perf: OnceLock regex caching, release profile, BLAKE3 mmap, deferred clone

Performance optimizations:
- Add [profile.release] with LTO, codegen-units=1, strip, panic=abort
- Cache 7 Regex compilations via OnceLock statics in analyzer.rs
  (avoids recompiling on every file, especially analyze_cross_language
  which runs on every source file in the project)
- Use BLAKE3 update_mmap for memory-mapped file hashing in assemblyline
- Remove raw_bytes.clone() in UTF-8 check (use str::from_utf8 borrow)
- Defer bindings.clone() in signature engine unify_fact until after
  variant match (avoids wasted allocation on mismatch path)
- Use as_deref() for signal comparison instead of allocating strings
- Add missing SPDX header to diagnostics.rs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: hyperpolymath

Cargo.lock

@@ -23,7 +23,7 @@ encoding_rs = "0.8"
 crossterm = "0.26"
 eframe = "0.27"
 rayon = "1.10"
-blake3 = "1.5"
+blake3 = { version = "1.5", features = ["mmap"] }
 sha2 = "0.10"
 hex = "0.4"
 getrandom = "0.2"
@@ -36,6 +36,13 @@ signing = ["ed25519-dalek"]
 [dev-dependencies]
 tempfile = "3.8"
 
+[profile.release]
+opt-level = 3
+lto = "thin"
+codegen-units = 1
+strip = "symbols"
+panic = "abort"
+
 [[bin]]
 name = "panic-attack"
 path = "src/main.rs"

Cargo.toml

@@ -13,6 +13,17 @@ use regex::Regex;
 use std::collections::{HashMap, HashSet};
 use std::fs;
 use std::path::{Path, PathBuf};
+use std::sync::OnceLock;
+
+/// Pre-compiled regexes for hot-path pattern matching.
+/// Using OnceLock avoids recompiling on every file analyzed.
+static RE_UNCHECKED_MALLOC: OnceLock<Regex> = OnceLock::new();
+static RE_ELIXIR_APPLY: OnceLock<Regex> = OnceLock::new();
+static RE_PONY_FFI: OnceLock<Regex> = OnceLock::new();
+static RE_SHELL_UNQUOTED_VAR: OnceLock<Regex> = OnceLock::new();
+static RE_HTTP_URL: OnceLock<Regex> = OnceLock::new();
+static RE_HTTP_LOCALHOST: OnceLock<Regex> = OnceLock::new();
+static RE_HARDCODED_SECRET: OnceLock<Regex> = OnceLock::new();
 
 pub struct Analyzer {
     target: PathBuf,
@@ -115,9 +126,10 @@ impl Analyzer {
                 }
             };
 
-            // Try UTF-8 first, then Latin-1 fallback
-            let content = match String::from_utf8(raw_bytes.clone()) {
-                Ok(s) => s,
+            // Try UTF-8 first, then Latin-1 fallback.
+            // Use str::from_utf8 to borrow rather than cloning raw_bytes.
+            let content = match std::str::from_utf8(&raw_bytes) {
+                Ok(s) => s.to_owned(),
                 Err(_) => {
                     let (cow, _, had_errors) = encoding_rs::WINDOWS_1252.decode(&raw_bytes);
                     if had_errors {
@@ -639,7 +651,7 @@ impl Analyzer {
         stats.threading_constructs += content.matches("pthread_").count();
         stats.threading_constructs += content.matches("std::thread").count();
 
-        let unchecked_malloc = Regex::new(r"malloc\([^)]+\)\s*;").unwrap();
+        let unchecked_malloc = RE_UNCHECKED_MALLOC.get_or_init(|| Regex::new(r"malloc\([^)]+\)\s*;").unwrap());
         if unchecked_malloc.is_match(content) {
             weak_points.push(WeakPoint {
                 category: WeakPointCategory::UncheckedAllocation,
@@ -1000,7 +1012,7 @@ impl Analyzer {
         }
 
         // Unsafe apply
-        let apply_re = Regex::new(r"apply\([^,]+,\s*[^,]+,").unwrap();
+        let apply_re = RE_ELIXIR_APPLY.get_or_init(|| Regex::new(r"apply\([^,]+,\s*[^,]+,").unwrap());
         if apply_re.is_match(content) {
             weak_points.push(WeakPoint {
                 category: WeakPointCategory::DynamicCodeExecution,
@@ -1787,7 +1799,7 @@ impl Analyzer {
         file_path: &str,
     ) -> Result<()> {
         // FFI calls (@ prefix)
-        let ffi_re = Regex::new(r"@[a-zA-Z_]\w*\[").unwrap();
+        let ffi_re = RE_PONY_FFI.get_or_init(|| Regex::new(r"@[a-zA-Z_]\w*\[").unwrap());
         let ffi_count = ffi_re.find_iter(content).count();
         stats.unsafe_blocks += ffi_count;
 
@@ -1914,7 +1926,7 @@ impl Analyzer {
         }
 
         // Unquoted variable expansion (potential injection)
-        let unquoted_var = Regex::new(r#"\$[A-Za-z_]\w*"#).unwrap();
+        let unquoted_var = RE_SHELL_UNQUOTED_VAR.get_or_init(|| Regex::new(r#"\$[A-Za-z_]\w*"#).unwrap());
         let dollar_vars = unquoted_var.find_iter(content).count();
         // Only flag if high number of unquoted vars
         if dollar_vars > 20 {
@@ -2119,9 +2131,9 @@ impl Analyzer {
     ) -> Result<()> {
         // HTTP (insecure) URLs - should be HTTPS
         // Count http:// URLs that are NOT localhost/127.0.0.1 (those are fine)
-        let http_re = Regex::new(r#"http://[a-zA-Z0-9]"#).unwrap();
-        let http_localhost_re =
-            Regex::new(r#"http://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])"#).unwrap();
+        let http_re = RE_HTTP_URL.get_or_init(|| Regex::new(r#"http://[a-zA-Z0-9]"#).unwrap());
+        let http_localhost_re = RE_HTTP_LOCALHOST.get_or_init(||
+            Regex::new(r#"http://(localhost|127\.0\.0\.1|0\.0\.0\.0|\[::1\])"#).unwrap());
         let http_total = http_re.find_iter(content).count();
         let http_local = http_localhost_re.find_iter(content).count();
         let http_count = http_total.saturating_sub(http_local);
@@ -2136,9 +2148,9 @@ impl Analyzer {
         }
 
         // Hardcoded secrets patterns
-        let secret_re = Regex::new(
+        let secret_re = RE_HARDCODED_SECRET.get_or_init(|| Regex::new(
             r#"(?i)(api[_-]?key|api[_-]?secret|password|passwd|secret[_-]?key|access[_-]?token|private[_-]?key)\s*[=:]\s*["'][^"']{8,}"#
-        ).unwrap();
+        ).unwrap());
         if secret_re.is_match(content) {
             weak_points.push(WeakPoint {
                 category: WeakPointCategory::HardcodedSecret,

src/assail/analyzer.rs

@@ -16,7 +16,6 @@ use rayon::prelude::*;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs;
-use std::io::Read;
 use std::path::{Path, PathBuf};
 
 /// Configuration for an assemblyline run.
@@ -173,18 +172,10 @@ fn collect_source_hashes(
     Ok(())
 }
 
-/// Hash a single file with BLAKE3
+/// Hash a single file with BLAKE3 using memory-mapped I/O for performance
 fn hash_file(path: &Path) -> Result<blake3::Hash> {
-    let mut file = fs::File::open(path)?;
     let mut hasher = blake3::Hasher::new();
-    let mut buf = [0u8; 16384];
-    loop {
-        let n = file.read(&mut buf)?;
-        if n == 0 {
-            break;
-        }
-        hasher.update(&buf[..n]);
-    }
+    hasher.update_mmap(path)?;
     Ok(hasher.finalize())
 }
 

src/assemblyline.rs

@@ -1,3 +1,5 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+
 use crate::a2ml::Manifest;
 use anyhow::{anyhow, Context, Result};
 use std::env;

src/diagnostics.rs

@@ -141,8 +141,8 @@ impl SignatureEngine {
     /// A variable name (uppercase string like "X") unifies with any string value.
     /// Location 0 in a pattern acts as a wildcard matching any location.
     fn unify_fact(&self, pattern: &Fact, fact: &Fact, bindings: &Bindings) -> Option<Bindings> {
-        let mut new_bindings = bindings.clone();
-
+        // Clone bindings only after confirming variant match to avoid
+        // wasted allocations on the common mismatch path.
         match (pattern, fact) {
             (
                 Fact::Alloc {
@@ -194,6 +194,7 @@ impl SignatureEngine {
                     location: floc,
                 },
             ) => {
+                let mut new_bindings = bindings.clone();
                 self.bind_var(pvar, &BoundValue::Str(fvar.clone()), &mut new_bindings)?;
                 self.bind_loc(*ploc, *floc, pvar, &mut new_bindings)?;
                 Some(new_bindings)
@@ -218,6 +219,7 @@ impl SignatureEngine {
                     location: floc,
                 },
             ) => {
+                let mut new_bindings = bindings.clone();
                 self.bind_var(pmut, &BoundValue::Str(fmut.clone()), &mut new_bindings)?;
                 self.bind_loc(*ploc, *floc, pmut, &mut new_bindings)?;
                 Some(new_bindings)
@@ -242,6 +244,7 @@ impl SignatureEngine {
                     location: floc,
                 },
             ) => {
+                let mut new_bindings = bindings.clone();
                 self.bind_var(pid, &BoundValue::Str(fid.clone()), &mut new_bindings)?;
                 self.bind_loc(*ploc, *floc, pid, &mut new_bindings)?;
                 Some(new_bindings)
@@ -256,11 +259,12 @@ impl SignatureEngine {
                     after: fa,
                 },
             ) => {
+                let mut new_bindings = bindings.clone();
                 self.bind_loc(*pb, *fb, "before", &mut new_bindings)?;
                 self.bind_loc(*pa, *fa, "after", &mut new_bindings)?;
                 Some(new_bindings)
             }
-            _ => None, // Variant mismatch — pattern doesn't match this fact
+            _ => None, // Variant mismatch — no clone wasted
         }
     }
 
@@ -490,14 +494,14 @@ impl SignatureEngine {
         }
 
         // Signal-based facts
-        if crash.signal == Some("SIGSEGV".to_string()) {
+        if crash.signal.as_deref() == Some("SIGSEGV") {
             facts.insert(Fact::Use {
                 var: "null_ptr".to_string(),
                 location: 0,
             });
         }
 
-        if crash.signal == Some("SIGABRT".to_string()) {
+        if crash.signal.as_deref() == Some("SIGABRT") {
             facts.insert(Fact::Free {
                 var: "abort_var".to_string(),
                 location: 0,
@@ -568,7 +572,7 @@ impl SignatureEngine {
         }
 
         // Null pointer dereference — SIGSEGV or explicit mention
-        if crash.signal == Some("SIGSEGV".to_string())
+        if crash.signal.as_deref() == Some("SIGSEGV")
             || stderr.contains("null pointer")
             || stderr.contains("nullptr")
             || stderr.contains("nil pointer")