test: mixed CJS+ESM fuzzing and compareHooks unit tests

Add an integration test where the fuzz target imports both a CJS
module (hookRequire path) and an ESM module (loader hook path).
Each function compares against a 10-byte random string literal
that can only be discovered through compare hooks feeding
dictionary entries to libFuzzer from both instrumentation paths.

Also add unit tests for esmCodeCoverage combined with compareHooks
(string, number, variable-to-variable, slice-then-compare) and
for complex logical expression chains (regression coverage for the
NeverZero arithmetic that avoids visitor recursion).

Author: oetr

packages/instrumentor/plugins/esmCodeCoverage.test.ts

@@ -14,16 +14,20 @@
  * limitations under the License.
  */
 
-import { transformSync } from "@babel/core";
+import { PluginItem, transformSync } from "@babel/core";
 
+import { compareHooks } from "./compareHooks";
 import { esmCodeCoverage } from "./esmCodeCoverage";
 import { removeIndentation } from "./testhelpers";
 
-function transform(code: string): { code: string; edgeCount: number } {
+function transform(
+	code: string,
+	extraPlugins: PluginItem[] = [],
+): { code: string; edgeCount: number } {
 	const coverage = esmCodeCoverage();
 	const result = transformSync(removeIndentation(code), {
 		filename: "test-module.mjs",
-		plugins: [coverage.plugin],
+		plugins: [coverage.plugin, ...extraPlugins],
 	});
 	return {
 		code: removeIndentation(result?.code),
@@ -109,4 +113,110 @@ describe("ESM code coverage instrumentation", () => {
 		const { edgeCount } = transform(`|const x = 42;`);
 		expect(edgeCount).toBe(0);
 	});
+
+	describe("combined with compareHooks", () => {
+		it("should replace string-literal === with traceStrCmp", () => {
+			const { code } = transform(
+				`
+				|export function check(s) {
+				|  return s === "secret";
+				|}`,
+				[compareHooks],
+			);
+
+			// The === against a string literal must be replaced.
+			expect(code).toContain("Fuzzer.tracer.traceStrCmp");
+			expect(code).toContain('"secret"');
+			expect(code).toContain('"==="');
+			// The raw === should be gone from the check expression.
+			expect(code).not.toMatch(/s\s*===\s*"secret"/);
+		});
+
+		it("should replace number-literal === with traceNumberCmp", () => {
+			const { code } = transform(
+				`
+				|export function classify(n) {
+				|  if (n > 10) return "big";
+				|  if (n === 0) return "zero";
+				|  return "small";
+				|}`,
+				[compareHooks],
+			);
+
+			expect(code).toContain("Fuzzer.tracer.traceNumberCmp");
+		});
+
+		it("should NOT hook variable-to-variable comparisons", () => {
+			// compareHooks only fires when one operand is a literal.
+			// Comparing two identifiers is not hooked (same as CJS).
+			const { code } = transform(
+				`
+				|const target = "something";
+				|export function check(s) {
+				|  return s === target;
+				|}`,
+				[compareHooks],
+			);
+
+			expect(code).not.toContain("Fuzzer.tracer.traceStrCmp");
+		});
+
+		it("should hook slice-then-compare patterns", () => {
+			// This is the pattern used in the integration tests.
+			const { code } = transform(
+				`
+				|export function verify(s) {
+				|  if (s.slice(0, 16) === "a]3;d*F!pk29&bAc") {
+				|    throw new Error("found it");
+				|  }
+				|}`,
+				[compareHooks],
+			);
+
+			expect(code).toContain("Fuzzer.tracer.traceStrCmp");
+			expect(code).toContain("a]3;d*F!pk29&bAc");
+		});
+
+		it("should produce both coverage and hooks together", () => {
+			const { code, edgeCount } = transform(
+				`
+				|export function check(s) {
+				|  if (s === "secret") {
+				|    return true;
+				|  }
+				|  return false;
+				|}`,
+				[compareHooks],
+			);
+
+			// Coverage counters from esmCodeCoverage
+			expect(code).toContain("__jazzer_cov[");
+			expect(edgeCount).toBeGreaterThan(0);
+			// Compare hooks
+			expect(code).toContain("Fuzzer.tracer.traceStrCmp");
+		});
+	});
+
+	describe("logical expression handling", () => {
+		it("should instrument nested logical expressions", () => {
+			const { code, edgeCount } = transform(`
+				|const x = a || b && c;`);
+
+			// Should have instrumented the leaves of the logical tree.
+			expect(edgeCount).toBeGreaterThanOrEqual(2);
+			expect(code).toContain("__jazzer_cov[");
+		});
+
+		it("should not infinite-loop on complex logical chains", () => {
+			// This would cause infinite recursion if the counter
+			// expression contained || or &&.
+			const { code, edgeCount } = transform(`
+				|function f() {
+				|  return a || b || c || d || e;
+				|}`);
+
+			expect(edgeCount).toBeGreaterThan(0);
+			expect(code).toContain("__jazzer_cov[");
+		});
+	});
 });

tests/esm_cjs_mixed/cjs-check.cjs

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * CJS module — instrumented via hookRequire (require.extensions).
+ *
+ * The 10-byte random string cannot be brute-forced; the fuzzer
+ * needs the CJS compare hooks to discover it.
+ */
+function checkCjs(s) {
+	return s === "r4Tp!mZ@8s";
+}
+
+module.exports = { checkCjs: checkCjs };

tests/esm_cjs_mixed/esm-check.mjs

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * ESM module — instrumented via the ESM loader hook (module.register).
+ *
+ * The 10-byte random string cannot be brute-forced; the fuzzer
+ * needs the ESM compare hooks to discover it.
+ */
+export function checkEsm(s) {
+	return s === "Vj9!xR2#nP";
+}

tests/esm_cjs_mixed/esm_cjs_mixed.test.js

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const { FuzzTestBuilder, cleanCrashFilesIn } = require("../helpers.js");
+
+// module.register() is needed for ESM loader hooks.
+const [major, minor] = process.versions.node.split(".").map(Number);
+const supportsEsmHooks = major > 20 || (major === 20 && minor >= 6);
+
+const describeOrSkip = supportsEsmHooks ? describe : describe.skip;
+
+describeOrSkip("Mixed CJS + ESM instrumentation", () => {
+	afterAll(async () => {
+		await cleanCrashFilesIn(__dirname);
+	});
+
+	it("should find a secret split across a CJS and an ESM module", () => {
+		// The fuzz target imports checkPrefix from cjs-check.cjs
+		// (instrumented via hookRequire) and checkSuffix from
+		// esm-check.mjs (instrumented via the ESM loader hook).
+		// Both halves are 16-byte random string literals that can
+		// only be discovered through their respective compare hooks.
+		const fuzzTest = new FuzzTestBuilder()
+			.fuzzEntryPoint("fuzz")
+			.fuzzFile("fuzz.mjs")
+			.dir(__dirname)
+			.sync(true)
+			.disableBugDetectors([".*"])
+			.expectedErrors("Error")
+			.runs(5000000)
+			.seed(111994470)
+			.build();
+
+		fuzzTest.execute();
+		expect(fuzzTest.stderr).toContain("Found the mixed CJS+ESM secret!");
+	});
+});

tests/esm_cjs_mixed/fuzz.mjs

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * ESM fuzz target that imports from BOTH a CJS module and an ESM
+ * module.  Each function checks a 16-byte random string literal:
+ *
+ *   - cjs-check.cjs  verifies bytes  0..15  (hookRequire path)
+ *   - esm-check.mjs  verifies bytes 16..31  (ESM loader path)
+ *
+ * Both functions are called unconditionally so that both compare
+ * hooks fire on every fuzzing iteration, feeding libFuzzer
+ * dictionary entries from both instrumentation paths.
+ */
+
+import { checkCjs } from "./cjs-check.cjs";
+import { checkEsm } from "./esm-check.mjs";
+import { FuzzedDataProvider } from "@jazzer.js/core";
+
+export function fuzz(data) {
+	const fdp = new FuzzedDataProvider(data);
+	const cjsOk = checkCjs(fdp.consumeString(10));
+	const esmOk = checkEsm(fdp.consumeString(10));
+	if (cjsOk && esmOk) {
+		throw new Error("Found the mixed CJS+ESM secret!");
+	}
+}

tests/esm_cjs_mixed/package.json

@@ -0,0 +1,12 @@
+{
+	"name": "jazzerjs-esm-cjs-mixed-test",
+	"version": "1.0.0",
+	"description": "Integration test: fuzzer finds a secret split across CJS and ESM modules",
+	"scripts": {
+		"fuzz": "jest --config '{}'",
+		"dryRun": "echo \"Skipped: requires Node >= 20.6 for ESM loader hooks\""
+	},
+	"devDependencies": {
+		"@jazzer.js/core": "file:../../packages/core"
+	}
+}