perf(core): cut candidate scoring and hash sequence overhead

[r0ny123]

Summary

Three related, behavior-preserving hot-path tweaks. Single optimization class: avoidable per-call Python overhead in Intel candidate scoring and PIC/OPC hash sequence assembly.

1. PIC/OPC hash byte conversion (SmdaFunction, SmdaBasicBlock)

Replace bytes([ord(c) for c in "".join(seqs)]) with "".join(seqs).encode("ascii") in the four hash-sequence helpers (getPicHashSequence, getOpcHashSequence, getPicBlockHashSequence, getOpcBlockHashSequence).

The escaper only emits ASCII (hex chars + ?), so the encoded bytes are bit-identical. The per-character Python loop is gone.

2. Hoist sorted prologue lengths (FunctionCandidate)

sorted([int(length_str) for length_str in COMMON_PROLOGUES], reverse=True) was rebuilt on every call to hasCommonFunctionStart / getFunctionStartScore. Both are reached from calculateScore, getCharacteristics, __str__, and toJson, so every candidate touched the list many times. Lifted to module-level _COMMON_PROLOGUE_LENGTHS.

3. call_ref_sources list → set (FunctionCandidate)

The inner CFG-recovery loop does addr not in call_ref_sources on every call instruction; with a list that's O(n) per call and quadratic for hot targets (popular runtime stubs accumulate many sources). Set makes add/discard/membership O(1). Verified no external order dependence (grep across src/ and tests/): only len() and truthiness are used externally. The single [0] read was inside __str__'s len == 1 branch and is now next(iter(...)).

Measurements (focused bench, asprox fixture, Python 3.11.15)

Path	Before	After	Δ
calculateScore × 200_000	322.2 ms	179.9 ms	−44%
getPicBlockHashSequence × 2140 blocks	36.3 ms	31.1 ms	−14%
getOpcHashSequence × 105 funcs	47.3 ms	43.7 ms	−8%
getOpcBlockHashSequence × 2140 blocks	50.3 ms	47.6 ms	−5%
getPicHashSequence × 105 funcs	31.0 ms	30.1 ms	−3%
disassembleBuffer (e2e, asprox)	1617 ms	1579 ms	−2.4%

Microbench on a representative 3.7 KB escaped sequence: bytes([ord(c) for c in s]) vs s.encode("ascii") is ~600x slower per call — the e2e gain looks small because Capstone/escaper work dominates a single call, but the cost scales linearly with function/block count, so larger binaries see proportionally larger absolute savings.

Behavior compatibility

• pic_hash, opc_hash, and serialized report sha256 unchanged on asprox.
• Public report schema unchanged.
• All 90 tests + 43 subtests pass.
• make lint (ruff check + format check) clean.

Test plan

• python -m pytest tests/test* — 90 passed, 43 subtests passed in 13.56 s
• python -m ruff check . — All checks passed
• python -m ruff format --check . — 94 files already formatted
• Before/after benchmark on asprox fixture (numbers above)
• Verified report serialization assertions in testIntegration.testAsproxMarshalling / testCutwailMarshalling still hold

Residual perf risk

None expected. Set iteration order isn't insertion order, but no caller reads call_ref_sources in an order-dependent way. The only read of an element by index was the __str__ single-element case, which by definition has one element.

Out of scope for this branch (noted during the sweep, deferred)

• IndirectCallAnalyzer.searchBlock is O(blocks × instructions) inside a 3-deep recursion — a one-shot addr → block index would help, but is more invasive.
• SmdaFunction.getNormalizedBlockRefs is recomputed unconditionally; safe caching requires tracking architecture_metadata mutation.
• BinaryInfo.getImportedFunctions calls PeSymbolProvider(None).parseSymbols(lief_result) and discards the result before re-instantiating for parseImports — looks like wasted work but warrants a separate audit of provider side effects.
• Loaders re-lief.parse() the same buffer across getArchitecture / getCodeAreas calls. BinaryInfo already caches, but the static *FileLoader accessors do not.