Add AFL coverage instructions (#369)

.github/.cspell/project-dictionary.txt

@@ -10,6 +10,7 @@ fprofile
 instrprof
 libclang
 libhello
+LOOPCOUNT
 mcdc
 microkernel
 MSYSTEM

README.md

@@ -21,6 +21,7 @@ This is a wrapper around rustc [`-C instrument-coverage`][instrument-coverage] a
   - [Merge coverages generated under different test conditions](#merge-coverages-generated-under-different-test-conditions)
   - [Get coverage of C/C++ code linked to Rust library/binary](#get-coverage-of-cc-code-linked-to-rust-librarybinary)
   - [Get coverage of external tests](#get-coverage-of-external-tests)
+  - [Get coverage of AFL fuzzers](#get-coverage-of-afl-fuzzers)
   - [Exclude file from coverage](#exclude-file-from-coverage)
   - [Exclude code from coverage](#exclude-code-from-coverage)
   - [Continuous Integration](#continuous-integration)
@@ -485,6 +486,24 @@ Note: To include coverage for doctests you also need to pass `--doctests` to bot
 > Invoke-Expression (cargo llvm-cov show-env --with-pwsh-env-prefix | Out-String)
 > ```
 
+### Get coverage of AFL fuzzers
+
+Cargo-llvm-cov can be used with [AFL.rs](https://github.com/rust-fuzz/afl.rs) similar to the way external tests are done, but with a few caveats.
+
+```sh
+# Set environment variables and clean workspace
+source <(cargo llvm-cov show-env --export-prefix)
+cargo llvm-cov clean --workspace
+# Build the fuzz target
+cargo afl build
+# Run the fuzzer, the AFL_FUZZER_LOOPCOUNT is needed, because otherwise .profraw files aren't emitted
+# To get coverage of current corpus, minimize it and set it as input, then run the fuzzer until it processes the corpus
+AFL_FUZZER_LOOPCOUNT=20 cargo afl fuzz -c - -i in -o out target/debug/fuzz-target
+# Generate report
+# If you pass `--release` to `cargo afl build`, you also need to pass `--release` to `cargo llvm-cov report`
+cargo llvm-cov report --lcov
+```
+
 ### Exclude file from coverage
 
 To exclude specific file patterns from the report, use the `--ignore-filename-regex` option.