feat(fuzz): Add cargo-afl coverage-guided fuzzer for the lex/parse/VM pipeline.

Author: dylan-sutton-chavez

.gitignore

@@ -37,4 +37,10 @@ pkg/
 
 # Secrets
 .env
-.env.*
+.env.*
+
+# Fuzz
+**/in/
+**/out/
+**/target/
+**/edge.dict

compiler/README.md

@@ -64,6 +64,18 @@ fn main() {
 
 The download URL is derived from `CARGO_PKG_VERSION`, so a tag bump is the only retarget. Use `branch = "main"` for unreleased work. Requires `curl` on PATH; gated by the default-on `prebuilt` feature.
 
+## Fuzzing
+
+Coverage-guided fuzzing of the lex -> parse -> VM pipeline lives in [`fuzz-afl/`](fuzz-afl/), built on [cargo-afl](https://github.com/rust-fuzz/afl.rs) (AFL++) and running on stable Rust.
+
+```bash
+cd fuzz-afl
+./seeds.sh # generate corpus + dictionary from vm.json (once)
+cargo afl build && cargo afl fuzz -i in -o out -x edge.dict target/debug/afl-pipeline
+```
+
+Seeds and the dictionary are generated from `tests/cases/vm.json`, so they are gitignored. Under WSL, prefix the fuzz command with `AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1`. See [Fuzzing](https://edgepython.com/implementation/fuzzing) for details.
+
 ## References
 
 1. **Aho, Sethi & Ullman**, *Compilers: Principles, Techniques and Tools* (1986). LUT-based lexer.

compiler/fuzz-afl/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "edge-python-afl"
+version = "0.0.0"
+publish = false
+edition = "2024"
+
+# Standalone workspace so the parent workspace does not adopt this crate.
+[workspace]
+
+[dependencies]
+afl = "0.18.2"
+
+# `default-features = false` drops `prebuilt` so the build skips the wasm download.
+[dependencies.edge-python]
+path = ".."
+default-features = false
+
+[[bin]]
+name = "afl-pipeline"
+path = "src/main.rs"

compiler/fuzz-afl/seeds.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# Regenerates the fuzz inputs from the single source of truth (tests/cases/vm.json). `in/` (seed corpus) and `edge.dict` are gitignored artifacts; run this once before fuzzing. Pure bash, no extra runtime.
+set -euo pipefail
+cd "$(dirname "$0")"
+
+# Seed corpus: one file per unique `src` in the VM test fixtures. grep -oP pulls each JSON string body (handling \" and \\); sed unescapes the common escapes.
+rm -rf in && mkdir -p in
+while IFS= read -r raw; do
+    src=$(printf '%s' "$raw" | sed -e 's/\\\\/\x01/g' \
+        -e 's/\\n/\n/g' -e 's/\\t/\t/g' -e 's/\\r/\r/g' -e 's/\\"/"/g' \
+        -e 's/\x01/\\/g')
+    [ -z "$src" ] && continue
+    name=$(printf '%s' "$src" | sha1sum | cut -c1-16)
+    printf '%s' "$src" > "in/$name"
+done < <(grep -oP '"src":\s*"\K(?:[^"\\]|\\.)*' ../tests/cases/vm.json)
+echo "seeds: $(ls in | wc -l)"
+
+# Token dictionary: keywords, operators, and builtins for the AFL++ mutator.
+cat > edge.dict <<'DICT'
+# Edge Python token dictionary for AFL++ (-x edge.dict). Generated by seeds.sh.
+
+# keywords
+"if"
+"else"
+"elif"
+"for"
+"while"
+"def"
+"class"
+"return"
+"import"
+"from"
+"try"
+"except"
+"with"
+"yield"
+"async"
+"await"
+"pass"
+"break"
+"continue"
+"True"
+"False"
+"None"
+"and"
+"or"
+"not"
+"in"
+"is"
+"lambda"
+"assert"
+"del"
+"raise"
+
+# operators and punctuation
+"->"
+":="
+"=="
+"!="
+"<="
+">="
+"**"
+"//"
+"<<"
+">>"
+"+="
+"-="
+"*="
+"/="
+"..."
+
+# builtins and common identifiers
+"print("
+"len("
+"range("
+"int("
+"str("
+"list("
+"dict("
+"set("
+"input("
+"self"
+"__init__"
+"f\"{"
+DICT
+echo "dict: $(grep -c '^"' edge.dict) entries"

compiler/fuzz-afl/src/main.rs

@@ -0,0 +1,23 @@
+use afl::fuzz;
+
+use compiler::modules::lexer::lex;
+use compiler::modules::parser::Parser;
+use compiler::modules::vm::{Limits, VM};
+
+fn main() {
+    fuzz!(|data: &[u8]| {
+        // Source is text; reject non-UTF-8 rather than counting it as coverage.
+        let Ok(src) = core::str::from_utf8(data) else { return };
+
+        let (tokens, _lex_errs) = lex(src);
+        let (chunk, parse_errs) = Parser::new(src, tokens.into_iter()).parse();
+
+        // Only valid programs reach the VM; the chunk is unreliable after a parse error.
+        if !parse_errs.is_empty() {
+            return;
+        }
+
+        // Bounded budget turns runaway loops and allocations into VmErr, not hangs.
+        let _ = VM::with_limits(&chunk, Limits::sandbox()).run();
+    });
+}

docs/pages/implementation/_meta.js

@@ -2,5 +2,6 @@ export default {
     '--- implementation': { type: 'separator', title: 'Implementation' },
     design: 'Design',
     lexical: 'Lexical',
-    syntax: 'Syntax'
+    syntax: 'Syntax',
+    fuzzing: 'Fuzzing'
 }

docs/pages/implementation/fuzzing.md

@@ -0,0 +1,34 @@
+---
+title: "Fuzzing"
+description: "Coverage-guided fuzzing of the lex, parse, and VM pipeline with cargo-afl on stable Rust."
+---
+
+## Overview
+
+The fuzzer drives the full `lex -> parse -> VM` pipeline against mutated input, looking for panics, arithmetic overflow, and memory faults. It lives in [`compiler/fuzz-afl/`](https://github.com/dylan-sutton-chavez/edge-python/tree/main/compiler/fuzz-afl) and is built on [cargo-afl](https://github.com/rust-fuzz/afl.rs) (AFL++), which instruments via AFL++'s LLVM passes and therefore runs on **stable Rust**, no nightly toolchain required.
+
+The target runs the VM under `Limits::sandbox()`, so runaway loops and allocations become a `VmErr` instead of a hang, and any real crash is a genuine bug rather than resource exhaustion. See [Limits and errors](/reference/limits-and-errors).
+
+## Running it
+
+```bash
+cd compiler/fuzz-afl
+./seeds.sh # generate corpus + dictionary from vm.json (once)
+cargo afl build # instrument on stable, no nightly
+cargo afl fuzz -i in -o out -x edge.dict target/debug/afl-pipeline
+```
+
+Under WSL, prefix the fuzz command with `AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1` to bypass the core-pattern and CPU-governor checks. Crashes and hangs land in `out/default/`. Reproduce one by piping it back into the target:
+
+```bash
+./target/debug/afl-pipeline < out/default/crashes/<id>
+```
+
+## Inputs are generated, not committed
+
+The seed corpus (`in/`) and the token dictionary (`edge.dict`) are derived from a single source of truth, `tests/cases/vm.json`, so they are gitignored and regenerated by `seeds.sh`:
+
+- **`in/`**: one file per unique program `src` in the VM test fixtures, giving AFL valid starting points that already exercise most of the language.
+- **`edge.dict`**: keywords, operators, and common builtins, so the byte mutator splices real tokens instead of discovering them blindly.
+
+Only three files are tracked: `Cargo.toml`, `src/main.rs`, and `seeds.sh`. The corpus, dictionary, AFL output, and build artifacts are all reproducible.