RFR: 8072692: Improve performance of SecurityManager.checkPackageAccess

Weijun Wang weijun.wang at oracle.com
Wed Jun 17 00:42:26 UTC 2015

1478             final int plast = restrictedPkg.length() - 1;

Why is it named plast?

1494    //    - we check that restrictedPkg.length is pkg.length + 1,
1495    //    - we check that restrictedPkg starts with pkg,
1496    //    - and we check that the last character in restrictedPkg
1497    //      is '.'

Seems redundant. The check below is not difficult to read.

Also, is checking the "." at the end of restrictedPkg useful? On the one 
hand we know every item in package.access should always end with it. On 
the other hand, if someone really adds a "sun" there, the 1st part of 
the check could go wrong (For example, "sunw" matches). IMHO, either we 
don't check it at all (hoping property is always set correctly), or we 
always check for it (cover both "sun.tail" and "sun").


On 06/16/2015 10:54 PM, Sean Mullan wrote:
> This is the sixth in a series of fixes for JEP 232 (Improve Secure
> Application Performance) [1].
> webrev: http://cr.openjdk.java.net/~mullan/webrevs/8072692/webrev.00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8072692
> This fix adds several optimizations to the package matching algorithm
> used by the SecurityManager.checkPackageAcccess method. These
> improvements result in a 5-7x increase in throughput of this method. A
> performance chart has been attached to the bug with more information.
> A new test is included which uses a state machine to verify that the
> matching algorithm is working correctly.
> Special thanks to Daniel Fuchs for contributing this fix and the test.
> Thanks,
> Sean
> [1] http://openjdk.java.net/jeps/232

More information about the security-dev mailing list