feat(instrumentor): seed compare-hook PRNG from libFuzzer seed

Replace crypto.randomInt(512) in fakePC() with a deterministic
xorshift32 PRNG seeded from the libFuzzer -seed= value.  This makes
TORC slot assignments identical across runs, so a given seed produces
the exact same mutation schedule every time.

If no seed is provided, one is generated, injected into the libFuzzer
args, and printed — giving full reproducibility from a single seed.

The seed flows from the CLI through the Instrumentor to both the CJS
transform path (main thread) and the ESM loader (via module.register
initialization data).

Author: oetr

packages/core/core.ts

@@ -82,9 +82,30 @@ declare global {
 	var options: OptionsManager;
 }
 
+/**
+ * Extract -seed=N from the libFuzzer arguments.  If absent, generate
+ * a random seed and inject it so both the instrumentation layer and
+ * libFuzzer use the same value — making the entire run reproducible
+ * from a single seed.
+ */
+function resolveInstrumentationSeed(options: OptionsManager): number {
+	const fuzzerOpts = options.get("fuzzerOptions");
+	const seedArg = fuzzerOpts.find((a: string) => a.startsWith("-seed="));
+	if (seedArg) {
+		const parsed = parseInt(seedArg.split("=")[1], 10);
+		// libFuzzer treats -seed=0 as "pick random", so we do the same.
+		if (parsed !== 0) return parsed;
+	}
+	const generated = Math.floor(Math.random() * 0x7fff_fffe) + 1; // [1, 2^31-1]
+	fuzzerOpts.push(`-seed=${generated}`);
+	console.error(`INFO: Using generated seed: ${generated}`);
+	return generated;
+}
+
 export async function initFuzzing(
 	options: OptionsManager,
 ): Promise<Instrumentor> {
+	const seed = resolveInstrumentationSeed(options);
 	const instrumentor = new Instrumentor(
 		options.get("includes"),
 		options.get("excludes"),
@@ -94,6 +115,8 @@ export async function initFuzzing(
 		options.get("idSyncFile")
 			? new FileSyncIdStrategy(options.get("idSyncFile"))
 			: new MemorySyncIdStrategy(),
+		undefined, // sourceMapRegistry — use default
+		seed,
 	);
 	registerInstrumentor(instrumentor);
 

packages/instrumentor/esm-loader.mts

@@ -48,6 +48,8 @@ const { functionHooks } =
 // it with stub hooks from the serialized data we receive via the port.
 const { hookManager: loaderHookManager } =
 	require("@jazzer.js/hooking") as typeof import("@jazzer.js/hooking");
+const { setSeed } =
+	require("./plugins/helpers.js") as typeof import("./plugins/helpers.js");
 
 // Already-instrumented code contains this marker.
 const INSTRUMENTATION_MARKER = "Fuzzer.coverageTracker.incrementCounter";
@@ -59,6 +61,7 @@ interface LoaderConfig {
 	includes: string[];
 	excludes: string[];
 	coverage: boolean;
+	seed?: number;
 	port?: MessagePort;
 }
 
@@ -67,6 +70,9 @@ let loaderPort: MessagePort | null = null;
 
 export function initialize(data: LoaderConfig): void {
 	config = data;
+	if (data.seed != null) {
+		setSeed(data.seed);
+	}
 	if (data.port) {
 		loaderPort = data.port;
 	}

packages/instrumentor/instrument.ts

@@ -33,6 +33,7 @@ import { instrumentationPlugins } from "./plugin";
 import { codeCoverage } from "./plugins/codeCoverage";
 import { compareHooks } from "./plugins/compareHooks";
 import { functionHooks } from "./plugins/functionHooks";
+import { setSeed } from "./plugins/helpers";
 import { sourceCodeCoverage } from "./plugins/sourceCodeCoverage";
 import {
 	extractInlineSourceMap,
@@ -74,6 +75,7 @@ export class Instrumentor {
 		private readonly isDryRun = false,
 		private readonly idStrategy: EdgeIdStrategy = new MemorySyncIdStrategy(),
 		private readonly sourceMapRegistry: SourceMapRegistry = new SourceMapRegistry(),
+		private readonly _seed: number = 0xdead_beef,
 	) {
 		// This is our default case where we want to include everything and exclude the "node_modules" folder.
 		if (includes.length === 0 && excludes.length === 0) {
@@ -85,6 +87,8 @@ export class Instrumentor {
 	}
 
 	init(): () => void {
+		setSeed(this._seed);
+
 		if (this.includes.includes("jazzer.js")) {
 			this.unloadInternalModules();
 		}
@@ -231,6 +235,10 @@ export class Instrumentor {
 		return this.shouldCollectSourceCodeCoverage;
 	}
 
+	get seed(): number {
+		return this._seed;
+	}
+
 	/** Connect the main-thread side of the loader MessagePort. */
 	setLoaderPort(port: MessagePort): void {
 		this.loaderPort = port;
@@ -346,6 +354,7 @@ function registerEsmHooks(instrumentor: Instrumentor): void {
 			includes: instrumentor.includePatterns,
 			excludes: instrumentor.excludePatterns,
 			coverage: instrumentor.coverageEnabled,
+			seed: instrumentor.seed,
 		};
 
 		const options: {

packages/instrumentor/plugins/helpers.ts

@@ -14,11 +14,21 @@
  * limitations under the License.
  */
 
-import * as crypto from "crypto";
-
 import { types } from "@babel/core";
 import { NumericLiteral } from "@babel/types";
 
+// xorshift32 PRNG for deterministic compare-hook TORC slot assignments.
+// Seeded once at startup so that a given -seed= value produces identical
+// mutation schedules across runs.
+let state = 0xdead_beef;
+
+export function setSeed(seed: number): void {
+	state = seed | 1; // xorshift requires non-zero state
+}
+
 export function fakePC(): NumericLiteral {
-	return types.numericLiteral(crypto.randomInt(512));
+	state ^= state << 13;
+	state ^= state >> 17;
+	state ^= state << 5;
+	return types.numericLiteral((state >>> 0) % 512);
 }