platform: posix: drain-or-abort loop for fuzz testcase isolation

The libFuzzer harness used to stage the testcase bytes, raise the
fuzz IRQ, and then unconditionally run the native_sim scheduler for
CONFIG_ZEPHYR_POSIX_FUZZ_TICKS ticks before returning. That has two
problems for reproducibility:

  * If the OS finishes draining the IPC much faster than the tick
    budget (the common case), we still burn the full budget, which
    slows exec/s without buying any coverage.
  * If the OS does NOT finish within the budget (deep handlers, long
    pipeline walks, large payloads), the staged input buffer plus
    the per-call fuzz_in[] queue carry over into the next testcase.
    That leaks state across cases and is the root cause of crashes
    that disappear when replayed individually.

Split the budget into POSIX_FUZZ_DRAIN_QUANTA (=8) quanta and after
each one ask the IPC layer whether anything is still pending; return
as soon as the queue is empty, otherwise run the abort hook to wipe
both the raw fuzz buffer and the staged IPC payload before the next
call. Together with the hooks added in the previous commit this
guarantees that LLVMFuzzerTestOneInput observes a clean staging
state on entry regardless of what the previous case did.

No protocol or coverage change is intended; the goal is reproducible
crashes and slightly higher throughput on short inputs.

Signed-off-by: Tomasz Leman <tomasz.m.leman@intel.com>

Author: tmleman

src/platform/posix/fuzz.c

@@ -10,37 +10,68 @@
 #include <zephyr/sys/time_units.h>
 #include <nsi_cpu_if.h>
 #include <nsi_main_semipublic.h>
+#include <platform/fuzz.h>
 
 const uint8_t *posix_fuzz_buf;
 size_t posix_fuzz_sz;
 
+/* Number of simulator quanta the budget is split into for the
+ * drain-or-abort loop. More quanta = earlier exit on quick testcases.
+ */
+#define POSIX_FUZZ_DRAIN_QUANTA 8
+
 /**
  * Entry point for fuzzing. Works by placing the data
  * into two known symbols, triggering an app-visible interrupt, and
- * then letting the simulator run for a fixed amount of time (intended to be
- * "long enough" to handle the event and reach a quiescent state
- * again)
+ * then letting the simulator run for up to a fixed amount of time
+ * split into small quanta, exiting as soon as the OS has drained the
+ * staged fuzz input. If the budget is exhausted before drain we drop
+ * pending state to keep testcases isolated.
  */
 NATIVE_SIMULATOR_IF
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t sz)
 {
 	static bool runner_initialized;
+	uint64_t total_us;
+	uint64_t quantum_us;
+	int i;
 
 	if (!runner_initialized) {
 		nsi_init(0, NULL);
 		runner_initialized = true;
 	}
 
+	total_us = k_ticks_to_us_ceil64(CONFIG_ZEPHYR_POSIX_FUZZ_TICKS);
+	quantum_us = (total_us + POSIX_FUZZ_DRAIN_QUANTA - 1) / POSIX_FUZZ_DRAIN_QUANTA;
+	if (quantum_us == 0)
+		quantum_us = 1;
+
+	/* Fresh testcase: drop any leftovers from a previous case before
+	 * staging the new buffer, so state from the prior input cannot
+	 * influence this one.
+	 */
+	posix_fuzz_case_begin();
+
 	/* Provide the fuzz data to the embedded OS as an interrupt, with
 	 * "DMA-like" data placed into posix_fuzz_buf/sz.
 	 */
 	posix_fuzz_buf = data;
 	posix_fuzz_sz = sz;
 	hw_irq_ctrl_set_irq(CONFIG_ZEPHYR_POSIX_FUZZ_IRQ);
 
-	/* Give the OS time to process whatever happened in that
-	 * interrupt and reach an idle state.
+	/* Bounded drain loop: run simulator in small quanta and exit
+	 * as soon as both the raw input buffer and the staged IPC
+	 * queue are empty.
+	 */
+	for (i = 0; i < POSIX_FUZZ_DRAIN_QUANTA; i++) {
+		nsi_exec_for(quantum_us);
+		if (!posix_fuzz_case_pending())
+			return 0;
+	}
+
+	/* Budget exhausted without full drain: hard reset so the next
+	 * testcase starts clean.
 	 */
-	nsi_exec_for(k_ticks_to_us_ceil64(CONFIG_ZEPHYR_POSIX_FUZZ_TICKS));
+	posix_fuzz_case_abort();
 	return 0;
 }