Skip to content

Commit

Permalink
perf: reduce the number of atoms generated for patterns that end in a…
Browse files Browse the repository at this point in the history
… wildcard

For example, for pattern `{01 02 ??}` generate a two-bytes atom `01 02` instead of 256 3-bytes atoms.
  • Loading branch information
plusvic committed Aug 10, 2023
1 parent d11413c commit b289619
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 2 deletions.
2 changes: 1 addition & 1 deletion yara-x/src/compiler/atoms/quality.rs
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ where
// bytes_present corresponds to that unique byte.
match bytes_present.first_one().unwrap() {
0x00 | 0x20 | 0x90 | 0xcc | 0xff => {
q -= 10 * atom_len as i32;
q -= 10 * atom_len;
}
_ => {
q += 2;
Expand Down
17 changes: 16 additions & 1 deletion yara-x/src/re/compiler.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1035,7 +1035,9 @@ fn concat_seq(seqs: &[Seq]) -> Option<Seq> {
}
}

for seq in seqs.iter().take(DESIRED_ATOM_SIZE) {
let mut it = seqs.iter().take(DESIRED_ATOM_SIZE).peekable();

while let Some(seq) = it.next() {
// If the cross product of `result` with `seq` produces too many
// literals, stop trying to add more sequences to the result and
// return what we have so far.
Expand All @@ -1045,6 +1047,19 @@ fn concat_seq(seqs: &[Seq]) -> Option<Seq> {
_ => {}
}

// If this is the last sequence, and it is a sequence of exactly
// 256 bytes, we better ignore it because the last byte is actually
// useless. This is the case with a pattern like { 01 02 ?? }, where
// the ?? at the end triggers this condition. In a case like this one
// don't want 256 3-bytes literals, we better have a single 2-bytes
// literal.
if it.peek().is_none()
&& matches!(seq.len(), Some(256))
&& matches!(seq.max_literal_len(), Some(1))
{
break;
}

// If every element in the sequence is inexact, then a cross
// product will always be a no-op. Thus, there is nothing else we
// can add to it and can quit early. Note that this also includes
Expand Down

0 comments on commit b289619

Please sign in to comment.