Make fuzzer action capping probabilistic

[MattWindsor91]

The fuzzer always, at the moment, picks a constant number of actions, presently set at 40. This is problematic for various reasons:

• some bugs may need far more than 40 actions, but
• increasing the uniform action count slows down fuzzer generation while not necessarily always increasing the likelihood of the 'long tail' bugs being found.

We ideally want to make the number of fuzzer actions the fuzzer takes probabilistic, but still fairly controllable by the user.

I've spent altogether too much time trying to think of a good probability distribution to model this, since the actual thing we're modelling (number of fuzzer actions until bug) depends on a lot of complex interactions we don't fully understand (and, of course, varies between compiler, compiler version, target, type of action, etc etc). I'm imagining it boils down to one or more of:

• a Poisson distribution ('I want on average about 40 fuzzer actions per run');
• a geometric distribution ('I expect each action will fail to trigger a bug with probability 90%');
• a hard cap ('and under no circumstances do I want over 1000 fuzzer actions per run').

Maybe something like we use a Poisson distribution to get a baseline number of actions, and then a geometric to induce long tails (this would be fairly straightforward to implement). Hmm.

Thoughts?

[MattWindsor91]

Fixed as of 15660e900b503607d72ee7674a4a0899dc185049.