Closed Bug 1677501 Opened 4 years ago Closed 3 years ago

PK11_ListCerts called by DoHHeuristics.jsm during late startup does a lot of main thread I/O to cert9.db

Categories

(Core :: Networking: DNS, defect, P2)

Tracking

RESOLVED FIXED
85 Branch
Performance Impact high
Tracking Status
firefox85 --- fixed

People

(Reporter: florian, Assigned: valentin)

References

(Blocks 1 open bug)

Details

(Keywords: main-thread-io, perf, perf:responsiveness, Whiteboard: [fxperf][bhr:PK11_ListCerts][necko-triaged])

Attachments

(1 file, 2 obsolete files)

When looking at BHR data from our nightly users, PK11_ListCerts represents more than 1% of the total hang time. (http://queze.net/bhr/test/#row=&filter=PK11_ListCerts)

The stacks show that some JS code calls nsNSSCertificateDB::GetCerts. Most stacks aren't very helpful after that, mostly showing that we are resuming from within an async function.

A few of the stacks reported through BHR show /modules/DoHHeuristics.jsm:221 which points to https://searchfox.org/mozilla-central/rev/ff82c973f8ccb0475ec32439e9ec07014b3a681f/browser/components/doh/DoHHeuristics.jsm#221,230

After setting the doh-rollout.enabled pref to true in about:config, I could reproduce on my slow reference laptop. Here's what this looks like in a startup profile with that preference enabled: https://share.firefox.dev/3ntRYOX

Excellent find, Florian. Thanks for this report.

Dana, do you think we can replace this code with something that doesn't impact performance?
Maybe we can just check these prefs

Assignee: nobody → valentin.gosu
Blocks: doh-rollout
Severity: -- → S2
Flags: needinfo?(dkeeler)
Priority: -- → P2
Whiteboard: [fxperf][qf][bhr:PK11_ListCerts] → [fxperf][qf][bhr:PK11_ListCerts][necko-triaged]

security.enterprise_roots.enabled is already checked, and security.enterprise_roots.auto-enabled is only relevant insofar as it can set security.enterprise_roots.enabled to true.
Basically, if you want to check if there are any third-party trust anchors in the on-disk certificate database, you have to read the on-disk certificate database. One option could be to not do that. The other option would be to make getCerts() asynchronous, so at least the main thread isn't blocked. Note that this change would also improve main-thread-blocking in other cases, such as the certificate manager.

Flags: needinfo?(dkeeler)
Whiteboard: [fxperf][qf][bhr:PK11_ListCerts][necko-triaged] → [fxperf][qf:p1:responsiveness][bhr:PK11_ListCerts][necko-triaged]

This allows us to avoid calling any NSSCertificateDB methods on the main
thread or allocating memory for xpconnect wrappers of cert objects.

Attachment #9188550 - Attachment is obsolete: true
See Also: → 1679954

Comment on attachment 9188549 [details]
Bug 1677501 - Add nsIX509CertDB.asyncGetCerts r=keeler

Revision D97425 was moved to bug 1679954. Setting attachment 9188549 [details] to obsolete.

Attachment #9188549 - Attachment is obsolete: true
Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/7351aa88de95
Add nsIX509CertDB.asyncHasThirdPartyRoots and use it in DoHHeuristics.jsm r=keeler,Gijs,nhnt11
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 85 Branch
Performance Impact: --- → P1
Whiteboard: [fxperf][qf:p1:responsiveness][bhr:PK11_ListCerts][necko-triaged] → [fxperf][bhr:PK11_ListCerts][necko-triaged]