From 945e91b794873481a34fe25de502ba96c8dc2a6b Mon Sep 17 00:00:00 2001
From: Aleksandr Nogikh
Date: Sun, 20 Oct 2024 22:49:41 +0200
Subject: pkg/fuzzer: add the PatchTest flag

When the option is set, more time is spent on "exec fuzz" and less time is spent minimizing the programs.
---
 pkg/fuzzer/fuzzer.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'pkg/fuzzer/fuzzer.go')

diff --git a/pkg/fuzzer/fuzzer.go b/pkg/fuzzer/fuzzer.go
index ba6d93651..3dac022ad 100644
--- a/pkg/fuzzer/fuzzer.go
+++ b/pkg/fuzzer/fuzzer.go
@@ -87,13 +87,20 @@ func newExecQueues(fuzzer *Fuzzer) execQueues {
 		triageQueue: queue.DynamicOrder(),
 		smashQueue: queue.Plain(),
 	}
+	// Alternate smash jobs with exec/fuzz to spread attention to the wider area.
+	skipQueue := 3
+	if fuzzer.Config.PatchTest {
+		// When we do patch fuzzing, we do not focus on finding and persisting
+		// new coverage that much, so it's reasonable to spend more time just
+		// mutating various corpus programs.
+		skipQueue = 2
+	}
 	// Sources are listed in the order, in which they will be polled.
 	ret.source = queue.Order(
 		ret.triageCandidateQueue,
 		ret.candidateQueue,
 		ret.triageQueue,
-		// Alternate smash jobs with exec/fuzz once in 3 times.
-		queue.Alternate(ret.smashQueue, 3),
+		queue.Alternate(ret.smashQueue, skipQueue),
 		queue.Callback(fuzzer.genFuzz),
 	)
 	return ret
@@ -198,6 +205,7 @@ type Config struct {
 	NoMutateCalls map[int]bool
 	FetchRawCover bool
 	NewInputFilter func(call string) bool
+	PatchTest bool
 }
 
 func (fuzzer *Fuzzer) triageProgCall(p *prog.Prog, info *flatrpc.CallInfo, call int, triage *map[int]*triageCall) {
-- 
cgit mrf-deployment
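Review bot: The new local `skipQueue` in newExecQueues does not describe what it holds — it is the period passed to `queue.Alternate`, not a queue and not something skipped — so the name obscures the only thing the PatchTest branch changes. A name such as `smashPeriod := 3` / `smashPeriod = 2` / `queue.Alternate(ret.smashQueue, smashPeriod)` would let the reader see that patch fuzzing merely alternates smash jobs more often; the two bare literals could likewise become named constants next to the comment that already explains them. The exact meaning of the period argument is defined by queue.Alternate, which is outside this diff, so the comment above the literal should say which way "2" shifts attention ("smash every 2nd poll instead of every 3rd" or the reverse) rather than leaving it to the reader. newExecQueues starts above this hunk.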
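Review bot: The new exported field `PatchTest bool` on Config is added without a doc comment, although it changes fuzzer scheduling in a non-obvious way that only the newExecQueues hunk explains. The neighbouring fields in view carry no comments either, so this may follow the file's style, but a one-line note such as `// PatchTest tunes the exec queues for patch fuzzing: smash jobs are alternated with exec/fuzz at a different rate (see newExecQueues).` would tell a caller what the flag actually does without reading the constructor. The commit message's mention of spending less time minimizing programs is not visible in this file, so if that behaviour lives elsewhere the field comment is also where to point at it.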