RFR: 8270317: Large Allocation in CipherSuite

djelinski github.com+30433125+djelinski at openjdk.java.net
Wed Jul 14 20:29:14 UTC 2021


On Wed, 14 Jul 2021 17:06:02 GMT, Clive Verghese <cverghese at openjdk.org> wrote:

> ### Benchmark results 
> 
> I have benchmarked 3 cases.
> 
> 1. The current situation. 
> 
> Benchmark                                                        (cipherSuite)  Mode  Cnt    Score   Error  Units
> CipherSuiteBench.benchmarkCipherSuite                   TLS_AES_256_GCM_SHA384  avgt   25  124.783 ? 2.050  ns/op
> CipherSuiteBench.benchmarkCipherSuite  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  avgt   25  125.403 ? 0.554  ns/op
> CipherSuiteBench.benchmarkCipherSuite      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  avgt   25  127.117 ? 0.789  ns/op
> CipherSuiteBench.benchmarkCipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA  avgt   25  127.869 ? 1.112  ns/op
> 
> 
> 2. Use `static final array` instead of calling `CipherSuite.values` each time. 
> 
> Benchmark                                                        (cipherSuite)  Mode  Cnt   Score   Error  Units
> CipherSuiteBench.benchmarkCipherSuite                   TLS_AES_256_GCM_SHA384  avgt   25  10.146 ? 0.252  ns/op
> CipherSuiteBench.benchmarkCipherSuite  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  avgt   25  30.501 ? 0.207  ns/op
> CipherSuiteBench.benchmarkCipherSuite      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  avgt   25  47.375 ? 0.150  ns/op
> CipherSuiteBench.benchmarkCipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA  avgt   25  55.887 ? 3.786  ns/op
> 
> 
> 3. Using Hashmap for lookup instead of iterating through the array each time. (Method in this PR)
> 
> Benchmark                                                        (cipherSuite)  Mode  Cnt   Score   Error  Units
> CipherSuiteBench.benchmarkCipherSuite                   TLS_AES_256_GCM_SHA384  avgt   25  13.533 ? 0.148  ns/op
> CipherSuiteBench.benchmarkCipherSuite  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  avgt   25  11.269 ? 0.147  ns/op
> CipherSuiteBench.benchmarkCipherSuite      TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  avgt   25  11.507 ? 0.107  ns/op
> CipherSuiteBench.benchmarkCipherSuite         TLS_DHE_RSA_WITH_AES_256_CBC_SHA  avgt   25  10.932 ? 0.146  ns/op
> 
> 
> I have picked 4 cipher suite from the start of the list and are roughly 10 positions apart. I have opted to go with HashMap for name and id lookup as they provide a more consistent times and benchmarks are similar for the first few cipher suits in the enum as well.

The benchmark you provided looks a bit odd... In variant 1 best and worst cases differ by 3 ns, and in variant 2 they differ by 45 ns. The algorithm is supposed to be the same, so... Where does the difference come from?

src/java.base/share/classes/sun/security/ssl/CipherSuite.java line 916:

> 914:     static String nameOf(int id) {
> 915:         if (maps_id.containsKey(id)) {
> 916:             return maps_id.get(id).name;

Would it make sense to skip `containsKey` and null-check the value returned by `get` instead?

-------------

PR: https://git.openjdk.java.net/jdk/pull/4783



More information about the security-dev mailing list