Question about code structure

[AshrafIbrahim03]

I'm trying to build a dummy HTTP fuzzer for practice using libafl. I'm particularly stuck where I want to create a feedback that takes in some status codes and its is_interesting function is simply seeing if any HTTP status codes run into are in the set the HTTPFeedback has. I've been looking through this repo's code trying to find the point at which there is communication between the harness and the observer. I found the EndpointCoverageClient in src/coverage_clients and found the IndexMap between the status code, path, method and the coverage type. I'm still confused about where the particular coverage type of the EndpointCoverageClient gets mutated.

Specifically, how does the information that isn't the ExitKind get passed from inside the harness to something outside the harness? I understand fundamentally how the different parts work, it's just very confusing how that data actually leaves the harness.

[grebnetiew]

In our case, we do use the ExitKind to indicate success or failure of the target (normally interpreting 5xx status codes as crashes, as well as deviations of responses from the spec).

The observers in our case are coverage observers (MultiMapObserver in fuzzer.rs), and their coverage maps are (unsafely) shared with the coverage clients. The coverage clients are instructed by the harness when an input test begins and ends, and can thus make sure the coverage map reflects the coverage of an input when the harness finishes running.