RFR: 8072692: Improve performance of SecurityManager.checkPackageAccess

Daniel Fuchs daniel.fuchs at oracle.com
Tue Jun 16 17:41:07 UTC 2015


On 16/06/15 18:49, Thomas Lußnig wrote:
> Hi,
>
> two points that come directly to my mind when i checked the code:
>
> 1) An Error in the description.
>
> +            // If plast >= plen then restrictedPkg is longer than pkg by at
> +            // least one char. This means pkg cannot start with restrictedPkg,
> +            // since restrictedPkg will be longer than pkg.
> +            //
> +            // Similarly if plast != plen, then pkg + "." cannot be the same
> +            // as restrictedPkg, since pkg + "." will have a different length
> +            // than restrictedPkg.
>
> 	If this would be correct then where would never be an match because
> 	!(plast >= plen) && !(plast != plen) must be true for an possible match.
> 	That could be rewriten to (plast < plen) && (plast == plen) and this is always FALSE.

Hi Thomas - I believe the description is correct:

plast >= plen  <=> restrictedPkg.length() -1 >= pkg.length()
                <=> restrictedPkg.length() >= pkg.length() + 1
which does means pkg.startsWith(restrictedPkg) == false

plast != plen  <=> restrictedPkg.length() -1 != pkg.length()
                <=> restrictedPkg.length() != pkg.length() + 1
which does means that restrictedPkg.equals(pkg + ".") == false


> 2) Would it be worth to use the state Engine instead of looping over the array ?

When I investigated the issue I found that using the state engine only
brought a marginal improvement - compared to what is proposed here.
Given the additional complexity that the state engine brings - I
believe that looping over the array is the appropriate choice.

The state engine is still in the test in case someone decides one
day that the marginal improvements are worthy ;-)

best regards,

-- daniel


>
> Gruß Thomas
>
>
>
> On 16.06.2015 16:54, Sean Mullan wrote:
>> This is the sixth in a series of fixes for JEP 232 (Improve Secure
>> Application Performance) [1].
>>
>> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8072692/webrev.00/
>> bug: https://bugs.openjdk.java.net/browse/JDK-8072692
>>
>> This fix adds several optimizations to the package matching algorithm
>> used by the SecurityManager.checkPackageAcccess method. These
>> improvements result in a 5-7x increase in throughput of this method. A
>> performance chart has been attached to the bug with more information.
>>
>> A new test is included which uses a state machine to verify that the
>> matching algorithm is working correctly.
>>
>> Special thanks to Daniel Fuchs for contributing this fix and the test.
>>
>> Thanks,
>> Sean
>>
>> [1] http://openjdk.java.net/jeps/232
>




More information about the security-dev mailing list