Imagine a following code:

```
Subject s1 = ... ;
Subject s2 = ... ;
s2.getPrincipals().addAll(s1.getPrincipals());
```

The Subject's SecureSet.addAll checks that provided Set doesn't contains 'null' values by calling collectionNullClean, which calls SecureSet#contains:

```
try {
   hasNullElements = coll.contains(null);
} catch (NullPointerException npe) {
```

The SecureSet#contains itself checks for 'null' values, the NPE is always generated. As SecureSet doesn't allow null values, it will be much simpler to return false right away:

```
       public boolean contains(Object o) {
         if (o == null) {
              // null values rejected by add
              return false;
         }
         ...
       }
```

Here is the benchmark results:

Benchmark Mode Cnt Score Error Units
SubjectBenchmark.jdkSubject thrpt 20 473086.025 ± 7661.215 ops/s
SubjectBenchmark.patchedSubject thrpt 20 2529016.530 ± 50982.465 ops/s

Here, patched version has 5x higher throughput.