CodeIntelligenceTesting
diff --git a/‎packages/fuzzer/coverage.ts‎
Lines changed: 2 additions & 1 deletion b/‎packages/fuzzer/coverage.ts‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/fuzzer/shared/coverage.cpp‎
Lines changed: 34 additions & 4 deletions b/‎packages/fuzzer/shared/coverage.cpp‎
Lines changed: 34 additions & 4 deletions
diff --git a/‎packages/instrumentor/SourceMapRegistry.ts‎
Lines changed: 120 additions & 0 deletions b/‎packages/instrumentor/SourceMapRegistry.ts‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎packages/instrumentor/esm-loader.mts‎
Lines changed: 22 additions & 10 deletions b/‎packages/instrumentor/esm-loader.mts‎
Lines changed: 22 additions & 10 deletions
@@ -95,7 +95,8 @@ export class CoverageTracker {
 	 *
 	 * @param filename  Source file path
 	 * @param funcNames Deduplicated function name table
-	 * @param entries   Flat Int32Array: [edgeId, line, col, funcIdx, ...]
+	 * @param entries   Flat Int32Array:
+	 *                  [edgeId, line, col, funcIdx, isFuncEntry, ...]
 	 * @param pcBase    For ESM: the pcBase from createModuleCounters.
 	 *                  For CJS: pass 0 (edge IDs are already global PCs).
 	 */
 
@@ -27,15 +27,23 @@ namespace {
 // We register an array of 8-bit coverage counters with libFuzzer. The array is
 // populated from JavaScript using Buffer.
 uint8_t *gCoverageCounters = nullptr;
+size_t gCoverageCountersSize = 0;
 
 // PC-Table is used by libfuzzer to keep track of program addresses
 // corresponding to coverage counters. The flags determine whether the
-// corresponding counter is the beginning of a function; we don't currently use
-// it.
+// corresponding counter is the beginning of a function.
 struct PCTableEntry {
   uintptr_t PC, PCFlags;
 };
 
+struct ModulePCTable {
+  uintptr_t basePC;
+  size_t numEntries;
+  PCTableEntry *entries;
+};
+
+std::vector<ModulePCTable> gModulePCTables;
+
 // The array of supplementary information for coverage counters. Each entry
 // corresponds to an entry in gCoverageCounters; since we don't know the actual
 // addresses of our counters in JS land, we fill this table with fake
@@ -54,6 +62,7 @@ void RegisterCoverageMap(const Napi::CallbackInfo &info) {
   auto buf = info[0].As<Napi::Buffer<uint8_t>>();
 
   gCoverageCounters = reinterpret_cast<uint8_t *>(buf.Data());
+  gCoverageCountersSize = buf.Length();
   // Fill the PC table with fake entries. The only requirement is that the fake
   // addresses must not collide with the locations of real counters (e.g., from
   // instrumented C++ code). Therefore, we just use the address of the counter
@@ -122,6 +131,7 @@ Napi::Value RegisterModuleCounters(const Napi::CallbackInfo &info) {
   __sanitizer_cov_8bit_counters_init(buf.Data(), buf.Data() + size);
   __sanitizer_cov_pcs_init(reinterpret_cast<uintptr_t *>(pcEntries),
                            reinterpret_cast<uintptr_t *>(pcEntries + size));
+  gModulePCTables.push_back({basePC, size, pcEntries});
 
   return Napi::Number::New(info.Env(), static_cast<double>(basePC));
 }
@@ -155,6 +165,13 @@ uint32_t internString(const std::string &s) {
   return static_cast<uint32_t>(gStringTable.size() - 1);
 }
 
+ModulePCTable *findModulePCTable(uintptr_t basePC) {
+  for (auto &table : gModulePCTables) {
+    if (table.basePC == basePC) return &table;
+  }
+  return nullptr;
+}
+
 // Undo libFuzzer's GetNextInstructionPc before lookup.
 uintptr_t toPCTablePC(uintptr_t symbolizerPC) {
 #if defined(__aarch64__) || defined(__arm__)
@@ -167,7 +184,8 @@ uintptr_t toPCTablePC(uintptr_t symbolizerPC) {
 } // namespace
 
 // Called from JS: registerPCLocations(filename, funcNames[], entries[], pcBase)
-// entries is a flat Int32Array: [edgeId, line, col, funcIdx, ...]
+// entries is a flat Int32Array:
+// [edgeId, line, col, funcIdx, isFuncEntry, ...]
 // pcBase: for ESM pass the value returned by registerModuleCounters;
 //         for CJS pass 0 (edge IDs are already global PCs).
 void RegisterPCLocations(const Napi::CallbackInfo &info) {
@@ -199,12 +217,14 @@ void RegisterPCLocations(const Napi::CallbackInfo &info) {
   bool isEsm = pcBase >= ESM_BASE;
   auto baseOffset = isEsm ? pcBase - ESM_BASE : pcBase;
   auto &locations = isEsm ? gEsmLocations : gCjsLocations;
+  auto *modulePCTable = isEsm ? findModulePCTable(pcBase) : nullptr;
 
-  for (size_t i = 0; i + 3 < length; i += 4) {
+  for (size_t i = 0; i + 4 < length; i += 5) {
     auto edgeId = static_cast<uint32_t>(data[i]);
     auto line = static_cast<uint32_t>(data[i + 1]);
     auto col = static_cast<uint32_t>(data[i + 2]);
     auto localFuncIdx = static_cast<uint32_t>(data[i + 3]);
+    bool isFuncEntry = data[i + 4] != 0;
 
     auto idx = baseOffset + edgeId;
     if (idx >= locations.size()) {
@@ -214,6 +234,16 @@ void RegisterPCLocations(const Napi::CallbackInfo &info) {
     uint32_t globalFuncIdx =
         localFuncIdx < funcIndices.size() ? funcIndices[localFuncIdx] : 0;
     locations[idx] = {fileIdx, globalFuncIdx, line, col};
+
+    if (!isFuncEntry) continue;
+
+    if (isEsm) {
+      if (modulePCTable != nullptr && edgeId < modulePCTable->numEntries) {
+        modulePCTable->entries[edgeId].PCFlags |= 1;
+      }
+    } else if (gPCEntries != nullptr && edgeId < gCoverageCountersSize) {
+      gPCEntries[edgeId].PCFlags |= 1;
+    }
   }
 }
 
 
@@ -14,6 +14,10 @@
  * limitations under the License.
  */
 
+import * as fs from "fs";
+import * as path from "path";
+import { fileURLToPath } from "url";
+
 import { RawSourceMap } from "source-map";
 import sms from "source-map-support";
 
@@ -39,6 +43,8 @@ const regex = RegExp(
 	"mg",
 );
 
+const URL_PREFIX = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//;
+
 /**
  * Extracts the inline source map from a code string.
  *
@@ -54,14 +60,128 @@ export function extractInlineSourceMap(code: string): SourceMap | undefined {
 	}
 }
 
+/**
+ * Extracts a source map from code, preferring inline data URLs and
+ * falling back to file-based sourceMappingURL comments.
+ */
+export function extractSourceMap(
+	code: string,
+	filename: string,
+): SourceMap | undefined {
+	return (
+		extractInlineSourceMap(code) ?? extractExternalSourceMap(code, filename)
+	);
+}
+
+function extractExternalSourceMap(
+	code: string,
+	filename: string,
+): SourceMap | undefined {
+	const sourceMapUrl = extractSourceMapUrl(code);
+	if (!sourceMapUrl || sourceMapUrl.startsWith("data:")) {
+		return;
+	}
+
+	const sanitizedUrl = sourceMapUrl.split("#", 1)[0].split("?", 1)[0];
+	const mapPath = resolveSourceMapPath(filename, sanitizedUrl);
+	if (!mapPath) {
+		return;
+	}
+
+	try {
+		const mapContent = fs.readFileSync(mapPath, "utf8");
+		return JSON.parse(mapContent);
+	} catch {
+		return;
+	}
+}
+
+function extractSourceMapUrl(code: string): string | undefined {
+	let lineEnd = code.length;
+	while (lineEnd >= 0) {
+		let lineStart = code.lastIndexOf("\n", lineEnd - 1);
+		lineStart = lineStart === -1 ? 0 : lineStart + 1;
+
+		const sourceMapUrl = parseSourceMapDirective(
+			code.slice(lineStart, lineEnd).trim(),
+		);
+		if (sourceMapUrl) {
+			return sourceMapUrl;
+		}
+
+		if (lineStart === 0) {
+			break;
+		}
+
+		lineEnd = lineStart - 1;
+		if (lineEnd > 0 && code[lineEnd - 1] === "\r") {
+			lineEnd--;
+		}
+	}
+}
+
+function parseSourceMapDirective(line: string): string | undefined {
+	if (!line) {
+		return;
+	}
+
+	let body: string;
+	if ((line.startsWith("//#") || line.startsWith("//@")) && line.length >= 3) {
+		body = line.slice(3);
+	} else if (
+		(line.startsWith("/*#") || line.startsWith("/*@")) &&
+		line.length >= 3
+	) {
+		body = line.endsWith("*/") ? line.slice(3, -2) : line.slice(3);
+	} else {
+		return;
+	}
+
+	body = body.trimStart();
+	const directive = "sourceMappingURL=";
+	if (!body.startsWith(directive)) {
+		return;
+	}
+
+	const sourceMapUrl = body.slice(directive.length).trim();
+	return sourceMapUrl || undefined;
+}
+
+function resolveSourceMapPath(
+	filename: string,
+	sourceMapUrl: string,
+): string | undefined {
+	if (!sourceMapUrl) {
+		return;
+	}
+
+	if (sourceMapUrl.startsWith("file://")) {
+		return fileURLToPath(sourceMapUrl);
+	}
+	if (URL_PREFIX.test(sourceMapUrl)) {
+		return;
+	}
+
+	let decodedUrl = sourceMapUrl;
+	try {
+		decodedUrl = decodeURIComponent(sourceMapUrl);
+	} catch {
+		// Keep undecoded value if it contains invalid escapes.
+	}
+
+	return path.resolve(path.dirname(filename), decodedUrl);
+}
+
 export function toRawSourceMap(
 	sourceMap?: SourceMap,
 ): RawSourceMap | undefined {
 	if (sourceMap) {
 		return {
 			version: sourceMap.version.toString(),
+			file: sourceMap.file,
 			sources: sourceMap.sources ?? [],
 			names: sourceMap.names,
+			sourceRoot: sourceMap.sourceRoot,
 			sourcesContent: sourceMap.sourcesContent,
 			mappings: sourceMap.mappings,
 		};
 
@@ -43,6 +43,10 @@ const { sourceCodeCoverage } =
 	require("./plugins/sourceCodeCoverage.js") as typeof import("./plugins/sourceCodeCoverage.js");
 const { functionHooks } =
 	require("./plugins/functionHooks.js") as typeof import("./plugins/functionHooks.js");
+const { buildPCLocationBatches } =
+	require("./pcLocationBatches.js") as typeof import("./pcLocationBatches.js");
+const { extractSourceMap, toRawSourceMap } =
+	require("./SourceMapRegistry.js") as typeof import("./SourceMapRegistry.js");
 
 // The loader thread has its own CJS module cache, so this is a
 // separate HookManager instance from the main thread's.  We populate
@@ -136,6 +140,7 @@ export const load: LoadFn = async function load(url, context, nextLoad) {
 
 function instrumentModule(code: string, filename: string): string | null {
 	drainHookUpdates();
+	const inputSourceMap = extractSourceMap(code, filename);
 
 	const fuzzerCoverage = esmCodeCoverage();
 
@@ -163,6 +168,7 @@ function instrumentModule(code: string, filename: string): string | null {
 			filename,
 			sourceFileName: filename,
 			sourceMaps: true,
+			inputSourceMap: toRawSourceMap(inputSourceMap) as any,
 			plugins,
 			sourceType: "module",
 		});
@@ -176,8 +182,6 @@ function instrumentModule(code: string, filename: string): string | null {
 	if (edges === 0 || !transformed?.code) {
 		return null;
 	}
-	const displayFilename = stripProjectRootPrefix(filename);
-
 	// Build a preamble that runs on the main thread before the module
 	// body.  It allocates the per-module coverage counter buffer and,
 	// when a source map is available, registers it with the main-thread
@@ -188,18 +192,26 @@ function instrumentModule(code: string, filename: string): string | null {
 	];
 
 	// Register edge-to-source mappings for PC symbolization.
-	// Serialized as a flat array: [id, line, col, funcIdx, ...]
+	// Serialized as a flat array:
+	// [id, line, col, funcIdx, isFuncEntry, ...]
 	const edgeEntries = fuzzerCoverage.edgeEntries();
 	if (edgeEntries.length > 0) {
-		const flat = edgeEntries.flat();
 		const funcNames = fuzzerCoverage.funcNames();
-		preambleLines.push(
-			`Fuzzer.coverageTracker.registerPCLocations(` +
-				`${JSON.stringify(displayFilename)},` +
-				`${JSON.stringify(funcNames)},` +
-				`new Int32Array(${JSON.stringify(flat)}),` +
-				`__jazzer_pcBase);`,
+		const batches = buildPCLocationBatches(
+			edgeEntries,
+			filename,
+			inputSourceMap,
+			stripProjectRootPrefix,
 		);
+		for (const batch of batches) {
+			preambleLines.push(
+				`Fuzzer.coverageTracker.registerPCLocations(` +
+					`${JSON.stringify(batch.filename)},` +
+					`${JSON.stringify(funcNames)},` +
+					`new Int32Array(${JSON.stringify(Array.from(batch.entries))}),` +
+					`__jazzer_pcBase);`,
+			);
+		}
 	}
 
 	if (transformed.map) {