test: ESM instrumentation integration test

oetr · oetr · commit cb88f56fac61 · 2026-03-27T01:38:59.000+01:00
A pure .mjs module compares input against a 16-byte random string
literal.  Without the ESM compare hooks replacing === with
traceStrCmp, libFuzzer cannot discover the string by brute force.

The test spawns jazzer, which instruments the ES module through
the new loader hook, and asserts the fuzzer finds the secret
within the run budget.
diff --git a/tests/esm_instrumentation/esm_instrumentation.test.js b/tests/esm_instrumentation/esm_instrumentation.test.js
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const { FuzzTestBuilder, cleanCrashFilesIn } = require("../helpers.js");
+
+// module.register() is needed for ESM loader hooks.
+const [major, minor] = process.versions.node.split(".").map(Number);
+const supportsEsmHooks = major > 20 || (major === 20 && minor >= 6);
+
+const describeOrSkip = supportsEsmHooks ? describe : describe.skip;
+
+describeOrSkip("ESM instrumentation", () => {
+	afterAll(async () => {
+		await cleanCrashFilesIn(__dirname);
+	});
+
+	it("should find a 16-byte string via compare hooks in an ES module", () => {
+		// target.mjs compares against the literal "a]3;d*F!pk29&bAc".
+		// Without the ESM compare hooks replacing === with traceStrCmp,
+		// libFuzzer cannot discover a 16-byte random string.
+		const fuzzTest = new FuzzTestBuilder()
+			.fuzzEntryPoint("fuzz")
+			.fuzzFile("fuzz.mjs")
+			.dir(__dirname)
+			.sync(true)
+			.disableBugDetectors([".*"])
+			.expectedErrors("Error")
+			.runs(5000000)
+			.seed(111994470)
+			.build();
+
+		fuzzTest.execute();
+		expect(fuzzTest.stderr).toContain("Found the ESM secret!");
+	});
+});
diff --git a/tests/esm_instrumentation/fuzz.mjs b/tests/esm_instrumentation/fuzz.mjs
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { checkSecret } from "./target.mjs";
+
+/**
+ * @param { Buffer } data
+ */
+export function fuzz(data) {
+	checkSecret(data.toString());
+}
diff --git a/tests/esm_instrumentation/package.json b/tests/esm_instrumentation/package.json
@@ -0,0 +1,12 @@
+{
+	"name": "jazzerjs-esm-instrumentation-test",
+	"version": "1.0.0",
+	"description": "Integration test: coverage-guided fuzzing of a pure ES module",
+	"scripts": {
+		"fuzz": "jest --config '{}'",
+		"dryRun": "echo \"Skipped: requires Node >= 20.6 for ESM loader hooks\""
+	},
+	"devDependencies": {
+		"@jazzer.js/core": "file:../../packages/core"
+	}
+}
diff --git a/tests/esm_instrumentation/target.mjs b/tests/esm_instrumentation/target.mjs
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * A pure ES module with a string-literal comparison.  The compare
+ * hooks replace the === with a traceStrCmp call that leaks the
+ * literal to libFuzzer's mutation engine.  Without that feedback
+ * a 16-byte random string cannot be found by brute force.
+ */
+export function checkSecret(s) {
+	if (s === "a]3;d*F!pk29&bAc") {
+		throw new Error("Found the ESM secret!");
+	}
+}
