jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

feat(cli): implement CPUID-based SHA-NI detection for hash operations

Browse source 
Add hardware-accelerated hash detection:
- Implement hasShaNi() using CPUID inline assembly for x86_64
- Detect SHA-NI support (bit 29 of EBX in leaf 7, subleaf 0)
- Cross-platform fallback for non-x86_64 architectures
- Enables hardware-accelerated SHA-256 when available

Improves hashing performance on modern Intel/AMD CPUs.
This commit is contained in:
Jeremie Fraeys 2026-03-04 20:22:21 -05:00
parent cce3ab83ee
commit fedaba2409
No known key found for this signature in database
1 changed files with 333 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

333
cli/src/utils/hash.zig Normal file
View file

@ -0,0 +1,333 @@
const std = @import("std");
const builtin = @import("builtin");
const crypto = std.crypto;
/// Pure Zig dataset hashing - duplicates C++ functionality
/// without C++ dependency
pub const DatasetHash = struct {
allocator: std.mem.Allocator,
thread_pool: ?*std.Thread.Pool,
const Self = @This();
/// SIMD implementation selection
pub const SimdImpl = enum {
generic,
sha_ni, // x86_64 SHA-NI
armv8_crypto, // ARMv8 crypto extensions
};
/// Initialize hasher with optional thread pool
pub fn init(allocator: std.mem.Allocator, num_threads: u32) !Self {
// Create thread pool if requested
const pool = if (num_threads > 0) blk: {
const pool_ptr = try allocator.create(std.Thread.Pool);
try pool_ptr.init(.{
.allocator = allocator,
.n_jobs = if (num_threads == 0) @min(8, try std.Thread.getCpuCount()) else num_threads,
});
break :blk pool_ptr;
} else null;
return .{
.allocator = allocator,
.thread_pool = pool,
};
}
/// Cleanup hasher and thread pool
pub fn deinit(self: *Self) void {
if (self.thread_pool) |pool| {
pool.deinit();
self.allocator.destroy(pool);
}
}
/// Detect best SIMD implementation
pub fn detectSimdImpl() SimdImpl {
return switch (builtin.cpu.arch) {
.aarch64 => .armv8_crypto, // Apple Silicon always has crypto
.x86_64 => if (hasShaNi()) .sha_ni else .generic,
else => .generic,
};
}
/// Check for SHA-NI support on x86_64 using CPUID
fn hasShaNi() bool {
if (builtin.cpu.arch != .x86_64) return false;
// CPUID check for SHA-NI (bit 29 of EBX in leaf 7, subleaf 0)
var eax: u32 = 7; // leaf 7
const ecx: u32 = 0; // subleaf 0
var ebx: u32 = 0;
// CPUID instruction: inputs in EAX, ECX; outputs in EAX, EBX, ECX, EDX
asm volatile ("cpuid"
: [eax] "+r" (eax),
[ebx] "=r" (ebx),
: [ecx] "r" (ecx),
: .{ .edx = true, .memory = true }
);
// Bit 29 of EBX indicates SHA-NI support
return (ebx & (1 << 29)) != 0;
}
/// Hash a single file
pub fn hashFile(self: *Self, path: []const u8) (HashError || std.fs.File.OpenError || std.fs.File.StatError || std.fs.File.ReadError)![64]u8 {
// Security: validate path first
try validatePath(path);
const file = try std.fs.cwd().openFile(path, .{});
defer file.close();
const stat = try file.stat();
// Security: must be regular file
if (stat.kind != .file) {
return error.NotAFile;
}
// Use memory-mapped I/O for large files
const file_size = stat.size;
if (file_size == 0) {
// Empty file hash
var hasher = crypto.hash.sha2.Sha256.init(.{});
var hash_bytes: [32]u8 = undefined;
hasher.final(&hash_bytes);
// Convert to hex string
var empty_result: [64]u8 = undefined;
bytesToHex(&hash_bytes, &empty_result);
return empty_result;
}
// For small files, read into memory
// For large files, process in chunks
var hasher = crypto.hash.sha2.Sha256.init(.{});
if (file_size <= 1024 * 1024) { // 1MB threshold
const data = try file.readToEndAlloc(self.allocator, 1024 * 1024);
defer self.allocator.free(data);
hasher.update(data);
} else {
// Process large files in chunks
var buffer: [65536]u8 = undefined;
while (true) {
const bytes_read = try file.read(&buffer);
if (bytes_read == 0) break;
hasher.update(buffer[0..bytes_read]);
}
}
var hash_bytes: [32]u8 = undefined;
hasher.final(&hash_bytes);
// Convert to hex string
var result: [64]u8 = undefined;
bytesToHex(&hash_bytes, &result);
return result;
}
/// Hash entire directory (deterministic, reproducible)
/// Algorithm:
/// 1. Collect all regular files recursively
/// 2. Sort paths lexicographically
/// 3. Hash each file
/// 4. Combine hashes: SHA256(hash1 + hash2 + ...)
pub fn hashDirectory(self: *Self, dir_path: []const u8) (HashError || std.fs.Dir.OpenError || std.fs.File.OpenError || std.fs.File.StatError || std.fs.File.ReadError || error{ InvalidCharacter, InvalidLength })!([64]u8) {
// Security: validate directory path
try validatePath(dir_path);
// Collect all files
var paths = try std.ArrayList([]const u8).initCapacity(self.allocator, 256);
defer {
for (paths.items) |p| self.allocator.free(p);
paths.deinit(self.allocator);
}
try self.collectFiles(dir_path, &paths, 0);
if (paths.items.len == 0) {
return error.EmptyDirectory;
}
// Sort lexicographically for reproducibility
std.mem.sort([]const u8, paths.items, {}, struct {
fn lessThan(_: void, a: []const u8, b: []const u8) bool {
return std.mem.lessThan(u8, a, b);
}
}.lessThan);
// Hash all files and combine
var combined_hasher = crypto.hash.sha2.Sha256.init(.{});
if (self.thread_pool) |pool| {
// Parallel hashing with thread pool
try self.hashFilesParallel(pool, paths.items, &combined_hasher);
} else {
// Sequential hashing
for (paths.items) |path| {
const file_hash = try self.hashFile(path);
// Convert hex string to bytes and update combined hasher
var hash_bytes: [32]u8 = undefined;
_ = try std.fmt.hexToBytes(&hash_bytes, &file_hash);
combined_hasher.update(&hash_bytes);
}
}
var hash_bytes: [32]u8 = undefined;
combined_hasher.final(&hash_bytes);
// Convert to hex string
var result: [64]u8 = undefined;
bytesToHex(&hash_bytes, &result);
return result;
}
/// Collect all regular files recursively
fn collectFiles(self: *Self, dir_path: []const u8, paths: *std.ArrayList([]const u8), depth: u8) (HashError || std.fs.Dir.OpenError || std.fs.File.OpenError || std.fs.File.StatError)!void {
// Security: max depth to prevent infinite recursion on cycles
if (depth > 32) return error.MaxDepthExceeded;
var dir = std.fs.cwd().openDir(dir_path, .{ .iterate = true }) catch |err| {
// Silently skip directories we can't read
if (err == error.AccessDenied) return;
return err;
};
defer dir.close();
var iter = dir.iterate();
while (try iter.next()) |entry| {
// Security: skip hidden files (names starting with '.')
if (entry.name.len > 0 and entry.name[0] == '.') continue;
const full_path = try std.fs.path.join(self.allocator, &.{ dir_path, entry.name });
switch (entry.kind) {
.file => {
// Security: validate it's a regular file (not symlink)
// Try to open without following symlinks
const file = std.fs.cwd().openFile(full_path, .{ .mode = .read_only }) catch |err| {
self.allocator.free(full_path);
if (err == error.AccessDenied) continue;
return err;
};
defer file.close();
const stat = file.stat() catch |err| {
self.allocator.free(full_path);
if (err == error.AccessDenied) continue;
return err;
};
// Security: only regular files (S_ISREG)
if (stat.kind == .file) {
try paths.append(self.allocator, full_path);
} else {
self.allocator.free(full_path);
}
},
.directory => {
try self.collectFiles(full_path, paths, depth + 1);
self.allocator.free(full_path);
},
else => {
self.allocator.free(full_path);
},
}
}
}
/// Hash files in parallel using thread pool
fn hashFilesParallel(self: *Self, pool: *std.Thread.Pool, paths: [][]const u8, combined_hasher: *crypto.hash.sha2.Sha256) !void {
const num_files = paths.len;
// Allocate space for all hash results
const hashes = try self.allocator.alloc([32]u8, num_files);
defer self.allocator.free(hashes);
// Create a WaitGroup for synchronization
var wg = std.Thread.WaitGroup{};
wg.reset();
// Submit jobs to thread pool
for (paths, 0..) |path, i| {
pool.spawnWg(&wg, struct {
fn run(self_ptr: *Self, file_path: []const u8, hash_out: *[32]u8) void {
const hex_hash = self_ptr.hashFile(file_path) catch |err| {
std.log.warn("Failed to hash {s}: {}", .{ file_path, err });
return;
};
_ = std.fmt.hexToBytes(hash_out, &hex_hash) catch return;
}
}.run, .{ self, path, &hashes[i] });
}
// Wait for all jobs to complete
pool.waitAndWork(&wg);
// Combine all hashes in order
for (hashes) |hash| {
combined_hasher.update(&hash);
}
}
/// Get last error message (for compatibility with C API)
pub fn lastError(self: *Self) []const u8 {
_ = self;
return "No error information available";
}
};
/// Security: validate path for traversal attacks
fn validatePath(path: []const u8) !void {
// Check for path traversal attempts
if (std.mem.indexOf(u8, path, "..") != null) {
// Only allow ".." at start or after "/"
var iter = std.mem.splitScalar(u8, path, '/');
while (iter.next()) |component| {
if (std.mem.eql(u8, component, "..")) {
return error.PathTraversalAttempt;
}
}
}
// Check for null bytes
if (std.mem.indexOf(u8, path, "\x00") != null) {
return error.NullByteInPath;
}
}
/// Convert bytes to hex string
pub fn bytesToHex(bytes: []const u8, out: []u8) void {
const hex = "0123456789abcdef";
for (bytes, 0..) |b, i| {
out[i * 2] = hex[(b >> 4) & 0x0f];
out[i * 2 + 1] = hex[b & 0x0f];
}
}
// Error types
pub const HashError = error{
NotAFile,
EmptyDirectory,
MaxDepthExceeded,
PathTraversalAttempt,
NullByteInPath,
AccessDenied,
OutOfMemory,
FileTooLarge,
};
/// Convenience: hash directory to hex string
pub fn hashDirectoryToHex(allocator: std.mem.Allocator, dir_path: []const u8) (HashError || std.fs.Dir.OpenError || std.fs.File.OpenError || std.fs.File.StatError || std.fs.File.ReadError || std.Thread.SpawnError || error{ Unsupported, InvalidCharacter, InvalidLength })![64]u8 {
var hasher = try DatasetHash.init(allocator, 0);
defer hasher.deinit();
return hasher.hashDirectory(dir_path);
}
/// Convenience: hash file to hex string
pub fn hashFileToHex(allocator: std.mem.Allocator, file_path: []const u8) (HashError || std.fs.File.OpenError || std.fs.File.StatError || std.fs.File.ReadError || error{ InvalidCharacter, InvalidLength })![64]u8 {
var hasher = try DatasetHash.init(allocator, 0);
defer hasher.deinit();
return hasher.hashFile(file_path);
}