fix exploreState type guard to accept numeric state

[metsw24-max]

exploreState guards its input with typeof state !== "string", but state is the numeric value forwarded to tracePcIndir and on to the native __sanitizer_cov_trace_pc_indir_with_pc hook. Every documented call passes a number, so the guard always returns early and the hint is silently dropped, while a stray string would reach the native handler unchecked. Switch the check to typeof state !== "number", matching the signature and the string guards in guideTowardsEquality and guideTowardsContainment. Includes a regression test.

[metsw24-max]

gentle ping

[oetr]

@metsw24-max Can you explain in detail how you found this issue and what your setup is?

[metsw24-max]

How I found it

Reading through the guidance helpers in packages/fuzzer/trace.ts. exploreState sits right next to guideTowardsEquality and guideTowardsContainment, and those two guard their string params with typeof x !== "string". exploreState uses the same !== "string" check, but its state param is typed and documented as a number and gets forwarded to tracePcIndir. So the guard trips on every valid numeric call and the hint is dropped, while a stray string would slip past into the native handler. It reads like a copy-paste from the string helpers rather than intended behaviour.

Setup

Nothing elaborate, this came from reading the source rather than a fuzzing run, since a silently dropped hint won't surface as a crash. To confirm, I mocked ./addon in trace.test.ts and checked that tracer.exploreState(state, id) actually reaches tracePcIndir; with the old !== "string" guard it never does. Just the repo's normal node/jest setup, running the fuzzer package tests.

Happy to move the test if you'd rather it lived elsewhere.

[oetr]

@metsw24-max Can you check if mocking all of these is strictly necessary? If not, please remove:

		traceUnequalStrings: jest.fn(),
		traceStringContainment: jest.fn(),
		traceIntegerCompare: jest.fn(),