feat(instrumentor): ESM code coverage plugin

Extract the shared coverage visitor logic (which AST nodes to
instrument, how to wrap branches) out of codeCoverage into
coverageVisitor.  Both CJS and ESM plugins now build on this.

The new esmCodeCoverage plugin generates direct array writes to a
module-local __jazzer_cov buffer instead of calling the global
incrementCounter function.  Edge IDs are module-scoped (starting
at 0 per file), so no cross-thread coordination is needed between
the CJS instrumentor and the ESM loader.

The NeverZero increment uses (x % 255) + 1 rather than the more
obvious (x + 1) & 255 || 1, because Babel re-visits generated AST
and a LogicalExpression in the counter statement would trigger
infinite recursion in the coverage visitor.

Author: oetr

packages/instrumentor/plugins/codeCoverage.ts

@@ -14,111 +14,19 @@
  * limitations under the License.
  */
 
-import { NodePath, PluginTarget, types } from "@babel/core";
-import {
-	BlockStatement,
-	ConditionalExpression,
-	Expression,
-	ExpressionStatement,
-	Function,
-	IfStatement,
-	isBlockStatement,
-	isLogicalExpression,
-	LogicalExpression,
-	Loop,
-	Statement,
-	SwitchStatement,
-	TryStatement,
-} from "@babel/types";
+import { PluginTarget, types } from "@babel/core";
 
 import { EdgeIdStrategy } from "../edgeIdStrategy";
 
-export function codeCoverage(idStrategy: EdgeIdStrategy): () => PluginTarget {
-	function addCounterToStmt(stmt: Statement): BlockStatement {
-		const counterStmt = makeCounterIncStmt();
-		if (isBlockStatement(stmt)) {
-			const br = stmt as BlockStatement;
-			br.body.unshift(counterStmt);
-			return br;
-		} else {
-			return types.blockStatement([counterStmt, stmt]);
-		}
-	}
-
-	function makeCounterIncStmt(): ExpressionStatement {
-		return types.expressionStatement(makeCounterIncExpr());
-	}
+import { makeCoverageVisitor } from "./coverageVisitor";
 
-	function makeCounterIncExpr(): Expression {
-		return types.callExpression(
-			types.identifier("Fuzzer.coverageTracker.incrementCounter"),
-			[types.numericLiteral(idStrategy.nextEdgeId())],
-		);
-	}
-
-	return () => {
-		return {
-			visitor: {
-				Function(path: NodePath<Function>) {
-					if (isBlockStatement(path.node.body)) {
-						const bodyStmt = path.node.body as BlockStatement;
-						if (bodyStmt) {
-							bodyStmt.body.unshift(makeCounterIncStmt());
-						}
-					}
-				},
-				IfStatement(path: NodePath<IfStatement>) {
-					path.node.consequent = addCounterToStmt(path.node.consequent);
-					if (path.node.alternate) {
-						path.node.alternate = addCounterToStmt(path.node.alternate);
-					}
-					path.insertAfter(makeCounterIncStmt());
-				},
-				SwitchStatement(path: NodePath<SwitchStatement>) {
-					path.node.cases.forEach((caseStmt) =>
-						caseStmt.consequent.unshift(makeCounterIncStmt()),
-					);
-					path.insertAfter(makeCounterIncStmt());
-				},
-				Loop(path: NodePath<Loop>) {
-					path.node.body = addCounterToStmt(path.node.body);
-					path.insertAfter(makeCounterIncStmt());
-				},
-				TryStatement(path: NodePath<TryStatement>) {
-					const catchStmt = path.node.handler;
-					if (catchStmt) {
-						catchStmt.body.body.unshift(makeCounterIncStmt());
-					}
-					path.insertAfter(makeCounterIncStmt());
-				},
-				LogicalExpression(path: NodePath<LogicalExpression>) {
-					if (!isLogicalExpression(path.node.left)) {
-						path.node.left = types.sequenceExpression([
-							makeCounterIncExpr(),
-							path.node.left,
-						]);
-					}
-					if (!isLogicalExpression(path.node.right)) {
-						path.node.right = types.sequenceExpression([
-							makeCounterIncExpr(),
-							path.node.right,
-						]);
-					}
-				},
-				ConditionalExpression(path: NodePath<ConditionalExpression>) {
-					path.node.consequent = types.sequenceExpression([
-						makeCounterIncExpr(),
-						path.node.consequent,
-					]);
-					path.node.alternate = types.sequenceExpression([
-						makeCounterIncExpr(),
-						path.node.alternate,
-					]);
-					if (isBlockStatement(path.parent)) {
-						path.insertAfter(makeCounterIncStmt());
-					}
-				},
-			},
-		};
-	};
+export function codeCoverage(idStrategy: EdgeIdStrategy): () => PluginTarget {
+	return () => ({
+		visitor: makeCoverageVisitor(() =>
+			types.callExpression(
+				types.identifier("Fuzzer.coverageTracker.incrementCounter"),
+				[types.numericLiteral(idStrategy.nextEdgeId())],
+			),
+		),
+	});
 }

packages/instrumentor/plugins/coverageVisitor.ts

@@ -0,0 +1,120 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Shared coverage instrumentation visitor.
+ *
+ * Both the CJS instrumentor (incrementCounter calls) and the ESM
+ * instrumentor (direct array writes) inject counters at the same
+ * AST locations.  This module captures that shared visitor shape
+ * and lets each variant supply its own expression generator.
+ */
+
+import { NodePath, types, Visitor } from "@babel/core";
+import {
+	BlockStatement,
+	ConditionalExpression,
+	Expression,
+	ExpressionStatement,
+	Function,
+	IfStatement,
+	isBlockStatement,
+	isLogicalExpression,
+	LogicalExpression,
+	Loop,
+	Statement,
+	SwitchStatement,
+	TryStatement,
+} from "@babel/types";
+
+/**
+ * Build a Babel visitor that inserts a counter expression at every
+ * branch point.  The caller decides what that expression looks like.
+ */
+export function makeCoverageVisitor(
+	makeCounterExpr: () => Expression,
+): Visitor {
+	function makeStmt(): ExpressionStatement {
+		return types.expressionStatement(makeCounterExpr());
+	}
+
+	function wrapWithCounter(stmt: Statement): BlockStatement {
+		const counter = makeStmt();
+		if (isBlockStatement(stmt)) {
+			stmt.body.unshift(counter);
+			return stmt;
+		}
+		return types.blockStatement([counter, stmt]);
+	}
+
+	return {
+		Function(path: NodePath<Function>) {
+			if (isBlockStatement(path.node.body)) {
+				path.node.body.body.unshift(makeStmt());
+			}
+		},
+		IfStatement(path: NodePath<IfStatement>) {
+			path.node.consequent = wrapWithCounter(path.node.consequent);
+			if (path.node.alternate) {
+				path.node.alternate = wrapWithCounter(path.node.alternate);
+			}
+			path.insertAfter(makeStmt());
+		},
+		SwitchStatement(path: NodePath<SwitchStatement>) {
+			for (const caseClause of path.node.cases) {
+				caseClause.consequent.unshift(makeStmt());
+			}
+			path.insertAfter(makeStmt());
+		},
+		Loop(path: NodePath<Loop>) {
+			path.node.body = wrapWithCounter(path.node.body);
+			path.insertAfter(makeStmt());
+		},
+		TryStatement(path: NodePath<TryStatement>) {
+			if (path.node.handler) {
+				path.node.handler.body.body.unshift(makeStmt());
+			}
+			path.insertAfter(makeStmt());
+		},
+		LogicalExpression(path: NodePath<LogicalExpression>) {
+			if (!isLogicalExpression(path.node.left)) {
+				path.node.left = types.sequenceExpression([
+					makeCounterExpr(),
+					path.node.left,
+				]);
+			}
+			if (!isLogicalExpression(path.node.right)) {
+				path.node.right = types.sequenceExpression([
+					makeCounterExpr(),
+					path.node.right,
+				]);
+			}
+		},
+		ConditionalExpression(path: NodePath<ConditionalExpression>) {
+			path.node.consequent = types.sequenceExpression([
+				makeCounterExpr(),
+				path.node.consequent,
+			]);
+			path.node.alternate = types.sequenceExpression([
+				makeCounterExpr(),
+				path.node.alternate,
+			]);
+			if (isBlockStatement(path.parent)) {
+				path.insertAfter(makeStmt());
+			}
+		},
+	};
+}

packages/instrumentor/plugins/esmCodeCoverage.test.ts

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { transformSync } from "@babel/core";
+
+import { esmCodeCoverage } from "./esmCodeCoverage";
+import { removeIndentation } from "./testhelpers";
+
+function transform(code: string): { code: string; edgeCount: number } {
+	const coverage = esmCodeCoverage();
+	const result = transformSync(removeIndentation(code), {
+		filename: "test-module.mjs",
+		plugins: [coverage.plugin],
+	});
+	return {
+		code: removeIndentation(result?.code),
+		edgeCount: coverage.edgeCount(),
+	};
+}
+
+describe("ESM code coverage instrumentation", () => {
+	it("should emit direct array writes, not incrementCounter", () => {
+		const { code, edgeCount } = transform(`
+			|function foo() {
+			|  return 1;
+			|}`);
+
+		expect(code).toContain("__jazzer_cov[0]");
+		expect(code).not.toContain("incrementCounter");
+		expect(edgeCount).toBe(1);
+	});
+
+	it("should implement NeverZero via % 255 + 1", () => {
+		const { code } = transform(`
+			|function foo() {
+			|  return 1;
+			|}`);
+
+		expect(code).toContain("% 255");
+		expect(code).toContain("+ 1");
+		// Must NOT contain || or ?: to avoid infinite visitor recursion.
+		expect(code).not.toMatch(/\|\||[?:]/);
+	});
+
+	it("should assign sequential module-local IDs", () => {
+		const { code, edgeCount } = transform(`
+			|function foo() {
+			|  if (a) {
+			|    return 1;
+			|  } else {
+			|    return 2;
+			|  }
+			|}`);
+
+		// Function body, if-consequent, if-alternate, after-if
+		expect(edgeCount).toBe(4);
+		expect(code).toContain("__jazzer_cov[0]");
+		expect(code).toContain("__jazzer_cov[1]");
+		expect(code).toContain("__jazzer_cov[2]");
+		expect(code).toContain("__jazzer_cov[3]");
+	});
+
+	it("should instrument all branch types", () => {
+		const { edgeCount } = transform(`
+			|function foo(x) {
+			|  if (x > 0) { return 1; }
+			|  switch (x) {
+			|    case -1: return -1;
+			|    default: return 0;
+			|  }
+			|  for (let i = 0; i < x; i++) { sum += i; }
+			|  try { bar(); } catch (e) { log(e); }
+			|  const y = x > 0 ? 1 : 0;
+			|  const z = a || b;
+			|}`);
+
+		// This is a smoke test -- the exact count depends on how
+		// many edges each construct produces.  We just verify the
+		// number is reasonable (> 10 for this code) and non-zero.
+		expect(edgeCount).toBeGreaterThan(10);
+	});
+
+	it("should start edge IDs at 0 for each new module", () => {
+		const first = transform(`|function a() { return 1; }`);
+		const second = transform(`|function b() { return 2; }`);
+
+		// Both modules should use __jazzer_cov[0] since IDs are
+		// module-local, not global.
+		expect(first.code).toContain("__jazzer_cov[0]");
+		expect(second.code).toContain("__jazzer_cov[0]");
+		expect(first.edgeCount).toBe(1);
+		expect(second.edgeCount).toBe(1);
+	});
+
+	it("should return 0 edges for code with no branches", () => {
+		const { edgeCount } = transform(`|const x = 42;`);
+		expect(edgeCount).toBe(0);
+	});
+});