Fix redundant xor in Ngram calculation (#1901)

* fix double xor * tmp * clp * no notnightly * fix * plural
2024-03-07 14:49:01 +01:00 · 2024-03-07 14:49:01 +01:00 · 9a2e7b0e64
commit 9a2e7b0e64
parent 2ac075024b
3 changed files with 50 additions and 15 deletions
--- a/fuzzers/libfuzzer_libpng_centralized/src/lib.rs
+++ b/fuzzers/libfuzzer_libpng_centralized/src/lib.rs
@ -201,7 +201,7 @@ pub extern "C" fn libafl_main() {

        // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
        #[cfg(target_os = "linux")]
-        let mut executor = InProcessExecutor::batched_timeouts(
+        let mut executor = InProcessExecutor::batched_timeout(
            &mut harness,
            tuple_list!(edges_observer, time_observer),
            &mut fuzzer,
--- a/fuzzers/libfuzzer_libpng_launcher/src/lib.rs
+++ b/fuzzers/libfuzzer_libpng_launcher/src/lib.rs
@ -202,7 +202,7 @@ pub extern "C" fn libafl_main() {

        // Create the executor for an in-process function with one observer for edge coverage and one for the execution time
        #[cfg(target_os = "linux")]
-        let mut executor = InProcessExecutor::batched_timeouts(
+        let mut executor = InProcessExecutor::batched_timeout(
            &mut harness,
            tuple_list!(edges_observer, time_observer),
            &mut fuzzer,
--- a/libafl_targets/src/sancov_pcguard.rs
+++ b/libafl_targets/src/sancov_pcguard.rs
@ -20,14 +20,33 @@ compile_error!(
    "the libafl_targets `sancov_pcguard_edges` and `sancov_pcguard_hitcounts` features are mutually exclusive."
 );

+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
+use core::ops::ShlAssign;
+
 #[cfg(feature = "sancov_ngram4")]
 #[rustversion::nightly]
 type Ngram4 = core::simd::u32x4;

+#[cfg(feature = "sancov_ngram8")]
+#[rustversion::nightly]
+type Ngram8 = core::simd::u32x8;
+
 /// The array holding the previous locs. This is required for NGRAM-4 instrumentation
 #[cfg(feature = "sancov_ngram4")]
 #[rustversion::nightly]
-pub static mut PREV_ARRAY: Ngram4 = Ngram4::from_array([0, 0, 0, 0]);
+pub static mut PREV_ARRAY_4: Ngram4 = Ngram4::from_array([0, 0, 0, 0]);
+
+#[cfg(feature = "sancov_ngram8")]
+#[rustversion::nightly]
+pub static mut PREV_ARRAY_8: Ngram8 = Ngram8::from_array([0, 0, 0, 0, 0, 0, 0, 0]);
+
+#[cfg(feature = "sancov_ngram4")]
+#[rustversion::nightly]
+pub static SHR_4: Ngram4 = Ngram4::from_array([1, 1, 1, 1]);
+
+#[cfg(feature = "sancov_ngram8")]
+#[rustversion::nightly]
+pub static SHR_8: Ngram8 = Ngram8::from_array([1, 1, 1, 1, 1, 1, 1, 1]);

 /// The hook to initialize ngram everytime we run the harness
 #[cfg(feature = "sancov_ngram4")]
@ -40,7 +59,7 @@ pub struct NgramHook {}
 #[derive(Default, Debug, Clone, Copy)]
 pub struct CtxHook {}

-#[cfg(feature = "sancov_ngram4")]
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 #[rustversion::nightly]
 impl ExecutorHook for NgramHook {
    fn init<E: HasObservers, S>(&mut self, _state: &mut S) {}
@ -51,8 +70,14 @@ impl ExecutorHook for NgramHook {
        _mgr: &mut EM,
        _input: &I,
    ) {
+        #[cfg(feature = "sancov_ngram4")]
        unsafe {
-            PREV_ARRAY = Ngram4::from_array([0, 0, 0, 0]);
+            PREV_ARRAY_4 = Ngram4::from_array([0, 0, 0, 0]);
+        }
+
+        #[cfg(feature = "sancov_ngram8")]
+        unsafe {
+            PREV_ARRAY_8 = Ngram8::from_array([0, 0, 0, 0, 0, 0, 0, 0])
        }
    }
    fn post_exec<EM, I, S, Z>(
@ -90,21 +115,31 @@ impl ExecutorHook for CtxHook {
 }

 #[rustversion::nightly]
-#[cfg(feature = "sancov_ngram4")]
-unsafe fn update_ngram(mut pos: usize) -> usize {
+#[allow(unused)]
+#[inline]
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
+unsafe fn update_ngram(pos: usize) -> usize {
+    let mut reduced = pos;
    #[cfg(feature = "sancov_ngram4")]
    {
-        PREV_ARRAY = PREV_ARRAY.rotate_elements_right::<1>();
-        PREV_ARRAY.as_mut_array()[0] = pos as u32;
-        let reduced = PREV_ARRAY.reduce_xor() as usize;
-        pos ^= reduced;
-        pos %= EDGES_MAP_SIZE;
+        PREV_ARRAY_4 = PREV_ARRAY_4.rotate_elements_right::<1>();
+        PREV_ARRAY_4.shl_assign(SHR_4);
+        PREV_ARRAY_4.as_mut_array()[0] = pos as u32;
+        reduced = PREV_ARRAY_4.reduce_xor() as usize;
    }
-    pos
+    #[cfg(feature = "sancov_ngram8")]
+    {
+        PREV_ARRAY_8 = PREV_ARRAY_8.rotate_elements_right::<1>();
+        PREV_ARRAY_8.shl_assign(SHR_8);
+        PREV_ARRAY_8.as_mut_array()[0] = pos as u32;
+        reduced = PREV_ARRAY_8.reduce_xor() as usize;
+    }
+    reduced %= EDGES_MAP_SIZE;
+    reduced
 }

 #[rustversion::not(nightly)]
-#[cfg(feature = "sancov_ngram4")]
+#[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 unsafe fn update_ngram(pos: usize) -> usize {
    pos
 }
@ -124,7 +159,7 @@ extern "C" {
 pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: *mut u32) {
    let mut pos = *guard as usize;

-    #[cfg(feature = "sancov_ngram4")]
+    #[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
    {
        pos = update_ngram(pos);
        // println!("Wrinting to {} {}", pos, EDGES_MAP_SIZE);