Optimized hot paths, less redundancy and memory usage

Author: jschick04

src/EventLogExpert.Eventing/EventProviderDatabase/EventProviderDbContext.cs

@@ -44,15 +44,15 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
 
         modelBuilder.Entity<ProviderDetails>()
             .Property(e => e.Messages)
-            .HasConversion<CompressedJsonValueConverter<IEnumerable<MessageModel>>>();
+            .HasConversion<CompressedJsonValueConverter<IReadOnlyList<MessageModel>>>();
 
         modelBuilder.Entity<ProviderDetails>()
             .Property(e => e.Parameters)
             .HasConversion<CompressedJsonValueConverter<IEnumerable<MessageModel>>>();
 
         modelBuilder.Entity<ProviderDetails>()
             .Property(e => e.Events)
-            .HasConversion<CompressedJsonValueConverter<IEnumerable<EventModel>>>();
+            .HasConversion<CompressedJsonValueConverter<IReadOnlyList<EventModel>>>();
 
         modelBuilder.Entity<ProviderDetails>()
             .Property(e => e.Keywords)
@@ -137,8 +137,6 @@ public void PerformUpgradeIfNeeded()
                 };
                 allProviderDetails.Add(p);
             }
-
-            detailsReader.Close();
         }
         else
         {
@@ -156,10 +154,10 @@ public void PerformUpgradeIfNeeded()
                 };
                 allProviderDetails.Add(p);
             }
-
-            detailsReader.Close();
         }
 
+        detailsReader.Close();
+
         command.CommandText = "DROP TABLE \"ProviderDetails\"";
         command.ExecuteNonQuery();
         command.CommandText = "VACUUM";

src/EventLogExpert.Eventing/EventResolvers/EventProviderDatabaseEventResolver.cs

@@ -70,15 +70,18 @@ protected override void Dispose(bool disposing)
 
     public void ResolveProviderDetails(EventRecord eventRecord)
     {
+        ObjectDisposedException.ThrowIf(IsDisposed, nameof(EventProviderDatabaseEventResolver));
+
+        // Fast path: ConcurrentDictionary is thread-safe for reads, so we can check
+        // without any lock. This avoids serializing all 8 parallel reader threads on
+        // the UpgradeableReadLock for providers that are already cached.
+        if (ProviderDetails.ContainsKey(eventRecord.ProviderName)) { return; }
+
         ProviderDetailsLock.EnterUpgradeableReadLock();
 
         try
         {
-            // Early disposed check for fail-fast behavior. This is a defensive check only;
-            // the authoritative check is inside _databaseAccessLock below.
-            // A race window exists here, but it's handled by the check inside the lock.
-            ObjectDisposedException.ThrowIf(IsDisposed, nameof(EventProviderDatabaseEventResolver));
-
+            // Re-check after acquiring lock - another thread may have added this provider
             if (ProviderDetails.ContainsKey(eventRecord.ProviderName))
             {
                 return;
@@ -88,7 +91,7 @@ public void ResolveProviderDetails(EventRecord eventRecord)
 
             try
             {
-                // Double-check after acquiring write lock - another thread may have added this provider
+                // Triple-check after acquiring write lock
                 if (ProviderDetails.ContainsKey(eventRecord.ProviderName))
                 {
                     return;

src/EventLogExpert.Eventing/EventResolvers/EventResolverBase.cs

@@ -79,11 +79,15 @@ public virtual DisplayEventModel ResolveEvent(EventRecord eventRecord)
 
         var keywords = GetKeywordsFromBitmask(eventRecord);
 
+        // Resolve the modern event once and reuse for both description and task name
+        ProviderDetails.TryGetValue(eventRecord.ProviderName, out var details);
+        var modernEvent = details is not null ? GetModernEvent(eventRecord, details) : null;
+
         return new DisplayEventModel(eventRecord.PathName, eventRecord.PathType)
         {
             ActivityId = eventRecord.ActivityId,
             ComputerName = _cache?.GetOrAddValue(eventRecord.ComputerName) ?? eventRecord.ComputerName,
-            Description = ResolveDescription(eventRecord),
+            Description = ResolveDescription(eventRecord, details, modernEvent),
             Id = eventRecord.Id,
             Keywords = keywords,
             KeywordsDisplayName = string.Join(", ", keywords),
@@ -92,7 +96,7 @@ public virtual DisplayEventModel ResolveEvent(EventRecord eventRecord)
             ProcessId = eventRecord.ProcessId,
             RecordId = eventRecord.RecordId,
             Source = _cache?.GetOrAddValue(eventRecord.ProviderName) ?? eventRecord.ProviderName,
-            TaskCategory = ResolveTaskName(eventRecord),
+            TaskCategory = ResolveTaskName(eventRecord, details, modernEvent),
             ThreadId = eventRecord.ThreadId,
             TimeCreated = eventRecord.TimeCreated,
             UserId = eventRecord.UserId,
@@ -322,6 +326,7 @@ private string FormatDescription(
         IEnumerable<MessageModel> parameters)
     {
         string returnDescription;
+
         if (string.IsNullOrWhiteSpace(descriptionTemplate))
         {
             // If there is only one property then this is what certain EventRecords look like
@@ -470,11 +475,10 @@ private List<string> GetKeywordsFromBitmask(EventRecord eventRecord)
 
         foreach (var k in s_standardKeywords.Keys)
         {
-            if ((eventRecord.Keywords.Value & k) == k)
-            {
-                var keyword = s_standardKeywords[k].TrimEnd('\0');
-                returnValue.Add(_cache?.GetOrAddValue(keyword) ?? keyword);
-            }
+            if ((eventRecord.Keywords.Value & k) != k) { continue; }
+
+            var keyword = s_standardKeywords[k].TrimEnd('\0');
+            returnValue.Add(_cache?.GetOrAddValue(keyword) ?? keyword);
         }
 
         if (!ProviderDetails.TryGetValue(eventRecord.ProviderName, out var details) || details is null)
@@ -486,18 +490,16 @@ private List<string> GetKeywordsFromBitmask(EventRecord eventRecord)
         // so let's skip those.
         var lower32 = eventRecord.Keywords.Value & 0xFFFFFFFF;
 
-        if (lower32 != 0)
+        if (lower32 == 0) { return returnValue; }
+        
+        foreach (var k in details.Keywords.Keys)
         {
-            foreach (var k in details.Keywords.Keys)
-            {
-                if ((lower32 & k) == k)
-                {
-                    var keyword = details.Keywords[k].TrimEnd('\0');
-                    returnValue.Add(_cache?.GetOrAddValue(keyword) ?? keyword);
-                }
-            }
-        }
+            if ((lower32 & k) != k) { continue; }
 
+            var keyword = details.Keywords[k].TrimEnd('\0');
+            returnValue.Add(_cache?.GetOrAddValue(keyword) ?? keyword);
+        }
+        
         return returnValue;
     }
 
@@ -513,10 +515,22 @@ private List<string> GetKeywordsFromBitmask(EventRecord eventRecord)
 
         int eventPropertyCount = eventRecord.Properties.Count;
 
-        EventModel? modernEvent = details.Events
-            .FirstOrDefault(e => e.Id == eventRecord.Id &&
-                e.Version == eventRecord.Version &&
-                e.LogName == eventRecord.LogName);
+        // Use indexed lookup instead of linear scan
+        var candidateEvents = details.GetEventsById(eventRecord.Id);
+
+        EventModel? modernEvent = null;
+
+        foreach (var e in candidateEvents)
+        {
+            if (e.Id != eventRecord.Id || e.Version != eventRecord.Version || e.LogName != eventRecord.LogName)
+            {
+                continue;
+            }
+
+            modernEvent = e;
+
+            break;
+        }
 
         if (modernEvent is not null && DoesTemplateMatchPropertyCount(modernEvent.Template, eventPropertyCount))
         {
@@ -532,8 +546,10 @@ private List<string> GetKeywordsFromBitmask(EventRecord eventRecord)
                 LogLevel.Debug);
         }
 
-        foreach (var @event in details.Events.Where(e => e.Id == eventRecord.Id && e.LogName == eventRecord.LogName))
+        foreach (var @event in candidateEvents)
         {
+            if (@event.LogName != eventRecord.LogName) { continue; }
+
             if (!DoesTemplateMatchPropertyCount(@event.Template, eventPropertyCount)) { continue; }
 
             Logger?.Trace($"{nameof(GetModernEvent)}: Match by Id/LogName with template - EventId={eventRecord.Id}, LogName={eventRecord.LogName}, MatchedVersion={@event.Version}",
@@ -544,8 +560,10 @@ private List<string> GetKeywordsFromBitmask(EventRecord eventRecord)
 
         // Try again forcing the long to a short and with no log name.
         // This is needed for providers such as Microsoft-Windows-Complus
-        foreach (var @event in details.Events.Where(e => (short)e.Id == eventRecord.Id && e.Version == eventRecord.Version))
+        foreach (var @event in details.Events)
         {
+            if ((short)@event.Id != eventRecord.Id || @event.Version != eventRecord.Version) { continue; }
+
             if (!DoesTemplateMatchPropertyCount(@event.Template, eventPropertyCount)) { continue; }
 
             Logger?.Trace($"{nameof(GetModernEvent)}: Match by short Id/Version fallback - EventId={eventRecord.Id}, Version={eventRecord.Version}",
@@ -554,50 +572,47 @@ private List<string> GetKeywordsFromBitmask(EventRecord eventRecord)
             return @event;
         }
 
-        var candidateCount = details.Events.Count(e => e.Id == eventRecord.Id);
-
-        Logger?.Trace($"{nameof(GetModernEvent)}: No matching event found - EventId={eventRecord.Id}, Version={eventRecord.Version}, LogName={eventRecord.LogName}, PropertyCount={eventPropertyCount}, CandidateEventsWithSameId={candidateCount}",
+        Logger?.Trace($"{nameof(GetModernEvent)}: No matching event found - EventId={eventRecord.Id}, Version={eventRecord.Version}, LogName={eventRecord.LogName}, PropertyCount={eventPropertyCount}, CandidateEventsWithSameId={candidateEvents.Count}",
             LogLevel.Debug);
 
         return null;
     }
 
     /// <summary>Resolve event descriptions from an event record.</summary>
-    private string ResolveDescription(EventRecord eventRecord)
+    private string ResolveDescription(EventRecord eventRecord, ProviderDetails? details, EventModel? modernEvent)
     {
-        if (!ProviderDetails.TryGetValue(eventRecord.ProviderName, out var details) || details is null)
+        if (details is null)
         {
             Logger?.Trace($"{nameof(ResolveDescription)}: No provider details available - Provider={eventRecord.ProviderName}, EventId={eventRecord.Id}, RecordId={eventRecord.RecordId}",
                 LogLevel.Debug);
 
             return DefaultNoProviderDescription;
         }
 
-        var @event = GetModernEvent(eventRecord, details);
-        var properties = GetFormattedProperties(@event?.Template, eventRecord.Properties);
+        var properties = GetFormattedProperties(modernEvent?.Template, eventRecord.Properties);
 
-        if (!string.IsNullOrEmpty(@event?.Description))
+        if (!string.IsNullOrEmpty(modernEvent?.Description))
         {
             Logger?.Trace($"{nameof(ResolveDescription)}: Using modern event description - Provider={eventRecord.ProviderName}, EventId={eventRecord.Id}, PropertyCount={properties.Count}",
                 LogLevel.Debug);
 
-            return FormatDescription(properties, @event?.Description, details.Parameters);
+            return FormatDescription(properties, modernEvent?.Description, details.Parameters);
         }
 
-        // Legacy provider message lookup, if there is multiple messages then move on so we don't show wrong description
-        var legacyMessage = details.Messages.Where(m => m.ShortId == eventRecord.Id).ToList();
+        // Legacy provider message lookup using indexed dictionary
+        var legacyMessages = details.GetMessagesByShortId((short)eventRecord.Id);
 
-        if (legacyMessage.Count == 1)
+        if (legacyMessages.Count == 1)
         {
             Logger?.Trace($"{nameof(ResolveDescription)}: Using legacy message - Provider={eventRecord.ProviderName}, EventId={eventRecord.Id}, PropertyCount={properties.Count}",
                 LogLevel.Debug);
 
-            return FormatDescription(properties, legacyMessage.First().Text, details.Parameters);
+            return FormatDescription(properties, legacyMessages[0].Text, details.Parameters);
         }
 
-        if (legacyMessage.Count > 1)
+        if (legacyMessages.Count > 1)
         {
-            Logger?.Trace($"{nameof(ResolveDescription)}: Multiple legacy messages found, skipping - Provider={eventRecord.ProviderName}, EventId={eventRecord.Id}, MessageCount={legacyMessage.Count}",
+            Logger?.Trace($"{nameof(ResolveDescription)}: Multiple legacy messages found, skipping - Provider={eventRecord.ProviderName}, EventId={eventRecord.Id}, MessageCount={legacyMessages.Count}",
                 LogLevel.Debug);
         }
 
@@ -617,16 +632,14 @@ private string ResolveDescription(EventRecord eventRecord)
     }
 
     /// <summary>Resolve event task names from an event record.</summary>
-    private string ResolveTaskName(EventRecord eventRecord)
+    private string ResolveTaskName(EventRecord eventRecord, ProviderDetails? details, EventModel? modernEvent)
     {
-        if (!ProviderDetails.TryGetValue(eventRecord.ProviderName, out var details) || details is null)
+        if (details is null)
         {
             return string.Empty;
         }
 
-        var @event = GetModernEvent(eventRecord, details);
-
-        if (@event?.Task is not null && details.Tasks.TryGetValue(@event.Task, out var taskName))
+        if (modernEvent?.Task is not null && details.Tasks.TryGetValue(modernEvent.Task, out var taskName))
         {
             taskName = taskName.TrimEnd('\0');
             return _cache?.GetOrAddValue(taskName) ?? taskName;
@@ -645,9 +658,18 @@ private string ResolveTaskName(EventRecord eventRecord)
             return _cache?.GetOrAddValue(taskName) ?? taskName;
         }
 
-        var potentialTaskNames = details.Messages
-            .Where(m => m.ShortId == eventRecord.Task && m.LogLink != null && m.LogLink == eventRecord.LogName)
-            .ToList();
+        // Use indexed lookup instead of linear scan with .ToList()
+        var messagesByShortId = details.GetMessagesByShortId((short)eventRecord.Task);
+
+        List<MessageModel>? potentialTaskNames = null;
+
+        foreach (var m in messagesByShortId)
+        {
+            if (m.LogLink is null || m.LogLink != eventRecord.LogName) { continue; }
+
+            potentialTaskNames ??= [];
+            potentialTaskNames.Add(m);
+        }
 
         if (potentialTaskNames is { Count: > 0 })
         {

src/EventLogExpert.Eventing/EventResolvers/LocalProviderEventResolver.cs

@@ -18,19 +18,22 @@ internal LocalProviderEventResolver(IEventResolverCache? cache = null, ITraceLog
 
     public void ResolveProviderDetails(EventRecord eventRecord)
     {
+        ObjectDisposedException.ThrowIf(IsDisposed, nameof(LocalProviderEventResolver));
+
+        // Fast path: ConcurrentDictionary is thread-safe for reads
+        if (ProviderDetails.ContainsKey(eventRecord.ProviderName)) { return; }
+
         ProviderDetailsLock.EnterUpgradeableReadLock();
 
         try
         {
-            ObjectDisposedException.ThrowIf(IsDisposed, nameof(LocalProviderEventResolver));
-
+            // Re-check after acquiring lock
             if (ProviderDetails.ContainsKey(eventRecord.ProviderName)) { return; }
 
             ProviderDetailsLock.EnterWriteLock();
 
             try
             {
-                // Double-check in case another thread added the provider details while we were waiting.
                 if (ProviderDetails.ContainsKey(eventRecord.ProviderName)) { return; }
 
                 var details = new EventMessageProvider(eventRecord.ProviderName, Logger).LoadProviderDetails();

src/EventLogExpert.Eventing/Providers/EventMessageProvider.cs

@@ -244,7 +244,7 @@ private ProviderDetails LoadMessagesFromModernProvider(ProviderMetadata provider
             _logger?.Trace($"Failed to load Tasks for modern provider: {_providerName}. Exception:\n{ex}");
         }
 
-        _logger?.Trace($"Returning {provider.Events.Count()} events for provider {_providerName}");
+        _logger?.Trace($"Returning {provider.Events.Count} events for provider {_providerName}");
 
         return provider;
     }