Performance benchmarks¶
Micro-benchmarks via criterion.rs, primarily verifying that the auth hot path won't bottleneck the gateway.
Auth hot path (futu-auth)¶
Every request through the gateway goes through: SHA-256 hash → KeyStore scan →
scope mapping → check_and_commit → metrics counter bump. The sum should stay
in the hundreds-of-ns range.
| Function | Per-call | Notes |
|---|---|---|
scope_for_proto_id(u32) |
~0.3-0.6 ns | Pure inline match |
hash_plaintext(32-byte) |
~217 ns | SHA-256; faster with hardware accel |
KeyStore::verify (1 key) |
~430 ns | Constant-time compare |
KeyStore::verify (10 keys) |
~2.0 µs | Linear scan |
KeyStore::verify (100 keys) |
~16.8 µs | Still µs-level |
RuntimeCounters::check_and_commit (full CheckCtx) |
~82 ns | All 7 steps |
RuntimeCounters::check_full_skip_rate |
~44 ns | Handler-layer call, skips rate |
MetricsRegistry::record_event |
~55 ns | DashMap insert-or-inc |
MetricsRegistry::render_prometheus (160 rows) |
~26 µs | Only on /metrics scrape |
Total auth overhead: a typical REST request (10-key KeyStore + full check + audit + metrics) ≈ 2.5 µs, dwarfed by protobuf / IO / business logic.
Run¶
HTML report: target/criterion/report/index.html.
Other crates¶
cargo bench -p futu-codec— 44-byte frame header + AES-128 body- Other crates don't ship standalone bench suites (IO-heavy code is covered by integration tests)
Environment¶
Numbers above run on MacBook (Apple Silicon) with release profile. Linux x86_64 in production should be in the same order of magnitude.
Load model¶
For one trading API request:
Client → Gateway (inbound):
- TCP or HTTP parse ~µs
- Bearer token extract ns-level
- KeyStore::verify ~2 µs (10-key store)
- scope_for_path/proto <1 ns
- check_and_commit (trade) ~82 ns
- audit event ~55 ns
→ subtotal auth: ~2.5 µs
Business logic:
- protobuf decode ~µs
- handler 10-100 µs
- forward to Futu backend + RTT 10-100 ms ← dominant cost
Outbound:
- protobuf encode ~µs
- TCP send µs
Takeaway: auth overhead < 0.01 ms, far below the network RTT to the Futu
backend (even same-HK-datacenter is ms-level). DashMap's concurrent locks
inside check_and_commit don't show up as a hot spot.