afl-sancov 
Whatis?
afl-sancov is a fork of afl-cov (version 0.5) that works on Clang/LLVM sanitizer instrumented binaries.
But why?
- Cannot use afl-cov (Gcov/lcov) reliably on crashing tests
- Coverage info from crashing tests can be used towards Spectrum based fault localization
Getting Started
Example and full usage
See docs/Example.md
Directory structure for locating coverage files
- afl-sync-dir
- sancov (Root dir for coverage info)
- delta-diff (Dir for differential spectrum)
- Bunch of json files summarizing delta coverage between crashing and queue inputs
- delta-diff (Dir for differential spectrum)
- sancov (Root dir for coverage info)
Issues and pull requests
I am happy to take both. If there is demand, I can work on polishing the delta-diff feature
Credits
A large part of afl-sancov development and testing has been possible due to Michael Rash's excellent tool and the open-source fuzzing community at afl-users and beyond. So, thank you all :-)