Subject class creation performance optimization oportunity

Mkrtchyan, Tigran tigran.mkrtchyan at desy.de
Wed Jun 25 07:59:55 UTC 2025 

Dear security-devs,

While benchmarking various parts of our code, I noticed unexpected (but fully explainable) behavior of how an instance of the Subject class can be created.

The intuitive one is to create a set of Principals and then pass it to the constructor. However, it turned out that creating an empty subject and populating it with desire principles is much faster:


    Benchmark                               Mode  Cnt        Score       Error  Units
    SubjectBenchmark.subjectByAddingToSet  thrpt    9  2061025.436 ± 24807.881  ops/s
    SubjectBenchmark.subjectByPassingSet   thrpt    9  1341492.178 ± 34701.882  ops/s


The reason is that the Subject class performs extra checks on the provided set, which first creates a null-clean LinkedList copy of the collection. Makes sense.
However, `Set#of` returns immutable, null clean sets, so there is no reason for an extra copy.


Best regards,
   Tigran.


The benchmark code:

```
@BenchmarkMode(Mode.Throughput)
@State(Scope.Benchmark)
public class SubjectBenchmark {


    @Benchmark
    public Subject subjectByAddingToSet() {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UnixNumericUserPrincipal(0));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(0, true));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(1, false));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(2, false));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(3, false));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(4, false));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(5, false));
        subject.getPrincipals().add(new UnixNumericGroupPrincipal(6, false));
        subject.setReadOnly();
        return subject;
    }


    @Benchmark
    public Subject subjectByPassingSet() {

        Principal[] principals = new Principal[]{
              new UnixNumericUserPrincipal(0),
              new UnixNumericGroupPrincipal(0, true),
              new UnixNumericGroupPrincipal(1, false),
              new UnixNumericGroupPrincipal(2, false),
              new UnixNumericGroupPrincipal(3, false),
              new UnixNumericGroupPrincipal(4, false),
              new UnixNumericGroupPrincipal(5, false),
              new UnixNumericGroupPrincipal(6, false)
        };

        return new Subject(true, Set.of(principals), Set.of(), Set.of());
    }
}
```
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2826 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20250625/5f9f8256/smime.p7s>

More information about the security-dev mailing list