Antiforgery perf improvements (includes new DataProtection API usage) #64751
+1,223
−434
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DeagleGross
added
area-perf
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces significant performance improvements to the Antiforgery system by leveraging new span-based DataProtection APIs introduced in #44758. The changes eliminate buffer allocations and stream-based serialization in favor of direct span operations, resulting in substantial improvements across all measured scenarios: 13-15% reduction in allocations and 15-20% improvement in throughput.
Key Changes:
- Span-based DataProtection: Replaces byte array allocations with
ISpanDataProtectorfor zero-copy data protection operations - 7-bit encoding utilities: Adds shared utilities for efficient length-prefixed string serialization using span-based APIs
- Removed object pooling: Eliminates
AntiforgerySerializationContextpooling infrastructure now that allocations are minimal
Reviewed changes
Copilot reviewed 24 out of 24 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
src/Shared/Encoding/Int7BitEncodingUtils.cs |
Adds span-based methods for reading/writing 7-bit encoded integers and strings |
src/Shared/test/Shared.Tests/Encoding/Int7BitEncodingUtilsTests.cs |
Comprehensive test coverage for new encoding utilities |
src/Shared/WebEncoders/WebEncoders.cs |
Adds Base64Url decoding directly to span for .NET 9+ |
src/Antiforgery/src/Internal/DefaultClaimUidExtractor.cs |
Converts to span-based claim UID extraction using stack allocation and direct SHA256 hashing |
src/Antiforgery/src/Internal/DefaultAntiforgeryTokenSerializer.cs |
Converts to span-based serialization using ISpanDataProtector API |
src/Antiforgery/src/Internal/DefaultAntiforgeryTokenGenerator.cs |
Updates to use span-based claim UID comparison |
src/Antiforgery/src/Internal/AntiforgerySerializationContext.cs |
Removed - no longer needed with span-based approach |
src/Antiforgery/src/Internal/AntiforgerySerializationContextPooledObjectPolicy.cs |
Removed - pooling infrastructure no longer needed |
src/Antiforgery/src/AntiforgeryServiceCollectionExtensions.cs |
Removes object pool registration |
src/Antiforgery/test/DefaultClaimUidExtractorTest.cs |
Updates tests for new span-based API signature |
src/Antiforgery/test/DefaultAntiforgeryTokenSerializerTest.cs |
Adds TestSpanDataProtector mock implementation |
src/Antiforgery/test/DefaultAntiforgeryTokenGeneratorTest.cs |
Adds DummyClaimUidExtractor helper for testing |
src/Antiforgery/benchmarks/Microsoft.AspNetCore.Antiforgery.Benchmarks/* |
New benchmark project with comprehensive performance tests |
src/Antiforgery/src/Internal/DefaultAntiforgeryTokenSerializer.cs
Outdated
Show resolved
Hide resolved
src/Antiforgery/src/Internal/DefaultAntiforgeryTokenSerializer.cs
Outdated
Show resolved
Hide resolved
...y/benchmarks/Microsoft.AspNetCore.Antiforgery.Benchmarks/Benchmarks/AntiforgeryBenchmarks.cs
Show resolved
Hide resolved
3 tasks
halter73
reviewed
Dec 12, 2025
| public void SetupGetAndStoreTokens() | ||
| { | ||
| // Create a fresh context for each iteration to simulate real-world usage | ||
| _getAndStoreTokensContext = CreateHttpContext(); |
Member
There was a problem hiding this comment.
I know this gets excluded from the measurement, but it does create GC pressure. Could we get more accurate numbers by resetting the HttpContext between iterations?
halter73
reviewed
Dec 12, 2025
| throw new FormatException("Failed to decode token as Base64 char sequence."); | ||
| } | ||
|
|
||
| var tokenBytesDecoded = tokenBytes.Slice(0, bytesWritten); |
Member
There was a problem hiding this comment.
Nit: any reason for using Slice over [..bytesWriten]?
halter73
reviewed
Dec 12, 2025
| private static BinaryBlob? GetClaimUidBlob(string? base64ClaimUid) | ||
| { | ||
| if (base64ClaimUid == null) | ||
| bool AreIdenticalClaimUids(Span<byte> claimUidBytes) |
| { | ||
| return !extractedClaimUidBytes; | ||
| } | ||
| if (requestToken.ClaimUid.Length != claimUidBytes.Length) |
Member
There was a problem hiding this comment.
Suggested change
| if (requestToken.ClaimUid.Length != claimUidBytes.Length) | |
| if (requestToken.ClaimUid.Length != claimUidBytes.Length) |
| { | ||
| return false; | ||
| } | ||
| return requestToken.ClaimUid.GetData().SequenceEqual(claimUidBytes); |
Member
There was a problem hiding this comment.
Suggested change
| return requestToken.ClaimUid.GetData().SequenceEqual(claimUidBytes); | |
| return requestToken.ClaimUid.GetData().SequenceEqual(claimUidBytes); |
Comment on lines
+35
to
+36
| var rent = tokenDecodedSize < 256 | ||
| ? stackalloc byte[255] |
Member
There was a problem hiding this comment.
Suggested change
| var rent = tokenDecodedSize < 256 | |
| ? stackalloc byte[255] | |
| var rent = tokenDecodedSize <= 256 | |
| ? stackalloc byte[256] |
Member
There was a problem hiding this comment.
I'd prefer using powers of 2, looks more elegant and might be more beneficial for byte alignment.
|
|
||
| if (_perfCryptoSystem is not null) | ||
| { | ||
| var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[255]); |
Member
There was a problem hiding this comment.
Suggested change
| var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[255]); | |
| using var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[256]); |
| } | ||
| else | ||
| { | ||
| var usernameByteCount = System.Text.Encoding.UTF8.GetByteCount(token.Username!); |
| var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[255]); | ||
| try | ||
| { | ||
| _perfCryptoSystem!.Protect(tokenBytes, ref protectBuffer); |
Member
There was a problem hiding this comment.
Suggested change
| _perfCryptoSystem!.Protect(tokenBytes, ref protectBuffer); | |
| _perfCryptoSystem.Protect(tokenBytes, ref protectBuffer); |
| return new string(chars, startIndex: 0, length: outputLength); | ||
| if (_perfCryptoSystem is not null) | ||
| { | ||
| var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[255]); |
Member
There was a problem hiding this comment.
Suggested change
| var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[255]); | |
| using var protectBuffer = new RefPooledArrayBufferWriter<byte>(stackalloc byte[255]); |
| } | ||
|
|
||
| private byte[] ComputeSha256(IEnumerable<string> parameters) | ||
| private static void ComputeSha256(IList<string> parameters, Span<byte> destination) |
Member
There was a problem hiding this comment.
Suggested change
| private static void ComputeSha256(IList<string> parameters, Span<byte> destination) | |
| private static void ComputeSha256(List<string> parameters, Span<byte> destination) |
Use concrete types for internal methods.
| var serializationContext = _pool.Get(); | ||
|
|
||
| try | ||
| // Calculate total size needed for serialization |
Member
There was a problem hiding this comment.
Suggested change
| // Calculate total size needed for serialization | |
| Debug.Assert(destination.Length >= SHA256.HashSizeInBytes); | |
| // Calculate total size needed for serialization |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#44758 introduced new DataProtection API, and in this PR I am changing Antiforgery implementation to use a high-performance DataProtection API. Moreover, going through the implementation, I've refactored to improve performance here and there. The results are listed below.
The main idea of the improvement is to use the DataProtection API, which does not make us allocate any buffer. This is a hot-path in Antiforgery, because token serialization and deserialization may happen multiple times for different tokens per single request.
Before, we had to allocate a buffer, fill it in with the token data, pass it into the
dataProtectorand later we were using streams API, which also allocate and may be doing extra job instead of writing to the destination buffer. There are less of extra types used today, which should give some benefit to the usage.I have tested the changes via crank, but unfortunately I dont see a heavy improvement in RPS speed (around 4% RPS improvement only). I suspect those improvements mostly focus on allocation reduction, meaning in the long run it will give more RPS.
IAntiforgeryTokenSerializer
IAntiforgeryTokenGenerator
IAntiforgery
Relates to #50065