feat(fuzzer): add module-scoped coverage counter regions

Each ESM module will need its own coverage counter buffer, independent
of the shared global coverage map used by CJS modules.  libFuzzer
supports multiple disjoint counter regions, so we add a C++ function
that registers per-module buffers and a TypeScript API to allocate them.

The GC-prevention array in CoverageTracker keeps module buffers alive
for the process lifetime, matching libFuzzer's expectation that counter
memory remains valid.

Author: oetr

packages/fuzzer/addon.ts

@@ -40,6 +40,7 @@ export type StartFuzzingAsyncFn = (
 type NativeAddon = {
 	registerCoverageMap: (buffer: Buffer) => void;
 	registerNewCounters: (oldNumCounters: number, newNumCounters: number) => void;
+	registerModuleCounters: (buffer: Buffer) => void;
 
 	traceUnequalStrings: (
 		hookId: number,

packages/fuzzer/coverage.ts

@@ -22,6 +22,11 @@ export class CoverageTracker {
 	private readonly coverageMap: Buffer;
 	private currentNumCounters: number;
 
+	// Per-module counter buffers registered independently with libFuzzer.
+	// We must prevent GC from reclaiming these while libFuzzer still
+	// monitors the underlying memory.
+	private readonly moduleCounters: Buffer[] = [];
+
 	constructor() {
 		this.coverageMap = Buffer.alloc(CoverageTracker.MAX_NUM_COUNTERS, 0);
 		this.currentNumCounters = CoverageTracker.INITIAL_NUM_COUNTERS;
@@ -65,6 +70,18 @@ export class CoverageTracker {
 	readCounter(edgeId: number): number {
 		return this.coverageMap.readUint8(edgeId);
 	}
+
+	/**
+	 * Allocate an independent counter buffer for a single module and
+	 * register it with libFuzzer as a new coverage region.  This lets
+	 * each ESM module own its own counters without sharing global IDs.
+	 */
+	createModuleCounters(size: number): Buffer {
+		const buf = Buffer.alloc(size, 0);
+		this.moduleCounters.push(buf);
+		addon.registerModuleCounters(buf);
+		return buf;
+	}
 }
 
 export const coverageTracker = new CoverageTracker();

packages/fuzzer/shared/callbacks.cpp

@@ -21,6 +21,8 @@ void RegisterCallbackExports(Napi::Env env, Napi::Object exports) {
       Napi::Function::New<RegisterCoverageMap>(env);
   exports["registerNewCounters"] =
       Napi::Function::New<RegisterNewCounters>(env);
+  exports["registerModuleCounters"] =
+      Napi::Function::New<RegisterModuleCounters>(env);
   exports["traceUnequalStrings"] =
       Napi::Function::New<TraceUnequalStrings>(env);
   exports["traceStringContainment"] =

packages/fuzzer/shared/coverage.cpp

@@ -89,3 +89,33 @@ void RegisterNewCounters(const Napi::CallbackInfo &info) {
   __sanitizer_cov_pcs_init((uintptr_t *)(gPCEntries + old_num_counters),
                            (uintptr_t *)(gPCEntries + new_num_counters));
 }
+
+// Monotonically increasing fake PC so that each module's counters get
+// unique program-counter entries that don't collide with the shared
+// coverage map or with each other.
+static uintptr_t gNextModulePC = 0x10000000;
+
+// Register an independent coverage counter region for a single ES module.
+// libFuzzer supports multiple disjoint counter regions; each call here
+// hands it a fresh one.
+void RegisterModuleCounters(const Napi::CallbackInfo &info) {
+  if (info.Length() != 1 || !info[0].IsBuffer()) {
+    throw Napi::Error::New(info.Env(),
+                           "Need one argument: a Buffer of 8-bit counters");
+  }
+
+  auto buf = info[0].As<Napi::Buffer<uint8_t>>();
+  auto size = buf.Length();
+  if (size == 0) {
+    return;
+  }
+
+  auto *pcEntries = new PCTableEntry[size];
+  for (std::size_t i = 0; i < size; ++i) {
+    pcEntries[i] = {gNextModulePC++, 0};
+  }
+
+  __sanitizer_cov_8bit_counters_init(buf.Data(), buf.Data() + size);
+  __sanitizer_cov_pcs_init(reinterpret_cast<uintptr_t *>(pcEntries),
+                           reinterpret_cast<uintptr_t *>(pcEntries + size));
+}

packages/fuzzer/shared/coverage.h

@@ -17,3 +17,4 @@
 
 void RegisterCoverageMap(const Napi::CallbackInfo &info);
 void RegisterNewCounters(const Napi::CallbackInfo &info);
+void RegisterModuleCounters(const Napi::CallbackInfo &info);