[apparmor] [Bug 2025030] Re: apparmor_parser -O no-expr-simplify problematic

John Johansen 2025030 at bugs.launchpad.net
Mon Jun 26 09:52:48 UTC 2023


Yes, this is to be expected. The DFA build algorithm can have
exponential state explosion. Expr simplification is a technique to help
avoid/mitigate that from happening. There is no reason that expr
simplification shouldn't be done.

In the past Jamie had disabled it for a couple of reasons.

1. For very simple profiles it isn't needed, and it causes compilation to
slow down a little vs. not having it (this was on click, with the phone's
slow processor).

2. Expr simplification could in its own right in the past be
pathological, as it makes multiple passes, working on simplifying
expressions to deal with this explosion issue. In these cases, while it
would reduce the memory overhead of the compile, it would slow down the
compile significantly.


Case 2 was taken care of by putting a hard cap on the number of passes simplification will do, in upstream commit

2809060be parser: limit the number of passes expr tree simplification
does (MR: https://gitlab.com/apparmor/apparmor/merge_requests/246)

This was found to achieve the majority of simplification gains without
multiple passes where as few as a single change was made. And there is
of course MR 711 that mvo has already brought up. There is some other
work that will further improve expr simplification when it lands, so we
should see further performance improvements in the future.

https://bugs.launchpad.net/bugs/2025030

Title:
  apparmor_parser -O no-expr-simplify problematic

Status in snapd:
  New

Bug description:
  There was a recent issue with a core refresh that caused breakage.
  Upon further investigation it turns out that the apparmor_parser uses
  a substantial amount of memory.

  Upon some more investigation it turns out that -O no-expr-simplify
  makes both time to compile and memory usage increase 10x.
  Tested with 22.04 but I see the same ballpark results with 16.04:

  $ /usr/bin/time --verbose apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
      Command being timed: "apparmor_parser -S 2.59/profiles/snap.screenly-client.command-executor"
      User time (seconds): 4.32
      Maximum resident set size (kbytes): 117392

  $ /usr/bin/time --verbose apparmor_parser  -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor > /dev/null
      Command being timed: "apparmor_parser -O no-expr-simplify -S 2.59/profiles/snap.screenly-client.command-executor"
      User time (seconds): 40.64
      Maximum resident set size (kbytes): 1015816

  Profile is attached.

  
  It seems like we seriously need to consider dropping "-O no-expr-simplify". 

  For context:
  https://bugs.launchpad.net/ubuntu-rtm/+source/apparmor/+bug/1383858
  is why it was added in the first place

  And some recent work to make things faster:
  https://gitlab.com/apparmor/apparmor/-/merge_requests/711
