Bug 1441918 comment 90 has highlighted that Firefox currently generates a lot of events (potentially around 7x and more) on the Microsoft-Windows-Threat-Intelligence ETW provider compared to competitors. Antivirus software products, including but not limited to Windows Defender, listen to this ETW provider (and others) to monitor system activity and detect malicious behavior.
Generating events on ETW providers that AV listen to indirectly impacts power usage, because antivirus code will run to analyze each event. It can lead to catastrophic situations if the antivirus itself is not optimized for power usage; see bug 1441918 comment 87 for an example where Windows Defender was using a classic Windows pattern which unfortunately led to a lot of wasted CPU time. Firefox was more impacted by this performance issue compared to competitors, because of the number of events we generate.
The attached text file lists all the events that Firefox Nightly Debug currently generates on Microsoft-Windows-Threat-Intelligence during a casual browsing session on my machine (browsing and watching a video on YouTube, browsing Reddit, browsing Wikipedia, browsing some news website... altogether), grouped by call stacks with event count and percentage of total. Doing this with Debug allowed me to get more detailed stacks.
To summarize, in my casual browsing session:
- 95.5% of the events originate from calls to
- 1.8% from calls to
- 1.6% from calls to
- 1.0% from calls to
- 0.1% from calls to
js::jit::ReprotectRegion account for 92.9% of all events, originating in particular from
We should try to reduce the number of events that Firefox generates, which will reduce the CPU usage from AV software. Bug 1822650 should help address this for the JIT-related part.
We should also double check CPU usage from major AV products to check if some of them might have poorly optimized event analysis code, as this would currently impact our users more than users of competitor browsers, similar to bug 1441918 for Windows Defender.