Add code coverage reports

- Add integration tests for source code coverage report generation
- Refine the interplay between the flags "dry run" (-d) and "custom
hooks" (-h). Now the custom hooking works even in dry run mode.
- Simplify the FuzzedDataProvider test to decrease the chances of the
test failing on MacOS (this fuzz test is expected to find an exception
within some time)

Author: oetr

.config/test-jazzerjsrc.json

@@ -1,5 +1,5 @@
 {
 	"includes": ["target"],
 	"excludes": ["nothing"],
-	"fuzzerOptions": ["-runs=-1", "-rss_limit_mb=16000"]
+	"fuzzerOptions": ["-rss_limit_mb=16000"]
 }

docs/fuzz-targets.md

@@ -172,3 +172,39 @@ flag, so that only the most important parameters are discussed here.
 | `--sync`                                                                | Enables synchronous fuzzing. **May only be used for entirely synchronous code**.                                                                                                                                                                                                                         |
 | `-h`, `--custom_hooks`                                                  | Filenames with custom hooks. Several hooks per file are possible. See further details in [docs/fuzz-settings.md](docs/fuzz-settings.md).                                                                                                                                                                 |
 | `--help`                                                                | Detailed help message containing all flags.                                                                                                                                                                                                                                                              |
+
+## Coverage report generation
+
+To generate a coverage report, add the `--coverage` flag to the Jazzer.js CLI.
+In this example, the `--coverage` flag is combined with the dry run flag `-d`
+that disables internal instrumentation used by the fuzzer.
+
+```shell
+npx jazzer -d <fuzzer parameters> --corpus <corpus directories> --coverage -- <libFuzzer parameters>
+```
+
+Alternatively, you can add a new script to your package.json:
+
+```json
+"scripts": {
+	"coverage": "jazzer -d -i target -i another_target -e nothing <fuzzer parameters> --corpus <corpus directories> --coverage -- <libFuzzer parameters>"
+}
+```
+
+Files matched by the flags `--include` or `--custom_hooks`, and not matched by
+the flag `--exclude` will be included in the coverage report. It is recommended
+to disable coverage report generation during fuzzing, because of a substantial
+overhead that it adds.
+
+### Coverage report directory
+
+By default, the coverage reports can be found in the `./coverage` directory.
+This default directory can be changed by setting the flag
+`--coverageDirectory=<another coverage directory>`.
+
+### Coverage reporters
+
+The desired report format can be set by the flag `--coverageReports`, which by
+default is set to `--coverageReports clover json lcov text`. See
+[here](https://github.com/istanbuljs/istanbuljs/tree/master/packages/istanbul-reports/lib)
+for a list of supported coverage reporters.

docs/jest-integration.md

@@ -47,7 +47,8 @@ runner.
 	"name": "jest-integration-example",
 	"scripts": {
 		"test": "jest",
-		"fuzz": "JAZZER_FUZZ=1 jest"
+		"fuzz": "JAZZER_FUZZ=1 jest",
+		"coverage": "jest --coverage"
 	},
 	"devDependencies": {
 		"@jazzer.js/jest-runner": "1.1.0",
@@ -283,6 +284,22 @@ Time:        0.335 s, estimated 1 s
 Ran all test suites.
 ```
 
+### Coverage report generation
+
+To generate a coverage report, run jest with the `--coverage` flag:
+
+```shell
+npx jest --coverage
+```
+
+Additional options for coverage report generation are described in the
+[fuzz targets documentation](./fuzz-targets.md#coverage-report-generation).
+
+The desired report format can be set by the flag `--coverageReports`, which by
+default is set to `--coverageReports clover json lcov text`. See
+[here](https://github.com/istanbuljs/istanbuljs/tree/master/packages/istanbul-reports/lib)
+for a list of supported coverage reporters.
+
 ## IDE Integration
 
 As the Jest test framework foundations are used by the Jazzer.js fuzz test
@@ -309,6 +326,5 @@ offer good extension points and common test framework features have to be
 reimplemented.
 
 - Mock functions
-- Coverage generation
 - Isolated workers
 - Test-based timeouts (third parameter to `test` functions)

examples/custom-hooks/corpus/01b5ae35a1205c6573dc7fea507fd01a1c0d7d03

@@ -0,0 +1 @@
+��������