WindowServer connection never being terminated
Categories
(Core :: Security: Process Sandboxing, enhancement, P2)
Tracking
 | Tracking | Status |
---|---|---|
firefox95 | --- | fixed |
People
(Reporter: alex.plaskett, Assigned: haik)
Details
(Keywords: sec-want, Whiteboard: [adv-main95-])
Attachments
(1 file)
Comment 2•6 years ago
Comment 3•5 years ago (Assignee)
This may also depend on non-native for Mac. On 10.14, without the WindowServer, some HTML form elements such as radio buttons are not rendered. More debugging needed.
Comment 4•5 years ago
:handyman, do you think you could weigh in on the WebGL bits here? Without reproducing Alex's research - what bugs would you guess are blockers for this, to give us an idea of when we can re-evaluate the situation here?
Comment 5•5 years ago (Assignee)
For testing, setting the pref security.sandbox.content.mac.disconnect-windowserver=true (which doesn't exist by default) will change the sandbox rules to not allow the WindowServer connection.
Comment 6•5 years ago
Bug tracking for this is not great ATM but some useful bugs:
Bug 1621762 - Add IpdlQueue option for remote WebGL
Current WIP that adds functionality for Linux/Mac WebGL remoting. This will land soon.
Bug 1624726 - Refactor of WebGL remoting classes
Just some code cleanup.
Bug 1607940 - WebGL out-of-process prototype
The bug for landing webgl remoting turned on. ATM, this is only planned for Windows as there may well be bad performance regressions on other platforms (but that is not certain). If regressions aren't too bad then we will use this to enable all platforms. There are a few pieces of this that are still somewhat unsettled (I think just related to textures and VR) but otherwise the plan for this is concrete. We can make this the dependency for now.
Comment 7•5 years ago
I should clarify that bug 1621762 adds some behavior needed for Linux and Mac but won't be a complete working implementation that people can play with.
Comment 8•3 years ago (Assignee)
Drop the window server connection from the content process sandbox when out-of-process WebGL is enabled.
Comment 10•3 years ago
bugherder
Comment 11•3 years ago
(In reply to Pulsebot from comment #9)
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5aaf8123b97a
WindowServer connection never being terminated r=spohl
== Change summary for alert #32053 (as of Fri, 22 Oct 2021 11:58:42 GMT) ==
Improvements:
Ratio | Test | Platform | Options | Absolute values (old vs new) |
---|---|---|---|---|
74% | cpstartup content-process-startup | macosx1015-64-shippable-qr | e10s fission stylo webrender | 420.58 -> 109.33 |
73% | cpstartup content-process-startup | macosx1015-64-shippable-qr | e10s stylo webrender | 399.29 -> 108.92 |
72% | cpstartup content-process-startup | macosx1015-64-shippable-qr | e10s stylo webrender | 386.08 -> 109.92 |
70% | cpstartup content-process-startup | macosx1015-64-shippable-qr | e10s fission stylo webrender | 369.21 -> 112.00 |
70% | cpstartup content-process-startup | macosx1015-64-shippable-qr | e10s stylo webrender-sw | 385.96 -> 117.25 |
... | ... | ... | ... | ... |
7% | perf_reftest_singletons coalesce-2.html | macosx1014-64-shippable-qr | e10s stylo webrender | 205.19 -> 190.66 |
For up to date results, see: https://treeherder.mozilla.org/perfherder/alerts?id=32053
Comment 12•3 years ago (Assignee)
On a MacBook Pro 13-inch, M1, 2020, the change in cpstartup with the profiler running is around a 30% reduction (from 70ms to 48ms) from some quick measurements.
One noticeable difference in the profiles on the 2020 M1 with/without the fix is that before removing WindowServer access, the call to mozilla::ipc::SetThisProcessName() ends up in macOS SkyLight function SLSMainConnectionID() presumably getting the WindowServer connection info which takes ~20ms. This gets skipped with this change and that amounts to most of the difference on this faster machine. (Faster when compared to the CI test machines.)