diff --git a/JDK-8186780.patch b/JDK-8186780.patch new file mode 100644 index 0000000..1463527 --- /dev/null +++ b/JDK-8186780.patch @@ -0,0 +1,19 @@ +diff --git a/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp b/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp +index c97d918..b949bfa 100644 +--- a/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp ++++ b/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp +@@ -98,13 +98,8 @@ address os::current_stack_pointer() { + register void *esp; + __asm__("mov %%" SPELL_REG_SP ", %0":"=r"(esp)); + return (address) ((char*)esp + sizeof(long)*2); +-#elif defined(__clang__) +- intptr_t* esp; +- __asm__ __volatile__ ("mov %%" SPELL_REG_SP ", %0":"=r"(esp):); +- return (address) esp; + #else +- register void *esp __asm__ (SPELL_REG_SP); +- return (address) esp; ++ return (address)__builtin_frame_address(0); + #endif + } + diff --git a/JDK-8211029.patch b/JDK-8211029.patch new file mode 100644 index 0000000..6848fd8 --- /dev/null +++ b/JDK-8211029.patch @@ -0,0 +1,40 @@ +# HG changeset patch +# User aph +# Date 1538411387 14400 +# Node ID 7cbb77546f87eaa3d9b96e1bcccbddebafbde1e4 +# Parent 5bdf60cd0ed01c9d57111be3e72d6383fdd60d74 +8211333: AArch64: Fix another build failure after JDK-8211029 +Reviewed-by: shade, aph +Contributed-by: pengfei.li@arm.com + +diff -r 5bdf60cd0ed0 -r 7cbb77546f87 src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp Mon Oct 01 16:41:10 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp Mon Oct 01 12:29:47 2018 -0400 +@@ -1505,7 +1505,7 @@ + #ifndef PRODUCT + { + char buffer[64]; +- snprintf(buffer, sizeof(buffer), "0x%"PRIX64, imm64); ++ snprintf(buffer, sizeof(buffer), "0x%" PRIX64, imm64); + block_comment(buffer); + } + #endif +@@ -1568,7 +1568,7 @@ + #ifndef PRODUCT + { + char buffer[64]; +- snprintf(buffer, sizeof(buffer), "0x%"PRIX64, imm64); ++ snprintf(buffer, sizeof(buffer), "0x%" PRIX64, imm64); + block_comment(buffer); + } + #endif +@@ -1681,7 +1681,7 @@ + #ifndef PRODUCT + { + char buffer[64]; +- snprintf(buffer, sizeof(buffer), "0x%"PRIX32, imm32); ++ snprintf(buffer, sizeof(buffer), "0x%" PRIX32, imm32); + block_comment(buffer); + } + #endif + diff --git a/JDK-8211170.patch b/JDK-8211170.patch new file mode 100644 index 0000000..aca9dc6 --- /dev/null +++ b/JDK-8211170.patch @@ -0,0 +1,66 @@ +# HG changeset patch +# User aph +# Date 1537981860 -3600 +# Node ID 8f0f7f2ae20bf68a114da6a6fdb09aa8a6c5d1de +# Parent ec4c3c287ca718e279be0d4c0956b375cea16afe +8211170: AArch64: Warnings in C1 and template interpreter +Reviewed-by: adinn + +diff -r ec4c3c287ca7 -r 8f0f7f2ae20b src/hotspot/cpu/aarch64/c1_LIRAssembler_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/c1_LIRAssembler_aarch64.cpp Tue Sep 18 20:49:44 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/c1_LIRAssembler_aarch64.cpp Wed Sep 26 18:11:00 2018 +0100 +@@ -1709,6 +1709,7 @@ + default: ShouldNotReachHere(); + } + break; ++ default: + ShouldNotReachHere(); + } + } else { +diff -r ec4c3c287ca7 -r 8f0f7f2ae20b src/hotspot/cpu/aarch64/c1_LIRGenerator_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/c1_LIRGenerator_aarch64.cpp Tue Sep 18 20:49:44 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/c1_LIRGenerator_aarch64.cpp Wed Sep 26 18:11:00 2018 +0100 +@@ -584,8 +584,8 @@ + case doubleTag: do_ArithmeticOp_FPU(x); return; + case longTag: do_ArithmeticOp_Long(x); return; + case intTag: do_ArithmeticOp_Int(x); return; ++ default: ShouldNotReachHere(); return; + } +- ShouldNotReachHere(); + } + + // _ishl, _lshl, _ishr, _lshr, _iushr, _lushr +@@ -792,9 +792,13 @@ + __ abs(value.result(), dst, LIR_OprFact::illegalOpr); + break; + } ++ default: ++ ShouldNotReachHere(); + } + break; + } ++ default: ++ ShouldNotReachHere(); + } + } + +diff -r ec4c3c287ca7 -r 8f0f7f2ae20b src/hotspot/cpu/aarch64/templateTable_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/templateTable_aarch64.cpp Tue Sep 18 20:49:44 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/templateTable_aarch64.cpp Wed Sep 26 18:11:00 2018 +0100 +@@ -2329,6 +2329,7 @@ + switch (code) { + case Bytecodes::_nofast_getfield: code = Bytecodes::_getfield; break; + case Bytecodes::_nofast_putfield: code = Bytecodes::_putfield; break; ++ default: break; + } + + assert(byte_no == f1_byte || byte_no == f2_byte, "byte_no out of range"); +@@ -2953,6 +2954,7 @@ + case Bytecodes::_fast_dputfield: __ pop_d(); break; + case Bytecodes::_fast_fputfield: __ pop_f(); break; + case Bytecodes::_fast_lputfield: __ pop_l(r0); break; ++ default: break; + } + __ bind(L2); + } + diff --git a/java-11-openjdk.rpmlintrc b/java-11-openjdk.rpmlintrc index 814cb51..704d2ff 100644 --- a/java-11-openjdk.rpmlintrc +++ b/java-11-openjdk.rpmlintrc @@ -8,3 +8,6 @@ addFilter("W: binary-or-shlib-defines-rpath .*/usr/lib/jvm/.*") addFilter("W: devel-file-in-non-devel-package .*/usr/lib/jvm/.*-slowdebug/.*") # allow long summaries to avoid odd diffs with Fedora addFilter("E: summary-too-long") +# add an exception as written in +# http://wiki.rosalab.ru/ru/index.php/Rpmlint_Errors#non-readable +addFilter("E: non-readable") diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 2959235..279395a 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -18,16 +18,24 @@ # # Enable fastdebug builds by default on relevant arches. +%ifarch %{ix86} +%bcond_with fastdebug +%else %bcond_without fastdebug +%endif # Enable slowdebug builds by default on relevant arches. +%ifarch %{ix86} +%bcond_with slowdebug +%else %bcond_without slowdebug +%endif # Enable release builds by default on relevant arches. %bcond_without release # Enable static library builds by default. -%bcond_without staticlibs +%bcond_with staticlibs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -135,8 +143,6 @@ %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector %global zgc_arches x86_64 -# Set of architectures for which alt-java has SSB mitigation -%global ssbd_arches x86_64 # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} @@ -225,13 +231,13 @@ # See RHBZ#1861401 %define _lto_cflags %{nil} -# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# Filter out flags from the macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 # We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) # We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings # We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ %ifarch %{ix86} -%global optflags %optflags -fno-PIC +%global optflags %optflags -fno-PIC -mstackrealign %endif %global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') @@ -433,8 +439,6 @@ %define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} -%global alt_java_name alt-java - %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ # For flatpack builds hard-code /usr/sbin/alternatives, @@ -479,7 +483,6 @@ ext=%{_extension} alternatives \\ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ - --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ @@ -488,8 +491,6 @@ alternatives \\ --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ - %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ @@ -557,7 +558,7 @@ if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -ext=.gz +ext=.xz alternatives \\ --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ @@ -714,7 +715,6 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 @@ -767,7 +767,6 @@ exit 0 %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so @@ -775,7 +774,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1* @@ -810,7 +808,6 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # this is conifg template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template @@ -822,7 +819,6 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_bindir}/java -%ghost %{_bindir}/%{alt_java_name} %ghost %{_jvmdir}/jre # https://bugzilla.redhat.com/show_bug.cgi?id=1312019 %ghost %{_bindir}/jjs @@ -910,7 +906,6 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java -%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jaotc %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod @@ -1228,9 +1223,6 @@ Source303: https://download.bell-sw.com/java/11.0.10+9/bellsoft-jdk11.0.10+9-lin # Ensure vendor settings are correct Source16: CheckVendor.java -# nss fips configuration file -Source17: nss.fips.cfg.in - ############################################ # # RPM/distribution specific patches @@ -1243,25 +1235,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch -# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY -Patch1003: rh1842572-rsa_default_for_keytool.patch -# FIPS support patches -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -Patch1001: rh1655466-global_crypto_and_fips.patch -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -Patch1002: rh1818909-fips_default_keystore_type.patch -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -Patch1007: rh1915071-always_initialise_configurator_access.patch -# RH1929465: Improve system FIPS detection -Patch1008: rh1929465-improve_system_FIPS_detection.patch -# RH1996182: Login to the NSS software token in FIPS mode -Patch1009: rh1996182-login_to_nss_software_token.patch -Patch1010: rh1996182-extend_security_policy.patch ############################################# # @@ -1283,8 +1257,6 @@ Patch1010: rh1996182-extend_security_policy.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# PR3695: Allow use of system crypto policy to be disabled by the user -Patch7: pr3695-toggle_system_crypto_policy.patch ############################################# # @@ -1300,6 +1272,11 @@ Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch # ROSA patch Patch10: clang_stack.patch +Patch11: JDK-8186780.patch + +# aarch64 +Patch12: JDK-8211029.patch +Patch13: JDK-8211170.patch %if %{with clang} BuildRequires: clang @@ -1673,21 +1650,18 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch7 -p1 %patch8 -p1 +%if %{with clang} %patch10 -p1 +%patch11 -p1 +%endif +%ifarch aarch64 +%patch12 -p1 +%patch13 -p1 +%endif popd # openjdk %patch1000 -%patch600 -%patch1001 -%patch1002 -%patch1003 -%patch1004 -%patch1007 -%patch1008 -%patch1009 -%patch1010 # Extract systemtap tapsets %if %{with_systemtap} @@ -1738,10 +1712,6 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg - %build %if %{with clang} export CC="clang" @@ -1838,7 +1808,6 @@ bash ${top_dir_abs_src_path}/configure \ %endif --with-debug-level=$debugbuild \ --with-native-debug-symbols=$debug_symbols \ - --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=${link_opt} \ --with-libjpeg=${link_opt} \ @@ -1858,7 +1827,7 @@ bash ${top_dir_abs_src_path}/configure \ %if %{with clang} --with-toolchain-type="clang" \ %endif - -- + %{nil} make \ JAVAC_FLAGS=-g \ @@ -1892,10 +1861,6 @@ find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; # Install nss.cfg right away as we will be using the JRE above export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -# FIPS does not make sense in ROSA, we also use --disable-sysconf-nss -#install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ @@ -1905,13 +1870,6 @@ rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat %endif -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd - # build cycles done # end of release / debug cycle loop @@ -1951,13 +1909,6 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendo # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi -# Check alt-java launcher has SSB mitigation on supported architectures -%ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation -%else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi -%endif - %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}