Friday, May 22, 2020

macOS 10.15: Slow by Design

Allan Odgaard (via Cocoa-Dev, Hacker News):

In episode 379 of ATP both Marco Arment and John Siracusa described noticeable delays and stalls after upgrading to macOS 10.15.

[…]

Another way to reduce the delays is by disabling System Integrity Protection. I say reduce, because I still do get some delays even with SIP disabled, but the system does overall feel much faster, and I would strongly recommend anyone who thinks their system is sluggish to do the same.

[…]

Apple delays execution while waiting for a reply from their server. This check for me takes close to a second. […] This is not just for files downloaded from the internet, nor is it only when you launch them via Finder, this is everything. So even if you write a one line shell script and run it in a terminal, you will get a delay!

[…]

Surprisingly though, just obtaining the display name or icon for one of these folders will trigger Apple’s code to verify that the client is allowed to access the location.

[…]

Specifically calling SecKeychainFindGenericPassword can cause noticeable delays, on a bad internet day I had this call stall for 3.3 seconds and this was with System Integrity Protection disabled!

[…]

This is the worst issue, sometimes, things will stall for 5-30 seconds [at application launch].

[…]

With SIP enabled and on a bad internet day I can have the entire machine freeze for 1-2 seconds every 10th minute, not to mention everything just being sluggish.

It’s worse in Catalina, but I’ve been seeing frequent problems since Mojave.

Marco Arment:

The macOS security team needs to ask themselves hard questions about their implementation choices when very smart people are disabling huge parts of their OS security layer just to get reasonable performance from common tasks.

Sean Heber:

Apple needs to do something about this. The random stalls and slowness are pervasive, infuriating, annoying, and perhaps even approaching demoralizing.

Jeff Johnson:

This is why Apple needs remote workers, not just in the US but worldwide. Any feature that requires phoning home to Cupertino is going to be very fast in Cupertino, but possibly very slow elsewhere.

Update (2020-05-22): nut_bunnies:

I just got a new 13” MBP and sold my 2015 Pro that was on Mojave. It could be a botched backup migration but twice now I’ve had app and service lockups permeate throughout the system and apps that required a reboot to stop

Update (2020-05-25): Greg Hurrell (tweet, Hacker News):

Apple seems bent on locking things down in the name of security (a laudable effort), but at the cost of breaking shit for developers who just want to get along with their work. First came System Integrity Protection which was only a minor annoyance and probably a net win in terms of the security-vs-convenience trade-off. But then it was followed by an increasingly draconian series of cumbersome security measures, culminating with incessant authorization prompts reminiscent of Windows Vista’s infamous User Account Control and, most recently, with the horrible network-gated permission checks to do simple things like, er, running executables.

Jeff Johnson (tweet, Hacker News):

You can verify that there’s an online check by taking packet traces. […] Is Catalina trying to check the notarization of the executable? The evidence strongly indicates yes.

[…]

By the way, you can block macOS notarization checks without turning off your internet connection by installing Little Snitch and setting the rules to deny any outgoing connection from syspolicyd.

[…]

What about compiled command-line tools that are not scripts but not apps either? I created a simple “Hello World” project in Xcode, and I changed the build settings so that the tool was not code signed at all by Xcode. When I ran the tool for the first time, there was no online notarization check, which was a bit surprising to me. When I looked at the Xcode build transcript, though, I found the explanation. The final phase of the build, after the linking phase, was “Register execution policy exception”. Xcode called builtin-RegisterExecutionPolicyException on my tool. This gave the tool permission to execute on my Mac without getting checked.

[…]

One major problem, though, is that this information is not documented anywhere, to my knowledge.

enadu02:

Xcode (the UI) is able to bypass GateKeeper checks for things it builds.

The “Developer Tool” pane in System Prefs, Security, Privacy is the same power. Drag anything into that list you’d like to grant the same privilege (such as xcodebuild). This is inherited by child processes as well.

The point of this is to avoid malware packing bits of Xcode with itself and silently compiling itself on the target machine, thus bypassing system security policy.

dTal:

Making this about speed is burying the lede. From a privacy and user-freedom perspective, it’s horrifying.

Don’t think so? Apple now theoretically has a centralized database of every Mac user who’s ever used youtube-dl. Or Tor. Or TrueCrypt.

Rui Carmo:

Besides the potential for failure (Apple has historically been mediocre at doing online systems, except for the iTunes/App Store, which is finely honed and cached up the wazoo), the potential for data gathering is serious enough that I can see Macs being banned from use in public sector clients outside the US (development or not).

And even if it can be argued that this caches results and normal users will mostly run things from the App Store and seldom notice any delays, it is something that ought to be surfaced properly for developers and power users alike.

Howard Oakley:

One other strange thing which happens to shell scripts the first time that they are run in Catalina is that a com.apple.macl xattr is added to them, containing a UUID which is common across several scripts, at least. That doesn’t appear to contribute to any delay in launching the script, but is further evidence that what is recorded in the unified log is no reflection on the processes which have taken place. It also raises further questions about the purpose of this new type of xattr, which had previously been associated with per-document privacy control by TCC.

Update (2020-06-03): Daniel Jalkut:

macOS 10.15 Catalina has a new “Stand Reminder” mode, just like the Apple Watch. When your mouse and entire screen freezes, just get up and stand for one minute and it will probably be unfrozen when you’re done.

I really thought this problem would get better but it seems to be worse with every update to 10.15. More common than ever and I don’t think it’s a hardware issue. Lots of other people seem to experience it, too. Exactly the kind of thing that wouldn’t show up in quality metrics.

Jonathan Deutsch:

I’m hitting this on my new MBP 16" a lot. For me the entire computer is functional, but there’s probably some sort of graphics card/driver issue. I can quickly resolve with locking the screen (cmd-ctr-q), escape to display sleep, space to login (with watch getting me back in).

Update (2022-09-26): See also: Hacker News.

Mayson Lancaster

Scrolling in Safari on iPad and Mac will hang for seconds at a time. 13.5 and 10.15. Trackpad cursor on Mac responds, but scrolling hangs.

Shane Stanley

Cheer up. Some simple tests show AppleScriptObjC code seems to have been slowed by a factor approaching 10.

Sending hashes/content of every file you download/open/execute back to the mothership is exactly the nightmare scenario used to warn against Microsoft Windows, before Google became the preeminent privacy threat. The frog is boiled.

When are people like Gruber going to start calling out Craig Federighi for the long time lousy state of Mac software and the Mac OS. I don't understand how he's avoided criticism for so long. Eddy Cue was rightly criticized when he was screwing up, but somehow Federighi is untouchable.

I presume this will continue the trend whereby each major Mac operating system has an annoying flaw or bug for which users must hope their Mac is supported on the next major release if they'd like a fix. When people pine for 10.6 I think what they miss as much as the UI is the stability that was achieved before 10.7 was released and the absence of half-baked features.

When are people like Gruber going to start calling out Craig Federighi...

Looking at the example of Jony Ive, the day after he announces he's leaving Apple.

I don't understand how he's avoided criticism for so long.

He puts forth a likable persona. It's a shame he missed his calling in PR, because that would have kept him far away from software.

Maybe I have a particularly good connection to Apple CDN servers, but I haven't experienced any of this.

@vintner Well, Microsoft has been doing it since Windows 8, it's called SmartScreen.

Jiří Fiala

Weird, I'm getting those beach balls and hangs after I DISABLE SIP. Catalina runs fine on my 2015 5k iMac with SIP enabled.

@Carlos To get to the point of your system freezing up, I think one factor is the internet connection, but another is how many new processes you launch.

It appears that a lot of low-level system APIs now communicate with system daemons that handle capability requests, and they do so using dispatch queues, so there is an upper limit on how many requests they can process.

I don’t think I have seen a check take *less* than 150 ms, and 300 ms is not unusual.

On my system, if I build software, the build system will create about 22 new processes per second, if we assume that each process will send two requests to the system daemons, that each check takes 300 ms, and the system daemons can handle 8 concurrent checks, then we are filling up the queues too fast, in concrete numbers, if a build would normally run for 10 seconds, this build will now run for 17 seconds, during which the capability request queues are filled, so any software on your system that may need to request a capability, which could be something as simple as showing the ~/Downloads folder in a preferences window, will stall.

In other words: If you do not “stress” the system, you probably won’t see it freeze up, but your typical developer is very likely to stress the system beyond its capabilities.
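
The arithmetic in the comment above, worked as a small queue simulation. This is an added example, not code from the commenter or from Apple. It assumes a single FIFO queue, a fixed 300 ms per check and evenly spaced arrivals; the function names and the "bystander" request (one check from an unrelated app, halfway through the build) are hypothetical.

```python
import heapq

def simulate(requests, workers=8, service=0.3):
    """FIFO queue, `workers` parallel servers, fixed service time (seconds).

    `requests` is a list of (arrival_time, tag).
    Returns {tag: [(arrival, finish), ...]}.
    """
    free_at = [0.0] * workers        # min-heap: when each worker is next idle
    done = {}
    for arrival, tag in sorted(requests):
        start = max(arrival, heapq.heappop(free_at))
        finish = start + service
        heapq.heappush(free_at, finish)
        done.setdefault(tag, []).append((arrival, finish))
    return done

def scenario(build_seconds=10.0, procs_per_sec=22, checks_per_proc=2,
             bystander_at=5.0, **queue):
    """Return (time the last build check completes, bystander latency)."""
    rate = procs_per_sec * checks_per_proc   # 44 checks/s with the comment's numbers
    reqs = [(i / rate, "build") for i in range(int(build_seconds * rate))]
    reqs.append((bystander_at, "bystander"))  # e.g. an app asking about ~/Downloads
    done = simulate(reqs, **queue)
    build_finish = max(finish for _, finish in done["build"])
    arrival, finish = done["bystander"][0]
    return build_finish, finish - arrival

if __name__ == "__main__":
    # The comment's numbers: 44 checks/s offered, 8 / 0.3 = 26.7 checks/s served.
    busy_finish, busy_stall = scenario()
    # A lighter load (5 processes/s) stays under capacity, so nothing queues.
    idle_finish, idle_stall = scenario(procs_per_sec=5)
    print(f"22 proc/s: checks drain at {busy_finish:.1f} s, "
          f"bystander waits {busy_stall:.2f} s")
    print(f" 5 proc/s: checks drain at {idle_finish:.1f} s, "
          f"bystander waits {idle_stall:.2f} s")
```

Under these assumptions the backlog from a 10-second build drains at roughly 17 seconds, and a single unrelated check issued at the 5-second mark waits about 3.5 seconds instead of 0.3.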

This reminds me a bit of the poor state Apple left their WiFi drivers in when they stopped supporting Lion: every 5-10 seconds, packets would just get outright dropped for 1-2 seconds.

"It’s worse in Catalina, but I’ve been seeing frequent problems since Mojave"

I'm glad it's not just me. I've been avoiding Catalina, but even Mojave has crashed on me more times than every other version of Mac OS X combined -- and I've been using it since 10.0.

[…] macOS is becoming horribly buggy with each new release and although Apple has finally fixed the Macbook butterfly keyboard problems I have reconsidered Apple products several times recently. This started with migrating my notes from Apple Notes to plain text Markdown format but 11 years after leaving Vista, I have been reconsidering Windows. […]

@remmah
Whoa nelly!!! Is that why 10.7 felt so slow to use when connected to the Internet? I mean, the system as a whole felt slower to me on 10.7 vs 10.6, at least on older Core 2 Duo MacBooks, but maybe that's why networking was kind of hit and miss for me?

@Nathan
Yeah, it took a long time to figure out what was going on, since the original complaint that caused me to investigate was 'the Internet is intermittently slow'. We did fresh installs, had the Genius Bar eventually replace everything aside from the screen, no luck.

I forget why, but eventually I ran the ping utility and discovered that packets were consistently getting dropped at those rough intervals. The eventual workaround was to use a generic USB WiFi adapter that had its own 3rd-party kext. The problem went away immediately after setting that up (installing Windows 8 also worked).

I took the time to bring the MacBook back to the Genius Bar to demonstrate that the problem was Apple's WiFi driver. The genius said they'd report it to engineering, but Lion was only getting security updates by then, so it never got fixed.

I added this onto the twitter thread:

Follow-up: I debugged with a friend at  but we didn't get very far, so I filed a bug but never got a response. After waiting a bit, I returned the machine and got a differently spec'd 16" MBP and have not had this problem with it.
