
test(fuzz): v4 C-ABI stateful op-sequence fuzz (stretch) #75

@membphis

Description

Background

Part of the qjson fuzz harness (#63). The v1/v2 targets drive the safe Rust API
(Document::parse_with_options + cursor methods) and therefore never touch the
unsafe pointer juggling at the FFI layer.

CLAUDE.md names the critical invariants that only the C ABI can violate:
scratch-pointer invalidation across *_get_str calls, the 'a → 'static
lifetime transmute in qjson_parse, cursor-after-free, and double-free.

Depends on #63. Stretch goal — open after v1/v2 land.

Goal

A stateful, op-sequence fuzz target over the C ABI: generate a sequence
qjson_parse → {qjson_get_* / qjson_cursor_* / qjson_cursor_object_entry_at}* → qjson_free
from arbitrary input and run it under ASAN to surface UAF / double-free / OOB
in the cursor + skip-cache + scratch machinery.

Scope (this issue = one PR)

  • Add the arbitrary dev-dependency; model an op enum
    (Parse / GetStr / GetI64 / GetF64 / GetBool / CursorField / CursorIndex /
    ObjectEntryAt / Free).
  • Decode &[u8] into an op sequence and drive the C ABI under ASAN.
  • Respect the get_str pointer-invalidation contract (consume the
    (ptr,len) immediately, before the next *_get_str) so the harness does
    not flag a by-design footgun as a bug.

Acceptance Criteria

  • Op-sequence fuzzing runs clean under ASAN (no UAF / double-free / OOB).
  • The get_str lifetime contract is respected (no false positives from
    holding a stale pointer across calls).

Notes

Affected files

  • fuzz/fuzz_targets/fuzz_ffi_ops.rs (new)
  • fuzz/Cargo.toml (arbitrary dep)

Part of #63. Depends on #63. Relates to #66.
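An added example (not the issue author's code and not qjson's own) of the harness shape described under Scope: decode fuzzer bytes into an op sequence, keep the handle state valid so the harness never itself double-frees or uses a freed handle, and consume every `get_str` result immediately. The qjson C ABI signatures are not given on this page, so `MockDoc`, `Val`, the two-bytes-per-op decoding scheme and the fixed entry table are all assumed stand-ins; `MockDoc` mimics only the scratch-buffer contract of `*_get_str`. The hand-rolled `decode_ops` replaces the `arbitrary` dependency so the file runs alone; in the real target each `MockDoc` method would be the matching `extern "C"` call and `Op` would derive `Arbitrary`.

```rust
// Added example, not qjson code. `MockDoc` is an assumed stand-in: the real C ABI
// signatures are not on the page, so it mimics only the `*_get_str` scratch-buffer
// contract. In the real target each method is the matching extern "C" call on the
// handle from qjson_parse, and the target runs under cargo-fuzz with ASAN.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Op {
    Parse, GetStr(u8), GetI64(u8), GetF64(u8), GetBool(u8),
    CursorField(u8), CursorIndex(u8), ObjectEntryAt(u8), Free,
}

/// Decode fuzzer bytes into ops: one opcode byte and one argument byte per op; a
/// trailing odd byte is dropped. Hand-rolled so this file needs no `arbitrary`
/// dependency; the real target would `#[derive(Arbitrary)]` on `Op` instead.
pub fn decode_ops(data: &[u8]) -> Vec<Op> {
    data.chunks_exact(2)
        .map(|c| match c[0] % 9 {
            0 => Op::Parse,
            1 => Op::GetStr(c[1]),
            2 => Op::GetI64(c[1]),
            3 => Op::GetF64(c[1]),
            4 => Op::GetBool(c[1]),
            5 => Op::CursorField(c[1]),
            6 => Op::CursorIndex(c[1]),
            7 => Op::ObjectEntryAt(c[1]),
            _ => Op::Free,
        })
        .collect()
}

#[derive(Clone, Copy)]
pub enum Val { S(&'static str), I(i64), F(f64), B(bool) }

/// Assumed stand-in for the parsed handle. `parse` yields a fixed constructed table;
/// `get_str` writes into one scratch buffer that the next `get_str` clears and may
/// reallocate, which is exactly why a returned (ptr,len) is dead after that call.
pub struct MockDoc { entries: Vec<(&'static str, Val)>, cursor: usize, scratch: Vec<u8> }

impl MockDoc {
    pub fn parse(_json: &[u8]) -> Box<MockDoc> {
        Box::new(MockDoc {
            entries: vec![("name", Val::S("qjson")), ("count", Val::I(75)),
                          ("ratio", Val::F(0.5)), ("stretch", Val::B(true)),
                          ("kind", Val::S("op-sequence fuzz"))],
            cursor: 0,
            scratch: Vec::new(),
        })
    }
    fn at(&self, k: u8) -> Val { self.entries[k as usize % self.entries.len()].1 }
    /// Returns a pointer that aliases `scratch`: valid only until the next get_str.
    pub fn get_str(&mut self, k: u8) -> Option<(*const u8, usize)> {
        let s = match self.at(k) { Val::S(s) => s, _ => return None };
        self.scratch.clear();
        self.scratch.extend_from_slice(s.as_bytes());
        Some((self.scratch.as_ptr(), self.scratch.len()))
    }
    pub fn get_i64(&self, k: u8) -> Option<i64> { match self.at(k) { Val::I(v) => Some(v), _ => None } }
    pub fn get_f64(&self, k: u8) -> Option<f64> { match self.at(k) { Val::F(v) => Some(v), _ => None } }
    pub fn get_bool(&self, k: u8) -> Option<bool> { match self.at(k) { Val::B(v) => Some(v), _ => None } }
    pub fn cursor_seek(&mut self, k: u8) { self.cursor = k as usize % self.entries.len(); }
    pub fn entry_key_at(&self, k: u8) -> &'static str {
        self.entries[(self.cursor + k as usize) % self.entries.len()].0
    }
}

/// Drive one op sequence. Parse only when no handle is live and Free only when one
/// is: a double free or use-after-free issued by the harness itself would be a
/// harness bug that drowns real ASAN findings. Returns a transcript of every value
/// read so a test can confirm the sequence did real work.
pub fn run(ops: &[Op]) -> Vec<String> {
    const INPUT: &[u8] = br#"{"constructed": "sample"}"#; // constructed; the mock ignores it
    let mut doc: Option<Box<MockDoc>> = None;
    let mut seen = Vec::new();
    for &op in ops {
        match op {
            Op::Parse => if doc.is_none() { doc = Some(MockDoc::parse(INPUT)); },
            Op::Free => doc = None, // dropping the Box stands in for qjson_free
            _ => if let Some(d) = doc.as_mut() { step(d, op, &mut seen); },
        }
    }
    seen // a still-live handle is dropped here: exactly one final qjson_free
}

fn step(d: &mut MockDoc, op: Op, seen: &mut Vec<String>) {
    match op {
        Op::GetStr(k) => if let Some((ptr, len)) = d.get_str(k) {
            // Consume (ptr,len) right here, before any other call can touch the
            // scratch. Keeping `ptr` across a second get_str is the by-design footgun
            // the issue warns about; ASAN would flag it as a UAF in the harness.
            let copy = unsafe { std::slice::from_raw_parts(ptr, len) }.to_vec();
            seen.push(format!("str:{}", String::from_utf8_lossy(&copy)));
        },
        Op::GetI64(k) => if let Some(v) = d.get_i64(k) { seen.push(format!("i64:{}", v)); },
        Op::GetF64(k) => if let Some(v) = d.get_f64(k) { seen.push(format!("f64:{}", v)); },
        Op::GetBool(k) => if let Some(v) = d.get_bool(k) { seen.push(format!("bool:{}", v)); },
        Op::CursorField(k) | Op::CursorIndex(k) => d.cursor_seek(k),
        Op::ObjectEntryAt(k) => seen.push(format!("key:{}", d.entry_key_at(k))),
        Op::Parse | Op::Free => unreachable!("handled in run"),
    }
}

fn main() {
    // Constructed fuzzer input: Parse, GetStr(0), GetStr(4), GetI64(1), ObjectEntryAt(2), Free.
    let data = [0u8, 0, 1, 0, 1, 4, 2, 1, 7, 2, 8, 0];
    for line in run(&decode_ops(&data)) { println!("{}", line); }
}
```

In the real target the body of `main` becomes `fuzz_target!(|data: &[u8]| { run(&decode_ops(data)); })` and `MockDoc` is replaced by the `extern "C"` bindings; the state tracking in `run` stays as is, because an ASAN report from a sequence the harness itself made invalid (Free twice, a getter after Free, a stale `get_str` pointer) says nothing about the library and costs triage time.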

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request)
Type: No type
Projects: No projects
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests