2.2.1. Code Instrumentation

Code instrumentation inserts code fragments at compile time, which is useful for path tracing and testing during the fuzzing process. AFL [7] is a greybox fuzzer that uses edge (branch) coverage as feedback. Before the fuzzing loop stage, AFL first uses afl-gcc or afl-clang as instrumentation commands so that edge coverage can be traced at run time. AFL keeps a 64KB shared bitmap *Bitmap* that records edge coverage information, namely whether an edge has been visited and how many times it was hit. AFL assigns a random number to each basic block in the program and identifies an edge by XORing the number of the current basic block with the right-shifted number of the previous basic block. The resulting value is used as an offset into *Bitmap*, and the entry at that offset holds the hit count of the edge.

The specific formula for coverage calculation is as follows [9].

$$\text{cur\\_location} = \text{Random}()\tag{2}$$

$$\text{Bitmap}[\text{cur\\_location} \oplus \text{prev\\_location}]\text{++}\tag{3}$$

$$\text{prev\\_location} = \text{cur\\_location} \gg 1\tag{4}$$
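The following C program is an added illustration of equations (2) to (4); it is not AFL's own instrumentation code. It models the per-block stub that afl-gcc/afl-clang emit with a 64KB bitmap and a `prev_location` register, and it records the edges of a constructed path between two blocks `A` and `B` whose random ids are fixed here so that the result is reproducible. The function names and the block ids are assumptions made for this example. It also shows why the right shift in (4) matters: without it, the edges A→B and B→A would XOR to the same offset and become indistinguishable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE (1u << 16)   /* 64KB bitmap, one byte of hit count per edge */

/* Shared coverage bitmap and the "previous location" register. In AFL these
   live in shared memory and a global/TLS slot; here they are plain globals. */
static uint8_t  bitmap[MAP_SIZE];
static uint16_t prev_location;

/* Reset state before executing one input, as the fuzzer does per run. */
void reset_coverage(void) {
    memset(bitmap, 0, sizeof bitmap);
    prev_location = 0;
}

/* The instrumentation stub executed at the entry of a basic block whose
   compile-time random id is cur_location (Eq. 2 supplies the id).
   Eq. 3: bump the hit count of the edge prev -> cur.
   Eq. 4: remember the current block, shifted right by one. */
void record_block(uint16_t cur_location) {
    bitmap[(cur_location ^ prev_location) & (MAP_SIZE - 1)]++;
    prev_location = cur_location >> 1;
}

/* Bitmap offset of the directed edge from -> to, as Eq. 3 and 4 compute it
   when block "from" was executed immediately before block "to". */
uint16_t edge_index(uint16_t from, uint16_t to) {
    return (uint16_t)((to ^ (from >> 1)) & (MAP_SIZE - 1));
}

/* Hit count currently stored for the edge from -> to. */
uint8_t hit_count(uint16_t from, uint16_t to) {
    return bitmap[edge_index(from, to)];
}

/* Replay a sequence of block ids through the stub, starting from a clean map. */
void run_path(const uint16_t *ids, size_t n) {
    reset_coverage();
    for (size_t i = 0; i < n; i++)
        record_block(ids[i]);
}

/* Number of distinct bitmap entries touched by the last run. */
size_t edges_touched(void) {
    size_t n = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (bitmap[i]) n++;
    return n;
}

int main(void) {
    /* Constructed block ids standing in for the Random() values of Eq. 2. */
    const uint16_t A = 0x1234, B = 0x5678;
    const uint16_t path[] = { A, B, A, B };   /* entry -> A -> B -> A -> B */

    run_path(path, sizeof path / sizeof path[0]);

    printf("A->B hit %u time(s) at offset 0x%04x\n", hit_count(A, B), edge_index(A, B));
    printf("B->A hit %u time(s) at offset 0x%04x\n", hit_count(B, A), edge_index(B, A));
    printf("distinct edges recorded: %zu\n", edges_touched());
    /* Without the shift of Eq. 4 both directions would collide on A ^ B. */
    printf("A^B == B^A: 0x%04x == 0x%04x\n", A ^ B, B ^ A);
    return 0;
}
```

The first stub call in a run sees `prev_location == 0`, so the entry edge into the first block lands at the block's own id; every later call records a directed edge. Because a real program has far more blocks than the map has distinct offsets, collisions between unrelated edges can still occur, which is why AFL sizes the map at 64KB as a compromise between cache footprint and collision rate.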
