chore: rely on nss-rs for NSS initialization and test DB by larseggert · Pull Request #3621 · mozilla/neqo

larseggert · 2026-05-15T14:02:05Z

Delegate NSS init in fixture_init to nss-rs's own test-fixture crate instead of duplicating the logic. Remove test-fixture/db — the NSS database now comes from nss-rs, which exposes TEST_FIXTURE_DB as the default path for neqo-server --db. Update CI and scripts accordingly.

larseggert · 2026-05-15T14:02:23Z

Depends on mozilla/nss-rs#56

martinthomson

I can't see a problem here, other than the challenge of finding the db from the NSS crate (which I hope the tests will sort out)

codecov · 2026-05-18T06:42:46Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.01%. Comparing base (006442d) to head (2efd786).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3621      +/-   ##
==========================================
- Coverage   95.11%   95.01%   -0.11%     
==========================================
  Files         111      116       +5     
  Lines       37999    38357     +358     
  Branches    37999    38357     +358     
==========================================
+ Hits        36144    36443     +299     
- Misses       1159     1215      +56     
- Partials      696      699       +3

Flag	Coverage Δ
freebsd	`94.18% <ø> (-0.10%)`	⬇️
linux	`95.15% <ø> (+0.03%)`	⬆️
macos	`95.10% <ø> (+0.03%)`	⬆️
windows	`95.15% <ø> (+0.03%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
neqo-common	`98.61% <ø> (ø)`
neqo-http3	`93.92% <ø> (ø)`
neqo-qpack	`95.62% <ø> (+0.48%)`	⬆️
neqo-transport	`95.80% <ø> (-0.01%)`	⬇️
neqo-udp	`84.90% <ø> (ø)`
mtu	`86.61% <ø> (ø)`

Delegate NSS init in `fixture_init` to `nss-rs`'s own `test-fixture` crate instead of duplicating the logic. Remove `test-fixture/db` — the NSS database now comes from `nss-rs`, which exposes `TEST_FIXTURE_DB` as the default path for `neqo-server --db`. Update CI and scripts accordingly.

github-actions · 2026-05-18T08:08:05Z

Client/server transfer results

Performance differences relative to 7b0962d.

No significant performance differences.

Table above only shows statistically significant changes. See all results below.

All results

Transfer of 33554432 bytes over loopback, min. 100 runs. All unit-less numbers are in milliseconds.

Client vs. server (params)	Mean ± σ	Min	Max	MiB/s ± σ	Δ `baseline`	Δ `baseline`
google-google-nopacing	461.1 ± 2.1	455.9	474.9	69.4 ± 15.2
google-neqo-cubic	266.3 ± 2.0	263.5	272.4	120.2 ± 16.0	-0.5	-0.2%
msquic-msquic-nopacing	130.3 ± 40.8	112.2	408.3	245.7 ± 0.8
msquic-neqo-cubic	150.0 ± 22.3	119.6	240.4	213.3 ± 1.4	4.5	3.1%
neqo-google-cubic	767.3 ± 6.9	703.7	777.0	41.7 ± 4.6	-0.8	-0.1%
neqo-msquic-cubic	145.5 ± 1.8	141.5	153.4	219.9 ± 17.8	0.1	0.1%
neqo-neqo-cubic	86.4 ± 2.4	81.7	91.0	370.4 ± 13.3	-0.0	-0.0%
neqo-neqo-cubic-nopacing	86.2 ± 2.6	78.5	92.9	371.4 ± 12.3	-0.5	-0.6%
neqo-neqo-newreno	87.0 ± 3.3	81.9	104.4	367.9 ± 9.7	0.3	0.4%
neqo-neqo-newreno-nopacing	85.8 ± 2.9	79.7	93.1	373.1 ± 11.0	-0.6	-0.7%
neqo-quiche-cubic	188.8 ± 2.5	184.6	196.1	169.5 ± 12.8	-0.4	-0.2%
neqo-s2n-cubic	214.4 ± 1.8	210.9	226.9	149.3 ± 17.8	0.0	0.0%
quiche-neqo-cubic	176.2 ± 3.3	168.6	185.7	181.6 ± 9.7	-0.3	-0.2%
quiche-quiche-nopacing	139.2 ± 3.3	132.8	147.4	229.9 ± 9.7
s2n-neqo-cubic	217.5 ± 4.1	207.5	226.9	147.2 ± 7.8	-0.3	-0.1%
s2n-s2n-nopacing	289.4 ± 19.8	279.0	387.7	110.6 ± 1.6

Download data for profiler.firefox.com or download performance comparison data.

Copilot

Pull request overview

This PR moves Neqo’s NSS test database setup to the nss-rs test fixture, removing the in-repo test DB dependency and updating server defaults, tests, docs, and CI packaging to use the nss-rs-provided database.

Changes:

Delegates test-fixture NSS initialization to nss-test-fixture.
Makes neqo-server --db optional and defaults it to the nss-rs fixture DB.
Updates docs, benchmarks, scripts, and workflows to stop depending on test-fixture/db.

Reviewed changes

Copilot reviewed 18 out of 21 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
`test/upload_test.sh`	Removes explicit server DB path.
`test/README.md`	Updates upload test instructions for default DB behavior.
`test-fixture/src/lib.rs`	Delegates NSS fixture setup to nss-rs.
`test-fixture/db/pkcs11.txt`	Removes committed NSS DB metadata.
`test-fixture/Cargo.toml`	Adds nss-rs test fixture dependency.
`README.md`	Updates local Firefox testing command.
`neqo-bin/src/server/mod.rs`	Makes server DB argument optional and uses nss-rs fixture default.
`neqo-bin/src/lib.rs`	Uses shared test fixture initialization in tests.
`neqo-bin/Cargo.toml`	Adds nss fixture dependencies for server/tests/benches.
`neqo-bin/benches/main.rs`	Uses shared fixture initialization in benchmarks.
`Cargo.toml`	Updates nss-rs and adds nss test fixture workspace dependency.
`Cargo.lock`	Locks nss-rs 0.11.0 and the new fixture package.
`AGENTS.md`	Updates contributor guidance for NSS setup.
`.github/workflows/profile.yml`	Removes old NSS DB env usage from profiling jobs.
`.github/workflows/perfcompare.yml`	Exports the new fixture DB environment for perf comparison.
`.github/workflows/bench.yml`	Exports and forwards the new fixture DB environment for benchmarks.
`.github/scripts/perfcompare.py`	Preserves the new fixture DB env through sudo.
`.github/actions/check-android/action.yml`	Pushes the nss-rs fixture DB for Android tests.
`.github/actions/build-neqo/action.yml`	Packages the nss-rs fixture DB into build artifacts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Lars Eggert <lars@eggert.org>

github-actions · 2026-05-18T08:48:11Z

Benchmark results

Significant performance differences relative to 7b0962d.

streams-flow-controlled/walltime/1-streams/each-4194304-bytes: 💔 Performance has regressed by +1.3004%.

       time:   [33.063 ms 33.143 ms 33.252 ms]
       change: [+1.0248% +1.3004% +1.6832] (p = 0.00 < 0.05)
       Performance has regressed.
Found 2 outliers among 100 measurements (2.00%)
1 (1.00%) high mild
1 (1.00%) high severe

All results

transfer/1-conn/1-100mb-resp (aka. Download): No change in performance detected.

       time:   [184.00 ms 184.55 ms 185.18 ms]
       thrpt:  [540.01 MiB/s 541.87 MiB/s 543.48 MiB/s]
change:
       time:   [-0.1493% +0.2150% +0.5853] (p = 0.27 > 0.05)
       thrpt:  [-0.5819% -0.2145% +0.1495]
       No change in performance detected.
Found 3 outliers among 100 measurements (3.00%)
2 (2.00%) high mild
1 (1.00%) high severe

transfer/1-conn/10_000-parallel-1b-resp (aka. RPS): No change in performance detected.

       time:   [279.10 ms 281.19 ms 283.27 ms]
       thrpt:  [35.302 Kelem/s 35.563 Kelem/s 35.830 Kelem/s]
change:
       time:   [-1.7070% -0.7410% +0.2904] (p = 0.16 > 0.05)
       thrpt:  [-0.2896% +0.7466% +1.7367]
       No change in performance detected.

transfer/1-conn/1-1b-resp (aka. HPS): No change in performance detected.

       time:   [39.103 ms 39.261 ms 39.438 ms]
       thrpt:  [25.356   B/s 25.470   B/s 25.573   B/s]
change:
       time:   [-0.6635% -0.0463% +0.5660] (p = 0.89 > 0.05)
       thrpt:  [-0.5628% +0.0463% +0.6679]
       No change in performance detected.
Found 12 outliers among 100 measurements (12.00%)
6 (6.00%) high mild
6 (6.00%) high severe

transfer/1-conn/1-100mb-req (aka. Upload): Change within noise threshold.

       time:   [186.25 ms 186.55 ms 186.85 ms]
       thrpt:  [535.19 MiB/s 536.05 MiB/s 536.90 MiB/s]
change:
       time:   [-1.0115% -0.7697% -0.5460] (p = 0.00 < 0.05)
       thrpt:  [+0.5490% +0.7757% +1.0218]
       Change within noise threshold.
Found 2 outliers among 100 measurements (2.00%)
2 (2.00%) high mild

streams/walltime/1-streams/each-1000-bytes: Change within noise threshold.

       time:   [587.57 µs 589.73 µs 592.23 µs]
       change: [-1.4532% -0.8689% -0.2521] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 11 outliers among 100 measurements (11.00%)
1 (1.00%) high mild
10 (10.00%) high severe

streams/walltime/1000-streams/each-1-bytes: Change within noise threshold.

       time:   [11.995 ms 12.018 ms 12.041 ms]
       change: [-0.9736% -0.7213% -0.4686] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 1 outliers among 100 measurements (1.00%)
1 (1.00%) high mild

streams/walltime/1000-streams/each-1000-bytes: Change within noise threshold.

       time:   [42.558 ms 42.598 ms 42.638 ms]
       change: [+0.4327% +0.6444% +0.8216] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 1 outliers among 100 measurements (1.00%)
1 (1.00%) high mild

streams-flow-controlled/walltime/1-streams/each-4194304-bytes: 💔 Performance has regressed by +1.3004%.

       time:   [33.063 ms 33.143 ms 33.252 ms]
       change: [+1.0248% +1.3004% +1.6832] (p = 0.00 < 0.05)
       Performance has regressed.
Found 2 outliers among 100 measurements (2.00%)
1 (1.00%) high mild
1 (1.00%) high severe

streams-flow-controlled/walltime/10-streams/each-1048576-bytes: No change in performance detected.

       time:   [94.317 ms 95.564 ms 96.852 ms]
       change: [-2.1300% -0.2900% +1.7933] (p = 0.77 > 0.05)
       No change in performance detected.

transfer/walltime/pacing-false/varying-seeds: Change within noise threshold.

       time:   [22.417 ms 22.430 ms 22.444 ms]
       change: [-0.6687% -0.5135% -0.3773] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 2 outliers among 100 measurements (2.00%)
2 (2.00%) high mild

transfer/walltime/pacing-true/varying-seeds: Change within noise threshold.

       time:   [22.744 ms 22.759 ms 22.775 ms]
       change: [-0.6230% -0.5049% -0.3930] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 1 outliers among 100 measurements (1.00%)
1 (1.00%) high mild

transfer/walltime/pacing-false/same-seed: Change within noise threshold.

       time:   [22.340 ms 22.355 ms 22.372 ms]
       change: [-0.8931% -0.7760% -0.6577] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 2 outliers among 100 measurements (2.00%)
2 (2.00%) high mild

transfer/walltime/pacing-true/same-seed: Change within noise threshold.

       time:   [22.561 ms 22.575 ms 22.588 ms]
       change: [-1.4927% -1.3321% -1.1953] (p = 0.00 < 0.05)
       Change within noise threshold.
Found 1 outliers among 100 measurements (1.00%)
1 (1.00%) high mild

Download data for profiler.firefox.com or download performance comparison data.

github-actions · 2026-05-18T08:54:08Z

Failed Interop Tests

QUIC Interop Runner, client vs. server, differences relative to main at 7b0962d.

neqo-pr as client	neqo-pr as server
neqo-pr vs. go-x-net: BP BA neqo-pr vs. haproxy: BP BA neqo-pr vs. kwik: BP BA neqo-pr vs. lsquic: run cancelled after 20 min neqo-pr vs. msquic: A L1 C1 neqo-pr vs. mvfst: A BP BA neqo-pr vs. neqo: A neqo-pr vs. nginx: BP BA neqo-pr vs. ngtcp2: CM neqo-pr vs. picoquic: A ⚠️BA neqo-pr vs. quic-go: A neqo-pr vs. quic-zig: B neqo-pr vs. quiche: BP BA neqo-pr vs. s2n-quic: CM neqo-pr vs. tquic: S BP BA neqo-pr vs. xquic: A L1	aioquic vs. neqo-pr: ⚠️C1 CM go-x-net vs. neqo-pr: ⚠️BA CM kwik vs. neqo-pr: BP BA CM msquic vs. neqo-pr: CM mvfst vs. neqo-pr: Z A L1 C1 CM neqo vs. neqo-pr: A openssl vs. neqo-pr: LR M A CM quic-go vs. neqo-pr: CM quiche vs. neqo-pr: ⚠️C1 CM quinn vs. neqo-pr: V2 CM s2n-quic vs. neqo-pr: CM tquic vs. neqo-pr: CM xquic vs. neqo-pr: M CM

All results

Succeeded Interop Tests

QUIC Interop Runner, client vs. server

neqo-pr as client

neqo-pr vs. aioquic: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2 BP BA
neqo-pr vs. go-x-net: H DC LR M B U A L2 C2 6
neqo-pr vs. haproxy: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2
neqo-pr vs. kwik: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2
neqo-pr vs. linuxquic: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM
neqo-pr vs. msquic: H DC LR C20 M S R Z B U L2 C2 6 V2 BP BA
neqo-pr vs. mvfst: H DC LR M R Z 3 B U L1 L2 C1 C2 6
neqo-pr vs. neqo: H DC LR C20 M S R Z 3 B U E L1 L2 C1 C2 6 V2 BP BA CM
neqo-pr vs. nginx: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6
neqo-pr vs. ngtcp2: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA
neqo-pr vs. picoquic: H DC LR C20 M S R Z 3 B U E L1 L2 C1 C2 6 V2 BP ⚠️BA CM
neqo-pr vs. quic-go: H DC LR C20 M S R Z 3 B U L1 L2 C1 C2 6 BP BA
neqo-pr vs. quic-zig: H DC LR C20 M S R Z 3 U E A L1 L2 C1 C2 6 V2 BP BA CM
neqo-pr vs. quiche: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6
neqo-pr vs. quinn: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 BP BA
neqo-pr vs. s2n-quic: H DC LR C20 M S R 3 B U E A L1 L2 C1 C2 6 BP BA
neqo-pr vs. tquic: H DC LR C20 M R Z 3 B U A L1 L2 C1 C2 6
neqo-pr vs. xquic: H DC LR C20 M S R Z 3 B U L2 C1 C2 6 BP BA

neqo-pr as server

aioquic vs. neqo-pr: H DC LR C20 M S R Z 3 B U A L1 L2 ⚠️C1 C2 6 V2 BP BA
chrome vs. neqo-pr: 3
go-x-net vs. neqo-pr: H DC LR M B U A L2 C2 6 BP ⚠️BA
kwik vs. neqo-pr: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2
linuxquic vs. neqo-pr: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM
lsquic vs. neqo-pr: H DC LR C20 M S R Z 3 B E A L1 L2 C1 C2 6 V2 BP BA CM
msquic vs. neqo-pr: H DC LR C20 M S R Z B U A L1 L2 C1 C2 6 V2 BP BA
mvfst vs. neqo-pr: H DC LR M 3 B L2 C2 6 BP BA
neqo vs. neqo-pr: H DC LR C20 M S R Z 3 B U E L1 L2 C1 C2 6 V2 BP BA CM
ngtcp2 vs. neqo-pr: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM
openssl vs. neqo-pr: H DC C20 S R 3 B L2 C2 6 BP BA
picoquic vs. neqo-pr: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM
quic-go vs. neqo-pr: H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 BP BA
quic-zig vs. neqo-pr: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM
quiche vs. neqo-pr: H DC LR M S R Z 3 B A L1 L2 ⚠️C1 C2 6 BP BA
quinn vs. neqo-pr: H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 BP BA
s2n-quic vs. neqo-pr: H DC LR M S R 3 B E A L1 L2 C1 C2 6 BP BA
tquic vs. neqo-pr: H DC LR M S R Z 3 B A L1 L2 C1 C2 6 BP BA
xquic vs. neqo-pr: H DC LR C20 S R Z 3 B U A L1 L2 C1 C2 6 BP BA

Unsupported Interop Tests

QUIC Interop Runner, client vs. server

neqo-pr as client

neqo-pr vs. aioquic: E CM
neqo-pr vs. go-x-net: C20 S R Z 3 E L1 C1 V2 CM
neqo-pr vs. haproxy: E CM
neqo-pr vs. kwik: E CM
neqo-pr vs. msquic: 3 E CM
neqo-pr vs. mvfst: C20 S E V2 CM
neqo-pr vs. nginx: E V2 CM
neqo-pr vs. quic-go: E V2 CM
neqo-pr vs. quiche: E V2 CM
neqo-pr vs. quinn: V2 CM
neqo-pr vs. s2n-quic: Z V2
neqo-pr vs. tquic: E V2 CM
neqo-pr vs. xquic: E V2 CM

neqo-pr as server

aioquic vs. neqo-pr: E
chrome vs. neqo-pr: H DC LR C20 M S R Z B U E A L1 L2 C1 C2 6 V2 BP BA CM
go-x-net vs. neqo-pr: C20 S R Z 3 E L1 C1 V2
kwik vs. neqo-pr: E
lsquic vs. neqo-pr: U
msquic vs. neqo-pr: 3 E
mvfst vs. neqo-pr: C20 S R U E V2
openssl vs. neqo-pr: Z U E L1 C1 V2
quic-go vs. neqo-pr: E V2
quiche vs. neqo-pr: C20 U E V2
s2n-quic vs. neqo-pr: C20 Z U V2
tquic vs. neqo-pr: C20 U E V2
xquic vs. neqo-pr: E V2

larseggert force-pushed the chore-simplify-nss-init branch from 4824dad to 9f9ba48 Compare May 15, 2026 14:08

martinthomson approved these changes May 15, 2026

View reviewed changes

larseggert force-pushed the chore-simplify-nss-init branch from 9f9ba48 to f885bcc Compare May 18, 2026 06:35

larseggert force-pushed the chore-simplify-nss-init branch 2 times, most recently from 0ca0d67 to aaa87c0 Compare May 18, 2026 07:20

larseggert force-pushed the chore-simplify-nss-init branch from aaa87c0 to f9af700 Compare May 18, 2026 07:40

larseggert marked this pull request as ready for review May 18, 2026 08:09

larseggert requested review from KershawChang and mxinden as code owners May 18, 2026 08:09

Copilot AI review requested due to automatic review settings May 18, 2026 08:09

Copilot started reviewing on behalf of larseggert May 18, 2026 08:09 View session

Copilot AI reviewed May 18, 2026

View reviewed changes

Comment thread .github/actions/check-android/action.yml

Comment thread Cargo.toml Outdated

Potential fix for pull request finding

2efd786

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Lars Eggert <lars@eggert.org>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: rely on nss-rs for NSS initialization and test DB#3621

chore: rely on nss-rs for NSS initialization and test DB#3621
larseggert wants to merge 2 commits into
mozilla:mainfrom
larseggert:chore-simplify-nss-init

larseggert commented May 15, 2026

Uh oh!

larseggert commented May 15, 2026

Uh oh!

martinthomson left a comment

Uh oh!

codecov Bot commented May 18, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented May 18, 2026

Uh oh!

github-actions Bot commented May 18, 2026

Succeeded Interop Tests

neqo-pr as client

neqo-pr as server

Unsupported Interop Tests

neqo-pr as client

neqo-pr as server

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

larseggert commented May 15, 2026

Uh oh!

larseggert commented May 15, 2026

Uh oh!

martinthomson left a comment

Choose a reason for hiding this comment

Uh oh!

codecov Bot commented May 18, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions Bot commented May 18, 2026

Client/server transfer results

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented May 18, 2026

Benchmark results

Uh oh!

github-actions Bot commented May 18, 2026

Failed Interop Tests

Succeeded Interop Tests

neqo-pr as client

neqo-pr as server

Unsupported Interop Tests

neqo-pr as client

neqo-pr as server

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

codecov Bot commented May 18, 2026 •

edited

Loading