On Mon, Nov 10, 2014 at 6:51 PM, Nicholas Nethercote <n.netherc...@gmail.com> wrote:

> I've been doing some heap allocation profiling and found that during
> basic usage NSS accounts for 1/3 of all of Firefox's cumulative (*not*
> live) heap allocations. We're talking gigabytes of allocations in
> short browsing sessions. That is *insane*.
>
> I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1095272 about
> this. I've written several patches that fix problems, one of which has
> r+ and is awaiting checkin; check the dependent bugs.
In your analysis, it would be better to use a call stack trace depth larger than 5 that allows us to see what non-NSS function is calling into NSS.

The checks done in mozilla::pkix's CheckPublicKeySize can easily be optimized. But, first check how often the call stack contains CheckPublicKey vs VerifySignedData; CheckPublicKey can be optimized even more than VerifySignedData.

My original plan for VerifySignedData was for it to have a cache added to it, if/when performance testing showed that there was a performance problem. It is likely that such a cache is important, even without the heap thrashing that you are concerned about.

Also, there is already a bug on file about caching and coalescing SSL server cert verification results in SSLServerCertVerification. This is trickier than the type of caching you can do in VerifySignedData but it is potentially a bigger win. Also, I think recent changes to Gecko's connection management (the "parallelism to a new host restricted to 1" bug being fixed) made it more important to do at least the coalescing part.

Note that when bug 1036103 is fixed (which will be basically whenever I get around to posting one more patch), it will be possible to avoid any of the NSS CERT_* API during certificate verification, if people are willing to do a little (probably quite a bit, actually) refactoring. Beyond that, except for the calls to SECKEY_DecodeDERSubjectPublicKeyInfo and SECKEY_ExtractPublicKey in CheckPublicKeySize, mozilla::pkix allocates no memory at all, ever (once CheckNameConstraints is replaced, which is the thing that is one patch away from happening).

Cheers,
Brian

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
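The result cache Brian describes for VerifySignedData, as an added example that is not from this thread, from NSS or from mozilla::pkix: a bounded memoizing verifier in Go that uses Ed25519 as a stand-in for the signature algorithm. The cache key is a digest over every input that determines the answer (public key, signed data, signature), so a cached result can only ever be returned for the exact question that produced it, and the entry count is capped so the cache cannot become a heap-growth problem of its own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// VerifyCache memoizes signature verification results. The key must cover
// the public key, the data and the signature: leaving any of them out would
// let one caller's result answer a different caller's question.
type VerifyCache struct {
	max     int
	order   [][32]byte        // insertion order, for simple FIFO eviction
	results map[[32]byte]bool // true = signature verified
	Misses  int               // number of real verifications performed
}

func NewVerifyCache(max int) *VerifyCache {
	return &VerifyCache{max: max, results: make(map[[32]byte]bool)}
}

// cacheKey length-prefixes each field so that field boundaries are
// unambiguous (key||data||sig alone would collide across splits).
func cacheKey(pub ed25519.PublicKey, data, sig []byte) [32]byte {
	h := sha256.New()
	var n [8]byte
	for _, f := range [][]byte{pub, data, sig} {
		binary.BigEndian.PutUint64(n[:], uint64(len(f)))
		h.Write(n[:])
		h.Write(f)
	}
	var k [32]byte
	copy(k[:], h.Sum(nil))
	return k
}

// Verify returns the cached answer when present, otherwise verifies,
// evicts the oldest entry if the cache is full, and records the result.
func (c *VerifyCache) Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	k := cacheKey(pub, data, sig)
	if ok, hit := c.results[k]; hit {
		return ok
	}
	c.Misses++
	ok := ed25519.Verify(pub, data, sig)
	if len(c.order) >= c.max {
		delete(c.results, c.order[0])
		c.order = c.order[1:]
	}
	c.order = append(c.order, k)
	c.results[k] = ok
	return ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	data := []byte("constructed signed data")
	sig := ed25519.Sign(priv, data)
	c := NewVerifyCache(16)
	fmt.Println(c.Verify(pub, data, sig), c.Verify(pub, data, sig), c.Misses)
}
```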