WW-5355 Integrate W-TinyLfu cache and use by default

[kusalk]

WW-5355

Current state

Struts currently caches the following:

• compiled OGNL expressions
• BeanInfo objects

There are currently 2 cache options:

• Basic (OgnlDefaultCache.java)
• LRU (OgnlLRUCache.java)

By default, both caches will use the 'basic' option.

However, they can be configured to use the 'LRU' option using the following configuration:

• struts.ognl.expressionCacheLRUMode=true
• struts.ognl.beanInfoCacheLRUMode=true

Motivation

The 'basic' cache option flushes the cache when its max size is reached. This is highly ineffective in the face of malicious requests.

The 'LRU' option has a better eviction policy but is backed by a synchronized LinkedHashMap which hampers raw performance greatly.

Instead I propose Caffeine, which "is a high performance, near optimal caching library" that implements the W-TinyLfu algorithm.

Some raw read/write benchmarks for WTLFU as implemented in Caffeine can be found here.

Please also find this paper that evaluated the performance of WTLFU, including against malicious requests (thanks @ben-manes):

• An evaluation of cache management policies under workloads with malicious requests

Changes introduced

In this PR I am introducing a 3rd cache option:

• WTLFU (OgnlCaffeineCache.java)

The previous configuration constants were booleans and thus only allowed for 2 options. To accomodate the 3rd option, I've replaced them with the following configuration:

• struts.ognl.expressionCacheType=basic|lru|wtlfu
• struts.ognl.beanInfoCacheType=basic|lru|wtlfu

Additionally, I've made both caches default to 'WTLFU' in default.properties.

Note that the 'basic' cache option will still be used to bootstrap the container. This allows consumers who have configured an alternative cache type to exclude the caffeine dependency without any issues.

Original PR description

I see very limited advantage to using the default cache over the LRU one? The eviction process is faster but at the cost of having to repopulate the whole cache from scratch!

Keen to hear other thoughts or anything I may have missed

Perhaps in the future we can move to a more advanced algorithm such as the ones provided by Caffeine, although I'm not sure how effective they'd be given the cache can be easily attacked.

[kusalk]

@JCgH4164838Gh792C124B5

[kusalk]

Nothing to see here, just made this code more digestible

[JCgH4164838Gh792C124B5]

Looks reasonable to me.

[kusalk]

These init values are inconsequential as far as I can tell as they are immediately overridden by the constructor

[JCgH4164838Gh792C124B5]

I think setting a positive non-zero value for the initializer was to avoid the instance ever having a cacheEvictionLimit of zero (which "new AtomicInteger()" would). Also, if someone built a custom cache implementation extending OgnlDefaultCache with an overridden constructor that did not call super(), a (hopefully) reasonable nonzero initial value would be ensured.

[kusalk]

The overriding is a fair point - I'll move the initialisation of the whole field into the constructor

[ben-manes]

fwiw, this would change from a concurrent cache to a synchronized one. It looks like the original code replaced an unbounded concurrent map. The performance difference may be unacceptable of explain the concern without benchmarks/profiling.

Caffeine is very resilient to attacks, like hash flooding and being scan resilient. An independent analysis might be of interest, An evaluation of cache management policies under workloads with malicious requests.

[kusalk]

Good call out @ben-manes, I completely glossed over the change from concurrent map to synchronised map (and its performance implications).

And thank you for that analysis on resistance to attacks.

In that case I may just go ahead and integrate Caffeine as it seems rather straightforward anyway.

[JCgH4164838Gh792C124B5]

Hi @kusalk. Thanks for reaching out to invite comments on the potential cache implementation changes. 😄

Switching to LRU mode by default might be a bit risky performance-wise, until someone benchmarks performance with it on/off.

In terms of potentially integrating Caffeine to handle caching, that sounds interesting. Maybe making it another option (with a wrapper implementing the OgnlCache interface) would be one way to do so ?

In that way, I think that might keep the library dependency as optional, depending on what cache implementation was chosen via configuration (even if a Caffeine-based cache was to become the default cache implementation for the framework). Others might have different thoughts on the matter ...

Regards.

[JCgH4164838Gh792C124B5]

I think setting a positive non-zero value for the initializer was to avoid the instance ever having a cacheEvictionLimit of zero (which "new AtomicInteger()" would). Also, if someone built a custom cache implementation extending OgnlDefaultCache with an overridden constructor that did not call super(), a (hopefully) reasonable nonzero initial value would be ensured.

[JCgH4164838Gh792C124B5]

The OgnlDefaultCache comment above would apply here as well.

[JCgH4164838Gh792C124B5]

It looks like the wording of that log warning has been invariant as far back as the history for the file goes. Does changing it by reducing the wording detail (other than maybe fixing the "is bein" typo) make it less clear ?

I am unsure of how frequently this log statement might get triggered, but adding "new RuntimeException()" as a parameter would (I think ?) result in a stack-trace being output each time. That might potentially create a lot of log clutter (a trade-off, if the stack-trace gives better context) ?

[kusalk]

Currently, this method is only called by ChainingInterceptor within Struts, and from what I can tell, these parameters will never be null. Although it is also a public method. Calling this method with null values is improper usage and the stack trace will provide better context for such an issue to be resolved. The previous warning message wasn't very helpful.

[JCgH4164838Gh792C124B5]

Looks reasonable to me.

[JCgH4164838Gh792C124B5]

If an (uncommented) initial value it to be used/set in default.properties, maybe it should match the programmatic defaults in the factory and cache instances ?

Whether 10000 (or 25000) is a reasonable default might not be determined without some benchmarks.

This comment would apply to any of the numeric size choices in the properties file.

[kusalk]

Yeah I agree that it would be better to have the defaults in the code and properties file be consistent (as well as the accompanying comments in the properties file). I'll amend this.

[kusalk]

I ended up defining the defaults in the properties file and removing defaults from the code - except for required values when bootstrapping the container. (And except for a deprecated constructor which is awaiting deletion)

[JCgH4164838Gh792C124B5]

@ben-manes already pointed out potential implications in making the LRU mode cache active by default (switching from a concurrent to synchronized cache). It might be safer to keep LRU mode caching off by default, at least until someone can confirm if performance of the LRU mode cache is acceptable under load (benchmarking).

[JCgH4164838Gh792C124B5]

Above comment for numeric defaults applies here as well.

[JCgH4164838Gh792C124B5]

Above comment on LRU mode defaults applies here as well.

[kusalk]

Thank you for the well considered review @JCgH4164838Gh792C124B5

Yep I no longer intend to make LRU (backed by a synchronised LinkedHashMap) the default given the performance implications. And yes I intend to keep the cache implementation configurable, even with the implementation of Caffeine.

I think choosing a default cache size will always be a challenge as it is subject to multiple application-specific factors so the best we can do here is to encourage developers to adjust the cache size as needed.

[kusalk]

I found that previously, struts.ognl.expressionCacheLRUMode=true was not reliable due to setter injection not guaranteeing the order of operations. I've thus refactored the code to use constructor injection.

[kusalk]

Extracted bootstrap constants into a public static final field for reuse by the default Struts configuration provider and any test code as needed. Adding new required constants was previously a pain

[kusalk]

Making this factory class thread-safe seemed unnecessary

[kusalk]

Fixed this bug

[kusalk]

Doesn't make much sense to inject this both in the factory and here. Plus, Caffeine doesn't support changing the max size after construction (and neither does LRU really), so we'd have to flush/reconstruct the cache to continue supporting this method. I can't see much use for changing cache max size mid-life anyway so I've just gone ahead and deprecated it.

[ben-manes]

cache.policy().eviction().ifPresent(eviction -> {
  eviction.setMaximum(2 * eviction.getMaximum());
});

The Policy api contains various methods for pragmatic needs, while keeping the core apis simple and focused on the common needs.

[kusalk]

I've taken care to maintain full API compatibility given that these classes are extension points and thus public API

[ben-manes]

cache.asMap().putIfAbsent(key, value)

[ben-manes]

cache.asMap().size()

[kusalk]

Thanks @ben-manes, amended!

[lukaszlenart]

Are these different implementations of cache layer? Shouldn't this go through the extension point?

[kusalk]

I was wondering the same thing - I was only maintaining the design introduced in #528.

I simply replaced struts.ognl.expressionCacheLRUMode=true|false with struts.ognl.expressionCacheType=basic|lru|wtlfu

Let me look into refactoring this, it will likely be a breaking change though.

[kusalk]

Yeah given the breaking nature, I'm more inclined to take on this refactor as part of 7.0, all good for me to create a follow-up card for it?

[lukaszlenart]

Thanks! That would make more sense and then we can remove all the properties and leave that to a given implementation. Please create the ticket :)

[kusalk]

WW-5356

[lukaszlenart]

Could you adjust the ticket's description because right now I'm a bit confused what's the scope of the ticket.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
13 Code Smells

90.1% Coverage
0.0% Duplication

[kusalk]

@lukaszlenart I've updated the PR description :)