I have submitted the issue https://bgithub.xyz/AFLplusplus/AFLplusplus/issues/2503 using my partner's account 'bigchengz'.
FIx isssue https://bgithub.xyz/AFLplusplus/AFLplusplus/issues/2503:Incorrect guard offset calculation for __afl_coverage_interesting calls and comparison instructions in FunctionGuardArray.
Description:
I've identified a buffer layout issue in the PCGUARD instrumentation mode, The FunctionGuardArray size calculation is correct but the offset calculations for special instrumentation guards is incorrect, which mabe leads to a buffer overflow.
Problem Analysis:
In instrumentation/SanitizerCoveragePCGUARD.so.cc:969-976, Since cnt_hidden_sel_inc is always 0 now，the FunctionGuardArray size is correctly calculated as:

AllBlocks.size() + (first + cnt_cov + cnt_sel_inc - skip_blocks)
However, the offset calculations for special calls and comparison instructions don't account for skip_blocks .

Expected Layout:

[0 to AllBlocks.size() - skip_blocks - 1] -> Used basic blocks
[AllBlocks.size() - skip_blocks to AllBlocks.size() - skip_blocks + cnt_cov - 1] -> Special calls
[AllBlocks.size() - skip_blocks + cnt_cov to ...] -> Comparison instructions
Current Layout:

[0 to AllBlocks.size() - skip_blocks - 1] -> Used basic blocks
[AllBlocks.size() - skip_blocks to AllBlocks.size() - 1] -> Unused space (wasted)
[AllBlocks.size() + 1 to AllBlocks.size() + cnt_cov] -> Special calls
[AllBlocks.size() + cnt_cov to ...] -> Comparison instructions
Specific Issues:

Special call (_afl_coverage_interesting ) offset calculation in instrumentation/SanitizerCoveragePCGUARD.so.cc:1017-1021:
Current: (++special + AllBlocks.size()) * 4
Should be: (special++ + AllBlocks.size() - skip_blocks) * 4
Comparison instructions offset calculation in instrumentation/SanitizerCoveragePCGUARD.so.cc:1117-1120:
Current: (cnt_cov + local_selects++ + AllBlocks.size())
Should be: (cnt_cov + local_selects++ + AllBlocks.size() - skip_blocks)