feat(fuzzer): symbolize CJS PCs with project-relative paths

Capture CJS edge source locations during instrumentation and register
those mappings so libFuzzer can resolve fake PCs to real JS lines.
Normalize both CJS and ESM filenames to project-relative paths before
registration so NEW_PC output is concise and stable.

Author: oetr

packages/instrumentor/edgeIdStrategy.ts

@@ -40,6 +40,8 @@ if (process.listeners) {
 
 export interface EdgeIdStrategy {
 	nextEdgeId(): number;
+	/** Return the next edge ID that will be allocated, without consuming it. */
+	peekNextEdgeId(): number;
 	startForSourceFile(filename: string): void;
 	commitIdCount(filename: string): void;
 }
@@ -52,6 +54,10 @@ export abstract class IncrementingEdgeIdStrategy implements EdgeIdStrategy {
 		return this._nextEdgeId++;
 	}
 
+	peekNextEdgeId(): number {
+		return this._nextEdgeId;
+	}
+
 	abstract startForSourceFile(filename: string): void;
 	abstract commitIdCount(filename: string): void;
 }
@@ -241,6 +247,10 @@ export class ZeroEdgeIdStrategy implements EdgeIdStrategy {
 		return 0;
 	}
 
+	peekNextEdgeId(): number {
+		return 0;
+	}
+
 	startForSourceFile(filename: string): void {
 		// Nothing to do here
 	}

packages/instrumentor/instrument.ts

@@ -26,11 +26,12 @@ import {
 } from "@babel/core";
 import { hookRequire, TransformerOptions } from "istanbul-lib-hook";
 
+import { fuzzer } from "@jazzer.js/fuzzer";
 import { hookManager, HookType } from "@jazzer.js/hooking";
 
 import { EdgeIdStrategy, MemorySyncIdStrategy } from "./edgeIdStrategy";
 import { instrumentationPlugins } from "./plugin";
-import { codeCoverage } from "./plugins/codeCoverage";
+import { cjsCoverage, CjsCoverageResult } from "./plugins/codeCoverage";
 import { compareHooks } from "./plugins/compareHooks";
 import { functionHooks } from "./plugins/functionHooks";
 import { sourceCodeCoverage } from "./plugins/sourceCodeCoverage";
@@ -63,8 +64,20 @@ export interface SerializedHook {
 	async: boolean;
 }
 
+const PROJECT_ROOT_PREFIX = (() => {
+	const cwd = path.resolve(process.cwd());
+	return cwd.endsWith(path.sep) ? cwd : `${cwd}${path.sep}`;
+})();
+
+function stripProjectRootPrefix(filename: string): string {
+	return filename.startsWith(PROJECT_ROOT_PREFIX)
+		? filename.slice(PROJECT_ROOT_PREFIX.length)
+		: filename;
+}
+
 export class Instrumentor {
 	private loaderPort: MessagePort | null = null;
+	private readonly cjsCoverage: CjsCoverageResult;
 
 	constructor(
 		private readonly includes: string[] = [],
@@ -82,6 +95,7 @@ export class Instrumentor {
 		}
 		this.includes = Instrumentor.cleanup(includes);
 		this.excludes = Instrumentor.cleanup(excludes);
+		this.cjsCoverage = cjsCoverage(this.idStrategy);
 	}
 
 	init(): () => void {
@@ -112,9 +126,10 @@ export class Instrumentor {
 
 		const shouldInstrumentFile = this.shouldInstrumentForFuzzing(filename);
 		if (shouldInstrumentFile) {
+			this.cjsCoverage.clear();
 			transformations.push(
 				...instrumentationPlugins.plugins,
-				codeCoverage(this.idStrategy),
+				this.cjsCoverage.plugin,
 				compareHooks,
 			);
 		}
@@ -154,11 +169,32 @@ export class Instrumentor {
 			}
 		}
 		if (shouldInstrumentFile) {
+			this.registerCjsPCLocations(filename);
 			this.idStrategy.commitIdCount(filename);
 		}
 		return result;
 	}
 
+	private registerCjsPCLocations(filename: string): void {
+		const entries = this.cjsCoverage.edgeEntries();
+		if (entries.length === 0) return;
+
+		const flat = new Int32Array(entries.length * 4);
+		for (let i = 0; i < entries.length; i++) {
+			const e = entries[i];
+			flat[i * 4] = e[0];
+			flat[i * 4 + 1] = e[1];
+			flat[i * 4 + 2] = e[2];
+			flat[i * 4 + 3] = e[3];
+		}
+		fuzzer.coverageTracker.registerPCLocations(
+			stripProjectRootPrefix(filename),
+			this.cjsCoverage.funcNames(),
+			flat,
+			0,
+		);
+	}
+
 	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	private asInputSourceOption(inputSourceMap: any): any {
 		// Empty input source maps mess up the coverage report.

packages/instrumentor/plugins/codeCoverage.ts

@@ -18,15 +18,52 @@ import { PluginTarget, types } from "@babel/core";
 
 import { EdgeIdStrategy } from "../edgeIdStrategy";
 
-import { makeCoverageVisitor } from "./coverageVisitor";
+import {
+	EdgeLocation,
+	makeCoverageVisitor,
+	StringInterner,
+} from "./coverageVisitor";
+import type { EdgeEntry } from "./esmCodeCoverage";
 
-export function codeCoverage(idStrategy: EdgeIdStrategy): () => PluginTarget {
-	return () => ({
-		visitor: makeCoverageVisitor(() =>
-			types.callExpression(
-				types.identifier("Fuzzer.coverageTracker.incrementCounter"),
-				[types.numericLiteral(idStrategy.nextEdgeId())],
+export interface CjsCoverageResult {
+	plugin: () => PluginTarget;
+	/** Deduplicated function name table accumulated so far. */
+	funcNames: () => string[];
+	/** Edge entries accumulated since the last clear(). */
+	edgeEntries: () => EdgeEntry[];
+	/** Reset accumulated entries — call after registering each file's locations. */
+	clear: () => void;
+}
+
+export function cjsCoverage(idStrategy: EdgeIdStrategy): CjsCoverageResult {
+	const funcNames = new StringInterner();
+	const entries: EdgeEntry[] = [];
+
+	const onEdge = (loc: EdgeLocation): void => {
+		const id = idStrategy.peekNextEdgeId();
+		entries.push([id, loc.line, loc.col, funcNames.intern(loc.func)]);
+	};
+
+	return {
+		plugin: () => ({
+			visitor: makeCoverageVisitor(
+				() =>
+					types.callExpression(
+						types.identifier("Fuzzer.coverageTracker.incrementCounter"),
+						[types.numericLiteral(idStrategy.nextEdgeId())],
+					),
+				onEdge,
 			),
-		),
-	});
+		}),
+		funcNames: () => funcNames.strings(),
+		edgeEntries: () => entries,
+		clear: () => {
+			entries.length = 0;
+			funcNames.clear();
+		},
+	};
+}
+
+export function codeCoverage(idStrategy: EdgeIdStrategy): () => PluginTarget {
+	return cjsCoverage(idStrategy).plugin;
 }