authorAleksandr Nogikh <nogikh@google.com>2024-10-20 22:49:41 +0200
committerTaras Madan <tarasmadan@google.com>2024-10-25 12:08:02 +0000
commit945e91b794873481a34fe25de502ba96c8dc2a6b (patch)
tree49b6acc301ee940b5eeb9469dedf941018910bd1 /pkg/fuzzer/fuzzer.go
parent350e853bc999ed32f877a99d892144bfbc60d60c (diff)
pkg/fuzzer: add the PatchTest flag
When the option is set, more time is spent on "exec fuzz" and less time is spent minimizing the programs.
Diffstat (limited to 'pkg/fuzzer/fuzzer.go')
-rw-r--r--pkg/fuzzer/fuzzer.go12
1 files changed, 10 insertions, 2 deletions
diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
index ba6d93651..3dac022ad 100644
--- a/pkg/fuzzer/fuzzer.go
+++ b/pkg/fuzzer/fuzzer.go
@@ -87,13 +87,20 @@ func newExecQueues(fuzzer *Fuzzer) execQueues {
triageQueue: queue.DynamicOrder(),
smashQueue: queue.Plain(),
}
+ // Alternate smash jobs with exec/fuzz to spread attention to the wider area.
+ skipQueue := 3
+ if fuzzer.Config.PatchTest {
+ // When we do patch fuzzing, we do not focus on finding and persisting
+ // new coverage that much, so it's reasonable to spend more time just
+ // mutating various corpus programs.
+ skipQueue = 2
+ }
// Sources are listed in the order, in which they will be polled.
ret.source = queue.Order(
ret.triageCandidateQueue,
ret.candidateQueue,
ret.triageQueue,
- // Alternate smash jobs with exec/fuzz once in 3 times.
- queue.Alternate(ret.smashQueue, 3),
+ queue.Alternate(ret.smashQueue, skipQueue),
queue.Callback(fuzzer.genFuzz),
)
return ret
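Review bot: The name `skipQueue` reads like a queue rather than a count, and the bare values 3 and 2 no longer say what the second argument of `queue.Alternate` means, because the removed comment's "once in 3 times" was dropped. `queue.Alternate` is not defined in this hunk, so a reader cannot confirm from here that lowering the value to 2 shifts polls away from `smashQueue` towards `fuzzer.genFuzz`, which is what the PatchTest comment implies. I would rename the local to something like `smashSkipEvery` and keep the ratio in the comment, e.g. `// Every smashSkipEvery-th poll skips smashQueue and falls through to exec/fuzz.`, after confirming that wording against `queue.Alternate`. The body of newExecQueues begins before this hunk.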
@@ -198,6 +205,7 @@ type Config struct {
NoMutateCalls map[int]bool
FetchRawCover bool
NewInputFilter func(call string) bool
+ PatchTest bool
}
func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, triage *map[int]*triageCall) {
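Review bot: The new exported field `PatchTest` has no comment, so its effect is recorded only in the commit message. The only use visible in this diff is the smash/exec-fuzz ratio in newExecQueues; the reduced minimization mentioned in the description is not part of these hunks. A field comment such as `// PatchTest biases scheduling towards exec/fuzz over smashing and minimization; meant for patch fuzzing.` would tell callers what they opt into. The Config struct begins before this hunk, so it is not visible whether sibling fields follow a different documentation convention.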