Yes, this is to be expected. The dfa build algorithm can have exponential state explosion. Expr simplification is a technique to help avoid/mitigate that from happening. There is no reason that expr simplification shouldn't be done.
In the past Jamie had disabled it for a couple of reasons.

1. For very simple profiles it isn't needed, and causes compilation to slow down a little, vs. not having it (this was on click, with phones' slow processors).

2. Expr simplification could in its own right in the past be pathological, as it makes multiple passes, working on simplifying expressions to deal with this explosion issue. In these cases, while it would reduce memory overhead of the compile, it would slow down the compile significantly.

Case 2 was taken care of by putting a hard cap on the number of passes simplification will do, in upstream commit

2809060be parser: limit the number of passes expr tree simplification does
(MR: https://gitlab.com/apparmor/apparmor/merge_requests/246)

This was found to achieve the majority of simplification gains without multiple passes where as few as a single change was made.

And there is of course MR 711 that mvo has already brought up.

There is some other work that will further improve expr simplification when it lands, so we should see further performance improvements in the future.

--
https://bugs.launchpad.net/bugs/2025030

Title: apparmor_parser -O no-expr-simplify problematic

Status in snapd: New

Bug description:

There was a recent issue with a core refresh that caused breakage. Upon further investigation it turns out that the apparmor_parser uses a substantial amount of memory.

Upon some more investigation it turns out that -O no-expr-simplify makes both time to compile and memory usage increase 10x.
Tested with 22.04 but I see the same ballpark results with 16.04:

  $ /usr/bin/time --verbose apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
      Command being timed: "apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor"
      User time (seconds): 4.32
      Maximum resident set size (kbytes): 117392

  $ /usr/bin/time --verbose apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
      Command being timed: "apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor"
      User time (seconds): 40.64
      Maximum resident set size (kbytes): 1015816

Profile is attached.

It seems like we seriously need to consider dropping "-O no-expr-simplify".

For context: https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858 is why it was added in the first place.

And some recent work to make things faster: https://gitlab.com/apparmor/apparmor/-/merge_requests/711
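
The exponential state explosion mentioned in the reply above, as an added textbook illustration: this is not AppArmor parser code and it does not model expr simplification. The language and all function names are assumptions chosen for the example: an NFA with n+1 states for "the n-th symbol from the end is 'a'" becomes a DFA with 2^n states under subset construction.

```python
from collections import deque

def nfa_nth_from_end(n):
    """NFA over {a, b} for "the n-th symbol from the end is 'a'".
    States 0..n: state 0 loops and guesses the marked 'a'; state n accepts."""
    delta = {(0, "a"): {0, 1}, (0, "b"): {0}}
    for i in range(1, n):
        delta[(i, "a")] = delta[(i, "b")] = {i + 1}
    return delta, 0, {n}

def subset_construction(delta, start, accepting, alphabet="ab"):
    """Textbook powerset construction: each DFA state is a set of NFA states."""
    first = frozenset([start])
    trans, seen, queue = {}, {first}, deque([first])
    while queue:
        cur = queue.popleft()
        for sym in alphabet:
            nxt = frozenset(t for s in cur for t in delta.get((s, sym), ()))
            trans[(cur, sym)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return trans, first, {s for s in seen if s & accepting}, seen

def dfa_state_count(n):
    """Number of reachable DFA states for the n-th-from-end language."""
    delta, start, accepting = nfa_nth_from_end(n)
    return len(subset_construction(delta, start, accepting)[3])

def dfa_accepts(n, text):
    """Run the constructed DFA on text to confirm it recognises the language."""
    trans, state, accepting, _ = subset_construction(*nfa_nth_from_end(n))
    for ch in text:
        state = trans[(state, ch)]
    return state in accepting

if __name__ == "__main__":
    # One extra NFA state per step, but the DFA state count doubles each time.
    for n in range(1, 13):
        print(f"n={n:2d}  NFA states={n + 1:2d}  DFA states={dfa_state_count(n)}")
```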