Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Experiment ac rust/v11 #9911

Closed
wants to merge 16 commits into from
Closed

Experiment ac rust/v11 #9911

wants to merge 16 commits into from

Conversation

victorjulien
Copy link
Member

replace #9904, includes #9908

Implement "ac-rs" using the aho-corasick Rust crate. Sadly, it doesn't give the performance I hoped for. Don't see more ways to optimize it.

Results

Intel Xeon E5-2680v4

profile-mpm-sandnet.pcap-open.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142              942        4209906         25619         10.3b  37.61 
profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141              945       20108490         53608         21.5b  45.88 
profile-mpm-sandnet.pcap-open.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142              882         832744         23083          9.3b  36.24 
profile-mpm-sandnet.pcap-open.rules-hs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143              942        3383613         12789          5.1b  28.60 
profile-mpm-sandnet.pcap-pro.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401140              902        1086180         34368         13.8b  38.75 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401140              951       19817724         57077         22.9b  43.69 
profile-mpm-sandnet.pcap-pro.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141              900        1482510         30627         12.3b  37.36 
profile-mpm-sandnet.pcap-pro.rules-hs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142              960         888276         20900          8.4b  33.08

HS almost 3x AC-RS, AC almost 2x AC-RS.

AMD Threadripper 2990wx

profile-mpm-sandnet.pcap-open.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1320        2114310         24750          9.9b  33.05 
profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401140             1350        2273430         56612         22.7b  42.61 
profile-mpm-sandnet.pcap-open.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1350        2251170         24463          9.8b  32.14 
profile-mpm-sandnet.pcap-pro.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401139             1350       12749880         40299         16.2b  34.29 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141             1350        4107720         68919         27.6b  40.23 
profile-mpm-sandnet.pcap-pro.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401144             1320        2062860         38447         15.4b  32.51

AC almost 2x

Intel Xeon W-2245

profile-mpm-sandnet.pcap-open.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1078         725199         29635         11.9b  34.61 
profile-mpm-sandnet.pcap-open.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142             1088        2425744         28189         11.3b  33.55 
profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401146             1111        2915524         70305         28.2b  44.42 
profile-mpm-sandnet.pcap-open.rules-hs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142             1252         504847         15159          6.1b  26.25 
profile-mpm-sandnet.pcap-pro.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141             1083        2541907         42546         17.1b  35.06 
profile-mpm-sandnet.pcap-pro.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1100        2530907         38909         15.6b  33.28 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401140             1083        2829304         76386         30.6b  41.15 
profile-mpm-sandnet.pcap-pro.rules-hs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401144             1228        1248314         24381          9.8b  29.02

HS is 3x the perf, AC 2x.

@victorjulien
detect: minor cleanup
574c8b5 
MPM_HS does not need a guard.
@victorjulien
mpm: remove ac-bs implementation
d6f5a5a 
Ticket: OISF#6586.
@victorjulien
mpm/ac: return only unique match count
9d574e6 
Bring implementation in line with Hyperscan, which only counts unique matches.

Update test to reflect the new behavior.
@victorjulien
mpm/ac-ks: return only unique match count
8419a22 
Bring implementation in line with Hyperscan, which only counts unique matches.

Update test to reflect the new behavior.
@victorjulien
mpm: document Search callback return value
08c0fff
@victorjulien
mpm/ac-bs: add warning if still used
7618e8e 
Fall back to default matcher.

Ticket OISF#6586.
@victorjulien
mpm: cleanup pattern free function
3cab038 
Avoid redundant pointer checks; instead check once.
@victorjulien
mpm: free sids in MpmFreePattern as well
6907588
@victorjulien
util/prefilter: constify sids
b94c359
@victorjulien
rust: add copyright header to common.rs
b092417
@victorjulien
mpm/ac-rs: AC matcher based on aho-corasick crate
bcb8b0a 
Count uniq matches only, like the Hyperscan implementation.
Default to single context, similar to other algos.

Ticket: OISF#3847.
@victorjulien
mpm: helper script for mpm benching
4e25f54
@codecov Codecov
Copy link

codecov bot commented Nov 28, 2023
edited

Codecov Report

Attention: 133 lines in your changes are missing coverage. Please review.

Comparison is base (d005fff) 82.45% compared to head (8db2ca4) 82.39%.
Report is 134 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #9911      +/-   ##
==========================================
- Coverage   82.45%   82.39%   -0.07%     
==========================================
  Files         972      972              
  Lines      273057   272519     -538     
==========================================
- Hits       225156   224538     -618     
- Misses      47901    47981      +80
Flag Coverage Δ
fuzzcorpus 64.40% <10.34%> (+0.03%) ⬆️
suricata-verify 61.25% <10.83%> (+0.16%) ⬆️
unittests 62.91% <84.73%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

@victorjulien victorjulien mentioned this pull request Nov 28, 2023
Closed
victorjulien
victorjulien commented Nov 28, 2023
View reviewed changes
rust/src/mpm_ac_rs.rs Outdated
{
let haystack = build_slice!(data, data_len as usize);
let mut match_cnt : u32 = 0;
// array of bools for patterns we found
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comment is wrong, it's used as a bitarray now

@victorjulien
Copy link
Member Author

Updated numbers after setting "kind" to DFA based on BurntSushi/aho-corasick#136 (comment)

Intel Xeon W-2245

profile-mpm-sandnet.pcap-open.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1078         725199         29635         11.9b  34.61 
profile-mpm-sandnet.pcap-open.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142             1088        2425744         28189         11.3b  33.55 
profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401140             1083        2492467         39820         16.0b  39.83 
profile-mpm-sandnet.pcap-open.rules-hs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142             1252         504847         15159          6.1b  26.25 
profile-mpm-sandnet.pcap-pro.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141             1083        2541907         42546         17.1b  35.06 
profile-mpm-sandnet.pcap-pro.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1100        2530907         38909         15.6b  33.28 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141             1073        1325263         57487         23.1b  40.56 
profile-mpm-sandnet.pcap-pro.rules-hs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401144             1228        1248314         24381          9.8b  29.02

So in open, this improves things from 28.2b to 16b ticks.
In pro from 30.6b ticks to 23.1b. However still considerably slower than the others.

AMD Threadripper 2990wx

profile-mpm-sandnet.pcap-open.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1320        2114310         24750          9.9b  33.05 
profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141             1350       10578090         35419         14.2b  38.42 
profile-mpm-sandnet.pcap-open.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1350        2251170         24463          9.8b  32.14 
profile-mpm-sandnet.pcap-pro.rules-ac-ks/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401139             1350       12749880         40299         16.2b  34.29 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142             1350       11825370         57434         23.0b  39.84 
profile-mpm-sandnet.pcap-pro.rules-ac/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401144             1320        2062860         38447         15.4b  32.51

Open: 22.7b -> 14.2b
Pro: 27.6b -> 23b
So again, a good improvement but still slower than what we already have.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPW2_autofp_stats_chk
.uptime 181 191 105.52%

Pipeline 16764

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 16765

@victorjulien
Copy link
Member Author

Direct DFA calls attempt has the following results

Intel Xeon W-2245

profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401143             1135        2724221         39536         15.9b  39.57 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401140             1074        2606235         56937         22.8b  40.66

So a small improvement over the last attempt.

AMD Threadripper 2990wx

profile-mpm-sandnet.pcap-open.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401141             1350       10436310         34459         13.8b  38.41 
profile-mpm-sandnet.pcap-pro.rules-ac-rs/packet_stats.log:PROF_DETECT_PF_PAYLOAD      IPv4       6        401142             1350       10303920         56272         22.6b  39.30

Also a small improvement, but still not where we'd hope things to land.

@victorjulien
Copy link
Member Author

Explicitly disabling the prefilter feature seems to have a minimal effect.

@suricata-qa
Copy link

WARNING:

field baseline test %
SURI_TLPW2_autofp_stats_chk
.uptime 181 192 106.08%

Pipeline 16777

@suricata-qa
Copy link

Information: QA ran without warnings.

Pipeline 16779

@catenacyber catenacyber added the needs rebase Needs rebase to master label Dec 21, 2023
@victorjulien
Copy link
Member Author

Performance wasn't there to justify doing more work on this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasonish jasonish Awaiting requested review from jasonish jasonish will be requested when the pull request is marked ready for review jasonish is a code owner

Assignees
No one assigned
Labels
needs rebase Needs rebase to master
Milestone
No milestone
3 participants
@victorjulien @suricata-qa @catenacyber