cmd/compile: inline calls to libfuzzerIncrementCounter

Author: kyakdan

src/cmd/compile/internal/typecheck/builtin.go

@@ -265,7 +265,6 @@ func libfuzzerTraceConstCmp1(uint8, uint8)
 func libfuzzerTraceConstCmp2(uint16, uint16)
 func libfuzzerTraceConstCmp4(uint32, uint32)
 func libfuzzerTraceConstCmp8(uint64, uint64)
-func libfuzzerIncrementCounter(*uint8)
 
 // This function should be called by the fuzz target on start to register the 8bit counters with libfuzzer
 func LibfuzzerInitializeCounters()

src/cmd/compile/internal/typecheck/builtin/runtime.go

@@ -451,11 +451,21 @@ func (o *orderState) edge() {
 	// is still necessary.
 	counter.Linksym().Type = objabi.SLIBFUZZER_8BIT_COUNTER
 
-	var init ir.Nodes
-	init.Append(mkcall("libfuzzerIncrementCounter", nil, &init, ir.NewAddrExpr(base.Pos, counter)))
-	for _, n := range init.Take() {
-		o.append(n)
-	}
+	// We guarantee that the counter never becomes zero again once it has been
+	// incremented once. This implementation follows the NeverZero optimization
+	// presented by the paper:
+	// "AFL++: Combining Incremental Steps of Fuzzing Research"
+	// The NeverZero policy avoids the overflow to 0 by always adding the carry flag
+	// to the counter and so, if an edge is executed at least one time, the entry is
+	// never 0. The Saturated Counters policy freezes the counter when it reaches
+	// the value of 255. In a range of experiments performed, it is observed that
+	// NeverZero is very effective and improves performance in terms of coverage and
+	// speed (the seed selection now takes into account edges that were hidden before).
+	// Saturated Counters, however, decreases the overall performance.
+	o.append(ir.NewIfStmt(base.Pos,
+		ir.NewBinaryExpr(base.Pos, ir.OEQ, counter, ir.NewInt(0xff)),
+		[]ir.Node{ir.NewAssignOpStmt(base.Pos, ir.OADD, counter, ir.NewInt(1))},
+		[]ir.Node{ir.NewAssignStmt(base.Pos, counter, ir.NewInt(1))}))
 }
 
 // orderBlock orders the block of statements in n into a new slice,

src/cmd/compile/internal/walk/order.go

@@ -18,8 +18,6 @@ import _ "unsafe" // for go:linkname
 //go:linkname libfuzzerTraceConstCmp4 runtime.libfuzzerTraceConstCmp4
 //go:linkname libfuzzerTraceConstCmp8 runtime.libfuzzerTraceConstCmp8
 
-//go:linkname libfuzzerIncrementCounter runtime.libfuzzerIncrementCounter
-
 func libfuzzerTraceCmp1(arg0, arg1 uint8)  {}
 func libfuzzerTraceCmp2(arg0, arg1 uint16) {}
 func libfuzzerTraceCmp4(arg0, arg1 uint32) {}
@@ -29,5 +27,3 @@ func libfuzzerTraceConstCmp1(arg0, arg1 uint8)  {}
 func libfuzzerTraceConstCmp2(arg0, arg1 uint16) {}
 func libfuzzerTraceConstCmp4(arg0, arg1 uint32) {}
 func libfuzzerTraceConstCmp8(arg0, arg1 uint64) {}
-
-func libfuzzerIncrementCounter(counter *uint8) {}

src/cmd/internal/goobj/builtinlist.go

@@ -59,18 +59,6 @@ func LibfuzzerInitializeCounters() {
 	libfuzzerCallTraceInit(&__sanitizer_cov_pcs_init, &pcTables[0], &pcTables[size-1])
 }
 
-// libfuzzerIncrementCounter guarantees that the counter never becomes zero
-// again once it has been incremented once. It implements the NeverZero
-// optimization presented by the paper:
-// "AFL++: Combining Incremental Steps of Fuzzing Research"
-func libfuzzerIncrementCounter(counter *uint8) {
-	if *counter == 0xff {
-		*counter = 1
-	} else {
-		*counter++
-	}
-}
-
 //go:linkname __sanitizer_cov_trace_cmp1 __sanitizer_cov_trace_cmp1
 //go:cgo_import_static __sanitizer_cov_trace_cmp1
 var __sanitizer_cov_trace_cmp1 byte