microsoft
diff --git a/‎Cargo.lock
Lines changed: 21 additions & 6 deletions b/‎Cargo.lock
Lines changed: 21 additions & 6 deletions
diff --git a/‎Cargo.toml
Lines changed: 7 additions & 0 deletions b/‎Cargo.toml
Lines changed: 7 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 78 additions & 0 deletions b/‎README.md
Lines changed: 78 additions & 0 deletions
diff --git a/‎benches/aci_benchmark.rs
Lines changed: 80 additions & 0 deletions b/‎benches/aci_benchmark.rs
Lines changed: 80 additions & 0 deletions
diff --git a/‎benches/regorus_benchmark.rs
Lines changed: 37 additions & 2 deletions b/‎benches/regorus_benchmark.rs
Lines changed: 37 additions & 2 deletions
diff --git a/‎bindings/ffi/Cargo.lock
Lines changed: 21 additions & 6 deletions b/‎bindings/ffi/Cargo.lock
Lines changed: 21 additions & 6 deletions
@@ -31,6 +31,7 @@ http = []
 glob = ["dep:globset"]
 graph = []
 jsonschema = ["dep:jsonschema"]
+mimalloc = ["dep:mimalloc"]
 no_std = ["lazy_static/spin_no_std"]
 opa-runtime = []
 regex = ["dep:regex"]
@@ -49,6 +50,7 @@ full-opa = [
     "hex",
     "http",
     "jsonschema",
+    "mimalloc",
     "opa-runtime",
     "regex",
     "semver",
@@ -109,6 +111,7 @@ rand = { version = "0.9.0", default-features = false, features = ["thread_rng"],
 
 # Causes the project to link with the Spectre-mitigated CRT and libs.
 msvc_spectre_libs = { version = "0.1", features = ["error"], optional = true }
+mimalloc = { path = "mimalloc", optional = true }
 
 [dev-dependencies]
 anyhow = "1.0.45"
@@ -148,6 +151,10 @@ test=false
 name = "regorus_benchmark"
 harness = false
 
+[[bench]]
+name = "aci_benchmark"
+harness = false
+
 [[example]]
 name="regorus"
 harness=false
 
@@ -274,6 +274,84 @@ Benchmark 1: opa eval -b tests/aci -d tests/aci/data.json -i tests/aci/input.jso
   Range (min … max):    43.8 ms …  46.7 ms    62 runs
 
 ```
+
+Note that the above comparison includes the overhead of parsing and processing policies as well as launching 
+the regorus and opa executables each time. OPA is intended to preload the policies (bundle) beforehand and then evaluate
+the same policies on different inputs. See [details](https://github.com/open-policy-agent/opa/pull/7298).
+
+Regorus microbenchmarks can be run for a deeper look:
+
+```bash
+$ cargo bench --frozen aci
+    Finished `bench` profile [optimized + debuginfo] target(s) in 0.40s
+     Running unittests src/lib.rs (target/release/deps/regorus-9c0b72d40d272320)
+
+running 0 tests
+
+test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 112 filtered out; finished in 0.00s
+
+     Running benches/aci_benchmark.rs (target/release/deps/aci_benchmark-9a0c12733454b523)
+Gnuplot not found, using plotters backend
+case /aci/mount_device data.policy.mount_device
+                        time:   [11.539 µs 11.549 µs 11.562 µs]
+Found 18 outliers among 100 measurements (18.00%)
+  7 (7.00%) high mild
+  11 (11.00%) high severe
+
+case /aci/mount_overlay data.policy.mount_overlay
+                        time:   [27.436 µs 27.481 µs 27.550 µs]
+Found 11 outliers among 100 measurements (11.00%)
+  2 (2.00%) high mild
+  9 (9.00%) high severe
+
+case /aci/scratch_mount data.policy.scratch_mount
+                        time:   [7.1673 µs 7.1756 µs 7.1877 µs]
+Found 11 outliers among 100 measurements (11.00%)
+  3 (3.00%) high mild
+  8 (8.00%) high severe
+
+case /aci/create_container data.policy.create_container
+                        time:   [290.22 µs 290.52 µs 290.77 µs]
+Found 10 outliers among 100 measurements (10.00%)
+  2 (2.00%) high mild
+  8 (8.00%) high severe
+
+case /aci/shutdown_container data.policy.shutdown_container
+                        time:   [4.0729 µs 4.0886 µs 4.1024 µs]
+Found 8 outliers among 100 measurements (8.00%)
+  4 (4.00%) high mild
+  4 (4.00%) high severe
+
+case /aci/scratch_unmount data.policy.scratch_unmount
+                        time:   [3.4765 µs 3.4808 µs 3.4861 µs]
+Found 10 outliers among 100 measurements (10.00%)
+  2 (2.00%) high mild
+  8 (8.00%) high severe
+
+case /aci/unmount_overlay data.policy.unmount_overlay
+                        time:   [3.4646 µs 3.4793 µs 3.4958 µs]
+Found 28 outliers among 100 measurements (28.00%)
+  16 (16.00%) low mild
+  3 (3.00%) high mild
+  9 (9.00%) high severe
+
+case /aci/unmount_device data.policy.unmount_device
+                        time:   [3.5041 µs 3.5080 µs 3.5120 µs]
+Found 14 outliers among 100 measurements (14.00%)
+  2 (2.00%) high mild
+  12 (12.00%) high severe
+
+case /aci/load_fragment data.policy.load_fragment
+                        time:   [45.028 µs 45.081 µs 45.130 µs]
+Found 26 outliers among 100 measurements (26.00%)
+  16 (16.00%) low mild
+  1 (1.00%) high mild
+  9 (9.00%) high severe
+
+     Running benches/regorus_benchmark.rs (target/release/deps/regorus_benchmark-c6a3f929bb7168bc)
+```
+
+
 ## OPA Conformance
 
 Regorus has been verified to be compliant with [OPA v1.2.0](https://github.com/open-policy-agent/opa/releases/tag/v1.2.0)
 
@@ -0,0 +1,80 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+use regorus::{Engine, Value};
+
+use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};
+use serde::{Deserialize, Serialize};
+use walkdir::WalkDir;
+
+use std::path::Path;
+
+#[derive(Serialize, Deserialize, PartialEq, Debug)]
+struct TestCase {
+    note: String,
+    data: Value,
+    input: Value,
+    modules: Vec<String>,
+    query: String,
+    want_result: Value,
+}
+
+#[derive(Serialize, Deserialize, PartialEq, Debug)]
+struct YamlTest {
+    cases: Vec<TestCase>,
+}
+
+fn aci_policy_eval(c: &mut Criterion) {
+    let dir = Path::new("tests/aci");
+    for entry in WalkDir::new(dir)
+        .sort_by_file_name()
+        .into_iter()
+        .filter_map(|e| e.ok())
+    {
+        let path = entry.path();
+        if !path.to_string_lossy().ends_with(".yaml") {
+            continue;
+        }
+
+        let yaml = std::fs::read(path).expect("failed to read yaml test");
+        let yaml = String::from_utf8_lossy(&yaml);
+        let test: YamlTest = serde_yaml::from_str(&yaml).expect("failed to deserialize yaml test");
+
+        for case in &test.cases {
+            let rule = case.query.replace("=x", "");
+            c.bench_with_input(
+                BenchmarkId::new("case ", format!("{} {}", &case.note, &rule)),
+                &case,
+                |b, case| {
+                    let mut engine = Engine::new();
+                    engine.set_rego_v0(true);
+
+                    engine
+                        .add_data(case.data.clone())
+                        .expect("failed to add data");
+                    engine.set_input(case.input.clone());
+
+                    for (idx, rego) in case.modules.iter().enumerate() {
+                        if rego.ends_with(".rego") {
+                            let path = dir.join(rego);
+                            let path = path.to_str().expect("not a valid path");
+                            engine
+                                .add_policy_from_file(path)
+                                .expect("failed to add policy");
+                        } else {
+                            engine
+                                .add_policy(format!("rego{idx}.rego"), rego.clone())
+                                .expect("failed to add policy");
+                        }
+                    }
+
+                    b.iter(|| {
+                        engine.eval_rule(rule.clone()).unwrap();
+                    })
+                },
+            );
+        }
+    }
+}
+
+criterion_group!(aci_benches, aci_policy_eval);
+criterion_main!(aci_benches);
@@ -1,6 +1,6 @@
 use std::hint::black_box;
 
-use regorus::Engine;
+use regorus::{Engine, Value};
 
 use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};
 use serde_json::json;
@@ -93,9 +93,44 @@ fn allow_with_simple_membership(c: &mut Criterion) {
     group.finish();
 }
 
+fn aci_policy_eval(c: &mut Criterion) {
+    let mut group = c.benchmark_group("ACI Policy Eval");
+    let rules = ["data.policy.mount_overlay", "data.policy.mount_device"];
+    for rule in rules {
+        group.bench_with_input(BenchmarkId::new("rule", rule), &rule, |b, rule| {
+            let mut engine = Engine::new();
+            engine.set_rego_v0(true);
+
+            engine
+                .add_policy_from_file("tests/aci/api.rego")
+                .expect("failed to add api.rego");
+            engine
+                .add_policy_from_file("tests/aci/framework.rego")
+                .expect("failed to add framework.rego");
+            engine
+                .add_policy_from_file("tests/aci/policy.rego")
+                .expect("failed to add policy.rego");
+            engine
+                .add_data(
+                    Value::from_json_file("tests/aci/data.json").expect("failed to load data.json"),
+                )
+                .expect("failed to add data");
+            let input =
+                Value::from_json_file("tests/aci/input.json").expect("failed to load input.json");
+            engine.set_input(input.clone());
+            engine.eval_rule(rule.to_string()).unwrap();
+            b.iter(|| {
+                engine.eval_rule(rule.to_string()).unwrap();
+            })
+        });
+    }
+    group.finish();
+}
+
 criterion_group!(
     benches,
     allow_with_simple_equality,
-    allow_with_simple_membership
+    allow_with_simple_membership,
+    aci_policy_eval
 );
 criterion_main!(benches);