Don't enable RDD process on platforms without sandboxing

RESOLVED FIXED in Firefox 68

Status

()

enhancement
P3
normal
Rank:
25
RESOLVED FIXED
5 months ago
3 months ago

People

(Reporter: jbeich, Assigned: mjf)

Tracking

(Blocks 1 bug)

Trunk
mozilla68
Unspecified
FreeBSD
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox67 wontfix, firefox68- fixed)

Details

Attachments

(2 attachments, 1 obsolete attachment)

RDD is only implemented for Tier1 platforms. Elsewhere it's an indirection with marginal benefit. For one, my system can play AV1 videos in 2160p60 smoothly but with RDD rendering freezes after a few frames.

While I can see it being reasonable to disable this on platforms that don't have sandboxing, the salient thing here is that RDD is apparently broken on FreeBSD. Should we open a separate bug for that?

Rank: 25
Priority: -- → P3

Someone reported perf drop affects Linux as well. If that is fixed I don't think we need to do anything FreeBSD-specific. Anyway, this bug is ill-formed.

https://www.reddit.com/r/AV1/comments/b3bcft/firefox_nightly_now_uses_dav1d_021/

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → INCOMPLETE
Blocks: RDD

CPU usage dropped to reasonable levels after bug 1538474 but it's not neglible. RDD currently adds around 18% overhead on my i7-6700k when watching 2160p60 windowed via file://. Memory overhead from extra processes is also bigger on Tier3 due to lack of mozjemalloc support but I can't compare (no Tier1 box around).

Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---

:mjf, can you help landing this? I can't use Phabricator due to bug 1536716.

Note, a cheap way to improve security on Tier3 would be --with-system-dav1d but it wouldn't protect against stuff unfixed upstream unlike process sandboxing.

Flags: needinfo?(mfroman)

Jan, just to make sure we are on the same page here: on FreeBSD you are not using any specific sandboxing for Firefox in general, right?

And so because of the lack of sandboxing the RDD process only results in performance loss without any security gain like on the other Tier 1 platforms.

In general I'm ok with that approach. But as a heads up: we are planing on moving more codecs into the RDD process going forward. At some point we might not want to support decoding happening any where else then in the RDD process any more. In terms of performance we have some ideas how to make that better before we get to this point.

Flags: needinfo?(jbeich)

Note: I think the patch in bug 1515497 will make it impossible to turn on AV1 without RDD being turned on as well.

See Also: → 1515497

(In reply to Nils Ohlmeier [:drno] from comment #7)

Jan, just to make sure we are on the same page here: on FreeBSD you are not
using any specific sandboxing for Firefox in general, right?

Correct. Firefox doesn't support sandboxing on FreeBSD but process sandboxing is possible on FreeBSD via Capsicum. For each process type the bar for adding sandboxing increases.

For OpenBSD see bug 1457092. I don't know if process sandboxing is possible on DragonFly, NetBSD and Solaris

And so because of the lack of sandboxing the RDD process only results in
performance loss without any security gain like on the other Tier 1
platforms.

Does RDD inherit main process sandboxing? If not dav1d would lose sandboxing when RDD is enabled on OpenBSD when --enable-sandbox is passed (e.g., downstream).

(In reply to Nils Ohlmeier [:drno] from comment #8)

Note: I think the patch in bug 1515497 will make it impossible to turn on
AV1 without RDD being turned on as well.

Thanks for notifying. That rationale is OK but the fix is ugly, so (as part of this bug) it'd end up even more ugly.

Flags: needinfo?(jbeich)

Err, regarding bug 1515497 nothing needs to be done here. AV1 still works fine and so does Vorbis (bug 1500596).

(In reply to Jan Beich from comment #10)

Err, regarding bug 1515497 nothing needs to be done here. AV1 still works fine and so does Vorbis (bug 1500596).

Jan, you're definitely correct here. Part of bug 1515497 makes certain that if RDD is enabled, we can't accidentally fall back to decoding AV1 on the content process. However, if RDD is not enabled, AV1 can be decoded in the content process.

I will take a look at your patch.

Flags: needinfo?(mfroman)

[Tracking Requested - why for this release]:
Performance. On 32-bit architectures (e.g., x86) memory for userland processes is capped at ~3 GB, so a new process for AV1 decoding increases the chance of memory thrashing. mozjemalloc is N/A on Tier3 to mitigate.

Firefox 68 will be ESR, so facilitates downstream to be on the same page.

Assignee: nobody → mfroman
Pushed by mfroman@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8f3c6a2c4df1
don't enable RDD process on platforms without sandboxing. r=drno
Status: REOPENED → RESOLVED
Closed: 5 months ago3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

(In reply to Julien Cristau [:jcristau] from comment #16)

Tier 3, not tracking.

AV1 is now over 12% of the videos Firefox plays in beta, and that number will keep growing once it goes into release next week. This is not Tier3. We're talking millions of use a day.

Flags: needinfo?(jcristau)

oh, I see FreeBSD. my bad

Flags: needinfo?(jcristau)

Thanks for reminding the BSDs users that nobody cares about them :)

You need to log in before you can comment on or make changes to this bug.