cache NIOSSLContext (saves 27k allocs per conn)

weissi · weissi · commit c6bfa2329f5b · 2021-05-08T12:42:24.000+01:00
Motivation:

At the moment, AHC assumes that creating a `NIOSSLContext` is both cheap
and doesn't block.

Neither of these two assumptions are true.

To create a `NIOSSLContext`, BoringSSL will have to read a lot of
certificates in the trust store (on disk) which require a lot of ASN1
parsing and much much more.

On my Ubuntu test machine, creating one `NIOSSLContext` is about 27,000
allocations!!! To make it worse, AHC allocates a fresh `NIOSSLContext`
for _every single connection_, whether HTTP or HTTPS. Yes, correct.

Modification:

- Cache NIOSSLContexts per TLSConfiguration in a LRU cache
- Don't get an NIOSSLContext for HTTP (plain text) connections

Result:

New connections should be _much_ faster in general assuming that you're
not using a different TLSConfiguration for every connection.
diff --git a/Sources/AsyncHTTPClient/ConnectionPool.swift b/Sources/AsyncHTTPClient/ConnectionPool.swift
@@ -20,6 +20,7 @@ import NIOHTTP1
 import NIOHTTPCompression
 import NIOTLS
 import NIOTransportServices
+import NIOSSL
 
 /// A connection pool that manages and creates new connections to hosts respecting the specified preferences
 ///
@@ -41,6 +42,8 @@ final class ConnectionPool {
 
     private let backgroundActivityLogger: Logger
 
+    let sslContextCache = SSLContextCache()
+
     init(configuration: HTTPClient.Configuration, backgroundActivityLogger: Logger) {
         self.configuration = configuration
         self.backgroundActivityLogger = backgroundActivityLogger
@@ -106,6 +109,8 @@ final class ConnectionPool {
             self.providers.values
         }
 
+        self.sslContextCache.shutdown()
+
         return EventLoopFuture.reduce(true, providers.map { $0.close() }, on: eventLoop) { $0 && $1 }
     }
 
@@ -249,14 +254,15 @@ class HTTP1ConnectionProvider {
                 } else {
                     logger.trace("opening fresh connection (found matching but inactive connection)",
                                  metadata: ["ahc-dead-connection": "\(connection)"])
-                    self.makeChannel(preference: waiter.preference).whenComplete { result in
+                    self.makeChannel(preference: waiter.preference,
+                                     logger: logger).whenComplete { result in
                         self.connect(result, waiter: waiter, logger: logger)
                     }
                 }
             }
         case .create(let waiter):
             logger.trace("opening fresh connection (no connections to reuse available)")
-            self.makeChannel(preference: waiter.preference).whenComplete { result in
+            self.makeChannel(preference: waiter.preference, logger: logger).whenComplete { result in
                 self.connect(result, waiter: waiter, logger: logger)
             }
         case .replace(let connection, let waiter):
@@ -266,7 +272,7 @@ class HTTP1ConnectionProvider {
                 logger.trace("opening fresh connection (replacing exising connection)",
                              metadata: ["ahc-old-connection": "\(connection)",
                                         "ahc-waiter": "\(waiter)"])
-                self.makeChannel(preference: waiter.preference).whenComplete { result in
+                self.makeChannel(preference: waiter.preference, logger: logger).whenComplete { result in
                     self.connect(result, waiter: waiter, logger: logger)
                 }
             }
@@ -434,8 +440,14 @@ class HTTP1ConnectionProvider {
         return self.closePromise.futureResult.map { true }
     }
 
-    private func makeChannel(preference: HTTPClient.EventLoopPreference) -> EventLoopFuture<Channel> {
-        return NIOClientTCPBootstrap.makeHTTP1Channel(destination: self.key, eventLoop: self.eventLoop, configuration: self.configuration, preference: preference)
+    private func makeChannel(preference: HTTPClient.EventLoopPreference,
+                             logger: Logger) -> EventLoopFuture<Channel> {
+        return NIOClientTCPBootstrap.makeHTTP1Channel(destination: self.key,
+                                                      eventLoop: self.eventLoop,
+                                                      configuration: self.configuration,
+                                                      sslContextCache: self.pool.sslContextCache,
+                                                      preference: preference,
+                                                      logger: logger)
     }
 
     /// A `Waiter` represents a request that waits for a connection when none is
diff --git a/Sources/AsyncHTTPClient/HTTPClient.swift b/Sources/AsyncHTTPClient/HTTPClient.swift
@@ -900,7 +900,9 @@ extension ChannelPipeline {
         try sync.addHandler(handler)
     }
 
-    func syncAddLateSSLHandlerIfNeeded(for key: ConnectionPool.Key, tlsConfiguration: TLSConfiguration?, handshakePromise: EventLoopPromise<Void>) {
+    func syncAddLateSSLHandlerIfNeeded(for key: ConnectionPool.Key,
+                                       sslContext: NIOSSLContext,
+                                       handshakePromise: EventLoopPromise<Void>) {
         precondition(key.scheme.requiresTLS)
 
         do {
@@ -913,10 +915,9 @@ extension ChannelPipeline {
             try synchronousPipelineView.addHandler(eventsHandler, name: TLSEventsHandler.handlerName)
 
             // Then we add the SSL handler.
-            let tlsConfiguration = tlsConfiguration ?? TLSConfiguration.forClient()
-            let context = try NIOSSLContext(configuration: tlsConfiguration)
             try synchronousPipelineView.addHandler(
-                try NIOSSLClientHandler(context: context, serverHostname: (key.host.isIPAddress || key.host.isEmpty) ? nil : key.host),
+                try NIOSSLClientHandler(context: sslContext,
+                                        serverHostname: (key.host.isIPAddress || key.host.isEmpty) ? nil : key.host),
                 position: .before(eventsHandler)
             )
         } catch {
diff --git a/Sources/AsyncHTTPClient/LRUCache.swift b/Sources/AsyncHTTPClient/LRUCache.swift
@@ -0,0 +1,101 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2021 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+struct LRUCache<Key: Equatable & Hashable,
+                Value> {
+    private typealias Generation = UInt64
+    private struct Element {
+        var generation: Generation
+        var key: Key
+        var value: Value
+    }
+
+    private var generation: Generation = 0
+    private var elements: [Element]
+
+    init(capacity: Int = 8) {
+        self.elements = []
+        self.elements.reserveCapacity(capacity)
+    }
+
+    private mutating func findIndex(key: Key) -> Int? {
+        self.generation += 1
+
+        let found = self.elements.firstIndex { element in
+            element.key == key
+        }
+
+        return found
+    }
+
+    mutating func find(key: Key) -> Value? {
+        if let found = self.findIndex(key: key) {
+            self.elements[found].generation = self.generation
+            return self.elements[found].value
+        } else {
+            return nil
+        }
+    }
+
+    @discardableResult
+    mutating func append(key: Key, value: Value) -> Value {
+        let newElement = Element(generation: self.generation,
+                                 key: key,
+                                 value: value)
+        if let found = self.findIndex(key: key) {
+            self.elements[found] = newElement
+            return value
+        }
+
+        if self.elements.count < self.elements.capacity {
+            self.elements.append(newElement)
+            return value
+        }
+        assert(self.elements.count == self.elements.capacity)
+
+        let minIndex = self.elements.minIndex { l, r in
+            l.generation < r.generation
+        }!
+
+        self.elements.swapAt(minIndex, self.elements.endIndex - 1)
+        self.elements.removeLast()
+        self.elements.append(newElement)
+
+        return value
+    }
+
+    mutating func findOrAppend(key: Key, _ valueGenerator: (Key) -> Value) -> Value {
+        if let found = self.find(key: key) {
+            return found
+        }
+
+        return self.append(key: key, value: valueGenerator(key))
+    }
+}
+
+extension Array {
+    func minIndex(by areInIncreasingOrder: (Element, Element) throws -> Bool) rethrows -> Index? {
+        var minSoFar: (Index, Element)? = nil
+
+        for indexElement in self.enumerated() {
+            if let min = minSoFar {
+                if try areInIncreasingOrder(indexElement.1, min.1) {
+                    minSoFar = indexElement
+                }
+            }
+        }
+
+        return minSoFar.map { $0.0 }
+    }
+}
diff --git a/Sources/AsyncHTTPClient/SSLContextCache.swift b/Sources/AsyncHTTPClient/SSLContextCache.swift
@@ -0,0 +1,76 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2018-2019 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import Logging
+import NIO
+import NIOSSL
+import NIOConcurrencyHelpers
+
+class SSLContextCache {
+    private var running = true
+    private let lock = Lock()
+    private var sslContextCache = LRUCache<BestEffortHashableTLSConfiguration, NIOSSLContext>()
+    private let threadPool = NIOThreadPool(numberOfThreads: 1)
+
+    init() {
+        self.threadPool.start()
+    }
+
+    func shutdown() {
+        self.lock.withLock {
+            precondition(self.running == true)
+            self.running = false
+            self.threadPool.shutdownGracefully { maybeError in
+                precondition(maybeError == nil, "\(maybeError!)")
+            }
+        }
+    }
+
+    deinit {
+        assert(!self.running)
+    }
+}
+
+extension SSLContextCache {
+    func sslContext(tlsConfiguration: TLSConfiguration,
+                    eventLoop: EventLoop,
+                    logger: Logger) -> EventLoopFuture<NIOSSLContext> {
+        let eqTLSConfiguration = BestEffortHashableTLSConfiguration(wrapping: tlsConfiguration)
+        let sslContext = self.lock.withLock {
+            self.sslContextCache.find(key: eqTLSConfiguration)
+        }
+
+        if let sslContext = sslContext {
+            logger.debug("found SSL context in cache",
+                         metadata: ["ahc-tls-config": "\(tlsConfiguration)"])
+            return eventLoop.makeSucceededFuture(sslContext)
+        }
+
+        logger.debug("creating new SSL context",
+                     metadata: ["ahc-tls-config": "\(tlsConfiguration)"])
+        let newSSLContext = self.threadPool.runIfActive(eventLoop: eventLoop) {
+            return try NIOSSLContext(configuration: tlsConfiguration)
+        }
+
+        newSSLContext.whenSuccess { (newSSLContext: NIOSSLContext) -> Void in
+            self.lock.withLock { () -> Void in
+                self.sslContextCache.append(key: eqTLSConfiguration,
+                                            value: newSSLContext)
+            }
+        }
+
+        return newSSLContext
+    }
+}
+
diff --git a/Sources/AsyncHTTPClient/Utils.swift b/Sources/AsyncHTTPClient/Utils.swift
@@ -21,6 +21,7 @@ import NIOHTTP1
 import NIOHTTPCompression
 import NIOSSL
 import NIOTransportServices
+import Logging
 
 internal extension String {
     var isIPAddress: Bool {
@@ -144,7 +145,12 @@ extension NIOClientTCPBootstrap {
             }
     }
 
-    static func makeHTTP1Channel(destination: ConnectionPool.Key, eventLoop: EventLoop, configuration: HTTPClient.Configuration, preference: HTTPClient.EventLoopPreference) -> EventLoopFuture<Channel> {
+    static func makeHTTP1Channel(destination: ConnectionPool.Key,
+                                 eventLoop: EventLoop,
+                                 configuration: HTTPClient.Configuration,
+                                 sslContextCache: SSLContextCache,
+                                 preference: HTTPClient.EventLoopPreference,
+                                 logger: Logger) -> EventLoopFuture<Channel> {
         let channelEventLoop = preference.bestEventLoop ?? eventLoop
 
         let key = destination
@@ -166,14 +172,29 @@ extension NIOClientTCPBootstrap {
             channel = bootstrap.connect(unixDomainSocketPath: key.unixPath)
         }
 
+        let requiresLateSSLHandler = configuration.proxy != nil && requiresTLS
+        let sslContext: EventLoopFuture<NIOSSLContext?>
+        if key.scheme.requiresTLS || requiresLateSSLHandler {
+            sslContext = sslContextCache.sslContext(tlsConfiguration: destination.tlsConfiguration?.base ?? .forClient(),
+                                                    eventLoop: eventLoop,
+                                                    logger: logger).map { $0 }
+        } else {
+            sslContext = eventLoop.makeSucceededFuture(nil)
+        }
+
         return channel.flatMap { channel in
+            sslContext.map { sslContext in
+                (channel, sslContext)
+            }
+        }.flatMap { (channel, sslContext) in
             let requiresTLS = key.scheme.requiresTLS
-            let requiresLateSSLHandler = configuration.proxy != nil && requiresTLS
             let handshakeFuture: EventLoopFuture<Void>
 
             if requiresLateSSLHandler {
                 let handshakePromise = channel.eventLoop.makePromise(of: Void.self)
-                channel.pipeline.syncAddLateSSLHandlerIfNeeded(for: key, tlsConfiguration: configuration.tlsConfiguration, handshakePromise: handshakePromise)
+                channel.pipeline.syncAddLateSSLHandlerIfNeeded(for: key,
+                                                               sslContext: sslContext!,
+                                                               handshakePromise: handshakePromise)
                 handshakeFuture = handshakePromise.futureResult
             } else if requiresTLS {
                 do {
diff --git a/Tests/AsyncHTTPClientTests/ConnectionTests.swift b/Tests/AsyncHTTPClientTests/ConnectionTests.swift
@@ -19,6 +19,7 @@ import XCTest
 class ConnectionTests: XCTestCase {
     var eventLoop: EmbeddedEventLoop!
     var http1ConnectionProvider: HTTP1ConnectionProvider!
+    var pool: ConnectionPool!
 
     func buildState(connection: Connection, release: Bool) {
         XCTAssertTrue(self.http1ConnectionProvider.state.enqueue())
@@ -131,24 +132,30 @@ class ConnectionTests: XCTestCase {
     }
 
     override func setUp() {
+        XCTAssertNil(self.pool)
         XCTAssertNil(self.eventLoop)
         XCTAssertNil(self.http1ConnectionProvider)
         self.eventLoop = EmbeddedEventLoop()
-        XCTAssertNoThrow(self.http1ConnectionProvider = try HTTP1ConnectionProvider(key: .init(.init(url: "http://some.test")),
-                                                                                    eventLoop: self.eventLoop,
-                                                                                    configuration: .init(),
-                                                                                    pool: .init(configuration: .init(),
-                                                                                                backgroundActivityLogger: HTTPClient.loggingDisabled),
-                                                                                    backgroundActivityLogger: HTTPClient.loggingDisabled))
+        self.pool = ConnectionPool(configuration: .init(),
+                                   backgroundActivityLogger: HTTPClient.loggingDisabled)
+        XCTAssertNoThrow(self.http1ConnectionProvider =
+                            try HTTP1ConnectionProvider(key: .init(.init(url: "http://some.test")),
+                                                        eventLoop: self.eventLoop,
+                                                        configuration: .init(),
+                                                        pool: self.pool,
+                                                        backgroundActivityLogger: HTTPClient.loggingDisabled))
     }
 
     override func tearDown() {
+        XCTAssertNotNil(self.pool)
         XCTAssertNotNil(self.eventLoop)
         XCTAssertNotNil(self.http1ConnectionProvider)
         XCTAssertNoThrow(try self.http1ConnectionProvider.close().wait())
         XCTAssertNoThrow(try self.eventLoop.syncShutdownGracefully())
-        self.eventLoop = nil
         self.http1ConnectionProvider = nil
+        XCTAssertTrue(try self.pool.close(on: self.eventLoop).wait())
+        self.eventLoop = nil
+        self.pool = nil
     }
 }
 
