testing/libfuzzer/blackbox_coverage.md

Generating Local Code Coverage for Blackbox Fuzzers

This document explains how to generate a local code coverage report for a blackbox fuzzer. A local coverage report helps you visualize which code paths your fuzzer exercises.

The view_fuzzer_coverage.py script automates building the target with coverage instrumentation, running the target against the test corpus generated by your blackbox fuzzer, and generating an HTML report.

Prerequisites

This guide assumes you have already run your blackbox fuzzer to generate the output files that you want to run against the coverage-enabled target.

Run the coverage script

Run the view_fuzzer_coverage.py script and provide the path to your test corpus directory. The script will automatically configure the build, compile the target, run it, and generate the report.

In your terminal, navigate to the src directory and run:

```shell
tools/code_coverage/view_fuzzer_coverage.py \
  --fuzzer-type blackbox \
  --target <target_binary> \
  --corpora-dir <path_to_corpora_dir> \
  --testcase-timeout <seconds> \
  --retain-build-dir
```

view_fuzzer_coverage.py runs under vpython3, which is required for xvfb support when the target is chrome.
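The wrapper below is an added example and not part of the Chromium document or the view_fuzzer_coverage.py tooling. It performs the two checks worth doing before starting a long instrumented build: that the corpus directory named by `--corpora-dir` exists and actually contains testcases from an earlier blackbox fuzzer run (the prerequisite above), and that `--testcase-timeout` is a positive integer. The `DRY_RUN` variable and the function names are this example's own; the invocation it assembles is the one shown above.

```shell
#!/usr/bin/env bash
# Added example, not part of the Chromium document: a small wrapper around
# view_fuzzer_coverage.py that checks the prerequisite (a non-empty corpus
# produced by the blackbox fuzzer) and validates the timeout before kicking
# off a long instrumented build. Run it from the Chromium src directory.
set -eu

# check_corpus_dir DIR
# Succeeds and prints the number of testcase files if DIR exists and holds at
# least one regular file; otherwise explains the problem on stderr and fails.
check_corpus_dir() {
  local dir="$1" n
  if [ ! -d "$dir" ]; then
    echo "corpus dir not found: $dir" >&2
    return 1
  fi
  n=$(find "$dir" -type f | wc -l | tr -d ' ')
  if [ "$n" -eq 0 ]; then
    echo "corpus dir is empty: $dir (run the blackbox fuzzer first)" >&2
    return 1
  fi
  echo "$n"
}

# valid_timeout SECONDS: accepts only a positive integer.
valid_timeout() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ]
}

# run_coverage TARGET CORPUS_DIR TIMEOUT_SECONDS
# Assembles the invocation from the document and runs it. With DRY_RUN set to
# a non-empty value it only prints the command line instead of executing it.
run_coverage() {
  local target="$1" corpus="$2" timeout="$3" count
  count=$(check_corpus_dir "$corpus") || return 1
  if ! valid_timeout "$timeout"; then
    echo "testcase timeout must be a positive integer, got: $timeout" >&2
    return 1
  fi
  # Build the argument vector instead of a string so paths with spaces survive.
  set -- tools/code_coverage/view_fuzzer_coverage.py \
    --fuzzer-type blackbox \
    --target "$target" \
    --corpora-dir "$corpus" \
    --testcase-timeout "$timeout" \
    --retain-build-dir
  echo "running coverage over $count testcases" >&2
  if [ -n "${DRY_RUN:-}" ]; then
    echo "$*"
    return 0
  fi
  "$@"
}

# Example invocation with constructed placeholder values:
# run_coverage my_blackbox_target /tmp/corpora 25
```

Running with `DRY_RUN=1` first prints the exact command that would be executed, which is a cheap way to confirm the target name and corpus path before the coverage build starts.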

View the report

Once the script finishes, it will automatically attempt to open the generated HTML report (index.html) in Chrome.

If you are running this on a remote machine, you can start an HTTP server in the output HTML directory to view the report from your local browser:

```shell
cd out/coverage-html
python3 -m http.server 8000
```

Then open a browser on your local machine and navigate to <REMOTE_IP>:8000/index.html. Replace <REMOTE_IP> with your remote machine's IP address or hostname.