RFR: 8296507: GCM using more memory than necessary with in-place operations

[Anthony Scarpino]

On Wed, 16 Nov 2022 16:57:14 GMT, Mark Powers <mpowers at openjdk.org> wrote:

>> I would like a review of an update to the GCM code.  A recent report showed that GCM memory usage for TLS was very large.  This was a result of in-place buffers, which TLS uses, and how the code handled the combined intrinsic method during decryption.  A temporary buffer was used because the combined intrinsic does gctr before ghash which results in a bad tag.  The fix is to not use the combined intrinsic during in-place decryption and depend on the individual GHASH and CounterMode intrinsics.  Direct ByteBuffers are not affected as they are not used by the intrinsics directly.
>> 
>> The reduction in the memory usage boosted performance back to where it was before despite using slower intrinsics (gctr & ghash individually).  The extra memory allocation for the temporary buffer out-weighted the faster intrinsic.
>> 
>> 
>>     JDK 17:   122913.554 ops/sec
>>     JDK 19:    94885.008 ops/sec
>>     Post fix: 122735.804 ops/sec 
>> 
>> There is no regression test because this is a memory change and test coverage already existing.
>
> src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java line 592:
> 
>> 590: 
>> 591:         int len = 0;
>> 592:         // Loop if input length is greater than the SPLIT_LEN
> 
> comment doesn't add anything not already obvious from the code

yeah.. probably right

> src/java.base/share/classes/com/sun/crypto/provider/GaloisCounterMode.java line 694:
> 
>> 692:         int originalOutOfs = 0;
>> 693: 
>> 694:         // True if op is in-place array decryption with the input & output
> 
> // Setting `inPlaceArray` to true turns off combined intrinsic processing.

yeah that's better

-------------

PR: https://git.openjdk.org/jdk/pull/11121