — down to individual lines and branches — without modifying your fuzzing pipeline.
Prerequisites

The following tools must be on your PATH before running aflr cov:

llvm-profdata — merges raw coverage profiles
llvm-cov — generates show/report output
genhtml — renders LCOV HTML (used internally)
lcov — coverage data processing

On Debian/Ubuntu: apt install llvm. On Fedora/RHEL: dnf install llvm.

Your coverage binary must also be compiled with LLVM source-based coverage instrumentation (see Step 1). aflr cov validates this with readelf at startup and exits early if the binary is missing the required covrec symbols.

Compile a coverage-instrumented binary
You need a build of the target that emits LLVM source-based coverage data. AFL++ exposes this via the AFL_LLVM_CPROF environment variable. Alternatively, compile directly with clang coverage flags without going through afl-cc. Either approach produces a binary that writes a .profraw file to the path in LLVM_PROFILE_FILE on each execution — which is exactly how aflr cov drives it.

Run coverage collection (HTML report)
Point aflr cov at the coverage binary and the top-level AFL++ output directory. It will discover every <instance>/queue/ subdirectory automatically, process all queue files in parallel, and write an HTML report to <afl_out>/coverage_html/.

The -i flag here is the AFL++ output directory (the -o you passed to aflr run), not the seed corpus. aflr cov walks its subdirectories looking for queue/ folders.

When the run completes, open /tmp/afl_out/coverage_html/index.html in a browser to explore source-level hit counts and branch coverage.

(Optional) Generate a text report instead
For scripted pipelines or CI environments where a browser is not available, pass --text-report to emit a llvm-cov report-style summary to stdout instead of writing HTML files. The text output lists each source file with its line, function, and region coverage percentages — easy to grep or pipe into a coverage gate.

(Optional) Per-queue-directory split reports
By default, aflr cov merges all queue directories from all fuzzer instances into a single unified report. Passing --split-report generates a separate HTML report for each fuzzer instance instead, written to <afl_out>/coverage_html/instance_0/, instance_1/, and so on.

Split reports are useful for comparing the coverage contribution of individual instances — for example, verifying that your CMPLOG runners are reaching code that plain AFL++ instances miss.

(Optional) Pass extra llvm-cov flags
Use -a / --show-args to pass additional flags directly to llvm-cov show, and -r / --report-args for llvm-cov report. Refer to the llvm-cov documentation for the full list of accepted options.

Pass target arguments after --
If your target reads from a file (uses @@ in the fuzzing harness), pass the argument list after -- so AFL Runner forwards them to the binary on each queue-file replay.

aflr cov detects @@ in the argument list and substitutes the actual queue file path for each run. Without @@ it pipes the file contents to the target’s stdin.
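
The replay step described above (queue discovery, one LLVM_PROFILE_FILE per execution, @@ substitution versus stdin), sketched as an added example that is not taken from AFL Runner's source. The function names, the .profraw naming scheme and the sequential loop are assumptions made for illustration; aflr cov itself runs the replays in parallel.

```python
import os
import subprocess
from pathlib import Path


def find_queue_files(afl_out):
    """Every test case under <afl_out>/<instance>/queue/, across all instances."""
    cases = []
    for queue in sorted(Path(afl_out).glob("*/queue")):
        # is_file() skips AFL++ bookkeeping directories such as queue/.state/
        cases += [p for p in sorted(queue.iterdir()) if p.is_file()]
    return cases


def plan_replay(target_argv, case, profraw_dir, index):
    """Return (argv, stdin_path, env) for replaying one queue file."""
    # One profile per execution (assumed naming), so runs never overwrite each other.
    profile = Path(profraw_dir) / f"case_{index:06d}.profraw"
    env = dict(os.environ, LLVM_PROFILE_FILE=str(profile))
    if any("@@" in arg for arg in target_argv):
        # File-based target: substitute the queue file path for @@.
        return [a.replace("@@", str(case)) for a in target_argv], None, env
    # No @@: the queue file contents go to the target's stdin.
    return list(target_argv), case, env


def replay_all(target_argv, afl_out, profraw_dir, timeout=5.0):
    """Replay every queue file; return the .profraw files that were written."""
    Path(profraw_dir).mkdir(parents=True, exist_ok=True)
    for index, case in enumerate(find_queue_files(afl_out)):
        argv, stdin_path, env = plan_replay(target_argv, case, profraw_dir, index)
        stdin = open(stdin_path, "rb") if stdin_path else subprocess.DEVNULL
        try:
            # Exit status is ignored: only the profile matters. A run killed by
            # a signal typically exits before the profile is flushed.
            subprocess.run(argv, stdin=stdin, env=env, timeout=timeout,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except subprocess.TimeoutExpired:
            pass  # a hanging input contributes no profile
        finally:
            if stdin_path:
                stdin.close()
    return sorted(Path(profraw_dir).glob("*.profraw"))


def merge_and_report_cmds(binary, profraws, profdata):
    """The llvm-profdata / llvm-cov invocations that follow the replay."""
    merge = ["llvm-profdata", "merge", "-sparse", "-o", str(profdata), *map(str, profraws)]
    report = ["llvm-cov", "report", str(binary), f"-instr-profile={profdata}"]
    return merge, report
```

Comparing the number of returned profiles with the number of queue files shows how many inputs crashed or hung the coverage build and therefore contributed nothing to the report.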