feat(instrumentor): register ESM source maps for stack trace rewriting

The ESM loader now generates separate source map objects instead of
inline ones and registers them with the main-thread SourceMapRegistry
via a preamble call.  This lets source-map-support (which hooks
Error.prepareStackTrace globally) remap ESM stack traces to original
source positions.

The preamble line-shift problem — where prepending code after Babel
made all source map lines off by one — is fixed by shifting the VLQ
mappings: each prepended semicolon represents an unmapped generated
line, pushing all real mappings down by the correct offset.

Author: oetr

packages/instrumentor/esm-loader.mts

@@ -126,7 +126,7 @@ function instrumentModule(code: string, filename: string): string | null {
 		transformed = transformSync(code, {
 			filename,
 			sourceFileName: filename,
-			sourceMaps: "inline",
+			sourceMaps: true,
 			plugins,
 			sourceType: "module",
 		});
@@ -141,13 +141,31 @@ function instrumentModule(code: string, filename: string): string | null {
 		return null;
 	}
 
-	// Prepend a one-liner that allocates this module's counter buffer
-	// and registers it with libFuzzer via the main-thread Fuzzer global.
-	const preamble =
-		`const ${COUNTER_ARRAY} = ` +
-		`Fuzzer.coverageTracker.createModuleCounters(${edges});\n`;
+	// Build a preamble that runs on the main thread before the module
+	// body.  It allocates the per-module coverage counter buffer and,
+	// when a source map is available, registers it with the main-thread
+	// SourceMapRegistry so that source-map-support can remap stack
+	// traces back to the original source.
+	const preambleLines = [
+		`const ${COUNTER_ARRAY} = Fuzzer.coverageTracker.createModuleCounters(${edges});`,
+	];
+
+	if (transformed.map) {
+		// Shift the source map to account for the preamble lines we are
+		// about to prepend.  In VLQ-encoded mappings each semicolon
+		// represents one generated line; prepending them pushes all real
+		// mappings down by the right amount.
+		const preambleOffset = preambleLines.length + 1; // +1 for the registration line itself
+		const shifted = {
+			...transformed.map,
+			mappings: ";".repeat(preambleOffset) + transformed.map.mappings,
+		};
+		preambleLines.push(
+			`__jazzer_registerSourceMap(${JSON.stringify(filename)}, ${JSON.stringify(shifted)});`,
+		);
+	}
 
-	return preamble + transformed.code;
+	return preambleLines.join("\n") + "\n" + transformed.code;
 }
 
 // ── Include / exclude filtering ──────────────────────────────────

packages/instrumentor/instrument.ts

@@ -72,6 +72,19 @@ export class Instrumentor {
 		if (this.includes.includes("jazzer.js")) {
 			this.unloadInternalModules();
 		}
+
+		// Expose a registration function so ESM modules can feed their
+		// source maps back to the main-thread registry.  The ESM loader
+		// thread cannot access this registry directly, but the preamble
+		// code it emits runs on the main thread during module evaluation
+		// — before the module body, and therefore before any error could
+		// need the map for stack-trace rewriting.
+		const registry = this.sourceMapRegistry;
+		(globalThis as Record<string, unknown>).__jazzer_registerSourceMap = (
+			filename: string,
+			map: SourceMap,
+		) => registry.registerSourceMap(filename, map);
+
 		return this.sourceMapRegistry.installSourceMapSupport();
 	}