help reduce peak memory usage in some cases.
Also disbale remove_unreachable, as the current dfa code isn't generating
unreachable states, and minimization removes any states that are connected
but redundant.
hold permission information. We currently keep them in a table with a
refcount so that they don't go away, until we delete the table.
We can simulate this by getting rid of the refcount, and making dup and release
virtual, and overriding it for the special accept nodes.
improves minimization performance, it can slow down total creation time and
result in larger compressed dfas.
This is because it results in the dfa not being completely minimized which
with the current O(n2) dfa table compression algorithm can result in slower
compressed dfa generation.
first hash does hashing on state just state transitions, which always results
in a performance improvement.
The second does hashing based off of accept permissions, which can create
more initial states but can result in not being able to achieve a true
minimum dfa. This can also lead to slowing down total dfa creation because
while minimization, compression can take longer if the dfa isn't completely
minimized.
permission hashing is currently required, as minimization does not accumulate
redundant Node permissions.
memory than just using the NodeSet size to short circuit comparison but it
improves on the case where compared sets have the same size. It is possible
that this will slow down small dfa generation slightly but the trade off for
large dfa's (which are the slow ones to generate) is worth it.
This results in another performance bump over using the NodeSize is NodeSet
comparison, and the amount of improvement increases with larger dfas
of pointers when it isn't necessary. This results in a nice little
performance increase in dfa creation.
This is more of a proof of concept patch, and is replaced by the next
patch which does better short circuiting via hashing
the large side, and I experimented with different ways to split this up but in
the end, anything I could do would result in a series of dependent patches
that would require all of them to be applied to get meaningful functional
changes.
The patch structural reworks the dfa so that
- there is a new State class, it takes the place of sets of nodes in the
dfa, and allows storing state information within the state
- removes the dfa transition table, which mapped sets of nodes to a
transition table, by moving the transition into the new state class
- computes dfa state permissions once (stored in the state)
- expression tree nodes are independent from a created dfa. This allows
computed expression trees, and sets of Nodes (used as protostates when
computing the dfa). To be managed independent of the dfa life time.
This will allow reducing the amount of memory used, in the future,
and will also allow separating the expression tree logic out into
its own file.
The patch has some effect on reducing peak memory usage, and computation
time. The actual amount of reduction is dependent on the number of states
in the dfa with larger saving being achieved on larger dfas. Eg. for
the test evince profile I was using it makes the parser about 7% faster with a
peak memory usage about 12% less.
This patch changes the initial partition hashing of minimization resulting
in slightly smaller dfas.
of a mix of symlinks to non-prefixed comands, and "apparmor_" prefixed
commands.
This also refactors the manpage generation slightly since we no longer
need special cases for the manpages, and drops aa-eventd from the default
list of tools to install (it also lacks a manpage).
exported in the environment. Without it, merely setting the CFLAGS
environment variable would not affect the compilation of the parser,
though it was still possible to override it by passing the variable
as an argument (e.g. make all CFLAGS="-Oinsane -Wextra-special").
It also makes the default CFLAGS for the parser consistent with
the default for the C++ dfa library, and passes the flags on to
the library.
An audit of the other bits of C showed that they either supported
CFLAGS during configure or were otherwise honoring CFLAGS when set
as environment variable.
the common/Make.rules file into common/Version so that libapparmor's
configure.in can make use of it, meaning there's one less thing to
adjust when updating the version. It also bumps the trunk version
from 2.5 to 2.5.90 in (perhaps excessively long) preparation for the
2.6.0 release, and to indicate that it's newer than the 2.5.x branch.
tarballs and converts some of the common/Make.rules targets to get
version information from bzr. As part of this, the tarball generation
creates a .stamp_rev file in the common directory which contains both
the name of the bzr repo exported from as well as the revision.
This just adds prototypes to all functions to make further cleanup
slightly easier by getting perl to complain if not enough args are
passed to a function. Perl doesn't appear to complain about this in
every case even with prototypes, which is kind of annoying.
One of the uses of eval { } wasn't checking $@ for errors, so if
something bad happened, it'd be silently ignored. This just adds in
an extra check to die if we hit a failure.
loopback mounted filesystem to operate on, to guarantee that the mount
option user_xattr is enabled (it's disabled by default on Ubuntu).
With this change, a number of the user xattr testcases that were
expected to pass but weren't started working; however, some of the
ones that were failing as expected are now passing. I've touched up
the expectations as well.
script and add an additional sleep before the parser invocation that
generates the cache file for the first time, to avoid failures in the
"Profiles are cached when requested:" test on ext3 and other filesystems
without fine-grained enough timestamps.
