// Copyright 2026 syzkaller project authors. All rights reserved.
// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

package assessmenet

import (
	"fmt"

	"github.com/google/syzkaller/pkg/aflow"
	"github.com/google/syzkaller/pkg/aflow/action/kernel"
	"github.com/google/syzkaller/pkg/aflow/ai"
	"github.com/google/syzkaller/pkg/aflow/tool/codesearcher"
	"github.com/google/syzkaller/pkg/report/crash"
)

type moderationInputs struct {
	BugTitle          string
	CrashReport       string
	KernelRepo        string
	KernelCommit      string
	KernelConfig      string
	CodesearchToolBin string
}

type moderationOutputs struct {
	Confident   bool
	Actionable  bool
	Explanation string
}

func init() {
	aflow.Register[moderationInputs, moderationOutputs](
		ai.WorkflowModeration,
		"assess if a bug report is consistent and actionable or not",
		&aflow.Flow{
			Root: &aflow.Pipeline{
				Actions: []aflow.Action{
					aflow.NewFuncAction("extract-crash-type", extractCrashType),
					kernel.Checkout,
					kernel.Build,
					codesearcher.PrepareIndex,
					&aflow.LLMAgent{
						Name:  "expert",
						Model: aflow.GoodBalancedModel,
						Reply: "Explanation",
						Outputs: aflow.LLMOutputs[struct {
							Confident  bool `jsonschema:"If you are confident in the verdict of the analysis or not."`
							Actionable bool `jsonschema:"If the report is actionable or not."`
						}](),
						Temperature: 1,
						Instruction: moderationInstruction,
						Prompt:      moderationPrompt,
						Tools:       codesearcher.Tools,
					},
				},
			},
		},
	)
}

const moderationInstruction = `
You are an experienced Linux kernel developer tasked with determining if the given kernel bug
report is actionable or not. Actionable means that it contains enough info to root cause
the underlying bug, and that the report is self-consistent and makes sense, rather than
e.g. a one-off nonsensical crash induced by a previous memory corruption.

{{if .IsUAF}}
The bug report is about a use-after-free bug generated by KASAN tool.
It should contain 3 stack traces: the bad memory access stack, the heap block allocation stack,
and the heap block free stack. If the report does not contain 3 stacks, it's not actionable.

All 3 stack traces should be related to the same object type,
and usually be in the same kernel subsystem (at least leaf stack frames).
An example of an actionable and consistent report would be: first access stack relates
to an access to a field of struct Foo, allocation/free stacks relate to allocation/free
of the struct Foo.
In inconsistent/nonsensical reports an access may be to a struct Foo, but allocation
stack allocates a different structure in a different subsystem.
Look for other suspicious signals/inconsistencies that can make this report hard to
debug/understand. 
{{end}}

In the final reply explain why you think the report is self-consistent and actionable,
or why it's inconsistent and/or not actionable.

Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
In particular, don't make assumptions about the kernel source code,
use codesearch tools to read the actual source code.
`

const moderationPrompt = `
The bug report is:

{{.CrashReport}}
`

type extractArgs struct {
	BugTitle string
}

type extractResult struct {
	IsUAF bool
}

func extractCrashType(ctx *aflow.Context, args extractArgs) (extractResult, error) {
	var res extractResult
	typ := crash.TitleToType(args.BugTitle)
	switch {
	case typ.IsUAF():
		res.IsUAF = true
	default:
		return res, fmt.Errorf("unsupported bug type")
	}
	return res, nil
}