sslab-gatech / DIE

Fuzzing JavaScript Engines with Aspect-preserving Mutation

How to calculate coverage?

1789120321 opened this issue

Hi @thdusdl1219, I have a question about the method of coverage calculation.

I tried to run your program, but the coverage rate is approximately a straight line.

First, the target program is JavaScriptCore. By modifying the afl-llvm-pass.so.cc code, the number of instrumentation points is recorded each time one is inserted, that is, the variable inst_blocks is summed. The result is that JavaScriptCore has 875,102 points in total. I use ((MAP_SIZE << 3) - count_bits(virgin_bits)) to record the number of positions covered by the fuzzing process. Of course, the coverage of the initial seed is recorded first. I run the program with a single thread.

After running the original seed, the number of locations covered by the record is 147,483, and the coverage rate is about 17%. After running for 10 hours, the number of locations covered was 148,864, and the coverage rate was still around 17%. There was no significant improvement as mentioned in the paper. Of course, it may be because the target program is different, but I don't think it should have such a big impact.

It may be that the calculation method is different, so I want to know how you calculate the coverage of the target program.

Thank you.
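The bookkeeping behind the formula in the post, as an added example that is not code from the DIE repository: in AFL-style instrumentation each byte of virgin_bits is one edge and each bit of that byte is one hit-count bucket, so `(MAP_SIZE << 3) - count_bits(virgin_bits)` counts (edge, bucket) pairs, whereas the map density afl-fuzz itself reports counts bytes that are no longer 0xff. The map size, the two runs and the function names below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed tiny map (AFL's real MAP_SIZE is 1 << 16): one byte per edge, all bits set = unseen. */
#define DEMO_MAP_SIZE 16
static uint8_t g_virgin[DEMO_MAP_SIZE];

/* AFL's hit-count classification (count_class_lookup8): a raw count becomes a one-bit bucket mask. */
static uint8_t hit_bucket(uint32_t h) {
    static const uint8_t low[8] = {0, 1, 2, 4, 8, 8, 8, 8};  /* buckets for counts 0..7 */
    return h < 8 ? low[h] : h < 16 ? 16 : h < 32 ? 32 : h < 128 ? 64 : 128;
}

/* Fold one execution's per-edge hit counts into virgin: clear the bucket bit just observed. */
static void merge_run(uint8_t *virgin, const uint32_t *hits, size_t len) {
    for (size_t i = 0; i < len; i++) virgin[i] &= (uint8_t)~hit_bucket(hits[i]);
}

/* Cleared bits = (edge, bucket) pairs seen; this is (len << 3) - count_bits(virgin) from the issue. */
static uint32_t cleared_bits(const uint8_t *virgin, size_t len) {
    uint32_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (uint8_t b = (uint8_t)~virgin[i]; b; b &= (uint8_t)(b - 1)) n++;
    return n;
}

/* Edges reached at least once = bytes no longer 0xff; afl-fuzz's "map density" counts these. */
static uint32_t touched_edges(const uint8_t *virgin, size_t len) {
    uint32_t n = 0;
    for (size_t i = 0; i < len; i++) if (virgin[i] != 0xff) n++;
    return n;
}

/* Two constructed runs: run 1 hits edges 0,1,2 once each; run 2 hits edge 0 five times and edge 3 once. */
static void demo(void) {
    uint32_t run1[DEMO_MAP_SIZE] = {1, 1, 1};
    uint32_t run2[DEMO_MAP_SIZE] = {5, 0, 0, 1};
    memset(g_virgin, 0xff, sizeof g_virgin);
    merge_run(g_virgin, run1, DEMO_MAP_SIZE);
    merge_run(g_virgin, run2, DEMO_MAP_SIZE);
}

int main(void) {
    demo();  /* 5 of 128 bits cleared, but only 4 of 16 edges reached */
    printf("%u of %u bits cleared, %u of %u edges reached\n", cleared_bits(g_virgin, DEMO_MAP_SIZE),
           DEMO_MAP_SIZE << 3, touched_edges(g_virgin, DEMO_MAP_SIZE), DEMO_MAP_SIZE);
    return 0;
}
```

Because a single edge can clear up to eight bits as its hit count moves between buckets, the bit-based number grows even when no new edge is reached, so the two metrics should be compared side by side before reading either as "coverage".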