fix(libafl): support lazy ESM coverage

Allocate ESM counters from the shared global map and let libAFL observe its active length instead of a startup snapshot. This keeps lazy import() coverage deterministic via the existing edge ID strategy and locks in the behavior with integration tests. Also ignore host Babel config for runtime transforms so ESM instrumentation keeps module semantics intact.

Author: oetr

packages/fuzzer/addon.ts

@@ -61,7 +61,6 @@ export type StartLibAflAsyncFn = (
 type NativeAddon = {
 	registerCoverageMap: (buffer: Buffer) => void;
 	registerNewCounters: (oldNumCounters: number, newNumCounters: number) => void;
-	registerModuleCounters: (buffer: Buffer) => void;
 
 	traceUnequalStrings: (
 		hookId: number,

packages/fuzzer/coverage.ts

@@ -16,17 +16,23 @@
 
 import { addon } from "./addon";
 
+type CoverageRangeAllocator = (filename: string, edgeCount: number) => number;
+
+function getCoverageRangeAllocator(): CoverageRangeAllocator {
+	const allocator = (globalThis as Record<string, unknown>)
+		.__jazzer_reserveCoverageRange;
+	if (typeof allocator !== "function") {
+		throw new Error("Coverage range allocator was not initialized");
+	}
+	return allocator as CoverageRangeAllocator;
+}
+
 export class CoverageTracker {
 	private static readonly MAX_NUM_COUNTERS: number = 1 << 20;
 	private static readonly INITIAL_NUM_COUNTERS: number = 1 << 9;
 	private readonly coverageMap: Buffer;
 	private currentNumCounters: number;
 
-	// Per-module counter buffers registered independently with libFuzzer.
-	// We must prevent GC from reclaiming these while libFuzzer still
-	// monitors the underlying memory.
-	private readonly moduleCounters: Buffer[] = [];
-
 	constructor() {
 		this.coverageMap = Buffer.alloc(CoverageTracker.MAX_NUM_COUNTERS, 0);
 		this.currentNumCounters = CoverageTracker.INITIAL_NUM_COUNTERS;
@@ -71,16 +77,17 @@ export class CoverageTracker {
 		return this.coverageMap.readUint8(edgeId);
 	}
 
-	/**
-	 * Allocate an independent counter buffer for a single module and
-	 * register it with libFuzzer as a new coverage region.  This lets
-	 * each ESM module own its own counters without sharing global IDs.
-	 */
-	createModuleCounters(size: number): Buffer {
-		const buf = Buffer.alloc(size, 0);
-		this.moduleCounters.push(buf);
-		addon.registerModuleCounters(buf);
-		return buf;
+	createModuleCounters(filename: string, edgeCount: number): Buffer {
+		if (!Number.isInteger(edgeCount) || edgeCount < 0) {
+			throw new Error(`Invalid edge count: ${edgeCount}`);
+		}
+		if (edgeCount === 0) {
+			return Buffer.alloc(0);
+		}
+
+		const firstEdgeId = getCoverageRangeAllocator()(filename, edgeCount);
+		this.enlargeCountersBufferIfNeeded(firstEdgeId + edgeCount - 1);
+		return this.coverageMap.subarray(firstEdgeId, firstEdgeId + edgeCount);
 	}
 }
 

packages/fuzzer/libafl_runtime.cpp

@@ -593,20 +593,23 @@ ParsedRuntimeOptions ParseRuntimeOptions(Napi::Env env,
 
 JazzerLibAflRuntimeSharedMaps SharedMapsForRuntime(Napi::Env env) {
   auto *edges = CoverageCounters();
-  const auto edges_len = CoverageCountersSize();
+  const auto edges_capacity = CoverageCountersCapacity();
+  auto *edges_size = CoverageCountersSizePointer();
   auto *cmp = CompareFeedbackMap();
   const auto cmp_len = CompareFeedbackMapSize();
   auto *compare_log = CompareLog();
   auto *finding_info = &gFindingInfo;
 
-  if (edges == nullptr || edges_len == 0 || cmp == nullptr || cmp_len == 0 ||
-      compare_log == nullptr || finding_info == nullptr) {
+  if (edges == nullptr || edges_capacity == 0 || edges_size == nullptr ||
+      cmp == nullptr || cmp_len == 0 || compare_log == nullptr ||
+      finding_info == nullptr) {
     throw Napi::Error::New(
         env,
         "Coverage maps were not initialized before the LibAFL backend started");
   }
 
-  return {edges, edges_len, cmp, cmp_len, compare_log, finding_info};
+  return {edges, edges_capacity, edges_size, cmp,
+          cmp_len, compare_log, finding_info};
 }
 
 bool CollectRegressionCorpusFiles(

packages/fuzzer/libafl_runtime.h

@@ -44,7 +44,8 @@ struct JazzerLibAflRuntimeOptions {
 
 struct JazzerLibAflRuntimeSharedMaps {
   uint8_t *edges;
-  size_t edges_len;
+  size_t edges_capacity;
+  size_t *edges_size;
   uint8_t *cmp;
   size_t cmp_len;
   JazzerLibAflCompareLog *compare_log;

packages/fuzzer/rust/src/lib.rs

@@ -8,6 +8,7 @@ use std::fs;
 use std::io::IsTerminal;
 use std::path::PathBuf;
 use std::rc::Rc;
+use std::slice;
 use std::time::{Duration, Instant};
 
 use libafl::{
@@ -26,7 +27,9 @@ use libafl::{
         havoc_mutations::havoc_mutations, scheduled::HavocScheduledMutator, tokens_mutations,
         I2SRandReplace, Tokens,
     },
-    observers::{CanTrack, HitcountsMapObserver, StdMapObserver},
+    observers::{
+        CanTrack, HitcountsMapObserver, StdMapObserver, VariableMapObserver,
+    },
     schedulers::{
         powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, PowerQueueScheduler,
     },
@@ -82,7 +85,8 @@ pub struct JazzerLibAflRuntimeOptions {
 #[repr(C)]
 pub struct JazzerLibAflRuntimeSharedMaps {
     pub edges: *mut u8,
-    pub edges_len: usize,
+    pub edges_capacity: usize,
+    pub edges_size: *mut usize,
     pub cmp: *mut u8,
     pub cmp_len: usize,
     pub compare_log: *mut JazzerLibAflCompareLog,
@@ -619,23 +623,40 @@ fn clear_finding_info(ptr: *mut JazzerLibAflFindingInfo) {
     }
 }
 
+fn edge_map_len(maps: &JazzerLibAflRuntimeSharedMaps) -> usize {
+    if maps.edges_size.is_null() {
+        0
+    } else {
+        unsafe { (*maps.edges_size).min(maps.edges_capacity) }
+    }
+}
+
+fn has_non_zero_coverage(ptr: *mut u8, len: usize) -> bool {
+    if ptr.is_null() || len == 0 {
+        return false;
+    }
+
+    unsafe { slice::from_raw_parts(ptr, len).iter().any(|slot| *slot != 0) }
+}
+
 fn ensure_non_empty_edge_map(ptr: *mut u8, len: usize) -> bool {
+    if has_non_zero_coverage(ptr, len) {
+        return false;
+    }
+
     if ptr.is_null() || len == 0 {
         return false;
     }
 
     unsafe {
-        let map = std::slice::from_raw_parts_mut(ptr, len);
-        if map.iter().all(|slot| *slot == 0) {
-            // Power scheduling rejects corpus entries that never hit any edge.
-            // Preserve the old behavior for uninstrumented callbacks by marking
-            // one synthetic edge only when the target left the map untouched.
-            map[0] = 1;
-            return true;
-        }
+        let map = slice::from_raw_parts_mut(ptr, len);
+        // Power scheduling rejects corpus entries that never hit any edge.
+        // Preserve the old behavior for uninstrumented callbacks by marking
+        // one synthetic edge only when the target left every coverage region untouched.
+        map[0] = 1;
     }
 
-    false
+    true
 }
 
 unsafe fn parse_corpus_directories(options: &JazzerLibAflRuntimeOptions) -> Option<Vec<PathBuf>> {
@@ -713,7 +734,8 @@ pub unsafe extern "C" fn jazzer_libafl_runtime_run(
     let options = &*options;
     let maps = &*maps;
     if maps.edges.is_null()
-        || maps.edges_len == 0
+        || maps.edges_capacity == 0
+        || maps.edges_size.is_null()
         || maps.cmp.is_null()
         || maps.cmp_len == 0
         || maps.compare_log.is_null()
@@ -749,11 +771,14 @@ pub unsafe extern "C" fn jazzer_libafl_runtime_run(
     let (monitor, monitor_state) = LibAflMonitor::new(maps.finding_info);
     let mut mgr = SimpleEventManager::new(monitor);
 
-    let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
-        "edges",
-        maps.edges,
-        maps.edges_len,
-    ))
+    let edges_observer = HitcountsMapObserver::new(
+        VariableMapObserver::from_mut_ptr(
+            "edges",
+            maps.edges,
+            maps.edges_capacity,
+            maps.edges_size,
+        ),
+    )
     .track_indices();
     let cmp_observer =
         HitcountsMapObserver::new(StdMapObserver::from_mut_ptr("cmp", maps.cmp, maps.cmp_len));
@@ -814,7 +839,7 @@ pub unsafe extern "C" fn jazzer_libafl_runtime_run(
     let timeout_found = Cell::new(false);
 
     let mut harness = |input: &BytesInput| {
-        clear_shared_map(maps.edges, maps.edges_len);
+        clear_shared_map(maps.edges, edge_map_len(maps));
         clear_shared_map(maps.cmp, maps.cmp_len);
         clear_compare_log(maps.compare_log);
         clear_finding_info(maps.finding_info);
@@ -823,7 +848,10 @@ pub unsafe extern "C" fn jazzer_libafl_runtime_run(
         let bytes = bytes.as_slice();
         let size = bytes.len().min(options.max_len);
         let status = unsafe { execute_one(user_data, bytes.as_ptr(), size) };
-        let synthetic_edges = ensure_non_empty_edge_map(maps.edges, maps.edges_len);
+        let synthetic_edges = ensure_non_empty_edge_map(
+            maps.edges,
+            edge_map_len(maps),
+        );
         monitor_state.borrow_mut().last_edges_are_synthetic = synthetic_edges;
         match status {
             EXECUTION_CONTINUE => ExitKind::Ok,

packages/fuzzer/shared/callbacks.cpp

@@ -21,8 +21,6 @@ void RegisterCallbackExports(Napi::Env env, Napi::Object exports) {
       Napi::Function::New<RegisterCoverageMap>(env);
   exports["registerNewCounters"] =
       Napi::Function::New<RegisterNewCounters>(env);
-  exports["registerModuleCounters"] =
-      Napi::Function::New<RegisterModuleCounters>(env);
   exports["traceUnequalStrings"] =
       Napi::Function::New<TraceUnequalStrings>(env);
   exports["traceStringContainment"] =

packages/fuzzer/shared/coverage.cpp

@@ -25,8 +25,10 @@ void __sanitizer_cov_pcs_init(const uintptr_t *pcs_beg,
 
 namespace {
 // Shared coverage counter buffer populated from JavaScript using Buffer.
-// Individual slices are registered with libFuzzer by RegisterNewCounters.
+// It is preallocated on the JavaScript side; registerNewCounters grows the
+// active prefix that the fuzzing backends should observe.
 uint8_t *gCoverageCounters = nullptr;
+std::size_t gCoverageCountersCapacity = 0;
 std::size_t gCoverageCountersSize = 0;
 
 // PC-Table is used by libFuzzer to keep track of program addresses
@@ -78,6 +80,7 @@ void RegisterCoverageMap(const Napi::CallbackInfo &info) {
   auto buf = info[0].As<Napi::Buffer<uint8_t>>();
 
   gCoverageCounters = reinterpret_cast<uint8_t *>(buf.Data());
+  gCoverageCountersCapacity = buf.Length();
 }
 
 void RegisterNewCounters(const Napi::CallbackInfo &info) {
@@ -98,6 +101,10 @@ void RegisterNewCounters(const Napi::CallbackInfo &info) {
         info.Env(),
         "new_num_counters must not be smaller than old_num_counters");
   }
+  if (static_cast<std::size_t>(new_num_counters) > gCoverageCountersCapacity) {
+    throw Napi::Error::New(info.Env(),
+                           "new_num_counters exceeds the coverage map size");
+  }
   if (new_num_counters == old_num_counters) {
     return;
   }
@@ -107,28 +114,14 @@ void RegisterNewCounters(const Napi::CallbackInfo &info) {
   gCoverageCountersSize = static_cast<std::size_t>(new_num_counters);
 }
 
-// Register an independent coverage counter region for a single ES module.
-// libFuzzer supports multiple disjoint counter regions; each call here
-// hands it a fresh one.
-void RegisterModuleCounters(const Napi::CallbackInfo &info) {
-  if (info.Length() != 1 || !info[0].IsBuffer()) {
-    throw Napi::Error::New(info.Env(),
-                           "Need one argument: a Buffer of 8-bit counters");
-  }
-
-  auto buf = info[0].As<Napi::Buffer<uint8_t>>();
-  auto size = buf.Length();
-  if (size == 0) {
-    return;
-  }
-
-  RegisterCounterRange(buf.Data(), buf.Data() + size);
-}
-
 uint8_t *CoverageCounters() { return gCoverageCounters; }
 
+std::size_t CoverageCountersCapacity() { return gCoverageCountersCapacity; }
+
 std::size_t CoverageCountersSize() { return gCoverageCountersSize; }
 
+std::size_t *CoverageCountersSizePointer() { return &gCoverageCountersSize; }
+
 void ClearCoverageCounters() {
   if (gCoverageCounters == nullptr || gCoverageCountersSize == 0) {
     return;

packages/fuzzer/shared/coverage.h

@@ -19,8 +19,9 @@
 
 void RegisterCoverageMap(const Napi::CallbackInfo &info);
 void RegisterNewCounters(const Napi::CallbackInfo &info);
-void RegisterModuleCounters(const Napi::CallbackInfo &info);
 
 uint8_t *CoverageCounters();
+std::size_t CoverageCountersCapacity();
 std::size_t CoverageCountersSize();
+std::size_t *CoverageCountersSizePointer();
 void ClearCoverageCounters();