feat(driver): symbolize Java PCs so libFuzzer prints source locations

Override __sanitizer_symbolize_pc to resolve synthetic coverage PCs
back to Java source file, method name, and line number.

SourceLocationRegistry receives per-edge metadata from the instrumentor
via JNI.  The C++ symbolizer uses an async-signal-safe spinlock so it
can run from crash/timeout signal handlers.  Strings are interned via
unordered_map and copied into stack-local buffers while locked to avoid
use-after-free.  Function-entry PC flags are set outside the spinlock
to prevent nested locking.

Author: oetr

src/main/java/com/code_intelligence/jazzer/runtime/BUILD.bazel

@@ -161,6 +161,15 @@ java_jni_library(
     ],
 )
 
+java_jni_library(
+    name = "source_location_registry",
+    srcs = ["SourceLocationRegistry.java"],
+    visibility = [
+        "//src/main/java/com/code_intelligence/jazzer/instrumentor:__pkg__",
+        "//src/main/native/com/code_intelligence/jazzer/driver:__pkg__",
+    ],
+)
+
 java_library(
     name = "runtime",
     srcs = [
@@ -188,6 +197,7 @@ java_library(
         ":constants",
         ":coverage_map",
         ":extra_counters_tracker",
+        ":source_location_registry",
         ":trace_data_flow_native_callbacks",
         "//src/main/java/com/code_intelligence/jazzer/api:hooks",
     ],

src/main/java/com/code_intelligence/jazzer/runtime/SourceLocationRegistry.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.code_intelligence.jazzer.runtime;
+
+import com.github.fmeum.rules_jni.RulesJni;
+
+/**
+ * Registers per-edge source location metadata with the native symbolizer so that libFuzzer's {@code
+ * -print_pcs}, {@code -print_funcs}, and {@code -print_coverage} flags show Java source locations
+ * instead of meaningless hex addresses.
+ *
+ * <p>Called from the instrumentor after each class is instrumented. Thread-safe on the native side.
+ */
+public final class SourceLocationRegistry {
+  static {
+    RulesJni.loadLibrary("jazzer_driver", "/com/code_intelligence/jazzer/driver");
+  }
+
+  private SourceLocationRegistry() {}
+
+  /**
+   * Register source locations for a contiguous range of coverage edge IDs.
+   *
+   * @param sourceFile Qualified source path (e.g. "com/example/Foo.java")
+   * @param methodNames Deduplicated method name table for this class
+   * @param firstEdgeId Global ID of the first edge in this class
+   * @param edgeData Flat array: [packedLine0, methodIdx0, packedLine1, methodIdx1, ...]. The sign
+   *     bit of each packedLine encodes whether the edge is a function entry point.
+   */
+  public static native void registerLocations(
+      String sourceFile, String[] methodNames, int firstEdgeId, int[] edgeData);
+}

src/main/native/com/code_intelligence/jazzer/driver/BUILD.bazel

@@ -30,6 +30,7 @@ cc_library(
         ":jazzer_fuzzer_callbacks",
         ":libfuzzer_callbacks",
         ":mutator",
+        ":synthetic_symbolizer",
     ],
 )
 
@@ -56,6 +57,18 @@ cc_library(
     alwayslink = True,
 )
 
+cc_library(
+    name = "synthetic_symbolizer",
+    srcs = ["synthetic_symbolizer.cpp"],
+    hdrs = ["synthetic_symbolizer.h"],
+    deps = [
+        ":counters_tracker",
+        "//src/main/java/com/code_intelligence/jazzer/runtime:source_location_registry.hdrs",
+    ],
+    # JNI symbols are only referenced dynamically.
+    alwayslink = True,
+)
+
 cc_library(
     name = "fuzz_target_runner",
     srcs = ["fuzz_target_runner.cpp"],
@@ -156,6 +169,7 @@ cc_library(
 cc_library(
     name = "sanitizer_symbols",
     srcs = ["sanitizer_symbols.cpp"],
+    deps = [":synthetic_symbolizer"],
     # Symbols are referenced dynamically by libFuzzer.
     alwayslink = True,
 )

src/main/native/com/code_intelligence/jazzer/driver/sanitizer_symbols.cpp

@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+#include "synthetic_symbolizer.h"
+
 // Suppress libFuzzer warnings about missing sanitizer methods in non-sanitizer
 // builds.
 extern "C" [[maybe_unused]] int __sanitizer_acquire_crash_state() { return 1; }
@@ -24,3 +26,13 @@ void DumpJvmStackTraces();
 extern "C" [[maybe_unused]] void __sanitizer_print_stack_trace() {
   jazzer::DumpJvmStackTraces();
 }
+
+// Override libFuzzer's weak __sanitizer_symbolize_pc so that -print_pcs=1,
+// -print_funcs=1, and -print_coverage=1 show Java source locations.
+extern "C" [[maybe_unused]] void __sanitizer_symbolize_pc(void *pc,
+                                                          const char *fmt,
+                                                          char *out_buf,
+                                                          size_t out_buf_size) {
+  jazzer::SymbolizePC(reinterpret_cast<uintptr_t>(pc), fmt, out_buf,
+                      out_buf_size);
+}