Enable SIMD acceleration for stable rust toolchain (#3140)

* initial support

* migrate SAND

* Update comments

* Fmt

* Clippy

* Fix missing docs

* fmt fix

* clippy again

* weird clippy

* clippy

* Fix

* Allow new SIMDMapFeedback

* Fix features

* Fix features again

* Allow custom names

* Fix imports

* Fix imports

* Fmt

* Fix missing implementations

* Requires std to simd

* DO NOT Overwrite names

* Format toml

* no_std fix

* fmt

* Use SIMDMapFeedback for libfuzzer_libpng

* no_std (?)

* clippy

* fix no_alloc

* allow cargo docs to enable all features

* clippy again

* Fix missing import

* Fix cargo docs

* Naive simplify_map doesn't require wide

* Accidentally commit the file

* more fine grined features

* Fix clippy.ps1

* Fix wide256 for simplify_map

* Renaming to SimdMapFeedback

* Dynamic dispatch

* Fix naming

* Move to simd.rs

* clippy

* clippy

* dispatch earlier

* Fix clippy

* clippy

* clippy

* Revert previous change

* Fix comments

* Update comments for std_covmap_is_interesting

* remove SIMD and choose fastest implementation based on target_arch

* no longer nightly imports

* Fix

* upstream benchmark code

* Fix docs

* Fix libfuzzer_libpng

* Disable clippy for benchmark

* clippy

* clippy again

---------

Co-authored-by: Dongjia "toka" Zhang <[email protected]>

Author: wtdcode

fuzzers/inprocess/libfuzzer_libpng/src/lib.rs

@@ -62,6 +62,8 @@ pub extern "C" fn libafl_main() {
 #[cfg(not(test))]
 fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Result<(), Error> {
     // 'While the stats are state, they are usually used in the broker - which is likely never restarted
+
+    use libafl::feedbacks::simd::{SimdImplmentation, SimdMapFeedback};
     let monitor = MultiMonitor::new(|s| println!("{s}"));
 
     // The restarting state will spawn the same process again as child, then restarted it each time it crashes.
@@ -93,8 +95,7 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
     // Create an observation channel to keep track of the execution time
     let time_observer = TimeObserver::new("time");
 
-    let map_feedback = MaxMapFeedback::new(&edges_observer);
-
+    let map_feedback = SimdMapFeedback::new(MaxMapFeedback::new(&edges_observer));
     let calibration = CalibrationStage::new(&map_feedback);
 
     // Feedback to rate the interestingness of an input

libafl/Cargo.toml

@@ -39,6 +39,7 @@ default = [
   "regex",
   "serdeany_autoreg",
   "libafl_bolts/xxh3",
+  "stable_simd",
 ]
 document-features = ["dep:document-features"]
 
@@ -195,6 +196,9 @@ nautilus = [
   "regex",
 ]
 
+## Use the best SIMD implementation by our [benchmark](https://github.com/wtdcode/libafl_simd_bench)
+stable_simd = ["libafl_bolts/stable_simd"]
+
 [[example]]
 name = "tui_mock"
 path = "./examples/tui_mock/main.rs"

libafl/src/executors/sand.rs

@@ -9,6 +9,7 @@ use core::marker::PhantomData;
 
 use libafl_bolts::{
     AsIter, Error, Named, hash_std,
+    simd::std_simplify_map,
     tuples::{Handle, MatchName, MatchNameRef},
 };
 
@@ -148,14 +149,10 @@ where
         let kind = self.executor.run_target(fuzzer, state, mgr, input)?;
         let ot = self.executor.observers();
         let ob = ot.get(&self.ob_ref).unwrap().as_ref();
-        let initial = ob.initial();
         let mut covs = ob.to_vec();
         match self.pattern {
             SANDExecutionPattern::SimplifiedTrace => {
-                // TODO: SIMD Optimizations
-                for it in &mut covs {
-                    *it = if *it == initial { 0x1 } else { 0x80 };
-                }
+                std_simplify_map(&mut covs);
             }
             SANDExecutionPattern::UniqueTrace => {
                 classify_counts(covs.as_mut_slice());

libafl/src/feedbacks/map.rs

@@ -1,18 +1,16 @@
 //! Map feedback, maximizing or minimizing maps, for example the afl-style map observer.
 
 use alloc::{borrow::Cow, vec::Vec};
-#[rustversion::nightly]
-use core::simd::prelude::SimdOrd;
 use core::{
     fmt::Debug,
     marker::PhantomData,
     ops::{BitAnd, BitOr, Deref, DerefMut},
 };
 
 #[rustversion::nightly]
-use libafl_bolts::AsSlice;
+use libafl_bolts::simd::std_covmap_is_interesting;
 use libafl_bolts::{
-    AsIter, HasRefCnt, Named,
+    AsIter, AsSlice, HasRefCnt, Named,
     tuples::{Handle, Handled, MatchName, MatchNameRef},
 };
 use num_traits::PrimInt;
@@ -548,7 +546,7 @@ where
         observers: &OT,
         _exit_kind: &ExitKind,
     ) -> Result<bool, Error> {
-        Ok(self.is_interesting_u8_simd_optimized(state, observers))
+        Ok(self.is_interesting_u8_simd_optimized(state, observers, std_covmap_is_interesting))
     }
 }
 
@@ -604,117 +602,6 @@ where
     }
 }
 
-/// Specialize for the common coverage map size, maximization of u8s
-#[rustversion::nightly]
-impl<C, O> MapFeedback<C, DifferentIsNovel, O, MaxReducer>
-where
-    O: MapObserver<Entry = u8> + for<'a> AsSlice<'a, Entry = u8> + for<'a> AsIter<'a, Item = u8>,
-    C: CanTrack + AsRef<O>,
-{
-    fn is_interesting_u8_simd_optimized<S, OT>(&mut self, state: &mut S, observers: &OT) -> bool
-    where
-        S: HasNamedMetadata,
-        OT: MatchName,
-    {
-        // 128 bits vectors
-        type VectorType = core::simd::u8x16;
-
-        let mut interesting = false;
-        // TODO Replace with match_name_type when stable
-        let observer = observers.get(&self.map_ref).expect("MapObserver not found. This is likely because you entered the crash handler with the wrong executor/observer").as_ref();
-
-        let map_state = state
-            .named_metadata_map_mut()
-            .get_mut::<MapFeedbackMetadata<u8>>(&self.name)
-            .unwrap();
-        let size = observer.usable_count();
-        let len = observer.len();
-        if map_state.history_map.len() < len {
-            map_state.history_map.resize(len, u8::default());
-        }
-
-        let map = observer.as_slice();
-        debug_assert!(map.len() >= size);
-
-        let history_map = map_state.history_map.as_slice();
-
-        // Non vector implementation for reference
-        /*for (i, history) in history_map.iter_mut().enumerate() {
-            let item = map[i];
-            let reduced = MaxReducer::reduce(*history, item);
-            if DifferentIsNovel::is_novel(*history, reduced) {
-                *history = reduced;
-                interesting = true;
-                if self.novelties.is_some() {
-                    self.novelties.as_mut().unwrap().push(i);
-                }
-            }
-        }*/
-
-        let steps = size / VectorType::LEN;
-        let left = size % VectorType::LEN;
-
-        if let Some(novelties) = self.novelties.as_mut() {
-            novelties.clear();
-            for step in 0..steps {
-                let i = step * VectorType::LEN;
-                let history = VectorType::from_slice(&history_map[i..]);
-                let items = VectorType::from_slice(&map[i..]);
-
-                if items.simd_max(history) != history {
-                    interesting = true;
-                    unsafe {
-                        for j in i..(i + VectorType::LEN) {
-                            let item = *map.get_unchecked(j);
-                            if item > *history_map.get_unchecked(j) {
-                                novelties.push(j);
-                            }
-                        }
-                    }
-                }
-            }
-
-            for j in (size - left)..size {
-                unsafe {
-                    let item = *map.get_unchecked(j);
-                    if item > *history_map.get_unchecked(j) {
-                        interesting = true;
-                        novelties.push(j);
-                    }
-                }
-            }
-        } else {
-            for step in 0..steps {
-                let i = step * VectorType::LEN;
-                let history = VectorType::from_slice(&history_map[i..]);
-                let items = VectorType::from_slice(&map[i..]);
-
-                if items.simd_max(history) != history {
-                    interesting = true;
-                    break;
-                }
-            }
-
-            if !interesting {
-                for j in (size - left)..size {
-                    unsafe {
-                        let item = *map.get_unchecked(j);
-                        if item > *history_map.get_unchecked(j) {
-                            interesting = true;
-                            break;
-                        }
-                    }
-                }
-            }
-        }
-        #[cfg(feature = "track_hit_feedbacks")]
-        {
-            self.last_result = Some(interesting);
-        }
-        interesting
-    }
-}
-
 impl<C, N, O, R> HasObserverHandle for MapFeedback<C, N, O, R> {
     type Observer = C;
 
@@ -789,6 +676,67 @@ where
     }
 }
 
+/// Specialize for the common coverage map size, maximization of u8s
+impl<C, O> MapFeedback<C, DifferentIsNovel, O, MaxReducer>
+where
+    O: MapObserver<Entry = u8> + for<'a> AsSlice<'a, Entry = u8> + for<'a> AsIter<'a, Item = u8>,
+    C: CanTrack + AsRef<O>,
+{
+    #[allow(dead_code)] // this is true on stable wihout "stable_simd"
+    pub(crate) fn is_interesting_u8_simd_optimized<S, OT, F>(
+        &mut self,
+        state: &mut S,
+        observers: &OT,
+        simd: F,
+    ) -> bool
+    where
+        S: HasNamedMetadata,
+        OT: MatchName,
+        F: FnOnce(&[u8], &[u8], bool) -> (bool, Vec<usize>),
+    {
+        // TODO Replace with match_name_type when stable
+        let observer = observers.get(&self.map_ref).expect("MapObserver not found. This is likely because you entered the crash handler with the wrong executor/observer").as_ref();
+
+        let map_state = state
+            .named_metadata_map_mut()
+            .get_mut::<MapFeedbackMetadata<u8>>(&self.name)
+            .unwrap();
+        let size = observer.usable_count();
+        let len = observer.len();
+        if map_state.history_map.len() < len {
+            map_state.history_map.resize(len, u8::default());
+        }
+
+        let map = observer.as_slice();
+        debug_assert!(map.len() >= size);
+
+        let history_map = map_state.history_map.as_slice();
+
+        // Non vector implementation for reference
+        /*for (i, history) in history_map.iter_mut().enumerate() {
+            let item = map[i];
+            let reduced = MaxReducer::reduce(*history, item);
+            if DifferentIsNovel::is_novel(*history, reduced) {
+                *history = reduced;
+                interesting = true;
+                if self.novelties.is_some() {
+                    self.novelties.as_mut().unwrap().push(i);
+                }
+            }
+        }*/
+
+        let (interesting, novelties) = simd(history_map, &map, self.novelties.is_some());
+        if let Some(nov) = self.novelties.as_mut() {
+            *nov = novelties;
+        }
+        #[cfg(feature = "track_hit_feedbacks")]
+        {
+            self.last_result = Some(interesting);
+        }
+        interesting
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use crate::feedbacks::{AllIsNovel, IsNovel, NextPow2IsNovel};

libafl/src/feedbacks/mod.rs

@@ -46,6 +46,8 @@ pub mod map;
 pub mod nautilus;
 #[cfg(feature = "std")]
 pub mod new_hash_feedback;
+#[cfg(feature = "stable_simd")]
+pub mod simd;
 #[cfg(feature = "std")]
 pub mod stdio;
 pub mod transferred;