strategy.c

/*
 * Multi-strategy syscall-picker rotation: arm-selection policies.
 *
 * Two arm-selection policies are wired in here: a fixed round-robin
 * (the original picker) and a UCB1 bandit picker.  Both consume the
 * per-strategy edge attribution recorded in
 * shm->pc_edge_calls_by_strategy[]; the bandit treats those call
 * counts as the reward signal and biases future window picks toward
 * arms producing new-edge calls the fastest, while still occasionally
 * exploring the others so a temporarily-stuck arm doesn't starve
 * forever.  The parallel pc_edge_count_by_strategy[] series (real
 * bucket counts) is surfaced in dump_strategy_stats() as a diagnostic
 * but does not currently feed the learner.
 *
 * Picker mode is selected once at parse_args() time via --strategy
 * and stashed in shm->picker_mode so every child agrees on the
 * policy.  The CAS-winning child at a rotation boundary calls
 * pick_next_strategy() and bandit_record_pull(), runs the bandit
 * math itself, and writes the outcome back to shm->current_strategy.
 *
 * UCB1 is tractable here because the arm count is tiny (NR_STRATEGIES
 * is a handful -- three today, see enum strategy_t) and the picker only
 * runs once per STRATEGY_WINDOW (~100 sec at 10K iter/sec).
 * Floating-point sqrt and log inside the picker are noise relative to
 * the work done in the window itself.
 */

#include <limits.h>
#include <math.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#include "child.h"		/* struct childdata */
#include "cmp_hints.h"		/* cmp_hints_shm */
#include "cred_throttle.h"	/* cred_class_for_nr, CRED_CLASS_NR */
#include "debug.h"
#include "kcov.h"		/* KCOV_CMP_RECORDS_MAX, kcov_shm */
#include "params.h"
#include "rnd.h"
#include "shm.h"
#include "stats.h"		/* stats_log_write */
#include "stats_ring.h"		/* parent_stats */
#include "strategy.h"
#include "syscall.h"		/* MAX_NR_SYSCALL */
#include "tables.h"		/* syscalls, max_nr_syscalls */
#include "utils.h"

/* Same KCOV_CMP_CONST bit cmp_hints.c uses; from uapi/linux/kcov.h. */
#define KCOV_CMP_CONST  (1U << 0)
#define WORDS_PER_CMP   4

/*
 * Set by parse_args() before init_shm() runs, then propagated into
 * shm->picker_mode where every child reads it on the rotation path.
 * Not declared in a header — only params.c writes it and only
 * init_shm() reads it.
 *
 * Default is PICKER_BANDIT_UCB1: the plateau-intervention layer in
 * select_next_strategy() is bandit-gated, and the mode-aware default
 * for explorer_children (see clamp_default_explorer_children() in
 * params.c) only allocates the strategy-independent explorer pool
 * under bandit mode.  Defaulting to round-robin made both of those
 * adaptive paths silently inert -- a plateau under the round-robin
 * default would flip kcov_shm->plateau_active with nothing on the
 * picker side to respond.  --strategy=round-robin (alias rr) and
 * --strategy=bandit (aliases ucb1, bandit-ucb1) remain available as
 * explicit overrides.
 */
enum picker_mode_t picker_mode_arg = PICKER_BANDIT_UCB1;

/*
 * UCB1 exploration constant.  Standard derivation gives c = sqrt(2);
 * we leave it tunable because reward magnitudes (edges-per-window)
 * are not in [0,1] and the right exploration weight depends on the
 * normalisation choice.  Rewards are normalised by the largest
 * mean-reward observed across arms (see ucb1_score), so a c near 1
 * keeps the exploration term comparable to the exploit term.
 */
#define UCB1_EXPLORATION_C 1.41421356  /* sqrt(2) */

/*
 * EMA discount for the recent_pulls_x1000[]/recent_reward_x1000[]
 * counters defined in shm.h.  Each non-intervention window multiplies
 * every arm's counter by gamma = 1 - alpha, then increments the
 * active arm by 1.0 / window_reward.  Alpha = 0.05 gives a half-life
 * of log(0.5)/log(0.95) ≈ 13.5 windows -- around 22 minutes of fleet
 * wall time at the ~100 sec/window cadence, comfortably inside the
 * 10-30 window design target and short enough that the picker
 * recovers within a few rotations when an arm's yield collapses.
 *
 * BANDIT_EMA_SCALE is the fixed-point divisor: counters are stored
 * as their real value times 1000 so the integer math stays exact for
 * the alpha=0.05 step.
 */
#define BANDIT_EMA_ALPHA_X1000  50UL
#define BANDIT_EMA_SCALE        1000UL

/*
 * Decay one fixed-point counter by gamma = 1 - alpha.  Operates on
 * the parts-per-thousand value: 950/1000 stays integer and the
 * multiplication can't overflow because the inputs cap at
 * ~SCALE/alpha * (typical per-window reward) = a few million for
 * recent_pulls_x1000 (≤ 20000) and on the order of 1e9 for
 * recent_reward_x1000 (bounded by the headroom of unsigned long).
 */
static inline unsigned long bandit_ema_decay(unsigned long x_x1000)
{
	return (x_x1000 * (BANDIT_EMA_SCALE - BANDIT_EMA_ALPHA_X1000)
		+ BANDIT_EMA_SCALE / 2) /
	       BANDIT_EMA_SCALE;
}

/*
 * Translate the --strategy=NAME argument into a picker_mode_t.
 * Recognises the human-friendly aliases ("round-robin", "rr",
 * "bandit", "ucb1", "bandit-ucb1").  Returns false on unknown
 * input so the caller can emit a tidy error before exiting.
 */
bool parse_picker_mode(const char *name, enum picker_mode_t *out)
{
	if (name == NULL || out == NULL)
		return false;

	if (strcmp(name, "round-robin") == 0 ||
	    strcmp(name, "rr") == 0) {
		*out = PICKER_ROUND_ROBIN;
		return true;
	}
	if (strcmp(name, "bandit") == 0 ||
	    strcmp(name, "ucb1") == 0 ||
	    strcmp(name, "bandit-ucb1") == 0) {
		*out = PICKER_BANDIT_UCB1;
		return true;
	}
	return false;
}

const char *picker_mode_name(enum picker_mode_t mode)
{
	switch (mode) {
	case PICKER_ROUND_ROBIN:	return "round-robin";
	case PICKER_BANDIT_UCB1:	return "bandit-ucb1";
	}
	return "unknown";
}

const char *strategy_name(int arm)
{
	switch (arm) {
	case STRATEGY_HEURISTIC:		return "HEURISTIC";
	case STRATEGY_RANDOM:			return "RANDOM";
	case STRATEGY_COVERAGE_FRONTIER:	return "COVERAGE_FRONTIER";
	default:				return "?";
	}
}

bool is_strategy_eligible(int arm)
{
	if (arm < 0 || arm >= NR_STRATEGIES)
		return false;
	return true;
}

/*
 * Record the just-finished window: bump pull count for the arm that
 * was active, add its edge yield plus the CMP-novelty term to the
 * cumulative reward, and update the diagnostic CMP-share running sum.
 * Called by the CAS-winning child during maybe_rotate_strategy(),
 * which serialises with the picker — so picker-side reads of
 * bandit_pulls[] / bandit_reward_calls[] / bandit_reward_pc_edge_count[]
 * / bandit_cmp_share_sum_x1000[] inside pick_next_strategy() are
 * covered by the strategy-switch store's release semantics on the
 * next CAS winner.
 *
 * dump_strategy_stats() is parent-side and runs outside the CAS
 * protocol, so it can race a child that is mid-update here.  To keep
 * its per-arm reads from tearing against these writes, the writes use
 * __atomic_fetch_add(..., RELAXED) and dump_strategy_stats() pairs
 * them with __atomic_load_n(..., RELAXED).  Relaxed is sufficient: the
 * dump is a diagnostic snapshot with no ordering requirement against
 * other shm fields.  The stats counter bump uses an atomic add for the
 * same reason.
 *
 * pc_edge_calls is the per-window pc_edge_calls_by_strategy delta
 * (calls with >=1 new edge).  pc_edge_count is the parallel
 * pc_edge_count_by_strategy delta (real bucket-edge bits flipped).
 * cmp_new_constants is the per-window bandit_cmp_new_constants delta.
 *
 * The learner-facing combined reward is
 *   pc_edge_calls + cmp_new_constants / CMP_BANDIT_REWARD_WEIGHT_RECIPROCAL
 * (integer division — sub-weight CMP residues round to zero so a
 * window with a handful of novel constants doesn't perturb the
 * headline PC signal).  The pc_edge_count delta accumulates into the
 * parallel diagnostic reward (no cmp term folded in) so the operator
 * can compare what the real-count reward would have looked like.
 */
void bandit_record_pull(int arm, enum strategy_selection_reason reason,
			unsigned long pc_edge_calls,
			unsigned long pc_edge_count,
			unsigned long cmp_new_constants,
			unsigned long warn_fires,
			bool was_chaos)
{
	unsigned long cmp_term;
	unsigned long trans_term;
	unsigned long total;
	unsigned int chaos_idx;
	int i;

	if (arm < 0 || arm >= NR_STRATEGIES)
		return;
	if (reason < 0 || reason >= NR_SELECTION_REASONS)
		return;

	cmp_term = cmp_new_constants / CMP_BANDIT_REWARD_WEIGHT_RECIPROCAL;

	/* Transition-reward window delta.  Read from shm->stats directly
	 * rather than threaded through a new parameter so the function
	 * signature (and its declaration in include/strategy.h) stays
	 * unchanged.  The transition window-start snapshot is reseeded
	 * during the rotation handler in maybe_rotate_strategy (random-
	 * syscall.c) at the same RELAXED cadence as the pc_edge_*_at_
	 * window_start pair; computing the delta here is symmetric to how
	 * maybe_rotate_strategy computes pc_edge_calls / pc_edge_count
	 * before calling in.
	 *
	 * trans_term divides the raw transition delta by TRANSITION_BANDIT_
	 * REWARD_WEIGHT_RECIPROCAL (= 4, a 0.25 secondary weight matching
	 * the CMP-term shape) and is added only under COMBINED mode.  The
	 * per-call cap that prevents one pathological trace from
	 * monopolizing the window lives at the source bump in random-
	 * syscall.c (TRANSITION_PER_CALL_REWARD_CAP); no additional cap
	 * is needed here.  Under SHADOW_ONLY/OFF trans_term stays zero so
	 * the bandit reward total is byte-identical to the pre-knob
	 * baseline. */
	if (__atomic_load_n(&kcov_transition_reward_mode,
			    __ATOMIC_RELAXED) ==
	    KCOV_TRANSITION_REWARD_COMBINED) {
		unsigned long trans_now = __atomic_load_n(
			&shm->stats.transition_edge_count_by_strategy[arm],
			__ATOMIC_RELAXED);
		unsigned long trans_start = __atomic_load_n(
			&shm->stats.transition_edge_count_at_window_start,
			__ATOMIC_RELAXED);
		unsigned long trans_delta = (trans_now >= trans_start) ?
					     (trans_now - trans_start) : 0UL;

		trans_term = trans_delta /
			     TRANSITION_BANDIT_REWARD_WEIGHT_RECIPROCAL;
	} else {
		trans_term = 0;
	}

	total = pc_edge_calls + cmp_term + trans_term;

	/* Always bucket the just-finished window by (arm, reason) before
	 * any cohort-gated learner update.  These matrices are diagnostic
	 * (the picker does not score against them) so they capture every
	 * window including SR_PLATEAU_FORCE -- intervention reward is the
	 * exact signal a future plateau-rescue classifier wants to read
	 * back, and excluding it here would silently zero the cohort the
	 * classifier is meant to study. */
	__atomic_fetch_add(&shm->bandit_pulls_by_reason[arm][reason], 1UL,
			   __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->bandit_reward_calls_by_reason[arm][reason],
			   total, __ATOMIC_RELAXED);
	__atomic_fetch_add(
		&shm->bandit_reward_pc_edge_count_by_reason[arm][reason],
		pc_edge_count, __ATOMIC_RELAXED);

	/* SR_PLATEAU_FORCE windows skip the learner-facing updates: an
	 * intervention window ran STRATEGY_RANDOM because every arm was
	 * stalled, which is structurally different from "RANDOM scored
	 * best under UCB" (the bandit had no input on the pick).  Folding
	 * the forced window into bandit_pulls[] / bandit_reward_calls[] /
	 * the recent_*_x1000 EMA contaminates the learner so the bandit
	 * can't tell policy-chosen RANDOM windows from forced RANDOM
	 * windows once the plateau clears.  The caller-side guard that
	 * used to gate this call moved in here so the by-reason bucketing
	 * above stays unconditional. */
	if (reason == SR_PLATEAU_FORCE)
		return;

	/* Per-arm x chaos-state cohort attribution -- chaos-mode V2.  Sits
	 * below the SR_PLATEAU_FORCE early-return so the by_chaos cohort
	 * sums reconcile with the flat bandit_pulls[] / bandit_reward_calls[]
	 * totals updated immediately below: an intervention window that
	 * lands inside a chaos window must drop from both cohorts together,
	 * otherwise sum_arm sum_chaos bandit_pulls_by_chaos[arm][c] runs
	 * ahead of sum_arm bandit_pulls[arm] by the SR_PLATEAU_FORCE count
	 * and the operator-facing cohort ratio drifts.
	 *
	 * was_chaos is sampled by the caller in maybe_rotate_strategy
	 * before cmp_hints_chaos_tick advances the schedule, so it reflects
	 * the chaos state in effect across the just-finished window rather
	 * than the state for the upcoming one.  The warn_fires delta is the
	 * caller-computed kmsg_warn_fires_now - kmsg_warn_fires_at_window_
	 * start delta for the same window.  Observation only -- no consumer
	 * in select_next_strategy or ucb1_score reads these arrays; V3
	 * action mode will wire them into the picker once the significance
	 * gate from the design doc clears. */
	chaos_idx = was_chaos ? 1u : 0u;
	__atomic_fetch_add(&shm->bandit_pulls_by_chaos[arm][chaos_idx], 1UL,
			   __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->bandit_reward_calls_by_chaos[arm][chaos_idx],
			   total, __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->bandit_warn_fires_by_chaos[arm][chaos_idx],
			   warn_fires, __ATOMIC_RELAXED);

	__atomic_fetch_add(&shm->bandit_pulls[arm], 1UL, __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->bandit_reward_calls[arm], total,
			   __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->bandit_reward_pc_edge_count[arm],
			   pc_edge_count, __ATOMIC_RELAXED);

	/* Discounted "recent" series update.  Decay every arm's counters
	 * by gamma = 1 - alpha first, THEN credit the active arm with one
	 * effective pull and the window's reward.  Decaying all arms (not
	 * just the pulled one) is what keeps the UCB1 explore-term
	 * denominator meaningful under discounting -- an arm that stops
	 * being picked must see its effective sample count shrink so the
	 * picker eventually re-tries it.  Single writer (CAS-serialised
	 * rotation path) so plain reads of the old values are safe;
	 * RELEASE stores back so the parent-side dump's RELAXED loads see
	 * complete values rather than torn intermediates.  This update
	 * runs alongside the lifetime fields above; ucb1_score() reads the
	 * recent series for both exploit and explore terms (D-UCB), while
	 * cold-start in pick_next_strategy() reads the lifetime by-reason
	 * aggregate (sum across r of bandit_pulls_by_reason[i][r]) -- "never
	 * observed by any path, including SR_PLATEAU_FORCE" rather than
	 * "not observed lately" -- and the lifetime fields also back
	 * dump_strategy_stats. */
	for (i = 0; i < NR_STRATEGIES; i++) {
		unsigned long p = __atomic_load_n(&shm->recent_pulls_x1000[i],
						  __ATOMIC_RELAXED);
		unsigned long r = __atomic_load_n(&shm->recent_reward_x1000[i],
						  __ATOMIC_RELAXED);

		__atomic_store_n(&shm->recent_pulls_x1000[i],
				 bandit_ema_decay(p), __ATOMIC_RELAXED);
		__atomic_store_n(&shm->recent_reward_x1000[i],
				 bandit_ema_decay(r), __ATOMIC_RELAXED);
	}
	__atomic_fetch_add(&shm->recent_pulls_x1000[arm], BANDIT_EMA_SCALE,
			   __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->recent_reward_x1000[arm],
			   total * BANDIT_EMA_SCALE, __ATOMIC_RELAXED);

	if (cmp_term == 0)
		return;

	__atomic_fetch_add(&shm->stats.bandit_cmp_reward_added, 1UL,
			   __ATOMIC_RELAXED);

	/* Per-arm running sum of cmp_term's share of the combined reward,
	 * scaled to parts per thousand.  Total is non-zero here because
	 * cmp_term > 0.  Averaged at end-of-run to surface the empirical
	 * CMP weighting per arm so the 0.25 constant can be tuned. */
	__atomic_fetch_add(&shm->bandit_cmp_share_sum_x1000[arm],
			   (cmp_term * 1000UL) / total,
			   __ATOMIC_RELAXED);
}

/*
 * Per-syscall comparison-constant novelty bloom.
 *
 * Two complementary 64-bit hashes derive ten-bit indices into a
 * 1024-bit (128-byte) bloom filter per syscall.  The multipliers are
 * splitmix64-style high-entropy odd constants; XOR-folding the upper
 * half into the index defeats the multiplier's tendency to leave low
 * bits weakly mixed when val itself has small magnitude (true for
 * many comparison constants the kernel checks against -- length
 * limits, error codes, magic numbers in the first few KiB of address
 * space).  Two hashes is the textbook efficient point for k below
 * ~3% FPR at the loads expected here (a few hundred distinct
 * constants per syscall over the K-window decay).
 */
static inline uint32_t cmp_bloom_h1(unsigned long val)
{
	uint64_t x = (uint64_t)val * 0x9e3779b97f4a7c15ULL;
	x ^= x >> 32;
	return (uint32_t)(x & 0x3FF);
}

static inline uint32_t cmp_bloom_h2(unsigned long val)
{
	uint64_t x = (uint64_t)val * 0xbf58476d1ce4e5b9ULL;
	x ^= x >> 32;
	x ^= x >> 16;
	return (uint32_t)(x & 0x3FF);
}

/*
 * Same "boring constant" filter cmp_hints.c uses (interesting_value).
 * Kept private here so the two filters can drift independently if it
 * turns out the novelty signal benefits from a different threshold
 * than the hint-substitution pool.
 */
static bool cmp_novelty_interesting(unsigned long val)
{
	if (val == 0 || val == 1)
		return false;
	if (val == (unsigned long) -1)
		return false;
	if (val < 4)
		return false;
	return true;
}

/*
 * Lazy bloom decay.  If the entry's window_tag is more than
 * CMP_NOVELTY_DECAY_WINDOWS rotations behind the current rotation
 * counter, zero the bloom and republish the tag.  CAS protects against
 * multiple children racing to clear the same entry — the loser sees
 * the new tag on the second load and skips the clear.  Children that
 * race the clear and observe a half-zeroed bloom may miss-credit a
 * constant as novel; that is benign for a noisy diagnostic counter
 * and self-correcting on the next observation.
 */
static void cmp_bloom_maybe_decay(struct cmp_novelty_entry *e,
				  uint32_t now)
{
	uint32_t tag = __atomic_load_n(&e->window_tag, __ATOMIC_RELAXED);

	if (now - tag <= CMP_NOVELTY_DECAY_WINDOWS)
		return;

	if (!__atomic_compare_exchange_n(&e->window_tag, &tag, now,
					 false,
					 __ATOMIC_RELAXED, __ATOMIC_RELAXED))
		return;

	memset((void *)e->bloom, 0, sizeof(e->bloom));
}

/*
 * Test-and-set one bloom bit.  Returns true if the bit was previously
 * clear (the constant is novel along this hash).  Bits are atomic at
 * byte granularity; the caller treats "either hash bit was clear" as
 * "constant is novel".
 */
static bool cmp_bloom_set(uint8_t *bloom, uint32_t bit)
{
	uint8_t mask = (uint8_t)(1U << (bit & 7));
	uint8_t prev = __atomic_fetch_or(&bloom[bit >> 3], mask,
					 __ATOMIC_RELAXED);

	return (prev & mask) == 0;
}

unsigned long bandit_cmp_observe(unsigned long *trace_buf, unsigned int nr,
				bool do32, bool is_explorer,
				int strategy_at_pick)
{
	struct cmp_novelty_entry *e;
	unsigned long count, i;
	unsigned long novel = 0;
	uint32_t now;

	if (trace_buf == NULL || nr >= MAX_NR_SYSCALL)
		return 0;

	count = __atomic_load_n(&trace_buf[0], __ATOMIC_RELAXED);
	if (count == 0)
		return 0;
	if (count > KCOV_CMP_RECORDS_MAX)
		count = KCOV_CMP_RECORDS_MAX;

	e = &shm->cmp_novelty[nr][do32 ? 1 : 0];
	now = (uint32_t)__atomic_load_n(&shm->bandit_window_count,
					__ATOMIC_RELAXED);
	cmp_bloom_maybe_decay(e, now);

	for (i = 0; i < count; i++) {
		unsigned long type = trace_buf[1 + i * WORDS_PER_CMP];
		unsigned long arg1 = trace_buf[1 + i * WORDS_PER_CMP + 1];
		bool novel_here;

		if (!(type & KCOV_CMP_CONST))
			continue;

		/* arg1 is the compile-time constant under KCOV_CMP_CONST
		 * (clang/gcc's __sanitizer_cov_trace_const_cmpN convention);
		 * arg2 is the runtime value the kernel compared it against
		 * and would just credit the bandit for novelty in the
		 * fuzzer's own input distribution. */
		if (!cmp_novelty_interesting(arg1))
			continue;

		novel_here = cmp_bloom_set(e->bloom, cmp_bloom_h1(arg1));
		novel_here = cmp_bloom_set(e->bloom, cmp_bloom_h2(arg1)) ||
			     novel_here;
		if (novel_here)
			novel++;
	}

	if (novel == 0)
		return 0;

	/* Per-arm bandit attribution is gated separately from the return
	 * value: explorer-pool children run a different strategy than
	 * whatever the bandit picked, so crediting their CMP novelty into
	 * bandit_cmp_new_constants[] would misattribute their work and bias
	 * the bandit's reward calculation.  Out-of-range strategy_at_pick
	 * (including the -1 sentinel for pre-first-pick) likewise skips
	 * attribution.  The bloom updates above and the `novel` return
	 * still propagate so the global novelty horizon stays consistent
	 * across the fleet and so callers can use CMP novelty from
	 * explorers as a corpus-save signal.
	 *
	 * Attribute to the arm that PICKED the syscall, snapshotted in
	 * set_syscall_nr().  Re-reading shm->current_strategy here would
	 * misattribute any call whose syscall started under one arm and
	 * completed under another (rotation lands mid-syscall) -- frequent
	 * for long or blocking syscalls. */
	if (!is_explorer &&
	    strategy_at_pick >= 0 && strategy_at_pick < NR_STRATEGIES) {
		__atomic_fetch_add(
			&shm->bandit_cmp_new_constants[strategy_at_pick],
			novel, __ATOMIC_RELAXED);
	}

	return novel;
}

/*
 * Per-syscall frontier-edge ring accessors.
 *
 * The ring is a fixed-width window of FRONTIER_DECAY_WINDOWS slots per
 * syscall; the slot currently being filled is (frontier_slot &
 * (FRONTIER_DECAY_WINDOWS - 1)).  Producers (kcov_collect on the
 * new-edge branch) atomic-add into the current slot.  The rotation hook
 * advances the slot index and zeroes the slot it just moved into, so
 * sums across the ring give the trailing K-window frontier count for
 * each syscall -- effectively a sliding window with discrete decay.
 *
 * FRONTIER_DECAY_WINDOWS is currently 8 (see strategy.h); the AND-mask
 * approach assumes it stays a power of two -- enforced by the
 * static_assert below so a future change to a non-pot value fails at
 * compile time rather than silently producing wrong slot indices.
 */
_Static_assert((FRONTIER_DECAY_WINDOWS &
		(FRONTIER_DECAY_WINDOWS - 1)) == 0,
	       "FRONTIER_DECAY_WINDOWS must be a power of two");

void frontier_record_new_edge(unsigned int nr)
{
	uint32_t slot;
	unsigned long w;
	unsigned int cached;

	if (nr >= MAX_NR_SYSCALL)
		return;

	slot = __atomic_load_n(&shm->frontier_slot, __ATOMIC_RELAXED) &
	       (FRONTIER_DECAY_WINDOWS - 1);
	__atomic_fetch_add(&shm->frontier_history[nr][slot], 1U,
			   __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->frontier_recent_count_cached[nr], 1U,
			   __ATOMIC_RELAXED);

	/* RedQueen-source PC-edge attribution.  When the call that produced
	 * this new edge was a replay of a corpus entry whose args were
	 * originally captured under in_reexec (i.e. the RedQueen re-exec
	 * path harvested those args), credit the win to the dedicated
	 * rq_sourced_pcedge_wins_per_syscall[] counter so the periodic
	 * dump can report PC-edge conversion of RedQueen-sourced saves
	 * separately from the bulk per-strategy attribution.  Observability
	 * only -- no selection / reward code reads this counter.  RELAXED
	 * add-fetch matches the surrounding accounting. */
	{
		struct childdata *cc = this_child();

		if (cc != NULL && cc->replay_rq_sourced)
			__atomic_fetch_add(
				&shm->stats.rq_sourced_pcedge_wins_per_syscall[nr],
				1UL, __ATOMIC_RELAXED);

		/* errno-gradient-save conversion counter.  Sibling of the
		 * rq_sourced bump above for the errno-source provenance lane.
		 * Bumped only when the call that produced this PC win was a
		 * replay of a corpus entry whose errno_sourced flag was set --
		 * i.e. a downstream PC-edge win from an errno-gradient save.
		 * Observability only; cumulative-diagnostic semantics matches
		 * the rest of the strategy.c accounting. */
		if (cc != NULL && cc->replay_errno_sourced)
			__atomic_fetch_add(
				&shm->stats.errno_sourced_pcedge_wins_per_syscall[nr],
				1UL, __ATOMIC_RELAXED);
	}

	/* SHADOW-ONLY silent-streak reset.  This function is the canonical
	 * per-syscall new-edge productive-event hook -- already called from
	 * kcov_collect()'s found_new branch when a syscall's call has
	 * produced at least one fresh bucket bit, which is also the path
	 * that contributes the positive local_distinct_pcs delta the
	 * coverage-frontier picker treats as the "productive" signal.
	 * Resetting the silent-streak counter here therefore reuses the
	 * existing per-syscall productive-edge collection site -- no new
	 * collection path is added.
	 *
	 * The counter and the global frontier_shadow_decay_candidates it
	 * edge-triggers in random-syscall.c's silent-regime accept site
	 * are observability-only: no live selection or scoring code reads
	 * them, so the reset cannot perturb the picker distribution. */
	__atomic_store_n(
		&shm->stats.frontier_silent_streak_per_syscall[nr],
		0UL, __ATOMIC_RELAXED);

	/* SHADOW-ONLY no-novelty baseline snapshot, paired with the streak
	 * reset above.  Snapshots the current value of the two non-PC-edge
	 * novelty signals (per-syscall CMP-pool inserts and per-syscall
	 * SUCCESS-bucket errno count) so the silent-regime accept site can
	 * detect whether either fired during the next silent streak via a
	 * cheap current-vs-baseline equality test.  A streak reset here is
	 * the right moment to refresh the baselines: by construction this
	 * call also bumped per_syscall_edges, so PC-edge novelty IS the
	 * reset event and the no-novelty UNLESS clause is being re-armed
	 * for the next streak.
	 *
	 * Same observability-only contract as the streak counter above --
	 * no selection or scoring code reads these baselines, only the
	 * shadow decay predicate at the silent-regime accept site does.
	 * kcov_shm NULL-checked because frontier_record_new_edge is
	 * unreachable without a coverage trace under collection, but the
	 * guard matches the pattern other kcov_shm consumers follow. */
	if (kcov_shm != NULL) {
		unsigned long cmp_snap, errno_snap;

		cmp_snap = __atomic_load_n(
			&kcov_shm->per_syscall_cmp_inserts[nr],
			__ATOMIC_RELAXED);
		errno_snap = __atomic_load_n(
			&kcov_shm->per_syscall_errno[nr][ERRNO_BUCKET_SUCCESS],
			__ATOMIC_RELAXED);
		__atomic_store_n(
			&shm->stats.frontier_silent_cmp_baseline[nr],
			cmp_snap, __ATOMIC_RELAXED);
		__atomic_store_n(
			&shm->stats.frontier_silent_errno_success_baseline[nr],
			errno_snap, __ATOMIC_RELAXED);
	}

	/* Ratchet the cached max upward if this bump pushed nr's recent
	 * count past it.  No CAS: a racing producer that also raises the
	 * max can clobber our store with its (also-correct) value, and a
	 * racing rotation will overwrite with the authoritative recompute.
	 * Both outcomes leave the cache within one window's slack. */
	w = frontier_recent_count(nr);
	if (w > UINT_MAX)
		w = UINT_MAX;
	cached = __atomic_load_n(&shm->frontier_max_weight_cached,
				 __ATOMIC_RELAXED);
	if ((unsigned int)w > cached)
		__atomic_store_n(&shm->frontier_max_weight_cached,
				 (unsigned int)w, __ATOMIC_RELAXED);
}

/*
 * Transition-discovery sibling of frontier_record_new_edge().  Bumps
 * the same per-syscall frontier-edge ring + cached max + silent-streak
 * reset triple, treating a transition-slot flip as evidence that the
 * syscall is currently producing fresh control-flow coverage.  The
 * canonical signal pattern this commit promotes is "PC-edge discovery
 * plateaued while transition discovery still moves" -- so under
 * COMBINED mode the frontier ring needs to be pushed up for syscalls
 * producing transitions but no fresh PC bucket bits, otherwise the
 * silent-regime picker steers away from exactly the syscalls that are
 * still earning the post-plateau coverage.
 *
 * Caller-side gates (in random-syscall.c at the kcov_collect call
 * site) handle the kcov_transition_reward_mode == COMBINED and
 * !child->is_explorer and !child->kcov.remote_mode filters before
 * invoking, so this function only sees calls that should bump the
 * ring.  The RedQueen-source PC-edge attribution branch in
 * frontier_record_new_edge() is deliberately omitted here -- that
 * counter measures PC-edge wins from RedQueen-sourced corpus replays
 * and a transition discovery is a different signal.  The silent-streak
 * reset DOES apply: a syscall producing transitions has demonstrably
 * been productive this window, which is the streak's reset semantics
 * (frontier_silent_streak_per_syscall is a "consecutive cold windows"
 * counter, agnostic to PC vs transition).
 */
void frontier_record_transition_edge(unsigned int nr)
{
	uint32_t slot;
	unsigned long w;
	unsigned int cached;

	if (nr >= MAX_NR_SYSCALL)
		return;

	slot = __atomic_load_n(&shm->frontier_slot, __ATOMIC_RELAXED) &
	       (FRONTIER_DECAY_WINDOWS - 1);
	__atomic_fetch_add(&shm->frontier_history[nr][slot], 1U,
			   __ATOMIC_RELAXED);
	__atomic_fetch_add(&shm->frontier_recent_count_cached[nr], 1U,
			   __ATOMIC_RELAXED);

	__atomic_store_n(
		&shm->stats.frontier_silent_streak_per_syscall[nr],
		0UL, __ATOMIC_RELAXED);

	/* SHADOW-ONLY no-novelty baseline snapshot.  Mirror of the snapshot
	 * pair in frontier_record_new_edge(): a transition-edge discovery
	 * is also a productive event for the streak's purposes, so the
	 * decay predicate's UNLESS-clause baselines re-arm here too.  Same
	 * observability-only contract; see the matching block in
	 * frontier_record_new_edge() for full rationale. */
	if (kcov_shm != NULL) {
		unsigned long cmp_snap, errno_snap;

		cmp_snap = __atomic_load_n(
			&kcov_shm->per_syscall_cmp_inserts[nr],
			__ATOMIC_RELAXED);
		errno_snap = __atomic_load_n(
			&kcov_shm->per_syscall_errno[nr][ERRNO_BUCKET_SUCCESS],
			__ATOMIC_RELAXED);
		__atomic_store_n(
			&shm->stats.frontier_silent_cmp_baseline[nr],
			cmp_snap, __ATOMIC_RELAXED);
		__atomic_store_n(
			&shm->stats.frontier_silent_errno_success_baseline[nr],
			errno_snap, __ATOMIC_RELAXED);
	}

	w = frontier_recent_count(nr);
	if (w > UINT_MAX)
		w = UINT_MAX;
	cached = __atomic_load_n(&shm->frontier_max_weight_cached,
				 __ATOMIC_RELAXED);
	if ((unsigned int)w > cached)
		__atomic_store_n(&shm->frontier_max_weight_cached,
				 (unsigned int)w, __ATOMIC_RELAXED);
}

unsigned long frontier_recent_count(unsigned int nr)
{
	if (nr >= MAX_NR_SYSCALL)
		return 0;

	return __atomic_load_n(&shm->frontier_recent_count_cached[nr],
			       __ATOMIC_RELAXED);
}

/*
 * Errno-plateau decay predicate for the coverage-frontier picker's
 * silent-regime accept site.  See the FRONTIER_ERRNO_PLATEAU_* contract
 * in include/strategy.h for the design rationale; the four novelty-
 * restore lanes (PC edge / transition / CMP / new-errno) are all the
 * predicate ever needs because the underlying counters are monotonic --
 * any productive event flips the predicate permanently false for that
 * syscall without requiring a per-syscall reset hook in frontier_
 * record_new_edge / frontier_record_transition_edge.
 *
 * Reads are RELAXED.  A torn or stale snapshot only shifts the predicate
 * by at most one call's worth of evidence, well inside the slack the
 * outer accept/retry loop already tolerates, and the inequality tests
 * cannot misclassify across the threshold by more than one increment.
 *
 * Returns false when kcov_shm is NULL or nr is out of range so the
 * caller's accept gate degrades to the historical accept distribution
 * rather than wedging on a NULL deref -- matches the kcov-less fallback
 * frontier_cold_weight already takes.
 */
bool frontier_errno_plateau_should_decay(unsigned int nr, bool do32)
{
	unsigned long calls, edges, cmp_inserts, transition_edges;
	unsigned long max_failure_bucket = 0;
	unsigned int bucket;

	if (kcov_shm == NULL || nr >= MAX_NR_SYSCALL)
		return false;

	/* Coordinate with the landed --cred-throttle gate: credential-class
	 * syscalls have their own EPERM/EINVAL dominance throttle keyed on
	 * cred_class_* counters in cred_throttle.c, and a credential-class
	 * pick already burns its rejection budget on that gate.  Excluding
	 * the set here keeps a credential syscall from being decayed by both
	 * gates in lock-step -- the cred-throttle reject lands first inside
	 * set_syscall_nr_coverage_frontier, so this predicate only ever sees
	 * a credential pick that the throttle already let through. */
	if (cred_class_for_nr(nr, do32) != CRED_CLASS_NR)
		return false;

	calls = __atomic_load_n(&kcov_shm->per_syscall_calls[nr],
				__ATOMIC_RELAXED);
	if (calls < FRONTIER_ERRNO_PLATEAU_MIN_CALLS)
		return false;

	/* PC-edge novelty lane.  per_syscall_edges has call-count semantics
	 * (see include/kcov.h): one bump per call that discovered at least
	 * one fresh bucket bit.  A non-zero value means the syscall has been
	 * productive in PC-coverage terms at least once across its lifetime,
	 * so the decay must release.  Counter is monotonic non-decreasing,
	 * so once edges > 0 the predicate is permanently false for nr. */
	edges = __atomic_load_n(&kcov_shm->per_syscall_edges[nr],
				__ATOMIC_RELAXED);
	if (edges > 0)
		return false;

	/* CMP novelty lane.  per_syscall_cmp_inserts counts fresh inserts
	 * and evict-replaces in cmp_hints' per-syscall pool (dedup-refresh
	 * hits do not count, matching the global counter's semantics).  A
	 * syscall producing CMP signal without PC-edge progress is still
	 * earning post-plateau coverage of a different shape, so don't
	 * decay it.  Monotonic non-decreasing same as the edges counter. */
	cmp_inserts = __atomic_load_n(&kcov_shm->per_syscall_cmp_inserts[nr],
				      __ATOMIC_RELAXED);
	if (cmp_inserts > 0)
		return false;

	/* Transition-novelty lane.  per_syscall_transition_edges_real_local
	 * counts local-mode trace transition-slot first-flips (a new
	 * (prev_canon_pc, cur_canon_pc) ordering observed) for this syscall.
	 * Like the CMP lane: a syscall flipping new transition slots is
	 * earning control-flow coverage the PC bitmap misses, so the decay
	 * must release.  Monotonic non-decreasing. */
	transition_edges = __atomic_load_n(
		&kcov_shm->per_syscall_transition_edges_real_local[nr],
		__ATOMIC_RELAXED);
	if (transition_edges > 0)
		return false;

	/* New-errno novelty lane.  Scan the 7 non-SUCCESS buckets and find
	 * the dominant one.  SUCCESS is excluded from the dominance test
	 * because a syscall returning SUCCESS but bumping no PC edges is
	 * still exercising kernel state worth probing -- the decay targets
	 * syscalls whose calls the kernel is REJECTING with a single fixed
	 * errno.  Any new bucket (including a late SUCCESS) bumps per_
	 * syscall_calls and dilutes the dominant failure ratio below
	 * DOM_PCT, restoring the syscall to full sampling. */
	for (bucket = ERRNO_BUCKET_SUCCESS + 1;
	     bucket < ERRNO_BUCKET_NR; bucket++) {
		unsigned long c = __atomic_load_n(
			&kcov_shm->per_syscall_errno[nr][bucket],
			__ATOMIC_RELAXED);
		if (c > max_failure_bucket)
			max_failure_bucket = c;
	}
	/* Percent check rearranged to integer-safe form, matching the same
	 * shape cred_throttle_should_reject uses for HARD_FAIL_PCT. */
	if (max_failure_bucket * 100UL <
	    (unsigned long)FRONTIER_ERRNO_PLATEAU_DOM_PCT * calls)
		return false;

	return true;
}

void frontier_window_advance(void)
{
	uint32_t cur, next;
	unsigned int nr;
	unsigned long max_weight = 0;

	/* Clear-then-publish, the opposite of the previous order.  The old
	 * code bumped frontier_slot first and then aged out the slot it had
	 * just published, which opened a window in which a producer could
	 * (a) add into the new slot before we cleared it, (b) have that
	 * write exchanged back to zero, and (c) issue its cached-sum
	 * increment AFTER our subtract.  In the worst case the rotator's
	 * fetch_sub ran with an old_slot value that was larger than the
	 * cached running sum -- because part of the producer's contribution
	 * was already in the slot but not yet in the cached counter -- so
	 * the subtract wrapped negative and the cached count flipped to a
	 * near-UINT32_MAX weight.  That bogus weight is consumed by
	 * random-syscall.c's frontier roulette wheel; an arm-wide blow-up
	 * either collapses the wheel onto one syscall or pushes the
	 * rejection sampler into an effectively-uniform reject loop.
	 *
	 * We now compute the next slot index without publishing it, age out
	 * the slot's contents from every per-nr running sum while no
	 * producer is targeting that slot (frontier_slot still points to
	 * the previous slot), and only then bump frontier_slot.  A producer
	 * racing the rotation keeps adding into the previous slot for a
	 * handful of instructions -- a bounded window-boundary attribution
	 * error -- instead of having its addition silently dropped or
	 * inverting the cached sum.
	 *
	 * The saturating subtract is kept as a hard guard: even with the
	 * reorder, a CAS-clamped update means a producer that races our
	 * read-modify-write on cached can't drive it negative.  Hitting the
	 * clamp bumps frontier_underflow_prevented -- the metric is
	 * expected to read zero in steady state. */
	cur = __atomic_load_n(&shm->frontier_slot, __ATOMIC_RELAXED);
	next = (cur + 1U) & (FRONTIER_DECAY_WINDOWS - 1);

	for (nr = 0; nr < MAX_NR_SYSCALL; nr++) {
		uint32_t old_slot;
		uint32_t old_cached;
		uint32_t new_sum;

		old_slot = __atomic_exchange_n(&shm->frontier_history[nr][next],
					       0U, __ATOMIC_RELAXED);

		/* CAS loop so a concurrent producer's fetch_add against the
		 * cached counter cannot be lost and cannot underflow the
		 * sum.  Producers should not be racing this nr at this
		 * point (frontier_slot still names the previous slot) but
		 * the loop costs at most a handful of retries and removes
		 * the underflow case unconditionally. */
		old_cached = __atomic_load_n(
			&shm->frontier_recent_count_cached[nr],
			__ATOMIC_RELAXED);
		for (;;) {
			if (old_cached >= old_slot)
				new_sum = old_cached - old_slot;
			else
				new_sum = 0;
			if (__atomic_compare_exchange_n(
				    &shm->frontier_recent_count_cached[nr],
				    &old_cached, new_sum, false,
				    __ATOMIC_RELAXED, __ATOMIC_RELAXED))
				break;
		}
		if (old_cached < old_slot)
			__atomic_add_fetch(
				&shm->stats.frontier_underflow_prevented,
				1UL, __ATOMIC_RELAXED);
		if (new_sum > max_weight)
			max_weight = new_sum;
	}

	/* Publish the new slot only after every per-nr clear has landed.
	 * From this point producers see the freshly-zeroed slot. */
	__atomic_store_n(&shm->frontier_slot, cur + 1U, __ATOMIC_RELAXED);

	if (max_weight > UINT_MAX)
		max_weight = UINT_MAX;
	__atomic_store_n(&shm->frontier_max_weight_cached,
			 (unsigned int)max_weight, __ATOMIC_RELAXED);
}

/*
 * Compute the UCB1 score for one arm.  Discounted formulation
 * (D-UCB): the lifetime bandit_pulls[]/bandit_reward_calls[] series
 * is replaced by the rolling exponentially-decayed counters
 * recent_pulls_x1000[]/recent_reward_x1000[] so the picker tracks
 * recent yield instead of the lifetime average.  Kernel coverage
 * discovery is non-stationary -- early windows mine out easy edges
 * and late windows degrade -- so an arm's last few windows are the
 * relevant signal, not its 2024 mean.
 *
 *     score_i = mean_reward_i / norm + c * sqrt(ln(N) / n_i)
 *
 * where:
 *   mean_reward_i = recent_reward_x1000[i] / recent_pulls_x1000[i]
 *                   (the x1000 fixed-point cancels, leaving the
 *                   discounted mean reward in the original calls
 *                   units the lifetime series used)
 *   norm          = max over arms of mean_reward_j (or 1 if all zero)
 *   N             = sum across arms of n_j (effective discounted
 *                   sample size, the D-UCB analogue of total_pulls)
 *   n_i           = recent_pulls_x1000[i] / 1000.0
 *   c             = UCB1_EXPLORATION_C
 *
 * Normalising the exploit term by the largest observed mean keeps it
 * in roughly the same range as the exploration term (~1) regardless
 * of whether per-window rewards are in the hundreds or hundreds of
 * thousands.  Without normalisation, a UCB1 picker over edges-per-
 * window degenerates into "always pick the arm with the highest
 * cumulative average" because the exploit term dwarfs sqrt(ln/n).
 *
 * The reward signal consumed here is still the CALL-COUNT series
 * (recent_reward_x1000[] is the discounted form of
 * bandit_reward_calls[] -- calls-with-≥1-edge plus the weighted CMP
 * novelty term).  The parallel real bucket-count series
 * (bandit_reward_pc_edge_count[]) remains a lifetime diagnostic and
 * does not feed the score; switching the learner to a discounted
 * bucket-count signal is a separate decision once both signals have
 * been observed under discounting against real run data.
 *
 * pulls_x1000 == 0 clamps to 1: an arm whose discounted count
 * decayed all the way to zero (≈140 windows of no selection at
 * gamma=0.95) is by definition starved, the resulting huge explore
 * term is the correct outcome.  The clamp keeps the division
 * well-defined rather than relying on a separate guard.
 */
static double ucb1_score(int arm, double total_n, double norm)
{
	unsigned long pulls_x1000 = __atomic_load_n(&shm->recent_pulls_x1000[arm],
						    __ATOMIC_RELAXED);
	unsigned long reward_x1000 = __atomic_load_n(&shm->recent_reward_x1000[arm],
						     __ATOMIC_RELAXED);
	double n_i, mean, exploit, explore;

	if (pulls_x1000 == 0)
		pulls_x1000 = 1;

	n_i = (double)pulls_x1000 / (double)BANDIT_EMA_SCALE;
	mean = (double)reward_x1000 / (double)pulls_x1000;
	exploit = mean / norm;
	explore = UCB1_EXPLORATION_C * sqrt(log(total_n) / n_i);

	return exploit + explore;
}

/*
 * Sum across reasons of the by-reason pull matrix.  Used by the
 * cold-start scan so an arm exercised under SR_PLATEAU_FORCE counts
 * as "has been selected": bandit_pulls[] is deliberately not bumped
 * on forced-intervention windows (see bandit_record_pull) so the UCB
 * learner's reward history stays clean, but bandit_pulls_by_reason[]
 * captures every window unconditionally, and summing across reasons
 * gives the true "ever picked?" answer that cold-start wants.
 * NR_STRATEGIES * NR_SELECTION_REASONS is currently 12 cells; the
 * cold-start scan only fires until each eligible arm has been picked
 * once, so the cost is irrelevant.
 */
static unsigned long bandit_total_picks(int arm)
{
	unsigned long total = 0;
	int r;

	for (r = 0; r < NR_SELECTION_REASONS; r++)
		total += __atomic_load_n(&shm->bandit_pulls_by_reason[arm][r],
					 __ATOMIC_RELAXED);
	return total;
}

/*
 * Pick the arm to run during the next window using the configured
 * arm-selection POLICY only.  Returns an index in [0, NR_STRATEGIES)
 * and writes the reason path through *reason_out.  The caller
 * (maybe_rotate_strategy via select_next_strategy) has already
 * updated bandit_pulls[]/bandit_reward_calls[] (plus the parallel
 * bandit_reward_pc_edge_count[] diagnostic series) AND the
 * discounted recent_pulls_x1000[]/recent_reward_x1000[] series for
 * the just-finished window unless that window was a forced
 * intervention.  UCB1 scoring reads the discounted recent series
 * (D-UCB, see ucb1_score) so non-stationary kernel coverage
 * discovery doesn't let early-run wins dominate late-run picks.
 *
 * Cold-start: any arm that has never been selected by any path --
 * UCB pick, round-robin, prior cold-start, or plateau-force --
 * wins immediately (UCB1's convention: every arm gets one pull
 * before the score formula makes sense).  The trigger reads the
 * lifetime by-reason aggregate rather than bandit_pulls[] so a
 * plateau-force window counts as "selected" even though the
 * learner-facing bandit_pulls[] is deliberately not bumped on
 * forced rotations (see bandit_record_pull).  Lifetime rather than
 * discounted pulls because cold-start is a once-per-arm trigger;
 * using the decayed count would re-fire after the discount horizon
 * and turn the learner into slow round-robin.  Ties broken in
 * favour of the lower index, which keeps the warm-up deterministic.
 *
 * Round-robin mode bypasses the bandit entirely and just steps to
 * the next arm — same behaviour as Phase 1.
 *
 * Plateau-driven interventions used to live inside this function as
 * an early-return override; they now sit one level up in
 * select_next_strategy() so forced-intervention windows can be kept
 * out of the UCB learner's pull/reward history.  This picker is pure
 * policy — no intervention awareness.
 */
int pick_next_strategy(int prev, enum strategy_selection_reason *reason_out)
{
	enum picker_mode_t mode;
	bool eligible[NR_STRATEGIES];
	double total_n = 0.0;
	double max_mean = 0.0;
	double best_score;
	int best_arm = -1;
	int i;

	/* Empty active-syscall pool guard.  If every syscall has been
	 * deactivated (either nr_active_syscalls on uniarch, or both 32/64
	 * counters on biarch), the per-arm weighting below has nothing
	 * meaningful to score and can silently land on a non-RANDOM arm
	 * whose strategy routine has no useful work to do.  Short-circuit
	 * to STRATEGY_RANDOM -- the random picker copes with an empty pool
	 * via its own fallbacks -- and emit a one-shot log so the
	 * degenerate condition is visible without spamming. */
	if (shm->nr_active_syscalls == 0 &&
	    shm->nr_active_32bit_syscalls == 0 &&
	    shm->nr_active_64bit_syscalls == 0) {
		static bool warned;
		if (!warned) {
			warned = true;
			outputerr("pick_next_strategy: active-syscall pool empty -- forcing STRATEGY_RANDOM\n");
		}
		*reason_out = SR_NORMAL_UCB;
		return STRATEGY_RANDOM;
	}

	mode = __atomic_load_n(&shm->picker_mode, __ATOMIC_RELAXED);

	/* Cache per-arm eligibility once.  No arm has an expensive precondition
	 * today, but the hook stays so a future arm with one slots in here
	 * without changing the picker dispatch. */
	for (i = 0; i < NR_STRATEGIES; i++)
		eligible[i] = is_strategy_eligible(i);

	if (mode == PICKER_ROUND_ROBIN) {
		int next = prev;
		*reason_out = SR_ROUND_ROBIN;
		for (i = 0; i < NR_STRATEGIES; i++) {
			next = (next + 1) % NR_STRATEGIES;
			if (eligible[next])
				return next;
		}
		/* Every arm ineligible — should not happen because at least
		 * STRATEGY_HEURISTIC and STRATEGY_RANDOM have no preconditions.
		 * Fall back to the historical Phase 1 behaviour rather than
		 * returning -1 to a caller that expects a valid index. */
		return (prev + 1) % NR_STRATEGIES;
	}

	/* Cold-start reads the LIFETIME by-reason aggregate (see
	 * bandit_total_picks) rather than the learner-facing
	 * bandit_pulls[i].  bandit_pulls[] is deliberately not bumped on
	 * SR_PLATEAU_FORCE windows -- forced-intervention rotations are
	 * excluded from the UCB reward history so the learner can't
	 * confuse a policy-chosen STRATEGY_RANDOM window with a
	 * plateau-forced one -- so an arm that has only ever been
	 * exercised under plateau-force still reads zero in
	 * bandit_pulls[].  Keying cold-start off that would keep firing
	 * for the same arm every rotation, trapping the picker behind
	 * the forced-RANDOM slot under low fleet iter rates and starving
	 * the remaining arms.  The by-reason aggregate captures every
	 * window (including SR_PLATEAU_FORCE) so it treats "selected at
	 * least once by any path" as cold-start-satisfying; bandit_pulls[]
	 * still gates UCB scoring.  Recent (discounted) pulls are
	 * intentionally NOT consulted here -- cold-start is a "never
	 * observed" trigger, not a "haven't been observed lately" one,
	 * and reading recent_pulls_x1000 would re-fire cold-start every
	 * ~140 windows for any arm the picker has stopped choosing. */
	for (i = 0; i < NR_STRATEGIES; i++) {
		if (!eligible[i])
			continue;
		if (bandit_total_picks(i) == 0) {
			*reason_out = SR_COLD_START;
			return i;
		}
	}

	/* total_n: sum of discounted effective-sample counts across
	 * eligible arms.  D-UCB analogue of vanilla UCB1's "total pulls"
	 * in the ln(N) explore-term numerator.  Floor at 1.0 so log()
	 * stays non-negative on a fresh post-cold-start run where the
	 * sum hasn't grown above unity yet. */
	for (i = 0; i < NR_STRATEGIES; i++) {
		if (!eligible[i])
			continue;
		total_n += (double)__atomic_load_n(&shm->recent_pulls_x1000[i],
						   __ATOMIC_RELAXED) /
			   (double)BANDIT_EMA_SCALE;
	}
	if (total_n < 1.0)
		total_n = 1.0;

	/* Normalise by the largest discounted mean-reward across eligible
	 * arms so the exploit term lives in the same numeric range as the
	 * exploration term.  Falls back to 1.0 when every arm has yielded
	 * zero edges in the recent horizon (well-defined and harmless).
	 * Skips arms whose discounted pulls decayed to zero -- their
	 * "mean" is undefined, and they will get a huge explore-term
	 * score from ucb1_score's pulls_x1000==0 clamp so the picker will
	 * re-try them on this pass anyway. */
	for (i = 0; i < NR_STRATEGIES; i++) {
		unsigned long p, r;
		double mean;

		if (!eligible[i])
			continue;
		p = __atomic_load_n(&shm->recent_pulls_x1000[i],
				    __ATOMIC_RELAXED);
		r = __atomic_load_n(&shm->recent_reward_x1000[i],
				    __ATOMIC_RELAXED);
		if (p == 0)
			continue;
		mean = (double)r / (double)p;
		if (mean > max_mean)
			max_mean = mean;
	}
	if (max_mean <= 0.0)
		max_mean = 1.0;

	best_score = -1.0;
	for (i = 0; i < NR_STRATEGIES; i++) {
		double s;

		if (!eligible[i])
			continue;
		s = ucb1_score(i, total_n, max_mean);
		if (best_arm < 0 || s > best_score) {
			best_score = s;
			best_arm = i;
		}
	}
	if (best_arm < 0)
		best_arm = STRATEGY_HEURISTIC;
	*reason_out = SR_NORMAL_UCB;
	return best_arm;
}

/*
 * Intervention layer above pick_next_strategy().  Today's only
 * intervention is plateau-driven: when kcov reports the fleet's
 * edge-discovery rate is stalled, force STRATEGY_RANDOM with reason
 * SR_PLATEAU_FORCE without consulting the UCB scorer, so the bandit
 * is shaken out of whatever local minimum it has settled into.  The
 * rotation site checks the stamped reason at window close and skips
 * the bandit_record_pull() call for SR_PLATEAU_FORCE windows so the
 * learner's reward history stays clean of intervention noise.
 *
 * Round-robin mode bypasses the intervention -- its own cycling
 * already includes RANDOM, and forcing it here would collapse the
 * cycle to one arm.
 *
 * Future dispatches will replace the "force STRATEGY_RANDOM" policy
 * with smarter interventions (e.g. a classifier that picks the arm
 * most likely to break the stall) inside this function; the
 * separation between intervention and learner keeps that work from
 * disturbing the UCB scoring path.
 */
/*
 * Random-rescue amplification thresholds.  A class must clear an
 * absolute floor (so a handful of stray rescues do not whip the
 * orchestrator around between arms) AND a 2x lead over the second-best
 * class (so two near-tied classes default back to plain RANDOM rather
 * than coin-flipping the intervention).  Both numbers are conservative
 * -- the amplification is a temporary modifier on a single intervention
 * window, easy to recover from on the next rotation if the dominant
 * class shifts.
 */
#define RRC_AMPLIFY_MIN_COUNT  32UL
#define RRC_AMPLIFY_LEAD_RATIO 2UL

/*
 * Compute the dominant rescue class from the cumulative counters.
 * Returns RRC_NR_CLASSES (the "no amplification" sentinel) when no
 * class clears both the floor and the lead-over-second-best threshold.
 * Placeholder classes (RRC_UNUSUAL_FD_PRODUCER, RRC_WRONG_TYPE_FD,
 * RRC_PERSONA_GATED) are scanned so the comparison sees them, but the
 * classifier never credits a rescue to them today so they cannot win;
 * the orchestrator's bias dispatch treats them as plain RANDOM
 * regardless, which is also the behaviour for RRC_UNKNOWN.
 */
static enum random_rescue_class dominant_rescue_class(void)
{
	unsigned long best = 0;
	unsigned long second = 0;
	enum random_rescue_class best_class = RRC_NR_CLASSES;
	int i;

	for (i = 0; i < RRC_NR_CLASSES; i++) {
		unsigned long c = __atomic_load_n(
			&shm->random_rescue_class_count[i], __ATOMIC_RELAXED);
		if (c > best) {
			second = best;
			best = c;
			best_class = (enum random_rescue_class)i;
		} else if (c > second) {
			second = c;
		}
	}

	if (best < RRC_AMPLIFY_MIN_COUNT)
		return RRC_NR_CLASSES;
	if (best < second * RRC_AMPLIFY_LEAD_RATIO)
		return RRC_NR_CLASSES;
	return best_class;
}

/*
 * Map a dominant rescue class to the targeted intervention arm.
 * Defaults to STRATEGY_RANDOM (the historical pre-classifier
 * behaviour) for classes that do not have a structured replay
 * available -- placeholder classes whose underlying infrastructure
 * does not exist yet, the unknown bucket, and the "no class
 * dominant" sentinel.
 */
static int amplified_intervention_arm(enum random_rescue_class c)
{
	switch (c) {
	case RRC_COLD_SKIP:
		/* Heuristic with cold-skip suppressed -- the set_syscall_nr_
		 * heuristic read of plateau_rescue_amplified_class will
		 * short-circuit the kcov_syscall_cold_skip_pct retry while
		 * the intervention runs. */
		return STRATEGY_HEURISTIC;
	case RRC_CMP_DERIVED:
		/* Frontier-weighted picker.  RRC_CMP_DERIVED rescues fired
		 * on syscalls whose cmp_hints pool carried at least one
		 * learned constant, so the kernel is emitting comparison
		 * records the args generator could land but the per-syscall
		 * pick distribution is not steering to.  The frontier picker
		 * roulette-weights by per-syscall near-coverage signal,
		 * which is the closest structured proxy available for "this
		 * syscall is one new constant away from a fresh edge" --
		 * exactly the shape the cmp_rising_pc_flat hypothesis
		 * describes at the fleet level. */
		return STRATEGY_COVERAGE_FRONTIER;
	case RRC_UNUSUAL_FD_PRODUCER:
	case RRC_WRONG_TYPE_FD:
	case RRC_PERSONA_GATED:
	case RRC_UNKNOWN:
	case RRC_NR_CLASSES:
		break;
	}
	return STRATEGY_RANDOM;
}

int select_next_strategy(int prev,
			 enum strategy_selection_reason *reason_out)
{
	enum picker_mode_t mode;

	mode = __atomic_load_n(&shm->picker_mode, __ATOMIC_RELAXED);

	if (mode == PICKER_BANDIT_UCB1 &&
	    kcov_shm != NULL &&
	    __atomic_load_n(&kcov_shm->plateau_active, __ATOMIC_ACQUIRE)) {
		enum random_rescue_class amplified = RRC_NR_CLASSES;
		enum plateau_intervention_mode pim;
		unsigned long rot;
		int arm;

		/* Round-robin among the intervention modes.  The fetch_add
		 * returns the PREVIOUS counter value, so each rotation
		 * picks a mode cleanly without coordination between
		 * concurrent rotations -- the CAS in maybe_rotate_strategy
		 * already serialises which child runs select_next_strategy
		 * in the first place, but the fetch_add semantics keep the
		 * rotation correct even if a future refactor lets multiple
		 * writers in.
		 *
		 * The counter only ticks during plateau windows, so a
		 * fresh plateau picks up wherever the previous one left
		 * off rather than always starting from PIM_UNIFORM_RANDOM
		 * -- this matters when the plateau detector flaps between
		 * active and inactive across consecutive rotations and an
		 * always-from-zero counter would bias the early windows of
		 * each plateau toward the same mode. */
		rot = __atomic_fetch_add(
			&shm->plateau_intervention_rotation_counter, 1UL,
			__ATOMIC_RELAXED);
		pim = (enum plateau_intervention_mode)(rot % NR_PIM_MODES);

		/* Cold-ring deweight: PIM_COVERAGE_FRONTIER is a near-no-op
		 * when the per-syscall frontier rings have aged out everywhere
		 * (frontier_max_weight_cached == 0), the defining state of a
		 * deep plateau.  set_syscall_nr_coverage_frontier still drives
		 * forward via the silent-regime lifetime-ratio fallback, but
		 * a real run that re-plateaued after the rescue fired observed
		 * 9 childops self-demoting on "zero_edges" inside their canary
		 * window -- the rescue's PIM rotation pinned ~25% of windows
		 * on FRONTIER, the silent fallback found no new edges in the
		 * canary horizon, the canary gate demoted the ops, throughput
		 * collapsed to idle.  The rescue fired and did nothing.
		 *
		 * Substitute the cold FRONTIER slot with PIM_UNIFORM_RANDOM:
		 * it needs no populated ring, runs the historical pre-
		 * classifier baseline that does not feed the canary demote
		 * gate, and breaks the demote-to-idle spiral.  PIM_ANTI_PRIOR
		 * still occupies its own rotation slot, so each cold-ring
		 * cycle still hits both no-ring-needed modes (the cycle
		 * becomes UNIFORM:ANTI:RRC:UNIFORM-was-FRONTIER).
		 *
		 * Approach is skip-when-cold (single conditional substitution)
		 * rather than weight-to-zero (per-rotation NR_PIM_MODES
		 * remapping plus an active-modes mask).  Skip keeps the
		 * per-mode windows array, mode-name tables, and check-static
		 * gates stable -- substituting one enum value into another
		 * cell costs no new surface.  Weight-to-zero would add a
		 * second source of truth for "which modes are active" without
		 * changing steady-state behaviour.
		 *
		 * Threshold is == 0 (strict) rather than the picker's <= 2
		 * silent-regime threshold: at max_weight 1 or 2 the live
		 * regime still has a trickle of signal and we want FRONTIER
		 * to keep running on it.  Only the fully-aged-out case (no
		 * ratchet at all this rotation) gets the substitution.
		 *
		 * RELAXED load: the cache is itself updated RELAXED on every
		 * frontier_bump() and on each window-rotation recompute, and
		 * the picker reads it RELAXED, so an in-flight bump is
		 * acceptable here -- we read it once at the rotation boundary
		 * and either choice (skip or run) is safe and self-corrects
		 * on the next rotation when the cache settles.
		 *
		 * PIM_RRC_BIASED is deliberately NOT cold-deweighted: it can
		 * dispatch to FRONTIER via the RRC_CMP_DERIVED leg of
		 * amplified_intervention_arm(), but only when the classifier
		 * has accumulated positive evidence that the kernel is
		 * emitting comparison records the picker is not steering to.
		 * The cold ring does not contradict that signal -- a syscall
		 * with a populated cmp_hints pool and zero current frontier
		 * weight is exactly the case CMP_DERIVED amplification exists
		 * to escalate. */
		if (pim == PIM_COVERAGE_FRONTIER &&
		    __atomic_load_n(&shm->frontier_max_weight_cached,
				    __ATOMIC_RELAXED) == 0) {
			pim = PIM_UNIFORM_RANDOM;
			__atomic_fetch_add(
				&shm->stats.frontier_intervention_cold_skipped,
				1UL, __ATOMIC_RELAXED);
		}

		switch (pim) {
		case PIM_RRC_BIASED:
			/* Random-rescue classifier dispatch path.  Reuses
			 * the existing dominant_rescue_class +
			 * amplified_intervention_arm pair so the classifier-
			 * driven structured replay shape stays the same as
			 * when amplification was the only intervention mode;
			 * only the SCHEDULING of when it runs differs, not
			 * the internals. */
			amplified = dominant_rescue_class();
			arm = amplified_intervention_arm(amplified);
			break;
		case PIM_ANTI_PRIOR:
			/* Refresh the baseline at the rotation boundary so
			 * the per-call accept gate inside set_syscall_nr_
			 * random reads a value that matches the picker's
			 * CURRENT distribution.  Recomputing every rotation
			 * (rather than once-at-init) lets the bias track the
			 * learned distribution as it drifts across the run.
			 *
			 * STRATEGY_RANDOM is the arm regardless of mode -- the
			 * anti-prior bias rides per-call inside the random
			 * picker, not at the strategy-selection layer. */
			plateau_anti_prior_refresh_baseline();
			arm = STRATEGY_RANDOM;
			break;
		case PIM_COVERAGE_FRONTIER:
			/* Frontier-weighted picker, unconditional.  The
			 * bandit is short-circuited for the duration of the
			 * plateau, so without this rotation slot the
			 * coverage-frontier arm cannot be selected at all
			 * during a plateau window -- the exact windows where
			 * chasing near-coverage edges is most likely to
			 * unstick discovery.  No baseline refresh needed:
			 * the frontier picker reads its own per-syscall
			 * near-coverage ring on every pick. */
			arm = STRATEGY_COVERAGE_FRONTIER;
			break;
		case PIM_UNIFORM_RANDOM:
		default:
			/* Baseline mode: STRATEGY_RANDOM with no per-call
			 * bias.  Kept as a rotation slot so the A/B
			 * comparison has an anchor -- without it,
			 * "anti-prior helped" and "RRC-bias helped" both
			 * reduce to comparisons against each other rather
			 * than against the historical pre-classifier
			 * intervention shape. */
			arm = STRATEGY_RANDOM;
			break;
		}

		/* Publish the amplified class and intervention mode BEFORE
		 * the reason store on current_selection_reason in
		 * maybe_rotate_strategy.  The rotation site stores
		 * current_selection_reason with RELAXED ordering and pairs
		 * it with the current_strategy RELEASE store, so a child
		 * observing the new strategy also sees both freshly-
		 * published fields on its next pick.  RRC_NR_CLASSES means
		 * "no class dominant"; PIM_UNIFORM_RANDOM is published
		 * outside the intervention branch below so the anti-prior
		 * gate cannot stay latched on after the plateau lifts. */
		__atomic_store_n(&shm->plateau_rescue_amplified_class,
				 (int)amplified, __ATOMIC_RELAXED);
		__atomic_store_n(&shm->plateau_intervention_mode_current,
				 (int)pim, __ATOMIC_RELAXED);
		__atomic_fetch_add(
			&shm->plateau_intervention_mode_windows[pim], 1UL,
			__ATOMIC_RELAXED);
		__atomic_fetch_add(&shm->stats.plateau_forced_windows, 1UL,
				   __ATOMIC_RELAXED);
		/* Side-channel count of intervention-forced frontier picks.
		 * Bumped here so both the unconditional PIM_COVERAGE_FRONTIER
		 * slot AND the PIM_RRC_BIASED dispatch that maps RRC_CMP_
		 * DERIVED to the frontier arm get attributed.  Deliberately
		 * NOT a bandit_pulls[STRATEGY_COVERAGE_FRONTIER] bump: D-UCB's
		 * exploration bonus assumes pulls reflect policy choice, not
		 * an intervention rescue, and folding the forced window into
		 * the learner's reward series would shift the arm's apparent
		 * yield toward the intervention cohort for the rest of the
		 * run. */
		if (arm == STRATEGY_COVERAGE_FRONTIER)
			__atomic_fetch_add(
				&shm->stats.frontier_intervention_pulls,
				1UL, __ATOMIC_RELAXED);
		*reason_out = SR_PLATEAU_FORCE;
		return arm;
	}

	/* Not in a plateau intervention -- clear the amplification AND the
	 * mode so neither the RRC bias dispatch nor the anti-prior accept
	 * gate can stay latched on after the plateau lifts.  Both reset to
	 * the "no bias" sentinel (RRC_NR_CLASSES / PIM_UNIFORM_RANDOM)
	 * because their hot-path gates short-circuit cleanly on those
	 * values. */
	__atomic_store_n(&shm->plateau_rescue_amplified_class,
			 (int)RRC_NR_CLASSES, __ATOMIC_RELAXED);
	__atomic_store_n(&shm->plateau_intervention_mode_current,
			 (int)PIM_UNIFORM_RANDOM, __ATOMIC_RELAXED);

	return pick_next_strategy(prev, reason_out);
}

const char *strategy_selection_reason_name(enum strategy_selection_reason r)
{
	switch (r) {
	case SR_NORMAL_UCB:	return "NORMAL_UCB";
	case SR_ROUND_ROBIN:	return "ROUND_ROBIN";
	case SR_COLD_START:	return "COLD_START";
	case SR_PLATEAU_FORCE:	return "PLATEAU_FORCE";
	case NR_SELECTION_REASONS:	break;	/* sentinel */
	}
	return "?";
}

void strategy_plateau_response(void)
{
	/* Force the strategy picker to rotate on the next syscall dispatch
	 * so the intervention layer in select_next_strategy (returns
	 * STRATEGY_RANDOM with SR_PLATEAU_FORCE while plateau_active is set)
	 * takes effect within seconds rather than waiting up to
	 * STRATEGY_WINDOW (1UL << 17 = ~131K ops, ~65 sec at 2K iter/sec)
	 * for the natural rotation cadence.  Setting syscalls_at_last_switch to 0
	 * makes maybe_rotate_strategy trip on the next call from any child;
	 * the CAS guard there ensures only one child does the rotation work
	 * even though every child sees the trigger.  After this fires once,
	 * the field advances to op_count and the next forced rotation waits
	 * for the usual window — which is fine, because the intervention
	 * stays latched on plateau_active for as long as the plateau
	 * persists. */
	__atomic_store_n(&shm->syscalls_at_last_switch, 0UL, __ATOMIC_RELAXED);

	/* Arm the per-plateau-window snapshot the rule evaluator diffs
	 * against on every subsequent stats tick.  Called on the rising
	 * edge into plateau_active so the entry baseline reflects the
	 * counter values at the moment discovery actually stalled, not
	 * whatever they happened to be at the previous stats tick. */
	strategy_plateau_hypothesis_enter();
}

void plateau_snapshot_capture(struct plateau_window_snapshot *snap)
{
	unsigned int op, nr, nr_max;

	if (snap == NULL)
		return;

	memset(snap, 0, sizeof(*snap));

	if (kcov_shm != NULL) {
		snap->pc_edges = __atomic_load_n(&kcov_shm->edges_found,
						 __ATOMIC_RELAXED);
		snap->cmp_unique = __atomic_load_n(
			&kcov_shm->cmp_hints_unique_inserts, __ATOMIC_RELAXED);
		/* total_calls / remote_calls now drained from per-child
		 * stats_ring into parent_stats; kcov_shm->total_calls is
		 * reserved for the last_edge_at[] / last_efault_at[]
		 * stamp source and the cold-skip gap denominator only,
		 * kcov_shm->remote_calls is no longer bumped.  See
		 * stats_ring.h. */
		snap->remote_calls = parent_stats.remote_calls;
		snap->total_calls = parent_stats.total_calls;

		/* Per-group new-edge attribution.  per_syscall_edges is a
		 * CALL-COUNT signal (a syscall that uncovers 50 distinct
		 * edges in one call bumps by 1, not 50 -- see the field
		 * comment in include/kcov.h) so the per-group sum here is
		 * the headline "how many CALLS in this group produced any
		 * new coverage" series.  The single-group-dominant rule
		 * compares per-group deltas against the total delta; both
		 * sides share the same units so the ratio is well-defined. */
		nr_max = max_nr_syscalls;
		if (nr_max > MAX_NR_SYSCALL)
			nr_max = MAX_NR_SYSCALL;
		for (nr = 0; nr < nr_max; nr++) {
			struct syscallentry *entry;
			unsigned int grp;
			unsigned long e;

			if (syscalls == NULL)
				break;
			entry = syscalls[nr].entry;
			if (entry == NULL)
				continue;
			grp = entry->group;
			if (grp >= NR_GROUPS)
				continue;
			e = __atomic_load_n(&kcov_shm->per_syscall_edges[nr],
					    __ATOMIC_RELAXED);
			snap->group_edges[grp] += e;
		}
	}

	snap->bandit_edges = __atomic_load_n(
		&shm->stats.bandit_pool_edges_discovered, __ATOMIC_RELAXED);
	snap->explorer_edges = __atomic_load_n(
		&shm->stats.explorer_pool_edges_discovered, __ATOMIC_RELAXED);
	snap->frontier_picks = __atomic_load_n(
		&shm->stats.frontier_strategy_picks, __ATOMIC_RELAXED);
	/* Bandit-side pulls + intervention-forced picks.  The bandit
	 * counter advances only on policy-chosen windows; the
	 * intervention counter advances only on SR_PLATEAU_FORCE
	 * windows that resolved to STRATEGY_COVERAGE_FRONTIER.  Their
	 * sum is "all rotations that selected the frontier arm",
	 * regardless of selection path.  Without the intervention
	 * term the plateau classifier's frontier_cold rule was
	 * structurally blind to intervention-driven frontier work --
	 * the bandit cannot pull the frontier arm during a plateau,
	 * so frontier_pulls stayed at 0 for the entire window and
	 * the rule's "pulls > 0 && picks == 0" predicate could never
	 * fire even when the intervention layer was already
	 * exercising the frontier picker. */
	snap->frontier_pulls = __atomic_load_n(
		&shm->bandit_pulls[STRATEGY_COVERAGE_FRONTIER],
		__ATOMIC_RELAXED) +
		__atomic_load_n(
			&shm->stats.frontier_intervention_pulls,
			__ATOMIC_RELAXED);
	snap->frontier_live_picks = __atomic_load_n(
		&shm->stats.frontier_live_picks, __ATOMIC_RELAXED);
	snap->frontier_silent_picks = __atomic_load_n(
		&shm->stats.frontier_silent_picks, __ATOMIC_RELAXED);

	for (op = 0; op < NR_CHILD_OP_TYPES; op++) {
		snap->childop_edges_total += __atomic_load_n(
			&shm->stats.childop_edges_discovered[op],
			__ATOMIC_RELAXED);
		snap->childop_calls_total += __atomic_load_n(
			&shm->stats.childop_calls_with_edges[op],
			__ATOMIC_RELAXED);
	}
}

/* Saturating-subtract: a - b clamped to 0.  See the field comment on
 * struct plateau_window_snapshot for why an inversion (concurrent
 * writer / counter reset) needs to fold to zero rather than wrap. */
static unsigned long sat_sub(unsigned long a, unsigned long b)
{
	return (a >= b) ? (a - b) : 0UL;
}

void plateau_snapshot_delta(struct plateau_window_snapshot *out,
			    const struct plateau_window_snapshot *entry,
			    const struct plateau_window_snapshot *now)
{
	unsigned int grp;

	if (out == NULL || entry == NULL || now == NULL)
		return;

	out->pc_edges = sat_sub(now->pc_edges, entry->pc_edges);
	out->cmp_unique = sat_sub(now->cmp_unique, entry->cmp_unique);
	out->bandit_edges = sat_sub(now->bandit_edges, entry->bandit_edges);
	out->explorer_edges = sat_sub(now->explorer_edges,
				      entry->explorer_edges);
	out->childop_edges_total = sat_sub(now->childop_edges_total,
					   entry->childop_edges_total);
	out->childop_calls_total = sat_sub(now->childop_calls_total,
					   entry->childop_calls_total);
	out->remote_calls = sat_sub(now->remote_calls, entry->remote_calls);
	out->total_calls = sat_sub(now->total_calls, entry->total_calls);
	out->frontier_picks = sat_sub(now->frontier_picks,
				      entry->frontier_picks);
	out->frontier_pulls = sat_sub(now->frontier_pulls,
				      entry->frontier_pulls);
	out->frontier_live_picks = sat_sub(now->frontier_live_picks,
					   entry->frontier_live_picks);
	out->frontier_silent_picks = sat_sub(now->frontier_silent_picks,
					     entry->frontier_silent_picks);
	for (grp = 0; grp < NR_GROUPS; grp++)
		out->group_edges[grp] = sat_sub(now->group_edges[grp],
						entry->group_edges[grp]);
}

/*
 * Plateau hypothesis classifier driver.
 *
 * Parent-private state: the tick driver only runs on the parent path
 * (called from print_stats()) so no atomics or locking are needed
 * for the file-local arrays below.  The publish path into
 * shm->plateau_current_hypothesis uses RELAXED atomics so consumer
 * gates in child.c and minicorpus.c read a consistent value -- see
 * the strategy.h consumer-contract block for the gates.
 *
 * hypothesis_entry_snap is captured once on the rising edge into
 * plateau_active and held until the matching falling edge.  Per-tick
 * deltas are diff'd against this snapshot rather than against the
 * previous tick so a rule that requires sustained signal (e.g.
 * cmp_unique delta of 1000+) trips on the cumulative growth across
 * the plateau window rather than racing with whatever the last tick
 * happened to capture.
 *
 * hypothesis_current is the rule that fired on the LAST tick; tracked
 * so we only stats_log_write on transitions (entry to FOO, FOO to BAR,
 * BAR to NONE) instead of every tick.  Long plateaus would otherwise
 * spam stats.log with one line per stats interval per hypothesis.
 */
static struct plateau_window_snapshot hypothesis_entry_snap;
static bool hypothesis_entry_armed;
static struct plateau_window_snapshot hypothesis_last_delta;
static enum plateau_hypothesis hypothesis_current = PLATEAU_HYPOTHESIS_NONE;
static unsigned long hypothesis_fires[NR_PLATEAU_HYPOTHESES];

const char *strategy_plateau_hypothesis_name(enum plateau_hypothesis h)
{
	switch (h) {
	case PLATEAU_HYPOTHESIS_NONE:
		return "NONE";
	case PLATEAU_HYPOTHESIS_CMP_RISING_PC_FLAT:
		return "cmp_rising_pc_flat";
	case PLATEAU_HYPOTHESIS_CHILDOP_DOMINANT:
		return "childop_dominant";
	case PLATEAU_HYPOTHESIS_REMOTE_DOMINANT:
		return "remote_dominant";
	case PLATEAU_HYPOTHESIS_FRONTIER_COLD:
		return "frontier_cold";
	case PLATEAU_HYPOTHESIS_SINGLE_GROUP_DOMINANT:
		return "single_group_dominant";
	case NR_PLATEAU_HYPOTHESES:
		break;	/* sentinel */
	}
	return "?";
}

/* Rule 1: cmp_unique still climbing while pc_edges is flat.
 *
 * Direct evidence the kernel is still emitting novel CMP records that
 * survive bloom + pool dedup, but those records aren't translating
 * into PC-edge coverage gains.  Either the cmp_hints consumer isn't
 * injecting the new constants effectively or the constants are
 * landing on argument slots the syscall doesn't validate against.
 * Either way the operator-meaningful signal is "CMP says progress,
 * PC says stalled". */
#define PHC_CMP_RISING_DELTA		1000UL

/* Rule 2: childop alt-op invocations are out-discovering generic
 * syscall picks by 2:1 on the per-pool new-edge attribution.
 * generic_edges is (bandit_edges + explorer_edges) -- both pools
 * dispatch through CHILD_OP_SYSCALL exclusively, so the sum is the
 * non-alt-op denominator the rule needs.  Compared against the
 * childop_calls_total CALL count (not childop_edges_total): the
 * syscall-path counters on the RHS are bumped by 1 per productive
 * call, so the LHS must use the parallel call-count counter or a
 * single alt-op invocation that surfaces 10 edges biases the ratio
 * 10:1 against syscall picks and the rule over-fires. */
#define PHC_CHILDOP_DOMINANT_RATIO	2UL

/* Rule 3: KCOV_REMOTE_ENABLE share has outgrown inline KCOV by 2:1
 * AND the remote-mode delta is non-trivial (the rule only matters
 * when remote is actually contributing -- a kernel without remote
 * KCOV reports remote_calls == 0 forever and the ratio is
 * meaningless).  remote_calls is a SUBSET of total_calls (a call
 * with KCOV_REMOTE_ENABLE bumps both); inline = total - remote. */
#define PHC_REMOTE_DOMINANT_RATIO	2UL
#define PHC_REMOTE_DOMINANT_MIN		100UL

/* Rule 5: one syscall group accounts for more than 70% of the
 * fleet's per-syscall-edges delta.  Conservative: only fires when
 * the total per-group sum is non-trivial so a fresh plateau window
 * with two edges in one group doesn't immediately trip a 100%
 * single-group classification. */
#define PHC_SINGLE_GROUP_PCT		70UL
#define PHC_SINGLE_GROUP_MIN		50UL

enum plateau_hypothesis strategy_plateau_hypothesis_check(
		const struct plateau_window_snapshot *entry,
		const struct plateau_window_snapshot *now)
{
	struct plateau_window_snapshot delta;
	unsigned long generic_edges, total_group_edges, max_group, inline_calls;
	unsigned int grp;

	if (entry == NULL || now == NULL)
		return PLATEAU_HYPOTHESIS_NONE;

	plateau_snapshot_delta(&delta, entry, now);

	/* Rule 1: CMP climbing, PC flat. */
	if (delta.cmp_unique > PHC_CMP_RISING_DELTA &&
	    delta.pc_edges == 0)
		return PLATEAU_HYPOTHESIS_CMP_RISING_PC_FLAT;

	/* Rule 2: childop alt-ops dominate.  Call-count vs call-count;
	 * see PHC_CHILDOP_DOMINANT_RATIO comment for the unit rationale. */
	generic_edges = delta.bandit_edges + delta.explorer_edges;
	if (delta.childop_calls_total >
	    PHC_CHILDOP_DOMINANT_RATIO * generic_edges &&
	    delta.childop_calls_total > 0)
		return PLATEAU_HYPOTHESIS_CHILDOP_DOMINANT;

	/* Rule 3: remote KCOV dominates inline KCOV.  inline_calls is
	 * derived rather than stored to avoid carrying redundant state. */
	inline_calls = sat_sub(delta.total_calls, delta.remote_calls);
	if (delta.remote_calls > PHC_REMOTE_DOMINANT_MIN &&
	    delta.remote_calls > PHC_REMOTE_DOMINANT_RATIO * inline_calls)
		return PLATEAU_HYPOTHESIS_REMOTE_DOMINANT;

	/* Rule 4: frontier cold.  The bandit selected the coverage-
	 * frontier arm at least once during the plateau window but the
	 * weighted-accept gate inside the picker rejected every
	 * candidate, so no frontier-weighted call ran.  The pulls > 0
	 * predicate is what makes this a real signal: without it the
	 * rule would also fire on plateaus where the bandit simply
	 * never pulled CFV (uninformative -- could be a policy
	 * accident, could be a starved arm), and the rule classifier
	 * would attribute "frontier cold" to windows that say nothing
	 * about the frontier picker's behaviour. */
	if (delta.frontier_pulls > 0 && delta.frontier_picks == 0)
		return PLATEAU_HYPOTHESIS_FRONTIER_COLD;

	/* Rule 5: single group dominates. */
	total_group_edges = 0;
	max_group = 0;
	for (grp = 0; grp < NR_GROUPS; grp++) {
		total_group_edges += delta.group_edges[grp];
		if (delta.group_edges[grp] > max_group)
			max_group = delta.group_edges[grp];
	}
	if (total_group_edges > PHC_SINGLE_GROUP_MIN &&
	    max_group * 100UL > PHC_SINGLE_GROUP_PCT * total_group_edges)
		return PLATEAU_HYPOTHESIS_SINGLE_GROUP_DOMINANT;

	return PLATEAU_HYPOTHESIS_NONE;
}

void strategy_plateau_hypothesis_enter(void)
{
	plateau_snapshot_capture(&hypothesis_entry_snap);
	hypothesis_entry_armed = true;
	memset(&hypothesis_last_delta, 0, sizeof(hypothesis_last_delta));
	hypothesis_current = PLATEAU_HYPOTHESIS_NONE;
}

void strategy_plateau_hypothesis_tick(void)
{
	struct plateau_window_snapshot now;
	enum plateau_hypothesis fired;

	if (kcov_shm == NULL)
		return;

	if (!__atomic_load_n(&kcov_shm->plateau_active, __ATOMIC_ACQUIRE)) {
		/* Plateau cleared: drop the entry snapshot so the next
		 * plateau gets a fresh baseline.  hypothesis_fires[] is
		 * NOT cleared -- the fire-count distribution is a
		 * cumulative across-plateau statistic. */
		if (hypothesis_entry_armed) {
			hypothesis_entry_armed = false;
			hypothesis_current = PLATEAU_HYPOTHESIS_NONE;
			memset(&hypothesis_last_delta, 0,
			       sizeof(hypothesis_last_delta));
		}
		/* Phase 2: publish the cleared hypothesis so the
		 * select_next_strategy pin-gate drops on the next
		 * rotation.  Done outside the entry_armed guard so a
		 * spurious tick after rearm-cancel (or before the first
		 * arm) still leaves shm in the NONE sentinel state. */
		__atomic_store_n(&shm->plateau_current_hypothesis,
				 (int)PLATEAU_HYPOTHESIS_NONE,
				 __ATOMIC_RELAXED);
		return;
	}

	/* Plateau detector fired before the orchestrator armed the entry
	 * snapshot (e.g. operator started under an existing plateau).
	 * Arm lazily so subsequent ticks see real deltas. */
	if (!hypothesis_entry_armed)
		strategy_plateau_hypothesis_enter();

	plateau_snapshot_capture(&now);
	plateau_snapshot_delta(&hypothesis_last_delta,
			       &hypothesis_entry_snap, &now);
	fired = strategy_plateau_hypothesis_check(&hypothesis_entry_snap, &now);

	if (fired != hypothesis_current) {
		if (fired != PLATEAU_HYPOTHESIS_NONE) {
			hypothesis_fires[fired]++;
			stats_log_write(
				"plateau hypothesis: %s fired (cmp_delta=+%lu/window pc_delta=+%lu/window childop_calls_delta=+%lu childop_edges_delta=+%lu generic_delta=+%lu remote_delta=+%lu/+%lu frontier_pulls=%lu frontier_picks=%lu frontier_live=%lu frontier_silent=%lu)\n",
				strategy_plateau_hypothesis_name(fired),
				hypothesis_last_delta.cmp_unique,
				hypothesis_last_delta.pc_edges,
				hypothesis_last_delta.childop_calls_total,
				hypothesis_last_delta.childop_edges_total,
				hypothesis_last_delta.bandit_edges +
				hypothesis_last_delta.explorer_edges,
				hypothesis_last_delta.remote_calls,
				hypothesis_last_delta.total_calls,
				hypothesis_last_delta.frontier_pulls,
				hypothesis_last_delta.frontier_picks,
				hypothesis_last_delta.frontier_live_picks,
				hypothesis_last_delta.frontier_silent_picks);
		} else {
			stats_log_write(
				"plateau hypothesis: NONE (no rule matched window deltas)\n");
		}
		hypothesis_current = fired;
	}

	/* Phase 2: publish the live hypothesis to shm on every tick (not
	 * just transitions) so a child that missed the transition tick
	 * still observes the current value on its next rotation. */
	__atomic_store_n(&shm->plateau_current_hypothesis,
			 (int)hypothesis_current, __ATOMIC_RELAXED);
}

enum plateau_hypothesis strategy_plateau_hypothesis_current(void)
{
	return hypothesis_current;
}

const struct plateau_window_snapshot *strategy_plateau_hypothesis_delta(void)
{
	return &hypothesis_last_delta;
}

unsigned long strategy_plateau_hypothesis_fires(enum plateau_hypothesis h)
{
	if (h < 0 || h >= NR_PLATEAU_HYPOTHESES)
		return 0;
	return hypothesis_fires[h];
}

/*
 * RRC_COLD_SKIP threshold.  STRATEGY_HEURISTIC's kcov_syscall_cold_skip_pct
 * returns the per-syscall probability the heuristic picker rejects the
 * candidate on the cold-skip retry; 50 is the baseline the heuristic uses
 * for a freshly-cold syscall (see kcov.c).  A SR_PLATEAU_FORCE rescue
 * whose rec->nr scores at or above the baseline would have been skipped
 * by the heuristic at least half the time -- enough that the RANDOM
 * intervention is plausibly the only path that exercised it.
 */
#define RRC_COLD_SKIP_PCT 50U

bool plateau_rescue_bias_active_for(enum random_rescue_class c)
{
	if (c < 0 || c >= RRC_NR_CLASSES)
		return false;
	if (kcov_shm == NULL ||
	    !__atomic_load_n(&kcov_shm->plateau_active, __ATOMIC_ACQUIRE))
		return false;
	/* ACQUIRE-load current_strategy pairs with the RELEASE-store in
	 * maybe_rotate_strategy.  Callers reach this gate from paths that
	 * may not have done their own acquire (notably the explorer pool,
	 * which short-circuits past set_syscall_nr's hot-picker acquire),
	 * so fence here to guarantee the subsequent relaxed reads of
	 * current_selection_reason and plateau_rescue_amplified_class see
	 * the values the orchestrator published before the rotation. */
	(void)__atomic_load_n(&shm->current_strategy, __ATOMIC_ACQUIRE);
	if (__atomic_load_n(&shm->current_selection_reason, __ATOMIC_RELAXED) !=
	    SR_PLATEAU_FORCE)
		return false;
	return __atomic_load_n(&shm->plateau_rescue_amplified_class,
			       __ATOMIC_RELAXED) == (int)c;
}

/*
 * Anti-prior boost cap.  The acceptance formula is structured so a
 * syscall at the baseline mean accepts at 1/ANTI_PRIOR_MAX_BOOST,
 * cold-end saturates at full uniform acceptance (1.0), and over-picked
 * syscalls bottom out at 1/ANTI_PRIOR_MAX_BOOST^2.  8 keeps the cold-
 * end boost large enough to materially shift the picker's distribution
 * away from its learned priors during the intervention without
 * collapsing the rotation onto a single syscall whose calls=0 reading
 * reflects a genuine broken-in-this-kernel arm rather than picker
 * suppression.  The cap is the SOLE knob trinity exposes against the
 * "100x boost a stuck syscall" pathology the design comment in
 * include/strategy.h warns about.
 */
#define ANTI_PRIOR_MAX_BOOST 8UL

/*
 * Pre-computed threshold range for the rejection-sampling roll.  Held
 * as a literal so the inner-loop divides fold to a single shift on the
 * target ISA; ANTI_PRIOR_MAX_BOOST stays as the human-meaningful knob.
 */
#define ANTI_PRIOR_THRESHOLD_SCALE \
	(ANTI_PRIOR_MAX_BOOST * ANTI_PRIOR_MAX_BOOST)

bool plateau_anti_prior_active(void)
{
	if (kcov_shm == NULL ||
	    !__atomic_load_n(&kcov_shm->plateau_active, __ATOMIC_ACQUIRE))
		return false;
	/* ACQUIRE-load current_strategy pairs with the RELEASE-store in
	 * maybe_rotate_strategy.  Fenced here rather than relying on the
	 * caller because set_syscall_nr_random is also entered from the
	 * explorer path, which bypasses set_syscall_nr's hot-picker
	 * acquire.  Without this fence the subsequent relaxed reads of
	 * current_selection_reason and plateau_intervention_mode_current
	 * could disagree with the just-rotated strategy, e.g. masking an
	 * intended PIM_ANTI_PRIOR window or leaving stale intervention
	 * state visible after a plateau lifts. */
	(void)__atomic_load_n(&shm->current_strategy, __ATOMIC_ACQUIRE);
	if (__atomic_load_n(&shm->current_selection_reason, __ATOMIC_RELAXED) !=
	    SR_PLATEAU_FORCE)
		return false;
	return __atomic_load_n(&shm->plateau_intervention_mode_current,
			       __ATOMIC_RELAXED) == (int)PIM_ANTI_PRIOR;
}

bool plateau_anti_prior_accept(unsigned int nr)
{
	unsigned long baseline;
	uint8_t weight;

	if (nr >= MAX_NR_SYSCALL)
		return true;

	baseline = __atomic_load_n(&shm->plateau_anti_prior_baseline_calls,
				   __ATOMIC_RELAXED);
	/* No baseline yet -- the orchestrator has not selected an
	 * anti-prior rotation in this run.  Pass unconditionally so the
	 * picker degenerates to uniform until the cache is populated.
	 * Also covers the kcov_shm==NULL case: refresh_baseline writes
	 * baseline=0 on that path, so the gate short-circuits without
	 * needing a separate kcov_shm probe here. */
	if (baseline == 0)
		return true;

	/* Read the pre-computed acceptance weight.  Visibility of the
	 * weight table is guaranteed by the caller's prior ACQUIRE-load of
	 * current_strategy (via plateau_anti_prior_active), which pairs
	 * with the RELEASE-store in maybe_rotate_strategy that publishes
	 * every store refresh_baseline made on the rotation path.  See the
	 * weight-array comment in struct shm_s for the publish ordering
	 * contract.  The full inversion math (clamp / divide / cap) lives
	 * in plateau_anti_prior_refresh_baseline so the per-retry inner
	 * loop in set_syscall_nr_random reduces to one relaxed load, one
	 * modulo, and one compare. */
	weight = __atomic_load_n(&shm->plateau_anti_prior_accept_weight[nr],
				 __ATOMIC_RELAXED);

	return rnd_modulo_u32(ANTI_PRIOR_THRESHOLD_SCALE) < weight;
}

void plateau_anti_prior_refresh_baseline(void)
{
	unsigned long calls_snapshot[MAX_NR_SYSCALL];
	unsigned long sum = 0;
	unsigned int i;
	unsigned long baseline;
	unsigned long floor_calls, ceil_calls;

	if (kcov_shm == NULL) {
		__atomic_store_n(&shm->plateau_anti_prior_baseline_calls, 0UL,
				 __ATOMIC_RELAXED);
		return;
	}

	/* Mean across the full per_syscall_calls slot range.  Indexing by
	 * MAX_NR_SYSCALL (not max_nr_syscalls) matches the array
	 * dimension and keeps the baseline stable across biarch builds
	 * where the per_syscall_calls slot is shared by both arches.
	 * O(MAX_NR_SYSCALL) walk on the rotation path, never on the hot
	 * pick path.  Snapshot each slot into calls_snapshot[] so the
	 * per-slot weight pass below reuses the same observation the
	 * baseline was computed from. */
	for (i = 0; i < MAX_NR_SYSCALL; i++) {
		calls_snapshot[i] = __atomic_load_n(
			&kcov_shm->per_syscall_calls[i],
			__ATOMIC_RELAXED);
		sum += calls_snapshot[i];
	}
	baseline = sum / MAX_NR_SYSCALL;

	/* Publish at least 1 when the mean truncates to zero so the accept
	 * gate's "baseline=0 short-circuit to pass" branch only fires
	 * before any rotation has populated the cache, not when the fleet
	 * is genuinely too young for any syscall to have averaged a full
	 * call.  Without the floor a cold-start run that hit a plateau
	 * within its first MAX_NR_SYSCALL ops would have the anti-prior
	 * rotation silently degenerate to uniform pick. */
	if (baseline == 0 && sum > 0)
		baseline = 1;

	/* Pre-compute the per-syscall acceptance weights so the hot-path
	 * picker only does one load + modulo + compare per candidate.  The
	 * formula mirrors what plateau_anti_prior_accept used to do per
	 * call, exactly:
	 *
	 *   floor   = max(1, baseline / MAX_BOOST)
	 *   ceil    = baseline * MAX_BOOST
	 *   clamped = clamp(calls, floor, ceil)
	 *   weight  = min((MAX_BOOST * baseline) / clamped,
	 *                 ANTI_PRIOR_THRESHOLD_SCALE)
	 *
	 * For the same baseline and the same per-syscall calls reading,
	 * the resulting weight is bit-identical to what the per-call path
	 * computed.  The only behavioural delta is that calls[nr] is
	 * snapshotted here at rotation time rather than re-read on every
	 * candidate; an intervention window is short relative to the rate
	 * any single syscall's lifetime count can shift, and the
	 * statistical bias the gate imposes is keyed off the baseline-
	 * relative ratio, not the absolute call count.  The per-slot
	 * reads themselves are also taken from calls_snapshot[] (filled
	 * in pass 1 above), so each slot's published weight is derived
	 * from the exact same observation that fed into the baseline -
	 * a concurrent mid-rotation increment can no longer skew one
	 * pass relative to the other.
	 *
	 * weight is bounded by ANTI_PRIOR_THRESHOLD_SCALE (= 64 today, =
	 * MAX_BOOST^2) and never zero, so the uint8_t slot is sufficient.
	 *
	 * The whole array is written under RELAXED ordering; visibility
	 * rides on the RELEASE-store of current_strategy that
	 * maybe_rotate_strategy emits after select_next_strategy returns,
	 * paired with the picker-side ACQUIRE-load inside
	 * plateau_anti_prior_active.  Mirrors the existing publish pattern
	 * for plateau_intervention_mode_current. */
	if (baseline > 0) {
		floor_calls = baseline / ANTI_PRIOR_MAX_BOOST;
		if (floor_calls == 0)
			floor_calls = 1;
		ceil_calls = baseline * ANTI_PRIOR_MAX_BOOST;

		for (i = 0; i < MAX_NR_SYSCALL; i++) {
			unsigned long calls, clamped, weight;

			calls = calls_snapshot[i];
			clamped = calls;
			if (clamped < floor_calls)
				clamped = floor_calls;
			else if (clamped > ceil_calls)
				clamped = ceil_calls;

			weight = (ANTI_PRIOR_MAX_BOOST * baseline) / clamped;
			if (weight > ANTI_PRIOR_THRESHOLD_SCALE)
				weight = ANTI_PRIOR_THRESHOLD_SCALE;

			__atomic_store_n(
				&shm->plateau_anti_prior_accept_weight[i],
				(uint8_t)weight, __ATOMIC_RELAXED);
		}
	}

	__atomic_store_n(&shm->plateau_anti_prior_baseline_calls, baseline,
			 __ATOMIC_RELAXED);
}

const char *plateau_intervention_mode_name(enum plateau_intervention_mode m)
{
	switch (m) {
	case PIM_UNIFORM_RANDOM:	return "UNIFORM_RANDOM";
	case PIM_ANTI_PRIOR:		return "ANTI_PRIOR";
	case PIM_RRC_BIASED:		return "RRC_BIASED";
	case PIM_COVERAGE_FRONTIER:	return "COVERAGE_FRONTIER";
	case NR_PIM_MODES:		break;	/* sentinel */
	}
	return "?";
}

const char *random_rescue_class_name(enum random_rescue_class c)
{
	switch (c) {
	case RRC_COLD_SKIP:		return "COLD_SKIP";
	case RRC_UNUSUAL_FD_PRODUCER:	return "UNUSUAL_FD_PRODUCER";
	case RRC_WRONG_TYPE_FD:		return "WRONG_TYPE_FD";
	case RRC_CMP_DERIVED:		return "CMP_DERIVED";
	case RRC_PERSONA_GATED:		return "PERSONA_GATED";
	case RRC_UNKNOWN:		return "UNKNOWN";
	case RRC_NR_CLASSES:		break;	/* sentinel */
	}
	return "?";
}

enum random_rescue_class classify_random_rescue(struct syscallrecord *rec,
						struct childdata *child,
						unsigned int cold_skip_pct_before)
{
	unsigned int curr;

	if (rec == NULL || child == NULL)
		return RRC_UNKNOWN;
	if (rec->nr >= MAX_NR_SYSCALL)
		return RRC_UNKNOWN;

	curr = (unsigned int)rec->nr;

	/* RRC_COLD_SKIP.  Heuristic picker would have rejected this nr at
	 * least half the time on the cold-skip retry path, so a RANDOM
	 * rescue that lands new edges on it is most plausibly recovering
	 * coverage the heuristic was filtering out.  The check runs against
	 * the same kcov_syscall_cold_skip_pct() the heuristic consults --
	 * but uses the caller's pre-kcov_collect snapshot, not a fresh
	 * read.  kcov_collect bumps last_edge_at[nr] on a new edge, which
	 * is exactly the case the rescue classifier fires on; a live read
	 * here would always see gap=0 and never return RRC_COLD_SKIP for
	 * the cold-syscall rescues this class exists to surface. */
	if (cold_skip_pct_before >= RRC_COLD_SKIP_PCT)
		return RRC_COLD_SKIP;

	/* RRC_CMP_DERIVED.  generate-args.c's ARG_OP / ARG_LIST /
	 * gen_undefined_arg paths roll a 1-in-16 cmp_hints_try_get on every
	 * call; if rec->nr has any hints in its pool, a learned constant
	 * may have carried this RANDOM call past a kernel validation check
	 * the structured pickers were not aware of.  Hint-pool occupancy is
	 * a soft signal (the per-call substitution probability is fixed and
	 * we have no per-call attribution), but a non-empty pool is the
	 * narrowest evidence available without adding per-call tracking. */
	if (cmp_hints_shm != NULL && curr < MAX_NR_SYSCALL &&
	    cmp_hints_pool_safe_count(&cmp_hints_shm->pools[curr][rec->do32bit ? 1 : 0]) > 0)
		return RRC_CMP_DERIVED;

	/* RRC_UNUSUAL_FD_PRODUCER / RRC_WRONG_TYPE_FD / RRC_PERSONA_GATED
	 * detection requires per-call fd-source tracking and persona
	 * attribution infrastructure that does not yet exist.  Rescues that
	 * land here fall through to UNKNOWN; the orchestrator's bias
	 * dispatch handles those classes for the future infrastructure to
	 * wire in without an enum reorder. */

	return RRC_UNKNOWN;
}

/*
 * Operator-facing summary, called from dump_stats() at end of run.
 * Always shows the picker mode (cheap context); per-arm pulls and
 * mean reward are printed in both modes whenever any window has
 * completed (total_pulls > 0) -- round-robin runs through
 * bandit_record_pull() too, so its per-arm yield is meaningful even
 * though the picker itself ignores the reward signal.  Suppressed
 * only when total_pulls is zero (run too short for any window to
 * close).
 */
static void dump_strategy_stats_header(void)
{
	enum picker_mode_t mode;

	mode = __atomic_load_n(&shm->picker_mode, __ATOMIC_RELAXED);

	output(0, "strategy picker: %s\n", picker_mode_name(mode));
}

/* Forced-intervention cohort.  These windows ran STRATEGY_RANDOM
 * over the picker's head because the kcov plateau detector
 * reported the fleet was stalled; their pulls/reward are
 * deliberately NOT folded into the per-arm bandit_pulls[] /
 * bandit_reward_calls[] series so a forced-RANDOM intervention
 * does not get conflated with a policy-chosen RANDOM in the
 * learner's history. */
static void dump_strategy_stats_plateau_forced_cohort(void)
{
	unsigned long plateau_forced;

	plateau_forced = __atomic_load_n(&shm->stats.plateau_forced_windows,
					 __ATOMIC_RELAXED);
	if (plateau_forced > 0)
		output(0, "  plateau-forced windows: %lu (forced over picker via SR_PLATEAU_FORCE, excluded from UCB learner)\n",
		       plateau_forced);
}

/* Plateau intervention mode rotation distribution.  Suppressed when
 * no plateau-forced window has run yet (plateau_forced == 0); when
 * it has, the per-mode window counts let the operator divide each
 * mode's contribution to rescue yield by the windows it actually
 * ran without reconstructing the rotation history from bandit_
 * pulls_by_reason.  The current mode line names what the next pick
 * during a live intervention would run; PIM_UNIFORM_RANDOM is the
 * resting value outside an intervention so a "current mode:
 * UNIFORM_RANDOM" reading at end-of-run is correct (the
 * orchestrator cleared the mode on the last non-intervention
 * rotation), not the most recent intervention mode. */
static void dump_strategy_stats_intervention_modes(void)
{
	unsigned long plateau_forced;

	plateau_forced = __atomic_load_n(&shm->stats.plateau_forced_windows,
					 __ATOMIC_RELAXED);

	if (plateau_forced > 0) {
		unsigned long mode_windows[NR_PIM_MODES];
		int pim;
		int cur_mode;

		for (pim = 0; pim < NR_PIM_MODES; pim++)
			mode_windows[pim] = __atomic_load_n(
				&shm->plateau_intervention_mode_windows[pim],
				__ATOMIC_RELAXED);

		output(0, "  intervention modes:");
		for (pim = 0; pim < NR_PIM_MODES; pim++)
			output(0, " %s=%lu",
			       plateau_intervention_mode_name(
				       (enum plateau_intervention_mode)pim),
			       mode_windows[pim]);
		output(0, "\n");

		cur_mode = __atomic_load_n(
			&shm->plateau_intervention_mode_current,
			__ATOMIC_RELAXED);
		if (cur_mode >= 0 && cur_mode < NR_PIM_MODES)
			output(0, "  intervention mode current: %s (live during an active plateau, resets to UNIFORM_RANDOM otherwise)\n",
			       plateau_intervention_mode_name(
				       (enum plateau_intervention_mode)cur_mode));

		/* Anti-prior baseline (mean per-syscall call count cached at
		 * the last PIM_ANTI_PRIOR rotation).  Zero means no
		 * anti-prior rotation has fired yet; non-zero means the
		 * accept gate has been live at some point with this
		 * baseline value as the inversion midpoint. */
		{
			unsigned long ap_baseline = __atomic_load_n(
				&shm->plateau_anti_prior_baseline_calls,
				__ATOMIC_RELAXED);
			if (ap_baseline > 0)
				output(0, "  anti-prior baseline: %lu calls/syscall (mean across MAX_NR_SYSCALL at last refresh)\n",
				       ap_baseline);
		}

	}
}

/* Random-rescue classifier distribution.  Per-class counts only
 * accumulate during SR_PLATEAU_FORCE intervention windows, so a
 * run that never plateaued prints nothing here; on a run that
 * did, the dominant class plus the currently-published
 * amplification field together tell the operator which targeted
 * intervention the orchestrator settled on by run-end.  Zero
 * buckets are suppressed so the placeholder classes (UNUSUAL_FD_
 * PRODUCER, WRONG_TYPE_FD, PERSONA_GATED) stay quiet until their
 * detection infrastructure lands and starts crediting rescues to
 * them. */
static void dump_strategy_stats_rescue_classes(void)
{
	unsigned long total_rescues = 0;
	int c;

	for (c = 0; c < RRC_NR_CLASSES; c++)
		total_rescues += __atomic_load_n(
			&shm->random_rescue_class_count[c],
			__ATOMIC_RELAXED);

	if (total_rescues > 0) {
		int amp = __atomic_load_n(
			&shm->plateau_rescue_amplified_class,
			__ATOMIC_RELAXED);

		output(0, "  rescue classes: total=%lu", total_rescues);
		for (c = 0; c < RRC_NR_CLASSES; c++) {
			unsigned long count = __atomic_load_n(
				&shm->random_rescue_class_count[c],
				__ATOMIC_RELAXED);
			if (count == 0)
				continue;
			output(0, " %s=%lu",
			       random_rescue_class_name(
				       (enum random_rescue_class)c),
			       count);
		}
		output(0, "\n");

		/* Amplified class is the orchestrator's current
		 * pick; RRC_NR_CLASSES means no class is being
		 * amplified (either the run is not in a plateau
		 * intervention right now or no class cleared the
		 * dominance threshold).  Print the threshold
		 * outcome explicitly so the operator can
		 * distinguish "no amplification because below
		 * floor" from "no amplification because the lead
		 * over the runner-up was too thin". */
		if (amp >= 0 && amp < RRC_NR_CLASSES)
			output(0, "  rescue amplified: %s (next intervention biased toward this class's structured replay)\n",
			       random_rescue_class_name(
				       (enum random_rescue_class)amp));
		else
			output(0, "  rescue amplified: none (no class crossed the %lu-rescue floor with a %lux lead)\n",
			       RRC_AMPLIFY_MIN_COUNT,
			       RRC_AMPLIFY_LEAD_RATIO);
	}
}

/* Hybrid bandit/explorer split summary.  Suppressed when the run had
 * no explorers reserved (explorer_children == 0) -- the bandit-pool
 * counter still ran but there is nothing to compare it against.
 *
 * Framed as a head-to-head competition: both pools feed the same
 * global KCOV edge bitmap and CMP bloom, so each first-discovery
 * edge is credited to whichever pool reached it first.  The lead
 * line shows the direct edge-share split so the operator can see
 * at a glance whether the always-on STRATEGY_RANDOM baseline is
 * stealing a disproportionate share of easy coverage from the
 * learned strategy.  Beyond the head-to-head line this block
 * derives:
 *   - per-child rate for each pool (edges / pool size), so the
 *     larger pool isn't credited just for having more workers
 *   - explorer fleet share for context against the edge share
 *   - one-line verdict (over-performing / at parity / under-)
 *     against the 2x-fleet-share threshold from the design doc.
 *     Hitting >=2x sustained across multiple runs is the trigger
 *     for considering per-child bandit (Option C). */
static void dump_strategy_stats_edge_race(void)
{
	unsigned long explorer_edges, bandit_edges;

	if (explorer_children > 0) {
		unsigned int bandit_children;
		unsigned long total_edges;
		unsigned long per_explorer, per_bandit;
		unsigned long ratio_x100;
		const char *verdict;

		explorer_edges = __atomic_load_n(
			&shm->stats.explorer_pool_edges_discovered,
			__ATOMIC_RELAXED);
		bandit_edges = __atomic_load_n(
			&shm->stats.bandit_pool_edges_discovered,
			__ATOMIC_RELAXED);
		bandit_children = max_children > explorer_children ?
			max_children - explorer_children : 0;
		total_edges = explorer_edges + bandit_edges;

		/* Per-child rate: rounded down to nearest whole edge.  A run
		 * too short for meaningful per-child rates renders as zero
		 * and that's an informative diagnostic. */
		per_explorer = explorer_edges / explorer_children;
		per_bandit = bandit_children > 0 ?
			bandit_edges / bandit_children : 0;

		/* Head-to-head competing-pools line.  The two pools both
		 * feed the same global KCOV edge bitmap and CMP bloom -- a
		 * first-discovery edge is credited to whichever pool reached
		 * it first, so the per-pool counters represent direct
		 * competition for the same coverage surface, not two
		 * independent measurements.  Render them on one line with
		 * the edge-share split as a percentage so the operator can
		 * see the head-to-head outcome at a glance, then break the
		 * components out beneath for the per-child rate. */
		if (total_edges > 0) {
			unsigned long e_share_pct_x10 =
				(explorer_edges * 1000UL) / total_edges;
			unsigned long b_share_pct_x10 = 1000UL - e_share_pct_x10;

			output(0, "  edge race: explorer %lu (%lu.%lu%%) vs bandit %lu (%lu.%lu%%) of %lu first-discovery edges\n",
			       explorer_edges,
			       e_share_pct_x10 / 10, e_share_pct_x10 % 10,
			       bandit_edges,
			       b_share_pct_x10 / 10, b_share_pct_x10 % 10,
			       total_edges);
		} else {
			output(0, "  edge race: explorer %lu vs bandit %lu (no edges yet)\n",
			       explorer_edges, bandit_edges);
		}
		output(0, "    explorer: %u children, %lu edges (%lu per child)\n",
		       explorer_children, explorer_edges, per_explorer);
		output(0, "    bandit:   %u children, %lu edges (%lu per child)\n",
		       bandit_children, bandit_edges, per_bandit);

		/* Edge-share verdict against the fleet-share-normalised
		 * ratio.  Suppressed on a zero-edge run or when there are
		 * no bandit children -- nothing meaningful to compare. */
		if (total_edges > 0 && bandit_children > 0) {
			unsigned int fleet_pct_x10 =
				explorer_children * 1000U / max_children;

			output(0, "    fleet share: explorer %u/%u children (%u.%u%%)\n",
			       explorer_children, max_children,
			       fleet_pct_x10 / 10U, fleet_pct_x10 % 10U);

			/* ratio = (explorer_edges / total_edges) /
			 *        (explorer_children / max_children)
			 * computed as a single integer division to avoid
			 * losing precision when the fleet share is tiny
			 * (e.g. --explorer-children=1 with -C16384). */
			ratio_x100 = (explorer_edges *
				      (unsigned long)max_children * 100UL) /
				     (total_edges *
				      (unsigned long)explorer_children);
			if (ratio_x100 >= 200)
				verdict = "explorer pool over-performing (>=2x fleet share -- per-child bandit trigger met)";
			else if (ratio_x100 <= 50)
				verdict = "explorer pool under-performing (bandit is winning the easy edges)";
			else
				verdict = "explorer pool at parity";
			output(0, "    verdict: %s (edge-share/fleet-share ratio %lu.%02lux)\n",
			       verdict,
			       ratio_x100 / 100, ratio_x100 % 100);
		}
	}
}

static void dump_strategy_stats_arms(void)
{
	unsigned long total_pulls = 0;
	int i;

	for (i = 0; i < NR_STRATEGIES; i++)
		total_pulls += __atomic_load_n(&shm->bandit_pulls[i],
					       __ATOMIC_RELAXED);

	if (total_pulls == 0)
		return;

	for (i = 0; i < NR_STRATEGIES; i++) {
		unsigned long pulls = __atomic_load_n(&shm->bandit_pulls[i],
						      __ATOMIC_RELAXED);
		unsigned long reward = __atomic_load_n(
			&shm->bandit_reward_calls[i], __ATOMIC_RELAXED);
		unsigned long reward_pc_edges = __atomic_load_n(
			&shm->bandit_reward_pc_edge_count[i], __ATOMIC_RELAXED);
		unsigned long cmp_new = __atomic_load_n(
			&shm->bandit_cmp_new_constants[i], __ATOMIC_RELAXED);
		unsigned long share_sum = __atomic_load_n(
			&shm->bandit_cmp_share_sum_x1000[i], __ATOMIC_RELAXED);
		unsigned long picks = __atomic_load_n(&shm->strategy_picks[i],
						      __ATOMIC_RELAXED);
		unsigned long bandit_ops = __atomic_load_n(
			&shm->strategy_bandit_pool_ops[i], __ATOMIC_RELAXED);
		unsigned long completed = __atomic_load_n(
			&shm->strategy_completed_calls[i], __ATOMIC_RELAXED);
		unsigned long mean_calls_x1000 = pulls ? (reward * 1000UL / pulls) : 0;
		/* Parallel mean for the real bucket-edge series, so the operator
		 * can eyeball how the two reward shapes would score each arm.
		 * Strictly >= the call-count mean (a call that produces N edges
		 * adds N to this series but only 1 to the call-count series). */
		unsigned long mean_pc_edges_x1000 =
			pulls ? (reward_pc_edges * 1000UL / pulls) : 0;
		/* Average per-window CMP share, parts per thousand.  Divides
		 * by total pulls (not just CMP-contributing pulls) so a low
		 * value can mean either "CMP rarely fires" or "CMP fires but
		 * is small relative to PC reward" — both are interesting for
		 * tuning the 0.25 weight constant. */
		unsigned long share_avg_x1000 = pulls ? (share_sum / pulls) : 0;

		output(0, "  arm[%d]: pulls=%lu reward_calls=%lu mean_calls=%lu.%03lu/window reward_edge_count=%lu mean_edge_count=%lu.%03lu/window cmp_novel=%lu cmp_share=%lu.%lu%%\n",
		       i, pulls, reward,
		       mean_calls_x1000 / 1000UL, mean_calls_x1000 % 1000UL,
		       reward_pc_edges,
		       mean_pc_edges_x1000 / 1000UL,
		       mean_pc_edges_x1000 % 1000UL,
		       cmp_new,
		       share_avg_x1000 / 10UL, share_avg_x1000 % 10UL);

		/* Exposure line: per-arm syscall-level denominators alongside
		 * the window-level reward summary above.  picks is the widest
		 * population (all dispatched syscalls credited to the arm,
		 * explorer included); bandit_ops is the strict bandit-pool
		 * subset (picks - bandit_ops is the explorer contribution,
		 * which is zero for non-RANDOM arms by construction);
		 * completed is the count that reached the end of dispatch_step
		 * without a set_syscall_nr FAIL upstream.  The
		 * completed/picks ratio surfaces arms whose picker policy is
		 * burning picks on unsatisfiable pick-side gates without
		 * actually dispatching a call. */
		if (picks > 0) {
			unsigned long success_x1000 =
				(completed * 1000UL) / picks;
			output(0, "    exposure: picks=%lu bandit_ops=%lu completed=%lu (success=%lu.%lu%%)\n",
			       picks, bandit_ops, completed,
			       success_x1000 / 10UL, success_x1000 % 10UL);
		}

		/* Reason breakdown: split this arm's window count and reward
		 * by selection path.  Walk all reasons but only print the
		 * ones with nonzero pulls so cold paths (e.g. SR_ROUND_ROBIN
		 * under PICKER_BANDIT_UCB1, SR_PLATEAU_FORCE on a run that
		 * never hit a plateau) stay quiet.  PLATEAU_FORCE rewards
		 * appear here even though they are excluded from the
		 * per-arm bandit_pulls / bandit_reward_calls totals above --
		 * the per-reason matrix is exactly where the intervention
		 * cohort's reward goes so the operator can size it against
		 * the policy cohort.  Format: REASON=pulls/reward_calls, one
		 * leading-space-indented continuation line per arm. */
		{
			bool any_reason = false;
			int r;

			for (r = 0; r < NR_SELECTION_REASONS; r++) {
				unsigned long rp = __atomic_load_n(
					&shm->bandit_pulls_by_reason[i][r],
					__ATOMIC_RELAXED);
				unsigned long rr = __atomic_load_n(
					&shm->bandit_reward_calls_by_reason[i][r],
					__ATOMIC_RELAXED);
				if (rp == 0)
					continue;
				if (!any_reason) {
					output(0, "    reasons:");
					any_reason = true;
				}
				output(0, " %s=%lu/%lu",
				       strategy_selection_reason_name(
					       (enum strategy_selection_reason)r),
				       rp, rr);
			}
			if (any_reason)
				output(0, "\n");
		}

		/* Chaos cohort breakdown: this arm's per-window WARN-fire
		 * rate split by chaos state.  The chaos schedule fires every
		 * CHAOS_WINDOW_MODULO'th window (1-in-8 today) and suppresses
		 * cmp_hints injection for the duration, leaving the random
		 * argument generator unbiased.  The V2 hypothesis is that
		 * chaos-on windows produce measurably more kernel diagnostic
		 * events than chaos-off windows -- the per-arm rate split
		 * here is the headline observation.  Suppressed when both
		 * cohorts are at zero pulls (arm never selected) so an arm
		 * the picker has not visited stays quiet.  WARN fires are
		 * rendered as parts per thousand of the cohort's pulls so the
		 * two cohorts are directly comparable across orders of
		 * magnitude difference in their window counts (chaos-on
		 * cohort is ~1/(MODULO-1) the size of chaos-off in steady
		 * state). */
		{
			unsigned long c_pulls[2], c_warn[2];
			int c;

			for (c = 0; c < 2; c++) {
				c_pulls[c] = __atomic_load_n(
					&shm->bandit_pulls_by_chaos[i][c],
					__ATOMIC_RELAXED);
				c_warn[c] = __atomic_load_n(
					&shm->bandit_warn_fires_by_chaos[i][c],
					__ATOMIC_RELAXED);
			}
			if (c_pulls[0] + c_pulls[1] > 0) {
				unsigned long off_rate_x1000 = c_pulls[0] ?
					(c_warn[0] * 1000UL / c_pulls[0]) : 0;
				unsigned long on_rate_x1000 = c_pulls[1] ?
					(c_warn[1] * 1000UL / c_pulls[1]) : 0;

				output(0, "    chaos: off=%lu/%lu (%lu.%03lu warn/window) on=%lu/%lu (%lu.%03lu warn/window)\n",
				       c_pulls[0], c_warn[0],
				       off_rate_x1000 / 1000UL,
				       off_rate_x1000 % 1000UL,
				       c_pulls[1], c_warn[1],
				       on_rate_x1000 / 1000UL,
				       on_rate_x1000 % 1000UL);
			}
		}
	}
}

void __cold dump_strategy_stats(void)
{
	dump_strategy_stats_header();
	dump_strategy_stats_plateau_forced_cohort();
	dump_strategy_stats_intervention_modes();
	dump_strategy_stats_rescue_classes();
	dump_strategy_stats_edge_race();
	dump_strategy_stats_arms();
}