rollup : Initial integration

Author: rootvector2

.claude/scheduled_tasks.lock

@@ -0,0 +1 @@
+{"sessionId":"3db4c6a4-83c9-4fa5-9c27-472daefee6e6","pid":16680,"procStart":"Thu May 14 16:45:36 2026","acquiredAt":1778777160785}

projects/rollup/Dockerfile

@@ -0,0 +1,33 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-javascript
+
+# Clone the upstream repository so OSS-Fuzz tracks the source.
+RUN git clone --depth 1 https://github.com/rollup/rollup.git
+
+# Set up a separate workspace where Rollup is installed from npm
+# (the published package ships prebuilt native bindings, avoiding a Rust/WASM
+# toolchain inside the fuzz image).
+RUN mkdir -p $SRC/rollup-fuzz
+
+COPY build.sh $SRC/
+COPY package.json $SRC/rollup-fuzz/
+COPY fuzz_parse_ast.js $SRC/rollup-fuzz/
+COPY fuzz_log_filter.js $SRC/rollup-fuzz/
+COPY fuzz_bundle.js $SRC/rollup-fuzz/
+
+WORKDIR $SRC/rollup-fuzz

projects/rollup/build.sh

@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Install rollup (from npm, ships prebuilt native bindings for linux-x64-gnu)
+# together with Jazzer.js, in the fuzz workspace prepared by the Dockerfile.
+npm install
+npm install --save-dev @jazzer.js/core
+
+# Build fuzzers. The "-i rollup" flag tells Jazzer.js to instrument the
+# rollup package so coverage is tracked across rollup's JavaScript runtime.
+compile_javascript_fuzzer rollup-fuzz fuzz_parse_ast -i rollup --sync
+compile_javascript_fuzzer rollup-fuzz fuzz_log_filter -i rollup --sync
+compile_javascript_fuzzer rollup-fuzz fuzz_bundle -i rollup

projects/rollup/fuzz_bundle.js

@@ -0,0 +1,134 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+const { FuzzedDataProvider } = require("@jazzer.js/core");
+const { rollup } = require("rollup");
+
+const FORMATS = ["amd", "cjs", "es", "iife", "system", "umd"];
+const GENERATED_CODE = ["es5", "es2015"];
+
+function virtualPlugin(entryCode) {
+  return {
+    name: "virtual-entry",
+    resolveId(source) {
+      if (source === "entry.js") {
+        return source;
+      }
+      // Mark every other import as external so we don't touch the real
+      // filesystem while still exercising import-resolution code paths.
+      return { id: source, external: true };
+    },
+    load(id) {
+      if (id === "entry.js") {
+        return entryCode;
+      }
+      return null;
+    },
+  };
+}
+
+module.exports.fuzz = async function (data) {
+  const provider = new FuzzedDataProvider(data);
+
+  const inputOptions = {
+    input: "entry.js",
+    plugins: [virtualPlugin(provider.consumeString(provider.consumeIntegralInRange(0, 4096)))],
+    onLog: () => {},
+    treeshake: provider.consumeBoolean(),
+  };
+
+  const outputOptions = {
+    format: FORMATS[provider.consumeIntegralInRange(0, FORMATS.length - 1)],
+    name: provider.consumeString(provider.consumeIntegralInRange(0, 32)),
+    generatedCode:
+      GENERATED_CODE[provider.consumeIntegralInRange(0, GENERATED_CODE.length - 1)],
+    compact: provider.consumeBoolean(),
+    sourcemap: provider.consumeBoolean(),
+    strict: provider.consumeBoolean(),
+    esModule: provider.consumeBoolean(),
+  };
+
+  let bundle;
+  try {
+    bundle = await rollup(inputOptions);
+    await bundle.generate(outputOptions);
+  } catch (error) {
+    if (!isExpectedBundleError(error)) {
+      throw error;
+    }
+  } finally {
+    if (bundle) {
+      try {
+        await bundle.close();
+      } catch (_) {
+        // ignore close errors
+      }
+    }
+  }
+};
+
+function isExpectedBundleError(error) {
+  if (!error) {
+    return false;
+  }
+  if (typeof error.code === "string" && EXPECTED_CODES.has(error.code)) {
+    return true;
+  }
+  const message =
+    typeof error.message === "string" ? error.message.toLowerCase() : "";
+  return EXPECTED_MESSAGES.some((m) => message.includes(m));
+}
+
+// Rollup raises these structured error codes for malformed or unsupported
+// input; they are expected when fuzzing arbitrary source code and option
+// combinations.
+const EXPECTED_CODES = new Set([
+  "PARSE_ERROR",
+  "UNRESOLVED_IMPORT",
+  "MISSING_EXPORT",
+  "INVALID_OPTION",
+  "INVALID_EXPORT_OPTION",
+  "VALIDATION_ERROR",
+  "MISSING_NAME_OPTION_FOR_IIFE_EXPORT",
+  "MISSING_NAME_OPTION_FOR_UMD_EXPORT",
+  "MIXED_EXPORTS",
+  "AMBIGUOUS_EXTERNAL_NAMESPACES",
+  "INVALID_EXTERNAL_ID",
+  "MODULE_LEVEL_DIRECTIVE",
+  "INVALID_PLUGIN_HOOK",
+  "ILLEGAL_REASSIGNMENT",
+  "ILLEGAL_IDENTIFIER_AS_NAME",
+  "BAD_LOADER",
+  "ASSET_NOT_FINALISED",
+  "CHUNK_NOT_GENERATED",
+  "FILE_NAME_CONFLICT",
+  "INVALID_CONFIG_MODULE_FORMAT",
+  "INPUT_HOOK_IN_OUTPUT_PLUGIN",
+  "PLUGIN_ERROR",
+]);
+
+const EXPECTED_MESSAGES = [
+  "parse error",
+  "unexpected",
+  "unterminated",
+  "must be supplied",
+  "invalid value",
+  "is not exported",
+  "could not resolve",
+  "is not a valid",
+  "exports is not specified",
+  "you must supply",
+];

projects/rollup/fuzz_log_filter.js

@@ -0,0 +1,81 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+const { FuzzedDataProvider } = require("@jazzer.js/core");
+const { getLogFilter } = require("rollup/getLogFilter");
+
+const LOG_FIELDS = [
+  "code",
+  "message",
+  "id",
+  "plugin",
+  "hook",
+  "pluginCode",
+  "binding",
+  "url",
+  "loc",
+];
+
+module.exports.fuzz = function (data) {
+  const provider = new FuzzedDataProvider(data);
+
+  const filterCount = provider.consumeIntegralInRange(0, 6);
+  const filters = [];
+  for (let i = 0; i < filterCount; i++) {
+    filters.push(provider.consumeString(provider.consumeIntegralInRange(0, 80)));
+  }
+
+  let logFilter;
+  try {
+    logFilter = getLogFilter(filters);
+  } catch (error) {
+    if (!isExpectedFilterError(error)) {
+      throw error;
+    }
+    return;
+  }
+
+  if (typeof logFilter !== "function") {
+    return;
+  }
+
+  const log = {};
+  const fieldCount = provider.consumeIntegralInRange(0, LOG_FIELDS.length);
+  for (let i = 0; i < fieldCount; i++) {
+    const field = LOG_FIELDS[i];
+    log[field] = provider.consumeString(provider.consumeIntegralInRange(0, 60));
+  }
+
+  try {
+    logFilter(log);
+  } catch (error) {
+    if (!isExpectedFilterError(error)) {
+      throw error;
+    }
+  }
+};
+
+function isExpectedFilterError(error) {
+  if (!error || typeof error.message !== "string") {
+    return false;
+  }
+  const message = error.message.toLowerCase();
+  return (
+    error.code === "INVALID_LOG_FILTER" ||
+    message.includes("invalid filter") ||
+    message.includes("log filter")
+  );
+}

projects/rollup/fuzz_parse_ast.js

@@ -0,0 +1,58 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+const { FuzzedDataProvider } = require("@jazzer.js/core");
+const { parseAst } = require("rollup/parseAst");
+
+module.exports.fuzz = function (data) {
+  const provider = new FuzzedDataProvider(data);
+
+  const options = {
+    allowReturnOutsideFunction: provider.consumeBoolean(),
+    jsx: provider.consumeBoolean(),
+  };
+
+  const code = provider.consumeRemainingAsString();
+
+  try {
+    parseAst(code, options);
+  } catch (error) {
+    if (!isExpectedError(error)) {
+      throw error;
+    }
+  }
+};
+
+function isExpectedError(error) {
+  if (!error || typeof error.message !== "string") {
+    return false;
+  }
+  const message = error.message.toLowerCase();
+  // Rollup's parser throws structured PARSE_ERROR codes for invalid input.
+  // These are expected for fuzzed (typically malformed) source code.
+  if (error.code === "PARSE_ERROR") {
+    return true;
+  }
+  return EXPECTED_MESSAGES.some((m) => message.includes(m));
+}
+
+const EXPECTED_MESSAGES = [
+  "parse error",
+  "unexpected",
+  "unterminated",
+  "invalid",
+  "expected",
+];

projects/rollup/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "rollup-fuzz",
+  "version": "1.0.0",
+  "description": "OSS-Fuzz fuzz targets for Rollup",
+  "private": true,
+  "dependencies": {
+    "rollup": "latest"
+  }
+}

projects/rollup/project.yaml

@@ -0,0 +1,9 @@
+homepage: https://rollupjs.org
+language: javascript
+primary_contact: "lukas.taegert-atkinson@tngtech.com"
+main_repo: https://github.com/rollup/rollup
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - none
+base_os_version: ubuntu-24-04