Closed Bug 1501126 Opened 6 years ago Closed 6 years ago

[Mac] Enable sandbox early startup by default on Nightly

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Product:
Core
Component:
Security: Process Sandboxing
Version:
65 Branch
Platform:
Unspecified
macOS
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox65 --- fixed

People

(Reporter: haik, Assigned: haik)

References

(Depends on 1 open bug)

Details

Attachments

(1 file)

Bug 1501126 - [Mac] Enable sandbox early startup by default on Nightly r?Alex_Gaynor
47 bytes, text/x-phabricator-request
Details | Review 
Enable the early startup mode of the Mac content sandbox by default in Nightly by default (by setting security.sandbox.content.mac.earlyinit=true).
Assignee: nobody → haftandilian
Depends on: 1501121, 1431441
Priority: -- → P1
Depends on: 1502228
From bug 1431441 comment 33 by Ionut
> Before the backout, we noticed these big performance regressions:
> 
> == Change summary for alert #16766 (as of Fri, 12 Oct 2018 13:23:55 GMT) ==
> 
> Regressions:
> 
> 16%  sessionrestore osx-10-10 opt e10s stylo                     640.67 -> 745.17
> 13%  ts_paint osx-10-10 opt e10s stylo                           707.67 -> 802.83
> 13%  sessionrestore_no_auto_restore osx-10-10 opt e10s stylo     675.29 -> 764.67
> 13%  ts_paint_webext osx-10-10 opt e10s stylo                    712.33 -> 803.92
> 
> For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=16766

The changes move our call to sandbox_init_with_parameters() in content processes from being run on the main thread event loop during initialization to early in main.

I do not think the regressions in sessionrestore, ts_paint, or ts_paint_webext are meaningful because it appears that those tests previously (without the code changes) didn't include the execution time of sandbox_init_with_parameters(), but do now that the function has been moved. I tested this by adding a 0.5 second busy loop in the original code site and found that it didn't affect those benchmarks.

That wasn't the case for sessionrestore_no_auto_restore.

I need some help understanding exactly what these tests are timing though. Ionut, are you able to help with that or is there someone you can recommend?

I also found that sandbox_init_with_parameters() is much slower on older hardware like we have on try. Some rough numbers I collected for the average execution time:

2008 MacBook with macOS 10.9:                         500ms
try hardware (t-yosemite-r7-186) with macOS 10.10:    122ms
2015 MacBook Air with macOS 10.14:                     15ms
2012 MacBook Pro with macOS 10.11:                     14ms
2018 MacBook Pro with macOS 10.14:                      8ms
Flags: needinfo?(igoldan)
@Ionut, jmaher offered to help with my questions. Is it OK to land while still resolving this?
(In reply to Haik Aftandilian [:haik] from comment #1)
> From bug 1431441 comment 33 by Ionut
> > Before the backout, we noticed these big performance regressions:
> > 
> > == Change summary for alert #16766 (as of Fri, 12 Oct 2018 13:23:55 GMT) ==
> > 
> > Regressions:
> > 
> > 16%  sessionrestore osx-10-10 opt e10s stylo                     640.67 -> 745.17
> > 13%  ts_paint osx-10-10 opt e10s stylo                           707.67 -> 802.83
> > 13%  sessionrestore_no_auto_restore osx-10-10 opt e10s stylo     675.29 -> 764.67
> > 13%  ts_paint_webext osx-10-10 opt e10s stylo                    712.33 -> 803.92
> > 
> > For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=16766
>
> I need some help understanding exactly what these tests are timing though.
> Ionut, are you able to help with that or is there someone you can recommend?

Yes, for sessionrestore* test you can contact :mikedeboer.
As for ts_paint, it used to be :milan, but now I think one of the contacts would be :davidb.
(In reply to Haik Aftandilian [:haik] from comment #2)
> @Ionut, jmaher offered to help with my questions. Is it OK to land while
> still resolving this?

You can land this, it's just that I need constant feedback on the evolution of the fix, from your behalf.
Flags: needinfo?(igoldan)
Depends on: 1505445
I think bug 1505445 will address the talos regressions listed in comment 3. I plan to land this fix after bug 1505445 which is out for review.
Set security.sandbox.content.mac.earlyinit=true to enable sandbox early startup by default on Nightly only.
Blocks: 1505573
Pushed by haftandilian@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/22d335fc020f
[Mac] Enable sandbox early startup by default on Nightly r=Alex_Gaynor
https://hg.mozilla.org/mozilla-central/rev/22d335fc020f
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Depends on: 1506776
Depends on: 1506495
Depends on: 1524694
Regressions: 1588821
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: