[8u] RFR: 8203190: SessionId.hashCode generates too many collisions
Severin Gehwolf
sgehwolf at redhat.com
Thu May 16 17:51:25 UTC 2019
Hi,
Could I please get a review of this OpenJDK 8u only fix? JDKs 11+ don't
seem to have this issue as with the TLS 1.3 feature (JDK-8196584)
SessionId.hashCode() got changed to use Arrays.hashCode() already.
webrev: http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8203190/01/webrev/
Bug: https://bugs.openjdk.java.net/browse/JDK-8203190
The rationale for the fix is these assumptions:
a) elements in trees on hash collision of LinkedHashMap used internally
by the MemoryCache class become prohibitively large for many SessionId
entries in the cache, b) moderate speed of the new hashCode() impl will
not have a detrimental effect on performance overall.
Comparison of performance of hashCode impls[1]:
Benchmark                    Mode   Cnt         Score         Error  Units
SessionIDBench.newHashCode   thrpt  100  43649538.284 ±  678702.696  ops/s
SessionIDBench.oldHashCode   thrpt  100  94068843.923 ± 1379930.266  ops/s
Collision testing[2] showed that indeed, the current hashCode()
implementation of SessionId produces more collisions and, thus,
produces more elements in trees for collision resolution in the
underlying LinkedHashMap. The default cache expiry is 24 hours per
entry and this can result in millions of entries in the cache in some
circumstances[3].
Before:
##################################################
Collision test for 100 sessions:
------------------------------------------------
Total number of collisions: 4
Max length of collision list over all buckets: 2
Collision test for 20480 sessions:
------------------------------------------------
Total number of collisions: 18311
Max length of collision list over all buckets: 30
Collision test for 10000000 sessions:
------------------------------------------------
Total number of collisions: 9996395
Max length of collision list over all buckets: 9709
##################################################
After:
##################################################
Collision test for 100 sessions:
------------------------------------------------
Total number of collisions: 0
Collision test for 20480 sessions:
------------------------------------------------
Total number of collisions: 0
Collision test for 10000000 sessions:
------------------------------------------------
Total number of collisions: 11530
Max length of collision list over all buckets: 2
##################################################
Testing: Above testing, and make test. No new failures.
Thoughts?
Thanks,
Severin
[1] http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8203190/SessionIDBench.java
[2] http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8203190/SessionIdCollissionTest.java
[3] https://bugs.openjdk.java.net/browse/JDK-8210985
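
An added example, not part of the original post and not the linked SessionIdCollissionTest.java: a minimal comparison of hash-value collisions for random 32-byte session IDs under Arrays.hashCode() and under an additive byte-sum hash. Assumptions: the byte-sum function stands in for the pre-fix SessionId.hashCode(), the class and method names are hypothetical, the largest run is 1,000,000 IDs to keep memory modest, and collisions are counted on full 32-bit hash values rather than on map buckets.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.function.ToIntFunction;

public class SessionIdHashDemo {

    // Assumption: additive hash standing in for the pre-fix implementation.
    // For 32 signed bytes the result can only fall in [-4096, 4064], so the
    // number of distinct hash values is capped no matter how many IDs exist.
    static int sumHash(byte[] id) {
        int h = 0;
        for (byte b : id) {
            h += b;
        }
        return h;
    }

    // Returns { number of IDs whose hash was already taken,
    //           largest number of IDs sharing one hash value }.
    static int[] measure(byte[][] ids, ToIntFunction<byte[]> hash) {
        Map<Integer, Integer> perHash = new HashMap<>();
        int max = 0;
        for (byte[] id : ids) {
            int count = perHash.merge(hash.applyAsInt(id), 1, Integer::sum);
            max = Math.max(max, count);
        }
        return new int[] { ids.length - perHash.size(), max };
    }

    public static void main(String[] args) {
        SecureRandom rnd = new SecureRandom();
        for (int n : new int[] { 100, 20480, 1_000_000 }) {
            // Constructed sample input: random 32-byte session IDs.
            byte[][] ids = new byte[n][32];
            for (byte[] id : ids) {
                rnd.nextBytes(id);
            }
            int[] sum = measure(ids, SessionIdHashDemo::sumHash);
            int[] arr = measure(ids, Arrays::hashCode);
            System.out.printf("%d sessions%n", n);
            System.out.printf("  byte-sum hash:    collisions=%d, max per hash=%d%n", sum[0], sum[1]);
            System.out.printf("  Arrays.hashCode:  collisions=%d, max per hash=%d%n", arr[0], arr[1]);
        }
    }
}
```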