On Wed, 9 Jun 2021 07:53:43 GMT, Dongbo He <dongb...@openjdk.org> wrote:
> Now AlgorithmConstraints:checkAlgorithm uses List to check if an algorithm > has been disabled. It is less efficient when there are more disabled elements > in the list, we can use Set instead of List to speed up the search. > > Patch contains a benchmark that can be run with `make test > TEST="micro:java.security.AlgorithmConstraintsPermits"`. > Baseline results before patch: > > Benchmark (algorithm) Mode Cnt Score > Error Units > AlgorithmConstraintsPermits.permits SSLv3 avgt 5 21.687 ? > 1.118 ns/op > AlgorithmConstraintsPermits.permits DES avgt 5 324.216 ? > 6.233 ns/op > AlgorithmConstraintsPermits.permits NULL avgt 5 709.462 ? > 51.259 ns/op > AlgorithmConstraintsPermits.permits TLS1.3 avgt 5 687.497 ? > 170.181 ns/op > > Benchmark results after patch: > > Benchmark (algorithm) Mode Cnt Score Error > Units > AlgorithmConstraintsPermits.permits SSLv3 avgt 5 46.407 ? 1.057 > ns/op > AlgorithmConstraintsPermits.permits DES avgt 5 65.722 ? 0.578 > ns/op > AlgorithmConstraintsPermits.permits NULL avgt 5 43.988 ? 1.264 > ns/op > AlgorithmConstraintsPermits.permits TLS1.3 avgt 5 399.546 ? 11.194 > ns/op > > SSLv3, DES, NULL are the first, middle and last element in > `jdk.tls.disabledAlgorithms` from `conf/security/java.security`. > > Tomcat(maxKeepAliveRequests=1, which will disable HTTP/1.0 keep-alive)+Jmeter: > Before patch: > > summary + 50349 in 00:00:30 = 1678.4/s Avg: 238 Min: 188 Max: 298 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > summary = 135183 in 00:01:22 = 1654.5/s Avg: 226 Min: 16 Max: 1281 Err: > 0 (0.00%) > summary + 50240 in 00:00:30 = 1674.1/s Avg: 238 Min: 200 Max: 308 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > summary = 185423 in 00:01:52 = 1659.7/s Avg: 229 Min: 16 Max: 1281 Err: > 0 (0.00%) > summary + 50351 in 00:00:30 = 1678.4/s Avg: 238 Min: 191 Max: 306 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > summary = 235774 in 00:02:22 = 1663.7/s Avg: 231 Min: 16 Max: 1281 Err: > 0 (0.00%) > summary + 50461 in 00:00:30 = 1681.9/s Avg: 237 Min: 174 Max: 303 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > > After patch: > > summary + 59003 in 00:00:30 = 1966.6/s Avg: 203 Min: 158 Max: 272 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > summary = 146675 in 00:01:18 = 1884.6/s Avg: 198 Min: 26 Max: 697 Err: > 0 (0.00%) > summary + 58965 in 00:00:30 = 1965.9/s Avg: 203 Min: 166 Max: 257 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > summary = 205640 in 00:01:48 = 1907.2/s Avg: 199 Min: 26 Max: 697 Err: > 0 (0.00%) > summary + 59104 in 00:00:30 = 1969.1/s Avg: 203 Min: 157 Max: 266 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > summary = 264744 in 00:02:18 = 1920.7/s Avg: 200 Min: 26 Max: 697 Err: > 0 (0.00%) > summary + 59323 in 00:00:30 = 1977.6/s Avg: 202 Min: 158 Max: 256 Err: > 0 (0.00%) Active: 400 Started: 400 Finished: 0 > > > Testing: tier1, tier2 I think it would be worthwhile to see if we can take this a step further, and leverage the `Constraint` objects that are already created and stored in the `Constraints` object in a `HashMap<String, List<Constraint>>`. The key is the algorithm `String`, and the value is a `List` of `Constraint` objects that apply to it. If the algorithm is completely disabled, the `List` would contain one entry `Constraint.DisabledConstraint` (which has a `permits` method that always returns `false`). This way we could potentially eliminate the List/Set cache entirely and just use the HashMap to check if the algorithm is disabled. ------------- PR: https://git.openjdk.java.net/jdk/pull/4424
