test: verify PC symbolization across all layers

Kotlin unit test: instruments CoverageInstrumentationTarget and checks
that buildEdgeLocations() produces correct source file path, method
names, function-entry flags, and non-zero line numbers.

C++ unit test: exercises SymbolizePC format specifier parsing (%p, %F,
%L, %s, %l, %c) and verifies buffer truncation safety.

Shell integration test: runs the native launcher with -print_pcs=1 on
a trivial target and greps for symbolized NEW_PC lines.

Author: oetr

src/main/native/com/code_intelligence/jazzer/driver/BUILD.bazel

@@ -189,3 +189,14 @@ cc_test(
         "@rules_jni//jni",
     ],
 )
+
+cc_test(
+    name = "synthetic_symbolizer_test",
+    size = "small",
+    srcs = ["synthetic_symbolizer_test.cpp"],
+    deps = [
+        ":synthetic_symbolizer",
+        "@googletest//:gtest",
+        "@googletest//:gtest_main",
+    ],
+)

src/main/native/com/code_intelligence/jazzer/driver/synthetic_symbolizer_test.cpp

@@ -0,0 +1,71 @@
+// Copyright 2026 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "synthetic_symbolizer.h"
+
+#include <cstdint>
+#include <cstring>
+#include <string>
+
+#include "gtest/gtest.h"
+
+// Stubs for libFuzzer symbols pulled in transitively via counters_tracker.
+extern "C" {
+void __sanitizer_cov_8bit_counters_init(uint8_t *, uint8_t *) {}
+void __sanitizer_cov_pcs_init(const uintptr_t *, const uintptr_t *) {}
+size_t __sanitizer_cov_get_observed_pcs(uintptr_t **) { return 0; }
+}
+
+// Helper: call SymbolizePC with an unregistered PC and return the result.
+static std::string Symbolize(uintptr_t pc, const char *fmt,
+                             size_t buf_size = 1024) {
+  std::string buf(buf_size, '\0');
+  jazzer::SymbolizePC(pc, fmt, buf.data(), buf_size);
+  return {buf.c_str()};
+}
+
+// The default libFuzzer format for DescribePC is "%p %F %L".
+// With no registered locations, we should get clean <unknown> fallback.
+TEST(SyntheticSymbolizerTest, UnregisteredPCProducesUnknownFallback) {
+  auto result = Symbolize(42, "%p %F %L");
+  // %p should be eaten (virtual PCs are meaningless), leaving "%F %L".
+  EXPECT_NE(std::string::npos, result.find("in <unknown>"));
+  EXPECT_NE(std::string::npos, result.find("<unknown>:0"));
+  // No hex address should appear (the %p was consumed).
+  EXPECT_EQ(std::string::npos, result.find("0x"));
+}
+
+// A small buffer should truncate without crashing.
+TEST(SyntheticSymbolizerTest, SmallBufferTruncatesSafely) {
+  char tiny[8] = {};
+  jazzer::SymbolizePC(42, "%F %L", tiny, sizeof(tiny));
+  // Must be null-terminated and not overflow.
+  EXPECT_LT(strlen(tiny), sizeof(tiny));
+
+  // Zero-size buffer is a no-op.
+  char zero = 'X';
+  jazzer::SymbolizePC(42, "%F", &zero, 0);
+  EXPECT_EQ('X', zero);
+}
+
+// Verify individual format specifiers produce the right fallback shape.
+TEST(SyntheticSymbolizerTest, FormatSpecifiers) {
+  EXPECT_EQ("in <unknown>", Symbolize(42, "%F"));
+  EXPECT_EQ("<unknown>:0", Symbolize(42, "%L"));
+  EXPECT_EQ("<unknown>", Symbolize(42, "%s"));
+  EXPECT_EQ("0", Symbolize(42, "%l"));
+  EXPECT_EQ("0", Symbolize(42, "%c"));
+  // Literal text passes through.
+  EXPECT_EQ("hello", Symbolize(42, "hello"));
+}

src/test/java/com/code_intelligence/jazzer/instrumentor/BUILD.bazel

@@ -50,6 +50,26 @@ wrapped_kt_jvm_test(
     ],
 )
 
+wrapped_kt_jvm_test(
+    name = "edge_location_capture_test",
+    size = "small",
+    srcs = [
+        "CoverageInstrumentationTarget.java",
+        "EdgeLocationCaptureTest.kt",
+        "MockCoverageMap.java",
+    ],
+    associates = [
+        "//src/main/java/com/code_intelligence/jazzer/instrumentor:instrumentor",
+    ],
+    test_class = "com.code_intelligence.jazzer.instrumentor.EdgeLocationCaptureTest",
+    deps = [
+        ":patch_test_utils",
+        "//src/main/java/com/code_intelligence/jazzer/runtime:coverage_map",
+        "@maven//:junit_junit",
+        "@rules_kotlin//kotlin/compiler:kotlin-test",
+    ],
+)
+
 wrapped_kt_jvm_test(
     name = "descriptor_utils_test",
     size = "small",

src/test/java/com/code_intelligence/jazzer/instrumentor/EdgeLocationCaptureTest.kt

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.code_intelligence.jazzer.instrumentor
+
+import com.code_intelligence.jazzer.instrumentor.PatchTestUtils.classToBytecode
+import org.junit.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertNotNull
+import kotlin.test.assertTrue
+
+class EdgeLocationCaptureTest {
+    @Test
+    fun testEdgeLocationCapture() {
+        val internalClassName = CoverageInstrumentationTarget::class.java.name.replace('.', '/')
+        val instrumentor =
+            EdgeCoverageInstrumentor(
+                ClassInstrumentor.defaultEdgeCoverageStrategy,
+                MockCoverageMap::class.java,
+                0,
+            )
+        instrumentor.instrument(internalClassName, classToBytecode(CoverageInstrumentationTarget::class.java))
+
+        val locations = instrumentor.buildEdgeLocations()
+        assertNotNull(locations, "Expected non-null locations for a class with edges")
+
+        // Source file should combine the package prefix with the SourceFile attribute.
+        assertEquals(
+            "com/code_intelligence/jazzer/instrumentor/CoverageInstrumentationTarget.java",
+            locations.sourceFile,
+        )
+
+        // Method names should be qualified as SimpleClassName.method.
+        assertTrue(
+            locations.methodNames.any { it == "CoverageInstrumentationTarget.<init>" },
+            "Expected constructor in method names, got: ${locations.methodNames.toList()}",
+        )
+        assertTrue(
+            locations.methodNames.any { it == "CoverageInstrumentationTarget.selfCheck" },
+            "Expected selfCheck in method names, got: ${locations.methodNames.toList()}",
+        )
+
+        // Flat array must have exactly 2 ints per edge (packedLine, methodIdx).
+        assertEquals(instrumentor.numEdges * 2, locations.edgeData.size)
+
+        // First edge should have the function-entry bit set (sign bit).
+        val firstPackedLine = locations.edgeData[0]
+        assertTrue(firstPackedLine < 0, "First edge should have function-entry bit (sign bit) set")
+
+        // Its actual line number should be positive (class was compiled with debug info).
+        val firstLine = firstPackedLine and 0x7FFFFFFF
+        assertTrue(firstLine > 0, "Line number should be > 0 for a class with debug info")
+
+        // Second edge of the same method should NOT have the function-entry bit set.
+        // Find the second edge that shares the same methodIdx as the first.
+        val firstMethodIdx = locations.edgeData[1]
+        for (i in 1 until instrumentor.numEdges) {
+            if (locations.edgeData[2 * i + 1] == firstMethodIdx) {
+                val subsequentPackedLine = locations.edgeData[2 * i]
+                assertTrue(subsequentPackedLine >= 0, "Subsequent edge should not have function-entry bit")
+                break
+            }
+        }
+    }
+}

tests/BUILD.bazel

@@ -451,6 +451,30 @@ java_binary(
     srcs = ["src/test/java/com/example/CrashResistantCoverageTarget.java"],
 )
 
+java_binary(
+    name = "PrintPcsTarget",
+    testonly = True,
+    srcs = ["src/test/java/com/example/PrintPcsTarget.java"],
+    create_executable = False,
+    deps = ["//deploy:jazzer-api"],
+)
+
+sh_test(
+    name = "print_pcs_symbolization_test",
+    size = "large",
+    srcs = ["src/test/shell/print_pcs_symbolization_test.sh"],
+    args = [
+        "$(rlocationpath //launcher:jazzer)",
+        "$(rlocationpath :PrintPcsTarget_deploy.jar)",
+    ],
+    data = [
+        ":PrintPcsTarget_deploy.jar",
+        "//launcher:jazzer",
+    ],
+    target_compatible_with = LINUX_ONLY,
+    deps = ["@bazel_tools//tools/bash/runfiles"],
+)
+
 sh_test(
     name = "crash_resistant_coverage_test",
     srcs = ["src/test/shell/crash_resistant_coverage_test.sh"],

tests/src/test/java/com/example/PrintPcsTarget.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+/** Minimal fuzz target used to verify -print_pcs symbolization. */
+public class PrintPcsTarget {
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    int x = data.consumeInt();
+    if (x > 1000) {
+      sink(x);
+    }
+  }
+
+  private static void sink(int x) {}
+}

tests/src/test/shell/print_pcs_symbolization_test.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# Copyright 2026 Code Intelligence GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Verify that -print_pcs=1 produces symbolized Java source locations
+# instead of meaningless hex addresses.
+
+# --- begin runfiles.bash initialization v2 ---
+set -uo pipefail; f=bazel_tools/tools/bash/runfiles/runfiles.bash
+source "${RUNFILES_DIR:-/dev/null}/$f" 2>/dev/null || \
+  source "$(grep -sm1 "^$f " "${RUNFILES_MANIFEST_FILE:-/dev/null}" | cut -f2- -d' ')" 2>/dev/null || \
+  source "$0.runfiles/$f" 2>/dev/null || \
+  source "$(grep -sm1 "^$f " "$0.runfiles_manifest" | cut -f2- -d' ')" 2>/dev/null || \
+  source "$(grep -sm1 "^$f " "$0.exe.runfiles_manifest" | cut -f2- -d' ')" 2>/dev/null || \
+  { echo>&2 "ERROR: cannot find $f"; exit 1; }; f=; set -e
+# --- end runfiles.bash initialization v2 ---
+
+function fail() {
+  echo "FAILED: $1"
+  exit 1
+}
+
+JAZZER="$(rlocation "$1")"
+TARGET_JAR="$(rlocation "$2")"
+output="$TEST_TMPDIR/output"
+
+# A short burst of runs is enough to discover the target's coverage edges.
+"$JAZZER" --cp="$TARGET_JAR" --target_class=com.example.PrintPcsTarget \
+    --instrumentation_includes="com.example.**" \
+    -print_pcs=1 -runs=10 2>&1 | tee "$output" || true
+
+# Verify at least one NEW_PC line has a symbolized Java source location:
+# "in <ClassName>.<method> <path>.java:<line>"
+if ! grep -qP 'NEW_PC:.*in \S+\.\S+ \S+\.java:\d+' "$output"; then
+  echo "Output was:"
+  cat "$output"
+  fail "Expected symbolized NEW_PC lines with Java source locations"
+fi