From 9a2e7b0e647e286c9919826211b463eec80fcdb1 Mon Sep 17 00:00:00 2001
From: "Dongjia \"toka\" Zhang"
Date: Thu, 7 Mar 2024 14:49:01 +0100
Subject: [PATCH] Fix redundant xor in Ngram calculation (#1901)
* fix double xor
* tmp
* clp
* no notnightly
* fix
* plural
---
 .../libfuzzer_libpng_centralized/src/lib.rs | 2 +-
 fuzzers/libfuzzer_libpng_launcher/src/lib.rs | 2 +-
 libafl_targets/src/sancov_pcguard.rs | 61 +++++++++++++++----
 3 files changed, 50 insertions(+), 15 deletions(-)
diff --git a/fuzzers/libfuzzer_libpng_centralized/src/lib.rs b/fuzzers/libfuzzer_libpng_centralized/src/lib.rs
index d799e81196..d4a2afc432 100644
--- a/fuzzers/libfuzzer_libpng_centralized/src/lib.rs
+++ b/fuzzers/libfuzzer_libpng_centralized/src/lib.rs
@@ -201,7 +201,7 @@ pub extern "C" fn libafl_main() {
 // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
 #[cfg(target_os = "linux")]
- let mut executor = InProcessExecutor::batched_timeouts(
+ let mut executor = InProcessExecutor::batched_timeout(
 &mut harness,
 tuple_list!(edges_observer, time_observer),
 &mut fuzzer,
diff --git a/fuzzers/libfuzzer_libpng_launcher/src/lib.rs b/fuzzers/libfuzzer_libpng_launcher/src/lib.rs
index 3b452bf681..9765761f4f 100644
--- a/fuzzers/libfuzzer_libpng_launcher/src/lib.rs
+++ b/fuzzers/libfuzzer_libpng_launcher/src/lib.rs
@@ -202,7 +202,7 @@ pub extern "C" fn libafl_main() {
 // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
 #[cfg(target_os = "linux")]
- let mut executor = InProcessExecutor::batched_timeouts(
+ let mut executor = InProcessExecutor::batched_timeout(
 &mut harness,
 tuple_list!(edges_observer, time_observer),
 &mut fuzzer,
diff --git a/libafl_targets/src/sancov_pcguard.rs b/libafl_targets/src/sancov_pcguard.rs
index 38d795bc89..737b7992fd 100644
--- a/libafl_targets/src/sancov_pcguard.rs
+++ b/libafl_targets/src/sancov_pcguard.rs
@@ -20,14 +20,33 @@ compile_error!(
 "the libafl_targets `sancov_pcguard_edges` and `sancov_pcguard_hitcounts` features are mutually exclusive."
 );
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
+use core::ops::ShlAssign;
+
 #[cfg(feature = "sancov_ngram4")]
 #[rustversion::nightly]
 type Ngram4 = core::simd::u32x4;
+#[cfg(feature = "sancov_ngram8")]
+#[rustversion::nightly]
+type Ngram8 = core::simd::u32x8;
+
 /// The array holding the previous locs. This is required for NGRAM-4 instrumentation
 #[cfg(feature = "sancov_ngram4")]
 #[rustversion::nightly]
-pub static mut PREV_ARRAY: Ngram4 = Ngram4::from_array([0, 0, 0, 0]);
+pub static mut PREV_ARRAY_4: Ngram4 = Ngram4::from_array([0, 0, 0, 0]);
+
+#[cfg(feature = "sancov_ngram8")]
+#[rustversion::nightly]
+pub static mut PREV_ARRAY_8: Ngram8 = Ngram8::from_array([0, 0, 0, 0, 0, 0, 0, 0]);
+
+#[cfg(feature = "sancov_ngram4")]
+#[rustversion::nightly]
+pub static SHR_4: Ngram4 = Ngram4::from_array([1, 1, 1, 1]);
+
+#[cfg(feature = "sancov_ngram8")]
+#[rustversion::nightly]
+pub static SHR_8: Ngram8 = Ngram8::from_array([1, 1, 1, 1, 1, 1, 1, 1]);
 /// The hook to initialize ngram everytime we run the harness
 #[cfg(feature = "sancov_ngram4")]
@@ -40,7 +59,7 @@ pub struct NgramHook {}
 #[derive(Default, Debug, Clone, Copy)]
 pub struct CtxHook {}
-#[cfg(feature = "sancov_ngram4")]
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 #[rustversion::nightly]
 impl ExecutorHook for NgramHook {
 fn init(&mut self, _state: &mut S) {}
@@ -51,8 +70,14 @@ impl ExecutorHook for NgramHook {
 _mgr: &mut EM,
 _input: &I,
 ) {
+ #[cfg(feature = "sancov_ngram4")]
 unsafe {
- PREV_ARRAY = Ngram4::from_array([0, 0, 0, 0]);
+ PREV_ARRAY_4 = Ngram4::from_array([0, 0, 0, 0]);
+ }
+
+ #[cfg(feature = "sancov_ngram8")]
+ unsafe {
+ PREV_ARRAY_8 = Ngram8::from_array([0, 0, 0, 0, 0, 0, 0, 0])
 }
 }
 fn post_exec(
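Review bot: Nothing rejects a build that enables `sancov_ngram4` and `sancov_ngram8` together, even though the context at the top of this hunk already makes the `sancov_pcguard_edges`/`sancov_pcguard_hitcounts` pair mutually exclusive with a `compile_error!`; with both ngram features on, `update_ngram` in the later hunk of this file runs both `#[cfg]` blocks and the ngram4 result is silently overwritten by the ngram8 one. I would add, beside the existing guard, `#[cfg(all(feature = "sancov_ngram4", feature = "sancov_ngram8"))]` followed by a `compile_error!` worded like the existing one. The new `pub` statics `PREV_ARRAY_8`, `SHR_4` and `SHR_8` also carry no `///` comment, while the existing doc line above `PREV_ARRAY_4` still describes NGRAM-4 only; a one-liner on each, e.g. `/// Per-lane shift applied to the location history on every edge` for the two shift vectors, would keep the file's documented-statics convention.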
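Review bot: The added `PREV_ARRAY_8 = Ngram8::from_array([0, 0, 0, 0, 0, 0, 0, 0])` in the second `unsafe` block drops the trailing semicolon that its `PREV_ARRAY_4` counterpart a few lines above keeps; it still compiles because the assignment's `()` value becomes the block's tail expression, but the two branches should read alike — `PREV_ARRAY_8 = Ngram8::from_array([0, 0, 0, 0, 0, 0, 0, 0]);`. The enclosing method's signature starts before this hunk.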
@@ -90,21 +115,31 @@ impl ExecutorHook for CtxHook {
 }
 #[rustversion::nightly]
-#[cfg(feature = "sancov_ngram4")]
-unsafe fn update_ngram(mut pos: usize) -> usize {
+#[allow(unused)]
+#[inline]
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
+unsafe fn update_ngram(pos: usize) -> usize {
+ let mut reduced = pos;
 #[cfg(feature = "sancov_ngram4")]
 {
- PREV_ARRAY = PREV_ARRAY.rotate_elements_right::<1>();
- PREV_ARRAY.as_mut_array()[0] = pos as u32;
- let reduced = PREV_ARRAY.reduce_xor() as usize;
- pos ^= reduced;
- pos %= EDGES_MAP_SIZE;
+ PREV_ARRAY_4 = PREV_ARRAY_4.rotate_elements_right::<1>();
+ PREV_ARRAY_4.shl_assign(SHR_4);
+ PREV_ARRAY_4.as_mut_array()[0] = pos as u32;
+ reduced = PREV_ARRAY_4.reduce_xor() as usize;
 }
- pos
+ #[cfg(feature = "sancov_ngram8")]
+ {
+ PREV_ARRAY_8 = PREV_ARRAY_8.rotate_elements_right::<1>();
+ PREV_ARRAY_8.shl_assign(SHR_8);
+ PREV_ARRAY_8.as_mut_array()[0] = pos as u32;
+ reduced = PREV_ARRAY_8.reduce_xor() as usize;
+ }
+ reduced %= EDGES_MAP_SIZE;
+ reduced
 }
 #[rustversion::not(nightly)]
-#[cfg(feature = "sancov_ngram4")]
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 unsafe fn update_ngram(pos: usize) -> usize {
 pos
 }
@@ -124,7 +159,7 @@ extern "C" {
 pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: *mut u32) {
 let mut pos = *guard as usize;
- #[cfg(feature = "sancov_ngram4")]
+ #[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 {
 pos = update_ngram(pos);
 // println!("Wrinting to {} {}", pos, EDGES_MAP_SIZE);
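Review bot: `SHR_4` and `SHR_8` are applied with `shl_assign`, a per-lane left shift by one, so the names state the opposite of the operation; renaming them `SHL_4`/`SHL_8` where they are declared in the earlier hunk would stop readers from assuming the history is shifted right. The rewritten `update_ngram` also has no doc comment, and as an `unsafe fn` that reads and writes the `static mut` history it has no `# Safety` section; I would document it as rotating the history by one slot, shifting every remembered location left by one bit, storing `pos` in slot 0 and folding the lanes with xor into an index reduced modulo `EDGES_MAP_SIZE`, with a `# Safety` note that the global history is updated without synchronization, so it must not be entered concurrently (it is reached from `__sanitizer_cov_trace_pc_guard` in the next hunk, which presumably holds only for single-threaded targets — confirm). The `#[allow(unused)]` attribute has no comment saying which configuration leaves the function unused; a short `//` reason beside it would help.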