Avoid global monitor on every bind in getDefaultPasswordPolicy#669
Open
vharseko wants to merge 1 commit into
Open
Avoid global monitor on every bind in getDefaultPasswordPolicy#669vharseko wants to merge 1 commit into
vharseko wants to merge 1 commit into
Conversation
getDefaultPasswordPolicy() took the authenticationPolicies monitor on every call just to read an already-cached value, and the method is called for every authentication. Under concurrent BIND load JFR shows worker threads blocking on this monitor (96 contention events / ~2 s blocked per 80 s window at 16 worker threads once other bind-path locks are removed). Make the defaultPasswordPolicy cache volatile and read it lock-free, falling back to the existing synchronized slow path only when the cache is empty (startup or configuration change). All mutations already happen under the authenticationPolicies monitor.
maximthomas
approved these changes
Jul 2, 2026
This was referenced Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Another BIND hot-path serialization point found while profiling after #660:
DirectoryServer.getDefaultPasswordPolicy()takes the globalauthenticationPoliciesmonitor on every call just to read analready-cached value — and the method is called for every authentication
(
AuthenticationPolicy.forUserresolves the default policy for any userwithout a per-user policy). This PR makes the cache read lock-free.
Problem
JFR
jdk.JavaMonitorEnterunder concurrent BIND load shows worker threadsblocking on this monitor; contention grows as the other bind-path locks are
removed:
Change
defaultPasswordPolicybecomesvolatile; all mutations already happenunder the
authenticationPoliciesmonitor (register/deregister/reset),so the cache stays coherent.
getDefaultPasswordPolicy()returns the cached value lock-free and fallsback to the existing synchronized slow path (unchanged, including its
assertions) only when the cache is empty — at startup or right after a
configuration change.
Benchmark / verification
Environment: packaged server built from this tree,
jebackend, 5,000users (
uid=user.N,{SSHA}) viasetup --sampleData 5000, JDK 11,8-core host, 2 GB heap, both access loggers disabled for comparability with
the #667/#668 profiles.
Load:
authrate— 200 persistent connections re-binding as random users,30 s warm-up:
Profiling:
jcmd <pid> JFR.start settings=profile duration=80sduringsteady state;
jfr print --events jdk.JavaMonitorEnteraggregated bymonitor class + first application frame.
Result: zero
JavaMonitorEnterevents atgetDefaultPasswordPolicy(24–96 before, depending on how many other bind-path locks were already
removed).
authrateerrors: 0. Throughput at the 8-core saturation pointis unchanged within noise, as expected for a fix whose value is removing a
serialization ceiling on wider machines — same rationale as #667.
Testing
mvn -P precommit -pl opendj-server-legacy verifyforBindOperationTestCase(1140),PasswordPolicyTestCase(143),SubentryPasswordPolicyTestCase(11): 1294 tests, 0 failures.Files
opendj-server-legacy/src/main/java/org/opends/server/core/DirectoryServer.java