From 7d90702f0ca27201e0b82f772635335e6acb4984 Mon Sep 17 00:00:00 2001 From: slava86 Date: Sat, 21 Aug 2021 00:09:00 +0300 Subject: [PATCH 01/10] https://bugs.openjdk.java.net/browse/JDK-8263557;build with clang12 --- ...-NULL-dereference-in-Arena-destruct_.patch | 29 +++++++++++++++++++ java-11-openjdk.spec | 4 ++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch diff --git a/0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch b/0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch new file mode 100644 index 0000000..f32bba3 --- /dev/null +++ b/0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch @@ -0,0 +1,29 @@ +From c484d8904285652246c3af212a4211b9a8955149 Mon Sep 17 00:00:00 2001 +From: Thomas Stuefe +Date: Tue, 16 Mar 2021 05:49:01 +0000 +Subject: [PATCH] 8263557: Possible NULL dereference in + Arena::destruct_contents() + +Reviewed-by: kbarrett, coleenp +--- + src/hotspot/share/memory/arena.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/hotspot/share/memory/arena.cpp b/src/hotspot/share/memory/arena.cpp +index 8388f68c359..16059bed9be 100644 +--- a/src/hotspot/share/memory/arena.cpp ++++ b/src/hotspot/share/memory/arena.cpp +@@ -310,7 +310,9 @@ void Arena::destruct_contents() { + // reset size before chop to avoid a rare racing condition + // that can have total arena memory exceed total chunk memory + set_size_in_bytes(0); +- _first->chop(); ++ if (_first != NULL) { ++ _first->chop(); ++ } + reset(); + } + +-- +2.31.1 + diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index d5cf0ce..45e70e2 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec 
@@ -245,7 +245,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 6 -%global rpmrelease 0 +%global rpmrelease 1 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -1182,6 +1182,7 @@ Patch8: s390-8214206_fix.patch # JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' Patch9: jdk8247874-fix_ampersand_in_vm_bug_url.patch Patch10: clang_stack.patch +Patch11: 0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch ############################################# # # JDK 9+ only patches @@ -1460,6 +1461,7 @@ pushd %{top_level_dir_name} %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 popd # openjdk %patch1000 From 57bcc7e82e5a151e5a1c6077e4450389b79b2265 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sun, 3 Oct 2021 01:13:14 +0300 Subject: [PATCH 02/10] fix mans extensions ROSA uses *.xz, not *.gz, there were broken symlinks: $ file /etc/alternatives/java.1.gz /etc/alternatives/java.1.gz: broken symbolic link to /usr/share/man/man1/java-java-1.8.0-openjdk-1.8.0.252.b02-0.1.ea.x86_64.1.gz --- java-11-openjdk.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 45e70e2..0cb9731 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -374,7 +374,7 @@ if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -ext=.gz +ext=%{_extension} alternatives \\ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ From 0f9c095d889ff68c9b704d9a79a665d997542a13 Mon Sep 17 00:00:00 2001 
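Review bot: The new `ext=%{_extension}` line relies on a distribution-specific macro and has no fallback. On a build host where `_extension` is not defined, rpm leaves the text unexpanded, so the man-page slave links built from `$ext` would again point at files that do not exist. A conditional form keeps the previous default: `ext=%{?_extension}%{!?_extension:.gz}`. Only the start of the `alternatives --install` call is visible in the hunk, so check in the full scriptlet that every man-page `--slave` entry uses `$ext`.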
From: Mikhail Novosyolov Date: Sun, 3 Oct 2021 01:15:18 +0300 Subject: [PATCH 03/10] Adapt to rpm 4.17 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on: https://src.fedoraproject.org/rpms/java-11-openjdk/c/2adbf848e0830d263953b4ab1a9214d372b4479b?branch=rawhide https://src.fedoraproject.org/rpms/java-11-openjdk/c/0eeb4a6e133c5efadb90a511da40c774b82b7363?branch=rawhide copy-jdk-configs have also been updated to pick https://pagure.io/copy_jdk_configs/c/88b1aeb3472132166d558915dcf706c4d39d915e?branch=master Error was: ``` Запуск скриптлета: java-1.8.0-openjdk-headless-1:1.8.0.252.b02-0.1.ea.x86_64 1/1 ошибка: lua script failed: /usr/libexec/copy_jdk_configs.lua:43: attempt to index a nil value (global 'arg') Error in PRETRANS scriptlet in rpm package java-1.8.0-openjdk-headless ``` --- java-11-openjdk.spec | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 0cb9731..989ab93 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -927,7 +927,7 @@ Requires: lksctp-tools%{?_isa} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression -Requires: copy-jdk-configs >= 3.3 +Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs # for printing support Requires: cups-libs @@ -1885,7 +1885,13 @@ done -- whether copy-jdk-configs is installed or not. If so, then configs are copied -- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all local posix = require "posix" -local debug = false + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" 
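Review bot: The added block assigns `debug` as a global, where the removed line declared `local debug`. `debug` is also the name of Lua's standard debug library, so from this point the library table is replaced by a boolean for any code that runs later in the same interpreter state. Unless copy_jdk_configs.lua reads that global (not visible in this hunk), `local debug = (os.getenv("debug") == "true")` keeps the old scoping. The switch is also driven by a very generically named environment variable in a scriptlet that normally runs as root; it only enables printing here, but a package-specific variable name would avoid accidental activation. The scriptlet continues outside the hunk.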
@@ -1913,9 +1919,10 @@ else return end end --- run content of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -require "copy_jdk_configs.lua" +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) %post %{post_script %{nil}} From 6dab179720712da96f9128f0aa3318fc8c22fd47 Mon Sep 17 00:00:00 2001 
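Review bot: `cjc.mainProgram(args)` is called without checking what `require` returned. If the file found on the path is a pre-4.0 copy_jdk_configs.lua, loading it with `arg = nil` would presumably reproduce the "attempt to index a nil value (global 'arg')" failure quoted in the commit message. A module that returns nothing makes `require` yield `true`, and indexing that fails as well. The `Requires: copy-jdk-configs >= 4.0` line constrains the installed set, but whether the new copy is already in place when this scriptlet runs should be confirmed. A best-effort form matching the "copied or not copied at all" comment above would be `local ok, cjc = pcall(require, "copy_jdk_configs.lua")` followed by `if ok and type(cjc) == "table" and cjc.mainProgram then cjc.mainProgram(args) end`. Separately, `cjc` and `args` are created as globals and could be `local`.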
From: Mikhail Novosyolov Date: Sun, 3 Oct 2021 02:56:04 +0300 Subject: [PATCH 04/10] Update to 11.0.12.0.7 Sync with Fedora Rawhide I ran `git diff 5aa1da8f..83375279 > /tmp/java.diff` in Fedora's git and applied the diff partly manually. Took sources from https://download-ib01.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/j/java-11-openjdk-11.0.12.0.7-7.fc36.src.rpm --- .abf.yml | 5 +- ...-NULL-dereference-in-Arena-destruct_.patch | 29 - CheckVendor.java | 57 + NEWS | 1790 ++++++++++++++ generate_source_tarball.sh | 172 ++ java-11-openjdk.spec | 883 ++++--- java-11-openjdk.spec.orig | 2051 +++++++++++++++++ jdk8247874-fix_ampersand_in_vm_bug_url.patch | 25 - ...69668-rh1977671-aarch64_lib_path_fix.patch | 32 + nss.fips.cfg.in | 6 + remove-intree-libraries.sh | 34 +- ...E_2018_3639-speculative_store_bypass.patch | 61 - rh1655466-global_crypto_and_fips.patch | 205 ++ rh1750419-redhat_alt_java.patch | 116 + rh1818909-fips_default_keystore_type.patch | 52 + rh1842572-rsa_default_for_keytool.patch | 12 + rh1860986-disable_tlsv1.3_in_fips_mode.patch | 311 +++ ...lways_initialise_configurator_access.patch | 68 + rh1929465-improve_system_FIPS_detection.patch | 430 ++++ rh1996182-extend_security_policy.patch | 18 + rh1996182-login_to_nss_software_token.patch | 66 + s390-8214206_fix.patch | 12 - 22 files changed, 6038 insertions(+), 397 deletions(-) delete mode 100644 0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch create mode 100644 CheckVendor.java create mode 100755 generate_source_tarball.sh create mode 100644 java-11-openjdk.spec.orig delete mode 100644 jdk8247874-fix_ampersand_in_vm_bug_url.patch create mode 100644 jdk8269668-rh1977671-aarch64_lib_path_fix.patch create mode 100644 nss.fips.cfg.in delete mode 100644 rh1566890-CVE_2018_3639-speculative_store_bypass.patch create mode 100644 rh1655466-global_crypto_and_fips.patch create mode 100644 rh1750419-redhat_alt_java.patch create mode 100644 
rh1818909-fips_default_keystore_type.patch create mode 100644 rh1842572-rsa_default_for_keytool.patch create mode 100644 rh1860986-disable_tlsv1.3_in_fips_mode.patch create mode 100644 rh1915071-always_initialise_configurator_access.patch create mode 100644 rh1929465-improve_system_FIPS_detection.patch create mode 100644 rh1996182-extend_security_policy.patch create mode 100644 rh1996182-login_to_nss_software_token.patch delete mode 100644 s390-8214206_fix.patch diff --git a/.abf.yml b/.abf.yml index 0da1d79..244b349 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,7 +1,6 @@ sources: - OpenJDK11U-jdk_x64_linux_hotspot_11.0.7_10.tar.gz: 5627bcceee613c4764c120e941c8d24b3e5a6e33 bellsoft-jdk11.0.10+9-linux-aarch64.tar.gz: 6eed6f7cf4167316b2f22ebb5f3119b0869eb554 bellsoft-jdk11.0.10+9-linux-amd64.tar.gz: 32e0fe99199c9691e616af48355157139c0c8e60 bellsoft-jdk11.0.10+9-linux-i586.tar.gz: 301b8efbf861f823b8f44cc22385020cf85d4be3 - shenandoah-jdk11-shenandoah-jdk-11.0.8+6-4curve.tar.xz: 675c2ab8b8793ab87d0cf9b77b2196b71f4afbca - tapsets-icedtea-3.15.0.tar.xz: 7ae2cba67467825b2c2a5fec7aea041865023002 + jdk-updates-jdk11u-jdk-11.0.12+7-4curve-clean.tar.xz: 6453aa42343678f2e4a86362921ff373625f3ed3 + tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz: c8281ee37b77d535c9c1af86609a531958ff7b34 diff --git a/0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch b/0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch deleted file mode 100644 index f32bba3..0000000 --- a/0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From c484d8904285652246c3af212a4211b9a8955149 Mon Sep 17 00:00:00 2001 -From: Thomas Stuefe -Date: Tue, 16 Mar 2021 05:49:01 +0000 -Subject: [PATCH] 8263557: Possible NULL dereference in - Arena::destruct_contents() - -Reviewed-by: kbarrett, coleenp ---- - src/hotspot/share/memory/arena.cpp | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/hotspot/share/memory/arena.cpp b/src/hotspot/share/memory/arena.cpp -index 8388f68c359..16059bed9be 100644 ---- a/src/hotspot/share/memory/arena.cpp -+++ b/src/hotspot/share/memory/arena.cpp -@@ -310,7 +310,9 @@ void Arena::destruct_contents() { - // reset size before chop to avoid a rare racing condition - // that can have total arena memory exceed total chunk memory - set_size_in_bytes(0); -- _first->chop(); -+ if (_first != NULL) { -+ _first->chop(); -+ } - reset(); - } - --- -2.31.1 - diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..e2101cf --- /dev/null +++ b/CheckVendor.java 
@@ -0,0 +1,57 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 3) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL%s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + System.err.printf("Vendor information verified as %s, %s, %s\n", + vendor, vendorURL, vendorBugURL); + } +} diff --git a/NEWS b/NEWS index 6a269f1..26c3f66 100644 --- a/NEWS +++ b/NEWS 
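Review bot: The third mismatch message has no space before its first placeholder (`"Invalid vendor bug URL%s, expected %s\n"`), so the reported URL runs into the label; it should read `"Invalid vendor bug URL %s, expected %s\n"` like the two messages above it. The success line is also written to `System.err`, which makes a passing check look like a failure in build logs; `System.out.printf(...)` would separate the two cases. As shown on this page the usage text prints only `CheckVendor ` with no argument names, which may be a rendering loss; the source should name the three expected arguments in order.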
@@ -3,6 +3,1796 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.12 (2021-07-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11012 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt + +* Security fixes + - JDK-8256157: Improve bytecode assembly + - JDK-8256491: Better HTTP transport + - JDK-8258432, CVE-2021-2341: Improve file transfers + - JDK-8260453: Improve Font Bounding + - JDK-8260960: Signs of jarsigner signing + - JDK-8260967, CVE-2021-2369: Better jar file validation + - JDK-8262380: Enhance XML processing passes + - JDK-8262403: Enhanced data transfer + - JDK-8262410: Enhanced rules for zones + - JDK-8262477: Enhance String Conclusions + - JDK-8262967: Improve Zip file support + - JDK-8264066, CVE-2021-2388: Enhance compiler validation + - JDK-8264079: Improve abstractions + - JDK-8264460: Improve NTLM support +* Other changes + - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit + - JDK-7106851: Test should not use System.exit + - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137 + - JDK-8076190: Customizing the generation of a PKCS12 keystore + - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms + - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux + - JDK-8177068: incomplete classpath causes NPE in Flow + - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution + - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll + - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit() + - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen + - JDK-8196100: 
javax/swing/text/JTextComponent/5074573/bug5074573.java fails + - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException + - JDK-8206925: Support the certificate_authorities extension + - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty + - JDK-8207247: AARCH64: Enable Minimal and Client VM builds + - JDK-8207404: MulticastSocket tests failing on AIX + - JDK-8207779: Method::is_valid_method() compares 'this' with NULL + - JDK-8208061: runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode. + - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64 + - JDK-8210443: Migrate Locale matching tests to JDK Repo. + - JDK-8213231: ThreadSnapshot::_threadObj can become stale + - JDK-8213483: ARM32: runtime/ErrorHandling/ShowRegistersOnAssertTest.java jtreg test fail + - JDK-8213725: JShell NullPointerException due to class file with unexpected package + - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32 + - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls + - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames + - JDK-8214512: ARM32: Jtreg test compiler/c2/Test8062950.java fails on ARM + - JDK-8214854: JDWP: Unforseen output truncation in logging + - JDK-8214922: Add vectorization support for fmin/fmax + - JDK-8215009: GCC 8 compilation error in libjli + - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file + - JDK-8216259: AArch64: Vectorize Adler32 intrinsics + - JDK-8216314: SIGILL in CodeHeapState::print_names() + - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking + - JDK-8217465: [REDO] - Optimize CodeHeap Analytics + - JDK-8217561: X86: Add floating-point Math.min/max intrinsics + - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken + - JDK-8218458: 
[TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output + - JDK-8219142: Remove unused JIMAGE_ResourcePath + - JDK-8219586: CodeHeap State Analytics processes dead nmethods + - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS + - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout + - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU + - JDK-8222412: AARCH64: multiple instructions encoding issues + - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions + - JDK-8223444: Improve CodeHeap Free Space Management + - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods + - JDK-8223667: ASAN build broken + - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021 + - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails + - JDK-8225438: javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java failed with Read timed out + - JDK-8225756: [testbug] compiler/loopstripmining/CheckLoopStripMining.java sets too short a SafepointTimeoutDelay + - JDK-8226374: Restrict TLS signature schemes and named groups + - JDK-8226627: assert(t->singleton()) failed: must be a constant + - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint + - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow + - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15 + - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size + - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp + - JDK-8231460: Performance issue (CodeHeap) with large free blocks + - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint) + - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns + - JDK-8232084: HotSpot 
build failed with GCC 9.2.1 + - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl + - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread + - JDK-8233787: Break cycle in vm_version* includes + - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register + - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes + - JDK-8235368: Update BCEL to Version 6.4.1 + - JDK-8236859: WebSocket over authenticating proxy fails with NPE + - JDK-8236992: AArch64: remove redundant load_klass in itable stub + - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: [] + - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias already exists" + - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class + - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers + - JDK-8238812: assert(false) failed: bad AD file + - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java + - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64 + - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List` + - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files + - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler + - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version + - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 + - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string + - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) + - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset + - JDK-8241475: AArch64: Add 
missing support for PopCountVI node + - JDK-8241829: Cleanup the code for PrinterJob on windows + - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned + - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01 + - JDK-8242429: Better implementation for sign extract + - JDK-8242557: Add length limit for strings in PNGImageWriter + - JDK-8242919: Paste locks up jshell + - JDK-8243155: AArch64: Add support for SqrtVF + - JDK-8243240: AArch64: Add support for MulVB + - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings + - JDK-8243559: Remove root certificates with 1024-bit keys + - JDK-8243597: AArch64: Add support for integer vector abs + - JDK-8244031: HttpClient should have more tests for HEAD requests + - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected + - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails + - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC + - JDK-8246274: G1 old gen allocation tracking is not in a separate class + - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop + - JDK-8247408: IdealGraph bit check expression canonicalization + - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29 + - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown + - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32 + - JDK-8248043: Need to eliminate excessive i2l conversions + - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted + - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr + - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values + - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable + - 
JDK-8249189: AARCH64: more L2I conversions can be skipped + - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function + - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code + - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks + - JDK-8250876: Fix issues with cross-compile on macos + - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits + - JDK-8251525: AARCH64: Faster Math.signum(fp) + - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE + - JDK-8252311: AArch64: save two words in itable lookup stub + - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525 + - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows + - JDK-8253167: ARM32 builds fail after JDK-8247910 + - JDK-8253572: [windows] CDS archive may fail to open with long file names + - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops + - JDK-8253948: Memory leak in ImageFileReader + - JDK-8254631: Better support ALPN byte wire values in SunJSSE + - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards + - JDK-8255086: Update the root locale display names + - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic + - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement + - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0 + - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small + - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1 + - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned + - JDK-8256523: Streamline Java SHA2 implementation + - JDK-8257414: Drag n Drop target area is wrong on high DPI systems + - JDK-8257569: Failure observed with JfrVirtualMemory::initialize + 
- JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure + - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12 + - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist + - JDK-8257621: JFR StringPool misses cached items across consecutive recordings + - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32 + - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads + - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code + - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m + - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m + - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m + - JDK-8258414: OldObjectSample events too expensive + - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions + - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues + - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it + - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8259232: Bad JNI lookup during printing + - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization + - JDK-8259343: [macOS] Update JNI error handling in Cocoa code. 
+ - JDK-8259585: Accessible actions do not work on mac os x + - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros + - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl + - JDK-8259710: Inlining trace leaks memory + - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion + - JDK-8259777: Incorrect predication condition generated by ADLC + - JDK-8259786: initialize last parameter of getpwuid_r + - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name + - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs + - JDK-8259886: Improve SSL session cache performance and scalability + - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection + - JDK-8260030: Improve stringStream buffer handling + - JDK-8260236: better init AnnotationCollector _contended_group + - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized + - JDK-8260284: C2: assert(_base == Int) failed: Not an Int + - JDK-8260380: Upgrade to LittleCMS 2.12 + - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory + - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory + - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module + - JDK-8260653: Unreachable nodes keep speculative types alive + - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out + - JDK-8260925: HttpsURLConnection does not work with other JSSE provider. 
+ - JDK-8260926: Trace resource exhausted events unconditionally
+ - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
+ - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
+ - JDK-8261167: print_process_memory_info add a close call after fopen
+ - JDK-8261170: Upgrade to freetype 2.10.4
+ - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code
+ - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
+ - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
+ - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
+ - JDK-8261354: SIGSEGV at MethodIteratorHost
+ - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
+ - JDK-8261397: try catch Method failing to work when dividing an integer by 0
+ - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage
+ - JDK-8261447: MethodInvocationCounters frequently run into overflow
+ - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
+ - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer
+ - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0
+ - JDK-8261649: AArch64: Optimize LSE atomics in C++ code
+ - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
+ - JDK-8261752: Multiple GC test are missing memory requirements
+ - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks
+ - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance
+ - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
+ - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node"
+ - JDK-8262110: DST starts from incorrect time in 2038
+ - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0
+ - JDK-8262163: Extend settings printout in jcmd VM.metaspace
+ - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source
+ - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
+ - JDK-8262446: DragAndDrop hangs on Windows
+ - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c
+ - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds
+ - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
+ - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies
+ - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
+ - JDK-8262837: handle split_USE correctly
+ - JDK-8262900: ToolBasicTest fails to access HTTP server it starts
+ - JDK-8263260: [s390] Support latest hardware (z14 and z15)
+ - JDK-8263311: Watch registry changes for remote printers update instead of polling
+ - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
+ - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
+ - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
+ - JDK-8263448: CTW: fatal error: meet not symmetric
+ - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
+ - JDK-8263557: Possible NULL dereference in Arena::destruct_contents()
+ - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
+ - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
+ - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
+ - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
+ - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
+ - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
+ - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
+ - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting
+ - JDK-8264190: Harden TLS interop tests
+ - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test
+ - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
+ - JDK-8264360: Loop strip mining verification fails with "should be on the backedge"
+ - JDK-8264626: C1 should be able to inline excluded methods
+ - JDK-8264640: CMS ParScanClosure misses a barrier
+ - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
+ - JDK-8264821: DirectIOTest fails on a system with large block size
+ - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch
+ - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
+ - JDK-8264958: C2 compilation fails with assert "n is later than its clone"
+ - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
+ - JDK-8265154: vinserti128 operand mix up for KNL platforms
+ - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
+ - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
+ - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement
+ - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
+ - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
+ - JDK-8265666: Enable AIX build platform to make external debug symbols
+ - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
+ - JDK-8265690: Use the latest Ubuntu base image version in Docker testing
+ - JDK-8265718: Build failure after JDK-8258414 11u backport
+ - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
+ - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind
+ - JDK-8265938: C2's conditional move optimization does not handle top Phi
+ - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
+ - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
+ - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753
+ - JDK-8266802: Shenandoah: Round up region size to page size unconditionally
+ - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x
+ - JDK-8266929: Unable to use algorithms from 3p providers
+ - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
+ - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
+ - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
+ - JDK-8267641: [11u] 8227609 backport typo
+ - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64
+ - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+JDK-8256902: Removed Root Certificates with 1024-bit Keys
+=========================================================
+The following root certificates with weak 1024-bit RSA public keys
+have been removed from the `cacerts` keystore:
+
+Alias Name: thawtepremiumserverca [jdk]
+Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+
+Alias Name: verisignclass2g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3ca [jdk]
+Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisigntsaca [jdk]
+Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+
+JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate
+=================================================================
+
+The following root certificate have been removed from the cacerts truststore:
+
+Alias Name: soneraclass2ca
+Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI
+
+JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms
+======================================================================
+The default encryption and MAC algorithms used in a PKCS #12 keystore
+have been updated. The new algorithms are based on AES-256 and SHA-256
+and are stronger than the old algorithms that were based on RC2,
+DESede, and SHA-1. See the security properties starting with
+`keystore.pkcs12` in the `java.security` file for detailed
+information.
+
+For compatibility, a new system property named
+`keystore.pkcs12.legacy` is defined that will revert the algorithms to
+use the older, weaker algorithms. There is no value defined for this
+property.
+
+security-libs/javax.net.ssl:
+
+JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
+=========================================================================================
+Certain TLS ALPN values couldn't be properly read or written by the
+SunJSSE provider. This is due to the choice of Strings as the API
+interface and the undocumented internal use of the UTF-8 Character Set
+which converts characters larger than U+00007F (7-bit ASCII) into
+multi-byte arrays that may not be expected by a peer.
+
+ALPN values are now represented using the network byte representation
+expected by the peer, which should require no modification for
+standard 7-bit ASCII-based character Strings. However, SunJSSE now
+encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
+characters. This means applications that used characters above
+U+000007F that were previously encoded using UTF-8 may need to either
+be modified to perform the UTF-8 conversion, or set the Java security
+property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
+
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
+JDK-8244460: Support for certificate_authorities Extension
+==========================================================
+The "certificate_authorities" extension is an optional extension
+introduced in TLS 1.3. It is used to indicate the certificate
+authorities (CAs) that an endpoint supports and should be used by the
+receiving endpoint to guide certificate selection.
+
+With this JDK release, the "certificate_authorities" extension is
+supported for TLS 1.3 in both the client and the server sides. This
+extension is always present for client certificate selection, while it
+is optional for server certificate selection.
+
+Applications can enable this extension for server certificate
+selection by setting the `jdk.tls.client.enableCAExtension` system
+property to `true`. The default value of the property is `false`.
+
+Note that if the client trusts more CAs than the size limit of the
+extension (less than 2^16 bytes), the extension is not enabled. Also,
+some server implementations do not allow handshake messages to exceed
+2^14 bytes. Consequently, there may be interoperability issues when
+`jdk.tls.client.enableCAExtension` is set to `true` and the client
+trusts more CAs than the server implementation limit.
+
+New in release OpenJDK 11.0.11 (2021-04-20):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11011
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.11.txt
+
+* Security fixes
+ - JDK-8244473: Contextualize registration for JNDI
+ - JDK-8244543: Enhanced handling of abstract classes
+ - JDK-8249906, CVE-2021-2163: Enhance opening JARs
+ - JDK-8250568, CVE-2021-2161: Less ambiguous processing
+ - JDK-8253799: Make lists of normal filenames
+ - JDK-8257001: Improve Http Client Support
+* Other changes
+ - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled
+ - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
+ - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing
+ - JDK-8168869: jdeps: localized messages don't use proper line breaks
+ - JDK-8180837: SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID
+ - JDK-8202343: Disable TLS 1.0 and 1.1
+ - JDK-8205992: jhsdb cannot attach to Java processes running in Docker containers
+ - JDK-8209193: Fix aarch64-linux compilation after -Wreorder changes
+ - JDK-8210413: AArch64: Optimize div/rem by constant in C1
+ - JDK-8210578: AArch64: Invalid encoding for fmlsvs instruction
+ - JDK-8211051: jdeps usage of --dot-output doesn't provide valid output for modular jar
+ - JDK-8211057: Gensrc step CompileProperties generates unstable CompilerProperties output
+ - JDK-8211150: G1 Full GC not purging code root memory and hence causing memory leak
+ - JDK-8211825: ModuleLayer.defineModulesWithXXX does not setup delegation when module reads automatic module
+ - JDK-8212043: Add floating-point Math.min/max intrinsics
+ - JDK-8212218: [TESTBUG] runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryErrorInMetaspace.java timed out
+ - JDK-8213116: javax/swing/JComboBox/WindowsComboBoxSize/WindowsComboBoxSizeTest.java fails in Windows
+ - JDK-8213909: jdeps --print-module-deps should report missing dependences
+ - JDK-8214180: Need better granularity for sleeping
+ - JDK-8214223: tools/jdeps/listdeps/ListModuleDeps.java failed due to missing Lib2 file
+ - JDK-8214230: Classes generated by SystemModulesPlugin.java are not reproducable
+ - JDK-8214741: docs/index.html has no title or copyright
+ - JDK-8215687: [Graal] unit test CheckGraalIntrinsics failed after 8212043
+ - JDK-8217848: [Graal] vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003/TestDescription.java fails
+ - JDK-8218482: sun/security/krb5/auto/ReplayCachePrecise.java failed - no KrbException thrown
+ - JDK-8218550: Add test omitted from JDK-8212043
+ - JDK-8221584: SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event
+ - JDK-8221995: AARCH64: problems with CAS instructions encoding
+ - JDK-8222518: Remove unnecessary caching of Parker object in java.lang.Thread
+ - JDK-8222785: aarch64: add necessary masking for immediate shift counts
+ - JDK-8223186: HotSpot compile warnings from GCC 9
+ - JDK-8225773: jdeps --check produces NPE if there are missing module dependences
+ - JDK-8225805: Java Access Bridge does not close the logger
+ - JDK-8226810: Failed to launch JVM because of NullPointerException occured on System.props
+ - JDK-8229396: jdeps ignores multi-release when generate-module-info used on command line
+ - JDK-8229474: Shenandoah: Cleanup CM::update_roots()
+ - JDK-8232225: Rework the fix for JDK-8071483
+ - JDK-8232905: JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant
+ - JDK-8233164: C2 fails with assert(phase->C->get_alias_index(t) == phase->C->get_alias_index(t_adr)) failed: correct memory chain
+ - JDK-8233910: java/awt/ColorClass/AlphaColorTest.java is failing intermittently in nightly lnux-x64 system
+ - JDK-8233912: aarch64: minor improvements of atomic operations
+ - JDK-8234508: VM_HeapWalkOperation::iterate_over_object reads non-strong fields with an on-strong load barrier
+ - JDK-8234742: Improve handshake logging
+ - JDK-8234796: Refactor Handshake::execute to take a more complex type than ThreadClosure
+ - JDK-8235324: Dying objects are published from users of CollectedHeap::object_iterate
+ - JDK-8235351: Lookup::unreflect should bind with the original caller independent of Method's accessible flag
+ - JDK-8237369: Shenandoah: failed vmTestbase/nsk/jvmti/AttachOnDemand/attach021/TestDescription.java test
+ - JDK-8237392: Shenandoah: Remove unreliable assertion
+ - JDK-8237483: AArch64 C1 OopMap inserted twice fatal error
+ - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7
+ - JDK-8239355: (dc) Initial value of SO_SNDBUF should allow sending large datagrams (macOS)
+ - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1
+ - JDK-8240704: CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent."
+ - JDK-8240751: Shenandoah: fold ShenandoahTracer definition
+ - JDK-8240795: [REDO] 8238384 CTW: C2 compilation fails with "assert(store != load->find_exact_control(load->in(0))) failed: dependence cycle found"
+ - JDK-8241598: Upgrade JLine to 3.14.0
+ - JDK-8241649: Optimize Character.toString
+ - JDK-8241770: Module xxxAnnotation() methods throw NCDFE if module-info.class found as resource in unnamed module
+ - JDK-8241911: AArch64: Fix a potential register clash issue in reduce_add2I
+ - JDK-8242030: Wrong package declarations in jline classes after JDK-8241598
+ - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled
+ - JDK-8243618: compiler/rtm/cli tests can be run w/o WhiteBox
+ - JDK-8243670: Unexpected test result caused by C2 MergeMemNode::Ideal
+ - JDK-8244088: [Regression] Switch of Gnome theme ends up in deadlocked UI
+ - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files
+ - JDK-8244340: Handshake processing thread lacks yielding
+ - JDK-8244573: java.lang.ArrayIndexOutOfBoundsException thrown for malformed class file
+ - JDK-8244683: A TSA server used by tests
+ - JDK-8245005: javax/net/ssl/compatibility/BasicConnectTest.java failed with No enum constant
+ - JDK-8245026: PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused
+ - JDK-8245283: JFR: Can't handle constant dynamic used by Jacoco agent
+ - JDK-8245512: CRC32 optimization using AVX512 instructions
+ - JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos
+ - JDK-8246707: (sc) SocketChannel.read/write throws AsynchronousCloseException on closed channel
+ - JDK-8246709: sun/security/tools/jarsigner/TsacertOptionTest.java compilation failed after JDK-8244683
+ - JDK-8247200: assert((unsigned)fpargs < 32)
+ - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn.
+ - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit
+ - JDK-8248865: Document JNDI/LDAP timeout properties
+ - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.
+ - JDK-8249543: Force DirectBufferAllocTest to run with -ExplicitGCInvokesConcurrent
+ - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows
+ - JDK-8249749: modify a primitive array through a stream and a for cycle causes jre crash
+ - JDK-8249787: Make TestGCLocker more resilient with concurrent GCs
+ - JDK-8249867: xml declaration is not followed by a newline
+ - JDK-8250911: [windows] os::pd_map_memory() error detection broken
+ - JDK-8251255: [linux] Add process-memory information to hs-err and VM.info
+ - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier
+ - JDK-8251925: C2: RenaissanceStressTest fails with assert(!had_error): bad dominance
+ - JDK-8251944: Add Shenandoah test config to compiler/gcbarriers/UnsafeIntrinsicsTest.java
+ - JDK-8251992: VM crashed running TestComplexAddrExpr.java test with -XX:UseAVX=X
+ - JDK-8253220: Epsilon: clean up unused code/declarations
+ - JDK-8253274: The CycleDMImagetest brokes the system
+ - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node
+ - JDK-8253368: TLS connection always receives close_notify exception
+ - JDK-8255368: Math.exp() gives wrong result for large values on x86 32-bit platforms
+ - JDK-8255401: Shenandoah: Allow oldval and newval registers to overlap in cmpxchg_oop()
+ - JDK-8253404: C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8253409: Double-rounding possibility in float fma
+ - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities
+ - JDK-8253524: C2: Refactor code that clones predicates during loop unswitching
+ - JDK-8253644: C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected
+ - JDK-8253681: closed java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed
+ - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn
+ - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*)
+ - JDK-8254104: MethodCounters must exist before nmethod is installed
+ - JDK-8254734: "dead loop detected" assert failure with patch from 8223051
+ - JDK-8254748: Bad Copyright header format after JDK-8212218
+ - JDK-8254799: runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryError.java fails with release VMs
+ - JDK-8255058: C1: assert(is_virtual()) failed: type check
+ - JDK-8255351: Add detection for Graviton 2 CPUs
+ - JDK-8255387: Japanese characters were printed upside down on AIX
+ - JDK-8255479: [aarch64] assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity
+ - JDK-8255544: Create a checked cast
+ - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
+ - JDK-8255681: print callstack in error case in runAWTLoopWithApp
+ - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too
+ - JDK-8255742: PrintInlining as compiler directive doesn't print virtual calls
+ - JDK-8255845: Memory leak in imageFile.cpp
+ - JDK-8255880: UI of Swing components is not redrawn after their internal state changed
+ - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
+ - JDK-8256025: AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls
+ - JDK-8256056: Deoptimization stub doesn't save vector registers on x86
+ - JDK-8256061: RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers
+ - JDK-8256187: [TEST_BUG] Automate bug4275046.java test
+ - JDK-8256220: C1: x86_32 fails with -XX:UseSSE=1 after JDK-8210764 due to mishandled lir_neg
+ - JDK-8256258: some missing NULL checks or asserts after CodeCache::find_blob_unsafe
+ - JDK-8256264: Printed GlyphVector outline with low DPI has bad quality on Windows
+ - JDK-8256290: javac/lambda/T8031967.java fails with StackOverflowError on x86_32
+ - JDK-8256359: AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails
+ - JDK-8256387: Unexpected result if patching an entire instruction on AArch64
+ - JDK-8256421: Add 2 HARICA roots to cacerts truststore
+ - JDK-8256488: [aarch64] Use ldpq/stpq instead of ld4/st4 for small copies in StubGenerator::copy_memory
+ - JDK-8256489: Make gtest for long path names on Windows more resilient in the presence of virus scanners
+ - JDK-8256501: libTestMainKeyWindow fails to build with Xcode 12.2
+ - JDK-8256633: Fix product build on Windows+Arm64
+ - JDK-8256682: JDK-8202343 is incomplete
+ - JDK-8256751: Incremental rebuild with precompiled header fails when touching a header file
+ - JDK-8256757: Incorrect MachCallRuntimeNode::ret_addr_offset() for CallLeafNoFP on x86_32
+ - JDK-8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test
+ - JDK-8256807: C2: Not marking stores correctly as mismatched in string opts
+ - JDK-8256810: Incremental rebuild broken on Macosx
+ - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources
+ - JDK-8256888: Client manual test problem list update
+ - JDK-8257083: Security infra test failures caused by JDK-8202343
+ - JDK-8257408: Bump update version for OpenJDK: jdk-11.0.11
+ - JDK-8257423: [PPC64] Support -XX:-UseInlineCaches
+ - JDK-8257436: [aarch64] Regressions in ArrayCopyUnalignedDst.testByte/testChar for 65-78 bytes when UseSIMDForMemoryOps is on
+ - JDK-8257513: C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset())
+ - JDK-8257547: Handle multiple prereqs on the same line in deps files
+ - JDK-8257561: Some code is not vectorized after 8251925 and 8250607
+ - JDK-8257565: epsilonBarrierSet.hpp should not include barrierSetAssembler
+ - JDK-8257575: C2: "failed: only phis" assert failure in loop strip mining verification
+ - JDK-8257594: C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle
+ - JDK-8257633: Missing -mmacosx-version-min=X flag when linking libjvm
+ - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
+ - JDK-8257707: Fix incorrect format string in Http1HeaderParser
+ - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines
+ - JDK-8257798: [PPC64] undefined reference to Klass::vtable_start_offset()
+ - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test
+ - JDK-8257910: [JVMCI] Set exception_seen accordingly in the runtime.
+ - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
+ - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region
+ - JDK-8258077: Using -Xcheck:jni can lead to a double-free after JDK-8193234
+ - JDK-8258247: Couple of issues in fix for JDK-8249906
+ - JDK-8258373: Update the text handling in the JPasswordField
+ - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk()
+ - JDK-8258419: RSA cipher buffer cleanup
+ - JDK-8258471: "search codecache" clhsdb command does not work
+ - JDK-8258534: Epsilon: clean up unused includes
+ - JDK-8258805: Japanese characters not entered by mouse click on Windows 10
+ - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures
+ - JDK-8258836: JNI local refs exceed capacity getDiagnosticCommandInfo
+ - JDK-8258884: [TEST_BUG] Convert applet-based test open/test/jdk/javax/swing/JMenuItem/8031573/bug8031573.java to a regular java test
+ - JDK-8259007: This test printed a blank page
+ - JDK-8259049: Uninitialized variable after JDK-8257513
+ - JDK-8259451: Zero: skip serviceability/sa tests, set vm.hasSA to false
+ - JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState
+ - JDK-8259231: Epsilon: improve performance under contention during virtual space expansion
+ - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
+ - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will expire in 90 days
+ - JDK-8259319: Illegal package access when SunPKCS11 requires SunJCE's classes
+ - JDK-8259339: AllocateUninitializedArray C2 intrinsic fails with void.class input
+ - JDK-8259428: AlgorithmId.getEncodedParams() should return copy
+ - JDK-8259446: runtime/jni/checked/TestCheckedReleaseArrayElements.java fails with stderr not empty
+ - JDK-8259949: x86 32-bit build fails when -fcf-protection is passed in the compiler flags
+ - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect
+ - JDK-8259633: compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543
+ - JDK-8259706: C2 compilation fails with assert(vtable_index == Method::invalid_vtable_index) failed: correct sentinel value
+ - JDK-8259707: LDAP channel binding does not work with StartTLS extension
+ - JDK-8259773: Incorrect encoding of AVX-512 kmovq instruction
+ - JDK-8259849: Shenandoah: Rename store-val to IU-barrier
+ - JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp
+ - JDK-8260029: aarch64: fix typo in verify_oop_array
+ - JDK-8260308: Update LogCompilation junit to 4.13.1
+ - JDK-8260338: Some fields in HaltNode is not cloned
+ - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS
+ - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a
+ - JDK-8260378: [TESTBUG] DcmdMBeanTestCheckJni.java reports false positive
+ - JDK-8260497: Shenandoah: Improve SATB flushing
+ - JDK-8260502: [s390] NativeMovRegMem::verify() fails because it's too strict
+ - JDK-8260632: Build failures after JDK-8253353
+ - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end
+ - JDK-8261022: Fix incorrect result of Math.abs() with char type
+ - JDK-8261089: [TESTBUG] native library of test TestCheckedReleaseCriticalArray.java fails to compile with gcc 4.x
+ - JDK-8261183: Follow on to Make lists of normal filenames
+ - JDK-8261209: isStandalone property: remove dependency on pretty-print
+ - JDK-8261231: Windows IME was disabled after DnD operation
+ - JDK-8261251: Shenandoah: Use object size for full GC humongous compaction
+ - JDK-8261310: PPC64 Zero build fails with 'VMError::controlled_crash(int)::FunctionDescriptor functionDescriptor' has incomplete type and cannot be defined
+ - JDK-8261334: NMT: tuning statistic shows incorrect hash distribution
+ - JDK-8261413: Shenandoah: Disable class-unloading in I-U mode
+ - JDK-8261522: [PPC64] AES intrinsics write beyond the destination array
+ - JDK-8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined
+ - JDK-8261585: Restore HandleArea used in Deoptimization::uncommon_trap
+ - JDK-8261753: Test java/lang/System/OsVersionTest.java still failing on BigSur patch versions after JDK-8253702
+ - JDK-8261829: Exclude tools/jlink/JLinkReproducibleTest.java in 11u
+ - JDK-8261912: Code IfNode::fold_compares_helper more defensively
+ - JDK-8261920: [AIX] jshell command throws java.io.IOError on non English locales
+ - JDK-8262018: Wrong format in SAP copyright header of OsVersionTest
+ - JDK-8263069: Exclude some failing tests from security/infra/java/security/cert/CertPathValidator
+
+Notes on individual issues:
+===========================
+
+core-libs/javax.naming:
+
+JDK-8258824: LDAP Channel Binding Support for Java GSS/Kerberos
+===============================================================
+A new JNDI environment property "com.sun.jndi.ldap.tls.cbtype" has
+been added to enable TLS Channel Binding data in LDAP authentication
+over SSL/TLS protocol to the Windows AD server. The only valid value
+at present is "tls-server-end-point", where channel binding data is
+created on the base of the TLS server certificate. See RFC-5929 [0]
+and the module description of the `java.naming` module for further
+details.
+
+[0] RFC-5929 "Channel Bindings for TLS": https://www.ietf.org/rfc/rfc5929.txt
+
+security-libs/java.security:
+
+JDK-8260597: Added 2 HARICA Root CA Certificates
+================================================
+The following root certificates have been added to the cacerts truststore:
+
+Alias Name: haricarootca2015
+Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+
+Alias Name: haricaeccrootca2015
+Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+
+security-libs/javax.net.ssl:
+
+JDK-8256490: Disable TLS 1.0 and 1.1
+====================================
+TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer
+considered secure and have been superseded by more secure and modern
+versions (TLS 1.2 and 1.3).
+
+These versions have now been disabled by default. If you encounter
+issues, you can, at your own risk, re-enable the versions by removing
+"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms`
+security property in the `java.security` configuration file.
+
+tools:
+
+JDK-8214213: jdeps --print-module-deps Reports Transitive Dependencies
+======================================================================
+`jdeps --print-module-deps`, `--list-deps`, and `--list-reduce-deps`
+options have been enhanced as follows.
+
+1. By default, they perform transitive module dependence analysis on
+libraries on the class path and module path, both directly and
+indirectly, as required by the given input JAR files or
+classes. Previously, they only reported the modules required by the
+given input JAR files or classes. The `--no-recursive` option can be
+used to request non-transitive dependence analysis.
+
+2. By default, they flag any missing dependency, i.e. not found from
+class path and module path, as an error. The `--ignore-missing-deps`
+option can be used to suppress missing dependence errors. Note that a
+custom image is created with the list of modules output by jdeps when
+using the `--ignore-missing-deps` option for a non-modular
+application. Such an application, running on the custom image, might
+fail at runtime when missing dependence errors are suppressed.
+
+xml/jaxp:
+
+JDK-8249867 XML declaration is not followed by a newline
+========================================================
+
+The DOM Load and Save `LSSerializer` does not have an explicit control
+for whether or not the XML Declaration ends with a newline. In this
+release, a JDK implementation specific property
+`http://www.oracle.com/xml/jaxp/properties/isStandalone` and
+corresponding System property `jdk.xml.isStandalone` are added to
+control the addition of a newline and act independently without
+having to set the pretty-print property. This property can be used to
+reverse the incompatible change introduced in Java SE 7 Update 4 with
+an update of Xalan 2.7.1 where a newline is omitted when pretty-print
+is required.
+
+For details, please refer to the bug report and the java.xml module-summary.
+
+Usage:
+
+// to set the property, get an instance of LSSerializer and set it along with pretty-print
+LSSerializer ser = impl.createLSSerializer();
+ser.getDomConfig().setParameter("format-pretty-print", true);
+ser.getDomConfig().setParameter("http://www.oracle.com/xml/jaxp/properties/isStandalone", true);
+
+// to use the System property, set it before initializing a LSSerializer
+System.setProperty("jdk.xml.isStandalone", “true”);
+
+// to clear the property, place the line anywhere after the LSSerializer is initialized
+System.clearProperty("jdk.xml.isStandalone");
+
+New in release OpenJDK 11.0.10 (2021-01-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11010
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt
+
+* Security fixes
+ - JDK-8247619: Improve Direct Buffering of Characters
+* Other changes
+ - JDK-6722928: Support SSPI as a native GSS-API provider
+ - JDK-7185258: [macosx] Deadlock in SunToolKit.realSync()
+ - JDK-8152332: [macosx] JFileChooser cannot be serialized on Mac OS X
+ - JDK-8161684: [testconf] Add VerifyOops' testing into compiler tiers
+ - JDK-8171279: Support X25519 and X448 in TLS
+ - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+ - JDK-8173658: JvmtiExport::post_class_unload() is broken for non-JavaThread initiators
+ - JDK-8191006: hsdis disassembler plugin does not compile with binutils 2.29+
+ - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8
+ - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
+ - JDK-8200151: Add 8 JNDI tests to com/sun/jndi/dns/ConfigTests/
+ - JDK-8208279: Add 8 JNDI tests to com/sun/jndi/dns/EnvTests/
+ - JDK-8208483: Add 5 JNDI tests to com/sun/jndi/dns/FactoryTests/
+ - JDK-8208542: Add 4 JNDI tests to com/sun/jndi/dns/ListTests/
+ - JDK-8208665: Amend cross-compilation docs with qemu-debootstrap recipe
+ - JDK-8210088: ProblemList gc/epsilon/TestMemoryMXBeans.java
+ - JDK-8210339: Add 10 JNDI tests to com/sun/jndi/dns/FedTests/
+ - JDK-8211450: UndetVar::dup is not copying the kind field to the duplicated instance
+ - JDK-8212160: JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value"
+ - JDK-8212226: SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows)
+ - JDK-8213400: Support choosing group name in keytool keypair generation
+ - JDK-8213535: Windows HiDPI html lightweight tooltips are truncated
+ - JDK-8213698: Improve devkit creation and add support for linux/ppc64/ppc64le/s390x
+ - JDK-8214025: assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2
+ - JDK-8214242: compiler/arguments/TestScavengeRootsInCode.java fails because of missing UnlockDiagnosticVMOptions
+ - JDK-8214787: Zero builds fail with "undefined JavaThread::thread_state()"
+ - JDK-8215583: Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java
+ - JDK-8216012: Infinite loop in RSA KeyPairGenerator
+ - JDK-8216324: GetClassMethods is confused by the presence of default methods in super interfaces
+ - JDK-8217429: WebSocket over authenticating proxy fails to send Upgrade headers
+ - JDK-8217976: test/jdk/java/net/httpclient/websocket/WebSocketProxyTest.java fails intermittently
+ - JDK-8218021: Have jarsigner preserve posix permission attributes
+ - JDK-8218287: jshell tool: input behavior unstable after 12-ea+24 on Windows
+ - JDK-8218851: JVM crash in custom classloader stress test, JDK 12 & 13
+ - JDK-8220420: Cleanup c1_LinearScan
+ - JDK-8222072: JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv
+ - JDK-8222286: Fix for JDK-8213419 is broken on s390
+ - JDK-8222527: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy
+ - JDK-8222533: jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine
+ - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137
+ - JDK-8224555: vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed
+ - JDK-8224650: Add tests to support X25519 and X448 in TLS
+ - JDK-8225072: Add LuxTrust certificate that is expiring in March 2021 to list of allowed but expired certs
+ - JDK-8225329: -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms
+ - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
+ - JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100
+ - JDK-8227275: Within native OOM error handling, assertions may hang the process
+ - JDK-8227647: [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled"
+ - JDK-8229495: SIGILL in C2 generated OSR compilation
+ - JDK-8230910: libsspi_bridge does not build on Windows 32bit
+ - JDK-8232114: JVM crashed at imjpapi.dll in native code
+ - JDK-8234147: Avoid looking up standard charsets in core libraries
+ - JDK-8234393: [macos] printing ignores printer tray
+ - JDK-8234863: Increase default value of MaxInlineLevel
+ - JDK-8235218: Minimal VM is broken after JDK-8173361
+ - JDK-8235456: Minimal VM is broken after JDK-8212160
+ - JDK-8235829: graal crashes with Zombie.java test
+ - JDK-8236124: Minimal VM slowdebug build failed after JDK-8212160
+ - JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
+ - JDK-8236944: The legVecZ operand should be limited to zmm0-zmm15 registers
+ - JDK-8237186: Fix typo in copyright header of java/io/Reader/TransferTo.java
+ - JDK-8237499: JFR: Include stack trace in the ThreadStart event
+ - JDK-8237512: AArch64: aarch64TestHook leaks a BufferBlob
+ - JDK-8237524: AArch64: String.compareTo() may return incorrect result
+ - JDK-8237950: C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal
optimization + - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read + - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test + - JDK-8239477: jdk/jfr/jcmd/TestJcmdStartStopDefault.java fails -XX:+VerifyOops with "verify_oop: rsi: broken oop" + - JDK-8239497: SEGV in EdgeUtils::field_name_symbol(Edge const&) + - JDK-8239886: Minimal VM build fails after JDK-8237499 + - JDK-8240633: Memory leaks in the implementations of FileChooserUI + - JDK-8240690: Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() + - JDK-8241234: Unify monitor enter/exit runtime entries. + - JDK-8241311: Move some charset mapping tests from closed to open + - JDK-8241797: Add some tests to the problem list + - JDK-8242029: AArch64: skip G1 array copy pre-barrier if marking not active + - JDK-8242335: Additional Tests for RSASSA-PSS + - JDK-8242480: Negative value may be returned by getFreeSwapSpaceSize() in the docker + - JDK-8242614: cleanup duplicated test ldap server in some com/sun/jndi/ldap/ tests + - JDK-8242846: Bring back test/jdk/tools/jlink/plugins/OrderResourcesPluginTest.java + - JDK-8243114: Implement montgomery{Multiply,Square}intrinsics on Windows + - JDK-8243290: Improve diagnostic messages for class verification and redefinition failures + - JDK-8243488: Add tests for set/get SendBufferSize and getReceiveBufferSize in DatagramSocket + - JDK-8243549: sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA + - JDK-8243617: compiler/onSpinWait/TestOnSpinWaitC1.java test uses wrong class + - JDK-8243619: compiler/codecache/CheckSegmentedCodeCache.java test misses -version + - JDK-8244142: some hotspot/runtime tests don't check exit code of forked JVM + - JDK-8244278: Excessive code cache flushes and sweeps + - JDK-8244282: test/hotspot/jtreg/compiler/intrinsics/Test8237524.java fails with --illegal-access=deny + - JDK-8244621: [macos10.15] Garbled FX 
printing plus CoreText warnings on Catalina when building with Xcode 11 + - JDK-8244819: hsdis does not compile with binutils 2.34+ + - JDK-8245051: c1 is broken if it is compiled by gcc without -fno-lifetime-dse + - JDK-8245168: jlink should not be treated as a "small" tool + - JDK-8245400: Upgrade to LittleCMS 2.11 + - JDK-8246381: VM crashes with "Current BasicObjectLock* below than low_mark" + - JDK-8246434: Threads::print_on_error assumes that the heap has been set up + - JDK-8246648: issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 + - JDK-8247201: Print potential pointer value of readable stack memory in hs_err file + - JDK-8247763: assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined() + - JDK-8247867: Upgrade to freetype 2.10.2 + - JDK-8248190: Enable Power10 system and implement new byte-reverse instructions + - JDK-8248226: TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing + - JDK-8248347: windows build broken by JDK-8243114 + - JDK-8248532: Every time I change keyboard language at my MacBook, Java crashes + - JDK-8248552: C2 crashes with SIGFPE due to division by zero + - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled + - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms + - JDK-8248791: sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing + - JDK-8248845: AArch64: stack corruption after spilling vector register + - JDK-8249176: Update GlobalSignR6CA test certificates + - JDK-8249183: JVM crash in "AwtFrame::WmSize" method + - JDK-8249192: MonitorInfo stores raw oops across safepoints + - JDK-8249602: C2: assert(cnt == _outcnt) failed: no insertions allowed + - JDK-8249603: C1: assert(has_error == false) failed: register allocation invalid + - JDK-8249605: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8249607: C2: assert(!had_error) failed: 
bad dominance + - JDK-8249608: Vector register used by C2 compiled method corrupted at safepoint + - JDK-8249672: Include microcode revision in features_string on x86 + - JDK-8249748: gtest silently ignores bad jvm arguments + - JDK-8249821: Separate libharfbuzz from libfontmanager + - JDK-8250598: Hyper-V is detected in spite of running on host OS + - JDK-8250605: Linux x86_32 builds fail after JDK-8249821 + - JDK-8250636: iso8601_time returns incorrect offset part on MacOS + - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY + - JDK-8250772: Test com/sun/jndi/ldap/NamingExceptionMessageTest.java fails intermittently with javax.naming.ServiceUnavailableException + - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field + - JDK-8250894: Provide a configure option to build and run against the platform libharfbuzz + - JDK-8250928: JFR: Improve hash algorithm for stack traces + - JDK-8250968: Symlinks attributes not preserved when using jarsigner on zip files + - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities + - JDK-8251118: BiasedLocking::preserve_marks should not have a HandleMark + - JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout + - JDK-8251257: NMT: jcmd VM.native_memory scale=1 crashes target VM + - JDK-8251365: Build failure on AIX after 8250636 + - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray + - JDK-8251456: [TESTBUG] compiler/vectorization/TestVectorsNotSavedAtSafepoint.java failed OutOfMemoryError + - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed" + - JDK-8251535: Partial peeling at unsigned test adds incorrect loop exit check + - JDK-8251949: ZGC: Set explicit heap size for compiler/gcbarriers tests + - JDK-8252090: JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9) + - JDK-8252415: Bump update version for OpenJDK: jdk-11.0.10 + - JDK-8252470: 
java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows + - JDK-8252497: Incorrect numeric currency code for ROL + - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option + - JDK-8252679: Two windows specific FileDIalog tests may fail on some Windows_Server_2016_Standard + - JDK-8252696: Loop unswitching may cause out of bound array load to be executed + - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent + - JDK-8253219: Epsilon: clean up unnecessary includes + - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues() + - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify + - JDK-8253269: The CheckCommonColors test should provide more info on failure + - JDK-8253284: Zero OrderAccess barrier mappings are incorrect + - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209) + - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads + - JDK-8253791: Issue with useAppleColor check in CSystemColors.m + - JDK-8254016: Test8237524 fails with -XX:-CompactStrings option + - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate + - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp + - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp + - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b + - JDK-8254185: Fix Code cache sweeper heuristics for JDK 11 + - JDK-8254190: [s390] interpreter misses exception check after calling monitorenter + - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics + - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations + - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c + - JDK-8255050: Add pkcs11/KeyStore/ClientAuth.sh to Problem list + - JDK-8255065: Zero: accessor_entry misses the IRIW case + 
- JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
+ - JDK-8255269: Unsigned overflow in g1Policy.cpp
+ - JDK-8255365: Problem list failing client manual tests
+ - JDK-8255457: Shenandoah: cleanup ShenandoahMarkTask
+ - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0
+ - JDK-8255550: x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect
+ - JDK-8255603: Memory/Performance regression after JDK-8210985
+ - JDK-8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback
+ - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java
+ - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX
+ - JDK-8256452: Integrate missing part of JDK-8232370 to 11u
+ - JDK-8256483: [TESTBUG] serviceability/jvmti/GetClassMethods/libOverpassMethods.c fails to compile on gcc 4.4.x
+ - JDK-8256557: libharfbuzz fails to link on gcc 4.4.x due to -Wl,-z,defs
+ - JDK-8256618: Zero: Linux x86_32 build still fails
+ - JDK-8256736: Zero: GTest tests fail with "unsuppported vm variant"
+ - JDK-8256809: Annotation processing causes NPE during flow analysis
+ - JDK-8257181: s390x builds are very noisy with gc-sections messages
+ - JDK-8257242: [macOS] Java app crashes while switching input methods
+ - JDK-8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport
+ - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
+ - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays
+ - JDK-8258630: Add expiry exception for QuoVadis root certificate
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8213821: -groupname Option Added to keytool Key Pair Generation
+===================================================================
+A new `-groupname` option has been added to `keytool -genkeypair` so
+that a user can specify a named group when generating a key pair. 
For
+example, `keytool -genkeypair -keyalg EC -groupname secp384r1` will
+generate an EC key pair by using the `secp384r1` curve. Because there
+might be multiple curves with the same size, using the `-groupname`
+option is preferred over the `-keysize` option.
+
+JDK-8248263: jarsigner Preserves POSIX File Permission and symlink Attributes
+=============================================================================
+When signing a file that contains POSIX file permission or symlink
+attributes, `jarsigner` now preserves these attributes in the newly
+signed file but warns that these attributes are unsigned and not
+protected by the signature. The same warning is printed during the
+`jarsigner -verify` operation for such files.
+
+Note that the `jar` tool does not read/write these attributes. This
+change is more visible to tools like `unzip` where these attributes
+are preserved.
+
+security-libs/javax.net.ssl:
+
+JDK-8225764: Support for X25519 and X448 in TLS
+================================================
+
+The named elliptic curve groups `x25519` and `x448` are now available
+for JSSE key agreement in TLS versions 1.0 to 1.3, with `x25519` being
+the most preferred of the default enabled named groups. The default
+ordered list is now:
+
+* x25519
+* secp256r1
+* secp384r1
+* secp521r1
+* x448
+* secp256k1
+* ffdhe2048
+* ffdhe3072
+* ffdhe4096
+* ffdhe6144
+* ffdhe8192
+
+The default list can be overridden using the system property *`jdk.tls.namedGroups`*.
+
+security-libs/org.ietf.jgss:
+
+JDK-8214079: Added a Default Native GSS-API Library on Windows
+==============================================================
+A native GSS-API library has been added to JDK on the Windows
+platform. The library is client-side only and uses the default
+credentials. It will be loaded when the `sun.security.jgss.native`
+system property is set to "true". 
A user can still load a third-party
+native GSS-API library by setting the system property
+`sun.security.jgss.lib` to its path.
+
+New in release OpenJDK 11.0.9.1 (2020-10-20):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11091
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.1.txt
+
+* Regression fixes
+ - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+
+New in release OpenJDK 11.0.9 (2020-10-20):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1109
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt
+
+* Security fixes
+ - JDK-8233624: Enhance JNI linkage
+ - JDK-8236196: Improve string pooling
+ - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ - JDK-8240124: Better VM Interning
+ - JDK-8241114, CVE-2020-14792: Better range handling
+ - JDK-8242680, CVE-2020-14796: Improved URI Support
+ - JDK-8242685, CVE-2020-14797: Better Path Validation
+ - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ - JDK-8243302: Advanced class supports
+ - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ - JDK-8244479: Further constrain certificates
+ - JDK-8244955: Additional Fix for JDK-8240124
+ - JDK-8245407: Enhance zoning of times
+ - JDK-8245412: Better class definitions
+ - JDK-8245417: Improve certificate chain handling
+ - JDK-8248574: Improve jpeg processing
+ - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ - JDK-8253019: Enhanced JPEG decoding
+* Other changes
+ - JDK-6532025: GIF reader throws misleading exception with truncated images
+ - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop
+ - JDK-8022535: [TEST BUG] 
javax/swing/text/html/parser/Test8017492.java fails + - JDK-8062947: Fix exception message to correctly represent LDAP connection failure + - JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed + - JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use + - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + - JDK-8172404: Tools should warn if weak algorithms are used before restricting them + - JDK-8193367: Annotated type variable bounds crash javac + - JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset + - JDK-8203026: java.rmi.NoSuchObjectException: no such object in table + - JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called + - JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass + - JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout + - JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java + - JDK-8204963: javax.swing.border.TitledBorder has a memory leak + - JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed" + - JDK-8205534: Remove SymbolTable dependency from serviceability agent + - JDK-8206309: Tier1 SA tests fail + - JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out + - JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 + - JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect + - JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! 
+ - JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + - JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + - JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + - JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + - JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + - JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + - JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + - JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + - JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + - JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + - JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + - JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + - JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + - JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + - JDK-8211694: JShell: Redeclared variable should be reset + - JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + - JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + - JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. 
lastLine=52, minLine=52, maxLine=55 + - JDK-8212807: tools/jar/multiRelease/Basic.java times out + - JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + - JDK-8213214: Set -Djava.io.tmpdir= when running tests + - JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + - JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + - JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + - JDK-8214074: Ghash optimization using AVX instructions + - JDK-8214491: Upgrade to JLine 3.9.0 + - JDK-8214797: TestJmapCoreMetaspace.java timed out + - JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\" + - JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + - JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + - JDK-8215438: jshell tool: Ctrl-D causes EOF + - JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + - JDK-8216974: HttpConnection not returned to the pool after 204 response + - JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + - JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + - JDK-8221658: aarch64: add necessary predicate for ubfx patterns + - JDK-8221759: Crash when completing \"java.io.File.path\" + - JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found + - JDK-8222074: Enhance auto vectorization for x86 + - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + - JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + - JDK-8223688: 
JShell: crash on the instantiation of raw anonymous class + - JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + - JDK-8223940: Private key not supported by chosen signature algorithm + - JDK-8224184: jshell got IOException at exiting with AIX + - JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + - JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + - JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + - JDK-8226536: Catch OOM from deopt that fails rematerializing objects + - JDK-8226575: OperatingSystemMXBean should be made container aware + - JDK-8226697: Several tests which need the @key headful keyword are missing it. + - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + - JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out + - JDK-8227269: Slow class loading when running with JDWP + - JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6" + - JDK-8228448: Jconsole can't connect to itself + - JDK-8228967: Trust/Key store and SSL context utilities for tests + - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + - JDK-8229815: Upgrade Jline to 3.12.1 + - JDK-8230000: some httpclients testng tests run zero test + - JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test + - JDK-8230010: Remove jdk8037819/BasicTest1.java + - JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + - JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?" 
+ - JDK-8230767: FlightRecorderListener returns null recording + - JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + - JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + - JDK-8231586: enlarge encoding space for OopMapValue offsets + - JDK-8231953: Wrong assumption in assertion in oop::register_oop + - JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + - JDK-8232083: Minimal VM is broken after JDK-8231586 + - JDK-8232161: Align some one-way conversion in MS950 charset with Windows + - JDK-8232855: jshell missing word in /help help + - JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + - JDK-8233386: Initialize NULL fields for unused decorations + - JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + - JDK-8233686: XML transformer uses excessive amount of memory + - JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + - JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + - JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + - JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + - JDK-8234149: Several regression tests do not dispose Frame at end + - JDK-8234347: "Turkey" meta time zone does not generate composed localized names + - JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly + - JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + - JDK-8234541: C1 emits an empty message when it inlines successfully + - JDK-8234687: change javap reporting on unknown 
attributes + - JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 + - JDK-8236548: Localized time zone name inconsistency between English and other locales + - JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575 + - JDK-8237182: Update copyright header for shenandoah and epsilon files + - JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + - JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + - JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + - JDK-8238284: [macos] Zero VM build fails due to an obvious typo + - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 + - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10 + - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 + - JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + - JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + - JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method"); + - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + - JDK-8240169: javadoc fails to link to non-modular api docs + - JDK-8240295: hs_err elapsed time in seconds is not accurate enough + - JDK-8240360: NativeLibraryEvent has wrong library name on Linux + - JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + - JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + - JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 
32bit Windows + - JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException + - JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + - JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + - JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + - JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + - JDK-8241750: x86_32 build failure after JDK-8227269 + - JDK-8242184: CRL generation error with RSASSA-PSS + - JDK-8242283: Can't start JVM when java home path includes non-ASCII character + - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + - JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework + - JDK-8243138: Enhance BaseLdapServer to support starttls extended request + - JDK-8243320: Add SSL root certificates to Oracle Root CA program + - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + - JDK-8243389: enhance os::pd_print_cpu_info on linux + - JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + - JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + - JDK-8244087: 2020-04-24 public suffix list update + - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + - JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + - JDK-8244196: adjust output in os_linux + - JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + - JDK-8244287: JFR: Methods samples have line number 0 + - JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI + - JDK-8244719: CTW: C2 compilation fails with 
"assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it" + - JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb + - JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 + - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + - JDK-8245151: jarsigner should not raise duplicate warnings on verification + - JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 + - JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch + - JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!" + - JDK-8245832: JDK build make-static-libs should build all JDK libraries + - JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan + - JDK-8245981: Upgrade to jQuery 3.5.1 + - JDK-8246027: Minimal fastdebug build broken after JDK-8245801 + - JDK-8246094: [macos] Sound Recording and playback is not working + - JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode + - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ + - JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError + - JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN + - JDK-8246330: Add TLS Tests for Legacy ECDSA curves + - JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place" + - JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods + - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + - JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code + - JDK-8247615: Initialize the bytes left for the heap sampler + - JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand + - JDK-8247874: Replacement in 
VersionProps.java.template not working when --with-vendor-bug-url contains '&' + - JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg + - JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + - JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + - JDK-8248348: Regression caused by the update to BCEL 6.0 + - JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + - JDK-8248495: [macos] zerovm is broken due to libffi headers location + - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + - JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + - JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + - JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + - JDK-8249255: Build fails if source code in cygwin home dir + - JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + - JDK-8249560: Shenandoah: Fix racy GC request handling + - JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + - JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + - JDK-8250609: C2 crash in IfNode::fold_compares + - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + - JDK-8250787: Provider.put no longer registering aliases in FIPS env + - JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + - JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count 
before/after parallel walk
+ - JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds
+ - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+ - JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure
+ - JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
+ - JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
+ - JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase
+ - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+ - JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility
+ - JDK-8252258: [11u] JDK-8242154 changes the default vendor
+ - JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011
+ - JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11
+ - JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258
+ - JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes
+
+Notes on individual issues:
+===========================
+
+core-libs/java.nio.charsets:
+
+JDK-8240196: Modified the MS950 charset Encoder's Conversion Table
+==================================================================
+In this release, some of the one-way byte-to-char mappings have been
+aligned with the preferred mappings provided by the Unicode Consortium
+(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt).
+
+core-libs/java.util:i18n:
+
+JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales
+=====================================================================================
+English time zone names provided by the CLDR locale provider are now
+correctly synthesized following the CLDR spec, rather than substituted
+from the COMPAT provider. For example, SHORT style names are no longer
+synthesized abbreviations of LONG style names, but instead produce GMT
+offset formats.
+
+core-svc/java.lang.management:
+
+JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
+============================================================================================
+When executing in a container, or other virtualized operating
+environment, the following `OperatingSystemMXBean` methods in this
+release return container specific information, if
+available. Otherwise, they return host specific data:
+
+* getFreePhysicalMemorySize()
+* getTotalPhysicalMemorySize()
+* getFreeSwapSpaceSize()
+* getTotalSwapSpaceSize()
+* getSystemCpuLoad()
+
+security-libs/java.security:
+
+JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
+========================================================================
+The Entrust root certificate has been added to the cacerts truststore:
+
+Alias Name: entrustrootcag4
+Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
+
+JDK-8250860: Added 3 SSL Corporation Root CA Certificates
+=========================================================
+The following root certificates have been added to the cacerts truststore for the SSL Corporation:
+
+Alias Name: sslrootrsaca
+Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrootevrsaca
+Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrooteccca
+Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
+===================================================================================
+Weak named curves are disabled by default by adding them to the
+following `disabledAlgorithms` security
properties:
+
+* jdk.tls.disabledAlgorithms
+* jdk.certpath.disabledAlgorithms
+* jdk.jar.disabledAlgorithms
+
+Red Hat has always disabled many of the curves provided by upstream,
+so the only addition in this release is:
+
+* secp256k1
+
+The curves that remain enabled are:
+
+* secp256r1
+* secp384r1
+* secp521r1
+* X25519
+* X448
+
+When large numbers of weak named curves need to be disabled, adding
+individual named curves to each `disabledAlgorithms` property would be
+overwhelming. To relieve this, a new security property,
+`jdk.disabled.namedCurves`, is implemented that can list the named
+curves common to all of the `disabledAlgorithms` properties. To use
+the new property in the `disabledAlgorithms` properties, precede the
+full property name with the keyword `include`. Users can still add
+individual named curves to `disabledAlgorithms` properties separate
+from this new property. No other properties can be included in the
+`disabledAlgorithms` properties.
+
+To restore the named curves, remove the `include
+jdk.disabled.namedCurves` either from specific or from all
+`disabledAlgorithms` security properties. To restore one or more
+curves, remove the specific named curve(s) from the
+`jdk.disabled.namedCurves` property.
+
+JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them
+===========================================================================
+The `keytool` and `jarsigner` tools have been updated to warn users
+about weak cryptographic algorithms being used before they are
+disabled. In this release, the tools issue warnings for the SHA-1 hash
+algorithm and 1024-bit RSA/DSA keys.
+
+security-libs/javax.net.ssl:
+
+JDK-8242147: New System Properties to Configure the TLS Signature Schemes
+=========================================================================
+Two new system properties have been added to customize the TLS
+signature schemes in JDK.
`jdk.tls.client.SignatureSchemes` has been
+added for the TLS client side, and `jdk.tls.server.SignatureSchemes`
+has been added for the server side.
+
+Each system property contains a comma-separated list of supported
+signature scheme names specifying the signature schemes that could be
+used for the TLS connections.
+
+The names are described in the "Signature Schemes" section of the
+*Java Security Standard Algorithm Names Specification*.
+
+security-libs/javax.security:
+
+JDK-8242059: Support for canonicalize in krb5.conf
+==================================================
+
+The 'canonicalize' flag in the [krb5.conf file][0] is now supported by
+the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name
+canonicalization is requested by clients in TGT requests to KDC
+services (AS protocol). Otherwise, and by default, it is not
+requested.
+
+The new default behavior is different from previous releases where
+name canonicalization was always requested by clients in TGT requests
+to KDC services (provided that support for RFC 6806[1] was not
+explicitly disabled with the *sun.security.krb5.disableReferrals*
+system or security properties).
+
+[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
+[1]: https://tools.ietf.org/html/rfc6806
+
+JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
+====================================================================
+Following JDK's update to tzdata2020b, the long-obsolete files
+pacificnew and systemv have been removed. As a result, the
+"US/Pacific-New" zone name declared in the pacificnew data file is no
+longer available for use.
+
+Information regarding the update can be viewed at
+https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
+
+New in release OpenJDK 11.0.8 (2020-07-14):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/oj1108
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.8.txt
+
+* Security fixes
+ - JDK-8230613: Better ASCII conversions
+ - JDK-8231800: Better listing of arrays
+ - JDK-8232014: Expand DTD support
+ - JDK-8233234: Better Zip Naming
+ - JDK-8233239, CVE-2020-14562: Enhance TIFF support
+ - JDK-8233255: Better Swing Buttons
+ - JDK-8234032: Improve basic calendar services
+ - JDK-8234042: Better factory production of certificates
+ - JDK-8234418: Better parsing with CertificateFactory
+ - JDK-8234836: Improve serialization handling
+ - JDK-8236191: Enhance OID processing
+ - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
+ - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ - JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ - JDK-8238002, CVE-2020-14581: Better matrix operations
+ - JDK-8238013: Enhance String writing
+ - JDK-8238804: Enhance key handling process
+ - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ - JDK-8238843: Enhanced font handing
+ - JDK-8238920, CVE-2020-14583: Better Buffer support
+ - JDK-8238925: Enhance WAV file playback
+ - JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ - JDK-8240482: Improved WAV file playback
+ - JDK-8241379: Update JCEKS support
+ - JDK-8241522: Manifest improved jar headers redux
+ - JDK-8242136, CVE-2020-14621: Better XML namespace handling
+* Other changes
+ - JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created
+ - JDK-7124307: JSpinner and changing value by mouse
+ - JDK-8022574: remove HaltNode code after uncommon trap calls
+ - JDK-8039082: [TEST_BUG] Test
java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + - JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo + - JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly + - JDK-8080353: JShell: Better error message on attempting to add default method + - JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + - JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + - JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + - JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + - JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + - JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + - JDK-8183369: RFC unconformity of HttpURLConnection with proxy + - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + - JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + - JDK-8191930: [Graal] emits unparseable XML into compile log + - JDK-8193879: Java debugger hangs on method invocation + - JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows + - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + - JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + - JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows + - JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + - JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 
+ - JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + - JDK-8203672: JNI exception pending in PlainSocketImpl.c + - JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + - JDK-8204834: Fix confusing "allocate" naming in OopStorage + - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + - JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + - JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + - JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages + - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts + - JDK-8209333: Socket reset issue for TLS 1.3 socket close + - JDK-8209439: C2 library_call can potentially ignore Math.pow intrinsic or use null pointer + - JDK-8209534: [TESTBUG]runtime/appcds/cacheObject/ArchivedModuleCompareTest.java fails with EnableJVMCI. + - JDK-8210147: adjust some WSAGetLastError usages in windows network coding + - JDK-8210284: "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4 + - JDK-8210303: VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable" + - JDK-8210515: [TESTBUG]CheckArchivedModuleApp.java needs to check if EnableJVMCI is set. 
+ - JDK-8210788: Javadoc for Thread.join(long, int) should specify that it waits forever when both arguments are zero + - JDK-8211301: [macos] support full window content options + - JDK-8211332: Space for stub routines (code_size2) is too small on new Skylake CPUs + - JDK-8211339: NPE during SSL handshake caused by HostnameChecker + - JDK-8211392: compiler/profiling/spectrapredefineclass_classloaders/Launcher.java times out in JDK12 CI + - JDK-8211743: [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames + - JDK-8212154: [TESTBUG] CheckArchivedModuleApp fails with NPE when JVMCI is absent + - JDK-8212167: JShell : Stack trace of exception has wrong line number + - JDK-8212933: Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks + - JDK-8212986: Make Visual Studio compiler check less strict + - JDK-8213250: CDS archive creation aborts due to metaspace object allocation failure + - JDK-8213516: jck test api/javax_accessibility/AccessibleState/fields.html fails intermittent + - JDK-8213947: ARM32: failed check_simd should set UsePopCountInstruction to false + - JDK-8214418: half-closed SSLEngine status may cause application dead loop + - JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" + - JDK-8214444: Wrong strncat limits in dfa.cpp + - JDK-8214481: freetype path does not disable TrueType hinting with AA+FM hints + - JDK-8214571: -Xdoclint of array serialField gives "error: array type not allowed here" + - JDK-8214856: Errors with JSZip in web console after upgrade to 3.1.5 + - JDK-8214862: assert(proj != __null) at compile.cpp:3251 + - JDK-8215369: Jcstress pollute /var/tmp with temporary files. 
+ - JDK-8215551: Missing case label in nmethod::reloc_string_for() + - JDK-8215555: TieredCompilation C2 threads can excessively block handshakes + - JDK-8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension + - JDK-8216151: [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug + - JDK-8216154: C4819 warnings at HotSpot sources on Windows + - JDK-8216541: CompiledICHolders of VM locked unloaded nmethods are released too late + - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() + - JDK-8217404: --with-jvm-features doesn't work when multiple features are explicitly disabled + - JDK-8217447: Develop flag TraceICs is broken + - JDK-8217606: LdapContext#reconnect always opens a new connection + - JDK-8218807: Compilation database (compile_commands.json) may contain obsolete items + - JDK-8219214: Infinite Loop in CodeSection::dump() + - JDK-8219904: ClassCastException when calling FlightRecorderMXBean#getRecordings() + - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl + - JDK-8221121: applications/microbenchmarks are encountering crashes in tier5 + - JDK-8221445: FastSysexMessage constructor crashes MIDI receiption thread + - JDK-8221482: Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode + - JDK-8221741: ClassCastException can happen when fontconfig.properties is used + - JDK-8221823: Requested JDialog width is ignored + - JDK-8223108: Test java/awt/EventQueue/NonComponentSourcePost.java is unstable + - JDK-8223935: PIT: java/awt/font/WindowsIndicFonts.java fails on windows10 + - JDK-8224109: Text spaced incorrectly by drawString under rotation with fractional metric + - JDK-8224632: testbug: java/awt/dnd/RemoveDropTargetCrashTest/RemoveDropTargetCrashTest.java fails on MacOS + - JDK-8224793: os::die() does not honor CreateCoredumpOnCrash option + - JDK-8224847: 
gc/stress/TestReclaimStringsLeaksMemory.java fails with reserved greater than expected + - JDK-8224931: disable JAOTC invokedynamic support until 8223533 is fixed + - JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException + - JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020 + - JDK-8225069: Remove Comodo root certificate that is expiring in May 2020 + - JDK-8225126: Test SetBoundsPaintTest.html faild on Windows when desktop is scaled + - JDK-8225325: Add tests for redefining a class' private method during resolution of the bootstrap specifier + - JDK-8225622: [AOT] runtime/SharedArchiveFile/TestInterpreterMethodEntries.java crashed with AOTed java.base + - JDK-8225653: Provide more information when hitting SIGILL from HaltNode + - JDK-8225783: Incorrect use of binary operators on booleans in type.cpp + - JDK-8225789: Empty method parameter type should generate ClassFormatError + - JDK-8226198: use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state + - JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden. 
+ - JDK-8226653: [accessibility] Can edit text cell correctly, but Accessibility Tool reads nothing about editor + - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread + - JDK-8226879: Memory leak in Type::hashcons + - JDK-8227632: Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4 + - JDK-8228407: JVM crashes with shared archive file mismatch + - JDK-8228482: fix xlc16/xlclang comparison of distinct pointer types and string literal conversion warnings + - JDK-8228757: Fail fast if the handshake type is unknown + - JDK-8229158: make UseSwitchProfiling non-experimental or false by-default + - JDK-8229421: The logic of java/net/ipv6tests/TcpTest.java is flawed + - JDK-8229855: C2 fails with assert(false) failed: bad AD file + - JDK-8230591: AArch64: Missing intrinsics for Math.ceil, floor, rint + - JDK-8231118: ARM32: Math tests failures + - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + - JDK-8231243: [TESTBUG] CustomFont.java cannot find font file + - JDK-8231438: [macOS] Dark mode for the desktop is not supported + - JDK-8231550: C2: ShouldNotReachHere() in verify_strip_mined_scheduling + - JDK-8231564: setMaximizedBounds is broken with large display scale and multiple monitors + - JDK-8231572: Use -lobjc instead of -fobjc-link-runtime in libosxsecurity + - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE + - JDK-8231671: Fix copyright headers in hotspot (missing comma after year) + - JDK-8231720: Some perf regressions after 8225653 + - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate + - JDK-8231863: Crash if classpath is read from @argument file and the main gets option argument + - JDK-8232080: jlink plugins for vendor information and run-time options + - JDK-8232106: [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it + - JDK-8232134: Change to Visual Studio 2017 15.9.16 for building on Windows 
at Oracle + - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail + - JDK-8232357: Compare version info of Santuario to legal notice + - JDK-8232572: Add hooks for custom output dir in Bundles.gmk + - JDK-8232634: Problem List ICMColorDataTest.java + - JDK-8232748: Build static versions of certain JDK libraries + - JDK-8232846: ProcessHandle.Info command with non-English shows question marks + - JDK-8233033: C2 produces wrong result while unswitching a loop due to lost control dependencies + - JDK-8233137: runtime/ErrorHandling/VeryEarlyAssertTest.java fails after 8232080 + - JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing + - JDK-8233291: [TESTBUG] tools/jlink/plugins/VendorInfoPluginsTest.java fails with debug or non-server VMs + - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp + - JDK-8233573: Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException + - JDK-8233608: Minimal build broken after JDK-8233494 + - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + - JDK-8233696: [TESTBUG]Some jtreg tests fail when CAPS_LOCK is ON + - JDK-8233707: systemScale.cpp could not compile with VS2019 + - JDK-8233801: GCMEmptyIv.java test fails on Solaris 11.4 + - JDK-8233880: Support compilers with multi-digit major version numbers + - JDK-8233920: MethodHandles::tryFinally generates illegal bytecode for long/double return type + - JDK-8234137: The "AutoTestOnTop.java" test may run external applications + - JDK-8234146: compiler/jsr292/ContinuousCallSiteTargetChange.java times out on SPARC + - JDK-8234184: [TESTBUG] java/awt/Mouse/EnterExitEvents/ModalDialogEnterExitEventsTest.java fails in Windows + - JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area + - JDK-8234332: [TESTBUG] java/awt/Focus/DisposedWindow/DisposeDialogNotActivateOwnerTest/DisposeDialogNotActivateOwnerTest.java 
fails on linux-x64 nightly + - JDK-8234398: Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps + - JDK-8234522: [macos] Crash with use of native file dialog + - JDK-8234691: Potential double-free in ParallelSPCleanupTask constructor + - JDK-8234696: tools/jlink/plugins/VendorInfoPluginsTest.java times out + - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3 + - JDK-8234728: Some security tests should support TLSv1.3 + - JDK-8234779: Provide idiom for declaring classes noncopyable + - JDK-8234968: check calloc rv in libinstrument InvocationAdapter + - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails + - JDK-8235183: Remove the "HACK CODE" in comment + - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions + - JDK-8235311: Tag mismatch may alert bad_record_mac + - JDK-8235332: TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM + - JDK-8235452: Strip mined loop verification fails with assert(is_OuterStripMinedLoop()) failed: invalid node class + - JDK-8235584: UseProfiledLoopPredicate fails with assert(_phase->get_loop(c) == loop) failed: have to be in the same loop + - JDK-8235620: Broken merge between JDK-8006406 and JDK-8003559 + - JDK-8235638: NPE in LWWindowPeer.getOnscreenGraphics() + - JDK-8235686: Add more custom hooks in Bundles.gmk + - JDK-8235739: Rare NPE at WComponentPeer.getGraphics() + - JDK-8235762: JVM crash in SWPointer during C2 compilation + - JDK-8235834: IBM-943 charset encoder needs updating + - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property. 
+ - JDK-8235908: omit ThreadPriorityPolicy warning when value is set from image + - JDK-8235984: C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop + - JDK-8236211: [Graal] compiler/graalunit/GraphTest.java is skipped in all testing + - JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId + - JDK-8236545: Compilation error in mach5 java/awt/FileDialog/MacOSGoToFolderCrash.java + - JDK-8236700: Upgrading JSZip from v3.1.5 to v3.2.2 + - JDK-8236759: ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8236897: Fix the copyright header for pkcs11gcm2.h + - JDK-8236921: Add build target to produce a JDK image suitable for a Graal/SVM build + - JDK-8236953: [macos] JavaFX SwingNode is not rendered on macOS + - JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing + - JDK-8237045: JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648 + - JDK-8237055: [TESTBUG] compiler/c2/TestJumpTable.java fails with release VMs + - JDK-8237086: assert(is_MachReturn()) running CTW with fix for JDK-8231291 + - JDK-8237192: Generate stripped/public pdbs on Windows for jdk images + - JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers + - JDK-8237474: Default SSLEngine should create in server role + - JDK-8237859: C2: Crash when loads float above range check + - JDK-8237951: CTW: C2 compilation fails with "malformed control flow" + - JDK-8237962: give better error output for invalid OCSP response intervals in CertPathValidator checks + - JDK-8238190: [JVMCI] Fix single implementor speculation for diamond shapes. 
+ - JDK-8238356: CodeHeap::blob_count() overestimates the number of blobs + - JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01 + - JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB + - JDK-8238575: DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows) + - JDK-8238676: jni crashes on accessing it from process exit hook + - JDK-8238721: Add failing client jtreg tests to the Problem List + - JDK-8238738: AudioSystem.getMixerInfo() takes about 30 sec to report a gone audio device + - JDK-8238756: C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node + - JDK-8238765: PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly + - JDK-8238898: Missing hash characters for header on license file + - JDK-8238942: Rendering artifacts with LCD text and fractional metrics + - JDK-8238985: [TESTBUG] The arrow image is blue instead of green + - JDK-8239000: handle ContendedPaddingWidth in vm_version_ppc + - JDK-8239055: Wrong implementation of VMState.hasListener + - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code. + - JDK-8239142: C2's UseUniqueSubclasses optimization is broken for array accesses + - JDK-8239224: libproc_impl.c previous_thr may be used uninitialized warning + - JDK-8239351: Give more meaningful InternalError messages in Deflater.c + - JDK-8239365: ProcessBuilder test modifications for AIX execution + - JDK-8239456: vtable stub generation: assert failure (code size estimate) + - JDK-8239457: call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect + - JDK-8239462: jdk.hotspot.agent misses some ReleaseStringUTFChars calls in case of early returns + - JDK-8239557: [TESTBUG] VeryEarlyAssertTest.java validating "END." 
marker at lastline is not always true + - JDK-8239787: AArch64: String.indexOf may incorrectly handle empty strings + - JDK-8239792: Bump update version for OpenJDK: jdk-11.0.8 + - JDK-8239798: SSLSocket closes socket both socket endpoints on a SocketTimeoutException + - JDK-8239819: XToolkit: Misread of screen information memory + - JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed + - JDK-8239893: Windows handle Leak when starting processes using ProcessBuilder + - JDK-8239915: Zero VM crashes when handling dynamic constant + - JDK-8239931: [win][x86] vtable stub generation: assert failure (code size estimate) follow-up + - JDK-8239976: Put JDK-8239965 on the ProblemList.txt + - JDK-8240073: Fix 'test-make' build target in 11u + - JDK-8240197: Cannot start JVM when $JAVA_HOME includes CJK characters + - JDK-8240202: A few client tests leave mouse buttons pressed + - JDK-8240220: IdealLoopTree::dump_head predicate printing is broken + - JDK-8240223: Use consistent predicate order in and with PhaseIdealLoop::find_predicate + - JDK-8240227: Loop predicates should be copied to unswitched loops + - JDK-8240286: [TESTBUG] Test command error in hotspot/jtreg/compiler/loopopts/superword/SumRedAbsNeg_Float.java + - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print + - JDK-8240529: CheckUnhandledOops breaks NULL check in Modules::define_module + - JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges + - JDK-8240603: Windows 32bit compile error after 8238676 + - JDK-8240629: argfiles parsing broken for argfiles with comment cross 4096 bytes chunk + - JDK-8240711: TestJstatdPort.java failed due to "ExportException: Port already in use:" + - JDK-8240786: [TESTBUG] The test java/awt/Window/GetScreenLocation/GetScreenLocationTest.java fails on HiDPI screen + - JDK-8240824: enhance print_full_memory_info on Linux by THP related 
information + - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE" + - JDK-8240905: assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once? + - JDK-8240972: macOS codesign fail on macOS 10.13.5 or older + - JDK-8241445: Fix copyright in test/jdk/tools/launcher/ArgFileSyntax.java + - JDK-8241458: [JVMCI] add mark value to expose CodeOffsets::Frame_Complete + - JDK-8241464: [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action + - JDK-8241556: Memory leak if -XX:CompileCommand is set + - JDK-8241568: (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted" + - JDK-8241586: compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64 + - JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set + - JDK-8241660: Add virtualization information output to hs_err file on macOS + - JDK-8241808: [TESTBUG] The JDK-8039467 bug appeared on macOS + - JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one + - JDK-8241900: Loop unswitching may cause dependence on null check to be lost + - JDK-8241948: enhance list of environment variables printed in hs_err file + - JDK-8241996: on linux set full relro in the linker flags + - JDK-8242108: Performance regression after fix for JDK-8229496 + - JDK-8242141: New System Properties to configure the TLS signature schemes + - JDK-8242154: Backport parts of JDK-4947890 to OpenJDK 11u + - JDK-8242174: [macos] The NestedModelessDialogTest test make the macOS unstable + - JDK-8242239: [Graal] javax/management/generified/GenericTest.java fails: FAILED: queryMBeans sets same + - JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking + - JDK-8242379: [TESTBUG] compiler/loopopts/TestLoopUnswitchingLostCastDependency.java fails with release VMs + - JDK-8242470: Update Xerces to Version 2.12.1 
+ - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash + - JDK-8242541: Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C) + - JDK-8242626: enhance posix print_rlimit_info + - JDK-8243059: Build fails when --with-vendor-name contains a comma + - JDK-8243539: Copyright info (Year) should be updated for fix of 8241638 + - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a + - JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in + - JDK-8244520: problemlist java/awt/font/Rotate/RotatedFontTest.java on linux + - JDK-8244777: ClassLoaderStats VM Op uses constant hash value + - JDK-8244853: The static build of libextnet is missing the JNI_OnLoad_extnet function + - JDK-8244951: Missing entitlements for hardened runtime + - JDK-8245047: [PPC64] C2: ReverseBytes + Load always match to unordered Load (acquire semantics missing) + - JDK-8245649: Revert 8245397 backport of 8230591 + - JDK-8246031: SSLSocket.getSession() doesn't close connection for timeout/ interrupts + - JDK-8246613: Choose the default SecureRandom algo based on registration ordering + - JDK-8248505: Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8244167: Removal of Comodo Root CA Certificate +================================================== +The following expired Comodo root CA certificate was removed from the `cacerts` keystore: + +alias name "addtrustclass1ca [jdk]" + +Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE + +JDK-8244166: Removal of DocuSign Root CA Certificate +==================================================== +The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: + +alias name "keynectisrootca [jdk]" + +Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR + 
+security-libs/javax.crypto:pkcs11: + +JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database +============================================================================================================================ +The SunPKCS11 security provider can now be initialized with NSS when +FIPS-enabled external modules are configured in the Security Modules +Database (NSSDB). Prior to this change, the SunPKCS11 provider would +throw a RuntimeException with the message: "FIPS flag set for +non-internal module" when such a library was configured for NSS in +non-FIPS mode. + +This change allows the JDK to work properly with recent NSS releases +in GNU/Linux operating systems when the system-wide FIPS policy is +turned on. + +Further information can be found in JDK-8238555. + +security-libs/javax.net.ssl: + +JDK-8245077: Default SSLEngine Should Create in Server Role +=========================================================== +In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client +mode when handshaking. As a result, the set of default enabled +protocols may differ to what is expected. `SSLEngine` would usually be +used in server mode. From this JDK release onwards, `SSLEngine` will +default to server mode. The +`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may +be used to configure the mode. + +JDK-8242147: New System Properties to Configure the TLS Signature Schemes +========================================================================= + +Two new System Properties are added to customize the TLS signature +schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS +client side, and `jdk.tls.server.SignatureSchemes` is added for server +side. + +Each System Property contains a comma-separated list of supported +signature scheme names specifying the signature schemes that could be +used for the TLS connections. 
+ +The names are described in the "Signature Schemes" section of the +*Java Security Standard Algorithm Names Specification*. + New in release OpenJDK 11.0.7 (2020-04-14): =========================================== Live versions of these release notes can be found at: diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh new file mode 100755 index 0000000..d8c729b --- /dev/null +++ b/generate_source_tarball.sh 
@@ -0,0 +1,172 @@
+#!/bin/bash
+# Generates the 'source tarball' for JDK projects.
+#
+# Example:
+# When used from local repo set REPO_ROOT pointing to file:// with your repo
+# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
+# If you want to use a local copy of patch PRTBC01, set the path to it in the PRTBC01 variable
+#
+# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
+# PROJECT_NAME=jdk
+# REPO_NAME=jdk
+# VERSION=tip
+# or to eg prepare systemtap:
+# icedtea7's jstack and other tapsets
+# VERSION=6327cf1cea9e
+# REPO_NAME=icedtea7-2.6
+# PROJECT_NAME=release
+# OPENJDK_URL=http://icedtea.classpath.org/hg/
+# TO_COMPRESS="*/tapset"
+#
+# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
+
+# This script creates a single source tarball out of the repository
+# based on the given tag and removes code not allowed in fedora/rhel. For
+# consistency, the source tarball will always contain 'openjdk' as the top
+# level folder, name is created, based on parameter
+#
+
+if [ ! "x$PRTBC01" = "x" ] ; then
+ if [ ! -f "$PRTBC01" ] ; then
+ echo "You have specified PRTBC01 as $PRTBC01 but it does not exist. Exiting"
+ exit 1
+ fi
+fi
+
+set -e
+
+OPENJDK_URL_DEFAULT=http://hg.openjdk.java.net
+COMPRESSION_DEFAULT=xz
+
+if [ "x$1" = "xhelp" ] ; then
+ echo -e "Behaviour may be specified by setting the following variables:\n"
+ echo "VERSION - the version of the specified OpenJDK project"
+ echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
+ echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
+ echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
+ echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
+ echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
+ echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
+ echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
+ echo "PRTBC01 - the path to the PRTBC01 patch to apply (optional; downloaded if unavailable)"
+ exit 1;
+fi
+
+
+if [ "x$VERSION" = "x" ] ; then
+ echo "No VERSION specified"
+ exit -2
+fi
+echo "Version: ${VERSION}"
+
+# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
+if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
+ if [ "x$PROJECT_NAME" = "x" ] ; then
+ echo "No PROJECT_NAME specified"
+ exit -1
+ fi
+ echo "Project name: ${PROJECT_NAME}"
+ if [ "x$REPO_NAME" = "x" ] ; then
+ echo "No REPO_NAME specified"
+ exit -3
+ fi
+ echo "Repository name: ${REPO_NAME}"
+fi
+
+if [ "x$OPENJDK_URL" = "x" ] ; then
+ OPENJDK_URL=${OPENJDK_URL_DEFAULT}
+ echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}"
+else
+ echo "OpenJDK URL: ${OPENJDK_URL}"
+fi
+
+if [ "x$COMPRESSION" = "x" ] ; then
+ # rhel 5 needs tar.gz
+ COMPRESSION=${COMPRESSION_DEFAULT}
+fi
+echo "Creating a tar.${COMPRESSION} archive"
+
+if [ "x$FILE_NAME_ROOT" = "x" ] ; then
+ FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+ echo "No file name root specified; default to ${FILE_NAME_ROOT}"
+fi
+if [ "x$REPO_ROOT" = "x" ] ; then
+ REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}"
+ echo "No repository root specified; default to ${REPO_ROOT}"
+fi;
+if [ "x$TO_COMPRESS" = "x" ] ; then
+ TO_COMPRESS="openjdk"
+ echo "No to be compressed targets specified, ; default to ${TO_COMPRESS}"
+fi;
+
+echo -e "Settings:"
+echo -e "\tVERSION: ${VERSION}"
+echo -e "\tPROJECT_NAME: ${PROJECT_NAME}"
+echo -e "\tREPO_NAME: ${REPO_NAME}"
+echo -e "\tOPENJDK_URL: ${OPENJDK_URL}"
+echo -e "\tCOMPRESSION: ${COMPRESSION}"
+echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}"
+echo -e "\tREPO_ROOT: ${REPO_ROOT}"
+echo -e "\tTO_COMPRESS: ${TO_COMPRESS}"
+echo -e "\tPRTBC01: ${PRTBC01}"
+
+if [ -d ${FILE_NAME_ROOT} ] ; then
+ echo "exists exists exists exists exists exists exists "
+ echo "reusing reusing reusing reusing reusing reusing "
+ echo ${FILE_NAME_ROOT}
+else
+ mkdir "${FILE_NAME_ROOT}"
+ pushd "${FILE_NAME_ROOT}"
+ echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
+ hg clone ${REPO_ROOT} openjdk -r ${VERSION}
+ popd
+fi
+pushd "${FILE_NAME_ROOT}"
+# UnderlineTaglet.java has a BSD license with a field-of-use restriction, making it non-Free
+ if [ -d openjdk/test ] ; then
+ echo "Removing langtools test case with non-Free license"
+ rm -vf openjdk/test/langtools/tools/javadoc/api/basic/taglets/UnderlineTaglet.java
+ fi
+ if [ -d openjdk/src ]; then
+ pushd openjdk
+ echo "Removing EC source code we don't build"
+ CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl
+ rm -vf ${CRYPTO_PATH}/ec2.h
+ rm -vf ${CRYPTO_PATH}/ec2_163.c
+ rm -vf ${CRYPTO_PATH}/ec2_193.c
+ rm -vf ${CRYPTO_PATH}/ec2_233.c
+ rm -vf ${CRYPTO_PATH}/ec2_aff.c
+ rm -vf ${CRYPTO_PATH}/ec2_mont.c
+ rm -vf ${CRYPTO_PATH}/ecp_192.c
+ rm -vf ${CRYPTO_PATH}/ecp_224.c
+
+ echo "Syncing EC list with NSS"
+ if [ "x$PRTBC01" = "x" ] ; then
+ # get prTBC01.patch (from http://icedtea.classpath.org/hg/icedtea11) from most correct tag
+ # Do not push it or publish it (see http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3751)
+ echo "PRTBC01 not found. Downloading..."
+ wget http://icedtea.classpath.org/hg/icedtea11/raw-file/tip/patches/prtbc01-4curve.patch
+ echo "Applying ${PWD}/prTBC01.patch"
+ patch -Np1 < prtbc01.patch
+ rm prtbc01.patch
+ else
+ echo "Applying ${PRTBC01}"
+ patch -Np1 < $PRTBC01
+ fi;
+ find . -name '*.orig' -exec rm -vf '{}' ';'
+ popd
+ fi
+
+ echo "Compressing remaining forest"
+ if [ "X$COMPRESSION" = "Xxz" ] ; then
+ SWITCH=cJf
+ else
+ SWITCH=czf
+ fi
+ TARBALL_NAME=${FILE_NAME_ROOT}-4curve-clean.tar.${COMPRESSION}
+ tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS
+ mv ${TARBALL_NAME} ..
+popd
+echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
+
+
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index 989ab93..51519ef 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
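Review bot: In the branch taken when `PRTBC01` is unset, the download and the apply step disagree on the file name: `wget` saves `prtbc01-4curve.patch`, but the following lines read and delete `prtbc01.patch`, so under `set -e` the script stops at `patch -Np1 < prtbc01.patch`. The fetch is also plain HTTP from the mutable `tip` revision with no integrity check, and what it fetches rewrites EC source that ends up in the tarball; the `hg clone` default `OPENJDK_URL_DEFAULT=http://hg.openjdk.java.net` has the same exposure. I would save under a fixed name with `wget -O prtbc01.patch <URL pinned to a changeset>` and verify before applying, e.g. `echo "<PINNED_SHA256>  prtbc01.patch" | sha256sum -c -`. Quoting the remaining bare expansions (`patch -Np1 < "$PRTBC01"`, `[ -d "${FILE_NAME_ROOT}" ]`, `hg clone "${REPO_ROOT}" openjdk -r "${VERSION}"`) would keep caller-supplied values from word-splitting.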
@@ -4,30 +4,38 @@ # # Examples: # -# Produce release *and* slowdebug builds on x86_64 (default): -# $ rpmbuild -ba java-1.8.0-openjdk.spec +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-11-openjdk.spec # # Produce only release builds (no slowdebug builds) on x86_64: -# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug +# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug # # Only produce a release build on x86_64: -# $ fedpkg mockbuild --without slowdebug +# $ fedpkg mockbuild --without slowdebug --without fastdebug # # Only produce a debug build on x86_64: # $ fedpkg local --without release # + +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug + # Enable slowdebug builds by default on relevant arches. -%ifarch %{arm64} -%bcond_with slowdebug -%else %bcond_without slowdebug -%endif # Enable release builds by default on relevant arches. %bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs + # Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} %define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif #in rosa linux there is no tzdb.dat file #in the timezone package we will @@ -37,6 +45,9 @@ %bcond_without clang %bcond_with bootstrap +# avoid odd diff with spec from Fedora +%define fedora 36 + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 
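Review bot: `%define fedora 36` in the second hunk on this line makes every `0%{?fedora}` test in the spec evaluate as Fedora 36 on a ROSA build, which reaches further than the stated aim of avoiding an odd diff against Fedora. Which conditionals key on `fedora` is not visible in this hunk, so the effect on the built packages cannot be judged from here. If the override stays, I would document its scope next to it, e.g. `# ROSA: forces the Fedora branch of every %if 0%{?fedora} below; re-check on each sync with Fedora`.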
@@ -48,14 +59,22 @@ # See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" # (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) %global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs # quoted one for shell operations %global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" %global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" -# if you want only debug build but providing java build only normal build but set normalbuild_parameter -%global debug_warning This package has full debug on. Install only in need and remove asap. -%global debug_on with full debug on -%global for_debug for packages with debug on +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation %if %{with release} %global include_normal_build 1 
@@ -64,42 +83,64 @@ %endif %if %{include_normal_build} -%global build_loop1 %{normal_suffix} +%global normal_build %{normal_suffix} %else -%global build_loop1 %{nil} +%global normal_build %{nil} %endif # We have hardcoded list of files, which is appearing in alternatives, and in files # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list -# those files ,must *NOT* be ghosted for *slowdebug* packages -# FIXME - if you are moving jshell or jlink or simialr, always modify all three sections +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections # you can check via headless and devels: # rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin # != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} -%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) 
-%global is_system_jdk 0 +%global is_system_jdk 1 %global aarch64 aarch64 arm64 armv8 # we need to distinguish between big and little endian PPC64 %global ppc64le ppc64le %global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs %global multilib_arches %{power64} sparc64 x86_64 -%global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} s390x +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{debug_arches} %{arm} +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler %global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 -# By default, we build a debug build during main build on JIT architectures +# By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} -%ifarch %{jit_arches} -%ifnarch %{arm} +%ifarch %{debug_arches} %global include_debug_build 1 
%else %global include_debug_build 0 
@@ -107,39 +148,72 @@ %else %global include_debug_build 0 %endif -%else -%global include_debug_build 0 -%endif -# On x86_64 and AArch64, we use the Shenandoah HotSpot -%ifarch x86_64 %{aarch64} +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} %global use_shenandoah_hotspot 1 +%global shenandoah_feature shenandoahgc %else %global use_shenandoah_hotspot 0 +%global shenandoah_feature -shenandoahgc +%endif + +# On certain architectures, we compile the ZGC +%ifarch %{zgc_arches} +%global use_zgc_hotspot 1 +%global zgc_feature zgc +%else +%global use_zgc_hotspot 0 +%global zgc_feature -zgc +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 %endif %if %{include_debug_build} -%global build_loop2 %{debug_suffix} +%global slowdebug_build %{debug_suffix} %else -%global build_loop2 %{nil} +%global slowdebug_build %{nil} %endif -# if you disable both builds, then the build fails -%global build_loop %{build_loop1} %{build_loop2} -# note: that order: normal_suffix debug_suffix, in case of both enabled -# is expected in one single case at the end of the build -%global rev_build_loop %{build_loop2} %{build_loop1} +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable both builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif # http://openjdk.java.net/groups/build/doc/building.html +# unlike portables,the rpms have to use static_libs_target very dynamically #if %{without bootstrap} -#global 
release_targets bootcycle-images static-libs-image docs-zip +#global release_targets bootcycle-images docs-zip #else # XXX there are problems with building bootcycle-images, turn them off for now, not really needed -%global release_targets images docs-zip static-libs-image +%global release_targets images docs-zip #endif # No docs nor bootcycle for debug builds -%global debug_targets images static-libs-image +%global debug_targets images +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 +%define _lto_cflags %{nil} # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 
@@ -165,68 +239,82 @@ # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap -# does not match that given by _build_cpu +# does not match that given by _target_cpu %ifarch x86_64 %global archinstall amd64 +%global stapinstall x86_64 %endif %ifarch ppc %global archinstall ppc +%global stapinstall powerpc %endif %ifarch %{ppc64be} %global archinstall ppc64 +%global stapinstall powerpc %endif %ifarch %{ppc64le} %global archinstall ppc64le +%global stapinstall powerpc %endif %ifarch %{ix86} %global archinstall i686 +%global stapinstall i386 %endif %ifarch ia64 %global archinstall ia64 +%global stapinstall ia64 %endif %ifarch s390 %global archinstall s390 +%global stapinstall s390 %endif %ifarch s390x %global archinstall s390x +%global stapinstall s390 %endif %ifarch %{arm} %global archinstall arm +%global stapinstall arm %endif %ifarch %{aarch64} %global archinstall aarch64 +%global stapinstall arm64 %endif # 32 bit sparc, optimized for v9 %ifarch sparcv9 %global archinstall sparc +%global stapinstall %{_target_cpu} %endif # 64 bit sparc %ifarch sparc64 %global archinstall sparcv9 +%global stapinstall %{_target_cpu} %endif -%ifnarch %{jit_arches} -%global archinstall %{_arch} +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} %endif - - -%ifarch %{jit_arches} +%ifarch %{systemtap_arches} %global with_systemtap 1 %else %global with_systemtap 0 %endif # New Version-String scheme-style defines -# If you bump majorver, you must bump also vendor_version_string -%global majorver 11 +%global featurever 11 +%global interimver 0 +%global updatever 12 +%global patchver 0 +# If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. 
JDK 11 was # GA'ed in September 2018 => 18.9 %global vendor_version_string 18.9 -%global securityver 8 -# buildjdkver is usually same as %%{majorver}, -# but in time of bootstrap of next jdk, it is majorver-1, +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver %{majorver} +%global buildjdkver %{featurever} # Add LTS designator for RHEL builds %if 0%{?rhel} %global lts_designator "LTS" 
@@ -236,33 +324,50 @@ %global lts_designator_zip "" %endif +# Define vendor information used by OpenJDK +%global oj_vendor ROSA Linux +%global oj_vendor_url https://www.rosalinux.ru/ +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi + # Define IcedTea version used for SystemTap tapsets and desktop file -%global icedteaver 3.15.0 +%global icedteaver 6.0.0pre00-c848b93a8598 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} -%global minorver 0 -%global buildver 6 -%global rpmrelease 1 -#%%global tagsuffix "" -# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 7 +%global rpmrelease 7 +#%%global tagsuffix %%{nil} +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk -%global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. 
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) %else # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{majorver}.%{minorver}.%{securityver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -%global javaver %{majorver} +# Omit trailing 0 in filenames when the patch version is 0 +%if 0%{?patchver} > 0 +%global filever %{newjavaver} +%else +%global filever %{featurever}.%{interimver}.%{updatever} +%endif + +%global javaver %{featurever} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global ea_designator "" %global ea_designator_zip "" 
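Review bot: `oj_vendor_bug_url` is set to `https://bugzilla.redhat.com/enter_bug.cgi` while `oj_vendor` and `oj_vendor_url` name ROSA Linux. Where these macros are consumed is outside this hunk, but if they feed the JDK's vendor bug URL, crash reports from this build would send users to Red Hat's tracker for a package Red Hat did not build. I would point it at the distribution's own tracker, `%global oj_vendor_bug_url <ROSA_BUG_TRACKER_URL>`. Separately, `combiver` is written with `$( expr … )` rather than `%( … )`, so it is only evaluated because `priority` expands it inside its own `%( )`; a one-line comment saying so would stop someone reusing `%{combiver}` elsewhere as if it were a number.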
@@ -275,31 +380,14 @@ %global eaprefix 0. %endif -# Define what url should JVM offer in case of a crash report -# order may be important, epel may have rhel declared -%if 0%{?epel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} -%else -%if 0%{?fedora} -# Does not work for rawhide, keeps the version field empty -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} -%else -%if 0%{?rhel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} -%else -%global bugs https://bugzilla.redhat.com/enter_bug.cgi -%endif -%endif -%endif - # parametrized macros are order-sensitive -%global compatiblename java-%{majorver}-%{origin} +%global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:openjdk/build%{?1}} +%define buildoutputdir() %{expand:build/jdk11.build%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk 
@@ -309,7 +397,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.* %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ 
@@ -317,6 +405,8 @@ # Never generate lib-style provides/requires for slowdebug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ %else # Don't generate provides/requires for JDK provided shared libraries at all. %global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ @@ -333,8 +423,18 @@ %define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%global alt_java_name alt-java + %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, @@ -343,10 +443,10 @@ # and 32 bit architectures we place the tapsets under the arch # specific dir (note that systemtap will only pickup the tapset # for the primary arch for now). Systemtap uses the machine name -# aka build_cpu as architecture specific directory name. +# aka target_cpu as architecture specific directory name. %global tapsetroot /usr/share/systemtap %global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif # not-duplicated scriptlets for normal/debug packages 
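Review bot: In the first hunk on this line the two added `%global __provides_exclude_from` / `__requires_exclude_from` lines redefine the same macros as the two lines above them, and a later `%global` replaces the earlier value, so only the fastdebug path is excluded and slowdebug packages would get lib-style provides/requires again. One pattern covering both suffixes avoids that: `%global __provides_exclude_from ^.*/(%{uniquesuffix -- %{debug_suffix_unquoted}}|%{uniquesuffix -- %{fastdebug_suffix_unquoted}})/.*$`, and the same alternation for `__requires_exclude_from`. The enclosing `%if %is_system_jdk` block starts outside the hunk.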
@@ -359,16 +459,7 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{jit_arches} -# MetaspaceShared::generate_vtable_methods not implemented for PPC JIT -%ifnarch %{ppc64le} -# see https://bugzilla.redhat.com/show_bug.cgi?id=513605 -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif -%endif - +%define alternatives_java_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -378,6 +469,7 @@ ext=%{_extension} alternatives \\ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ @@ -386,6 +478,8 @@ alternatives \\ --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ + %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ 
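Review bot: `alternatives_java_install` (first hunk on this line) lowers `PRIORITY` only when `%{?1}` equals `%{debug_suffix}`, so if the new fastdebug packages also invoke it they register `java` at the same priority as the release build and the alternatives choice between them becomes a tie. `is_release_build` was already extended to treat both debug suffixes alike; the same should apply here: `if [ "%{?1}" == %{debug_suffix} -o "%{?1}" == %{fastdebug_suffix} ]; then`. The identical test appears in `alternatives_javac_install`, `alternatives_javadoc_install` and `alternatives_javadoczip_install` in the later hunks. The macro body continues outside this hunk, and the call sites are not visible here.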
@@ -403,8 +497,13 @@ for X in %{origin} %{javaver} ; do alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -441,8 +540,8 @@ exit 0 %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -457,10 +556,8 @@ alternatives \\ %endif --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ -%ifarch %{jit_arches} -%ifnarch s390x +%ifarch %{sa_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ -%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -526,7 +623,9 @@ for X in %{origin} %{javaver} ; do done update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : 
@@ -549,11 +648,11 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -570,8 +669,7 @@ exit 0 exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 @@ -606,6 +704,7 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 @@ -652,14 +751,13 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so -# Zero and S390x don't have SA -%ifarch %{jit_arches} -%ifnarch s390x +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so @@ -667,6 +765,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1* 
@@ -674,11 +773,9 @@ exit 0 %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ -%ifarch %{jit_arches} -%ifnarch %{power64} +%ifarch %{share_arches} %attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa %endif -%endif %dir %{etcjavasubdir} %dir %{etcjavadir -- %{?1}} %dir %{etcjavadir -- %{?1}}/lib @@ -703,6 +800,7 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # this is conifg template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template @@ -714,6 +812,7 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_bindir}/java +%ghost %{_bindir}/%{alt_java_name} %ghost %{_jvmdir}/jre # https://bugzilla.redhat.com/show_bug.cgi?id=1312019 %ghost %{_bindir}/jjs @@ -727,6 +826,10 @@ exit 0 %ghost %{_jvmdir}/jre-%{javaver}-%{origin} %endif %endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved } %define files_devel() %{expand: 
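Review bot: The `%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg` entry added in the `@@ -703,6 +800,7 @@` hunk lists a file that the %build changes in this same patch no longer install. There the `install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/` line is commented out (`@@ -1599,42 +1844,48 @@` hunk) and configure is given `--disable-sysconf-nss`. Unless one of the FIPS patches places the file under `conf/security` itself, which cannot be seen from here, rpmbuild will presumably stop in %files with a file-not-found error. I would comment the entry out with the same reason, `# nss.fips.cfg is not installed on ROSA (see %build)`, so the package does not advertise a FIPS configuration it does not ship. The enclosing `%define` macro starts outside the hunk.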
@@ -743,12 +846,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage -# Zero and S390x don't have SA -%ifarch %{jit_arches} -%ifnarch s390x +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %endif -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -799,6 +900,7 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java +%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jaotc %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod 
@@ -846,27 +948,15 @@ exit 0 } %define files_static_libs() %{expand: -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfdlibm.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.a +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a } %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} -%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java @@ -876,7 +966,7 @@ exit 0 %define files_javadoc_zip() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip -%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java-zip 
@@ -895,7 +985,9 @@ Requires: libXcomposite%{?_isa} Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # for java-X-openjdk package's desktop binding +%if 0%{?rhel} >= 8 Recommends: gtk3%{?_isa} +%endif Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -956,9 +1048,9 @@ Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install tool alternatives -Requires(post): %{_sbindir}/alternatives +Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives -Requires(postun): %{_sbindir}/alternatives +Requires(postun): %{alternatives_requires} # Standard JPackage devel provides Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -999,15 +1091,16 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} %endif } %define java_javadoc_rpo() %{expand: OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install javadoc alternative -Requires(post): %{_sbindir}/alternatives +Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall javadoc alternative -Requires(postun): %{_sbindir}/alternatives +Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} 
@@ -1025,6 +1118,7 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1045,7 +1139,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". Epoch: 1 -Summary: %{origin_nice} Runtime Environment %{majorver} +Summary: %{origin_nice} %{featurever} Runtime Environment Group: Development/Java # HotSpot code is licensed under GPLv2 @@ -1068,10 +1162,10 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz +Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve-clean.tar.xz # Use 'icedtea_sync.sh' to update the following -# They are based on code contained in the IcedTea project (3.x). +# They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. Source8: tapsets-icedtea-%{icedteaver}.tar.xz 
@@ -1121,20 +1215,43 @@ Source303: https://download.bell-sw.com/java/11.0.10+9/bellsoft-jdk11.0.10+9-lin %endif +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# nss fips configuration file +Source17: nss.fips.cfg.in + ############################################ # # RPM/distribution specific patches # ############################################ -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch - # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch # Restrict access to java-atk-wrapper classes Patch2: rh1648644-java_access_bridge_privileged_security.patch +# NSS via SunPKCS11 Provider (disabled due to memory leak). +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) +Patch600: rh1750419-redhat_alt_java.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1842572-rsa_default_for_keytool.patch + +# FIPS support patches +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +Patch1002: rh1818909-fips_default_keystore_type.patch +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +Patch1007: rh1915071-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1008: rh1929465-improve_system_FIPS_detection.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1009: rh1996182-login_to_nss_software_token.patch +Patch1010: rh1996182-extend_security_policy.patch 
############################################# # 
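Review bot: The comment above `Patch1003` names a different bug than the patch file: `# RH1582504: Use RSA as default for keytool, ...` sits over `rh1842572-rsa_default_for_keytool.patch`, so anyone auditing where the patch came from will look up the wrong report. Which number is right cannot be told from the hunk; if both apply, list both as the `# PR3694, RH1340845:` comment does, e.g. `# RH1582504, RH1842572: Use RSA as default for keytool, ...`. `Patch1010: rh1996182-extend_security_policy.patch` has no comment of its own, and `availale` in the RH1818909 comment should read `available`.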
@@ -1146,48 +1263,34 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch ############################################# # -# OpenJDK specific patches +# Upstreamable patches # +# This section includes patches which need to +# be reviewed & pushed to the current development +# tree of OpenJDK. ############################################# Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# RH1566890: CVE-2018-3639 -Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch -# S390 ambiguous log2_intptr call -Patch8: s390-8214206_fix.patch ############################################# # -# Patches appearing in 11.0.8 +# Patches appearing in 11.0.13 # # This section includes patches which are present # in the listed OpenJDK 11u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64 +Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch -############################################# -# -# Patches appearing in 11.0.9 -# -# This section includes patches which are present -# in the listed OpenJDK 11u release and should be -# able to be removed once that release is out -# and used by this RPM. 
-############################################# -# JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' -Patch9: jdk8247874-fix_ampersand_in_vm_bug_url.patch +# ROSA patch Patch10: clang_stack.patch -Patch11: 0001-8263557-Possible-NULL-dereference-in-Arena-destruct_.patch -############################################# -# -# JDK 9+ only patches -# -############################################# + %if %{with clang} BuildRequires: clang %endif @@ -1202,6 +1305,7 @@ BuildRequires: freetype2-devel BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: gdb +BuildRequires: harfbuzz-devel BuildRequires: giflib-devel BuildRequires: jpeg-devel BuildRequires: libxslt-devel @@ -1231,10 +1335,11 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel BuildRequires: pkgconfig(libffi) %endif %if %{with timezonejava} -# 2020a required as of JDK-8243541 in 11.0.8+4 -BuildRequires: tzdata-java >= 2020a +# 2021a required as of JDK-8260356 in April 2021 CPU +BuildRequires: tzdata-java >= 2021a %endif BuildRequires: gcc +BuildRequires: make %if %{with_systemtap} BuildRequires: systemtap-devel @@ -1245,11 +1350,11 @@ BuildRequires: systemtap-devel %{java_rpo %{nil}} %description -The %{origin_nice} runtime environment. +The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug -Summary: %{origin_nice} Runtime Environment %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} Group: Development/Java %{java_rpo -- %{debug_suffix_unquoted}} 
@@ -1258,147 +1363,235 @@ The %{origin_nice} runtime environment. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +Group: Development/Java +%{java_rpo -- %{fastdebug_suffix_unquoted}} + +%description fastdebug +The %{origin_nice} %{featurever} runtime environment. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package headless -Summary: %{origin_nice} Headless Runtime Environment %{majorver} +Summary: %{origin_nice} %{featurever} Headless Runtime Environment Group: Development/Java %{java_headless_rpo %{nil}} %description headless -The %{origin_nice} runtime environment %{majorver} without audio and video support. +The %{origin_nice} %{featurever} runtime environment without audio and video support. %endif %if %{include_debug_build} %package headless-slowdebug -Summary: %{origin_nice} Runtime Environment %{debug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} %{java_headless_rpo -- %{debug_suffix_unquoted}} %description headless-slowdebug -The %{origin_nice} runtime environment %{majorver} without audio and video support. +The %{origin_nice} %{featurever} runtime environment without audio and video support. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +Group: Development/Java + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} %{featurever} runtime environment without audio and video support. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package devel -Summary: %{origin_nice} Development Environment %{majorver} +Summary: %{origin_nice} %{featurever} Development Environment Group: Development/Java %{java_devel_rpo %{nil}} %description devel -The %{origin_nice} development tools %{majorver}. 
+The %{origin_nice} %{featurever} development tools. %endif %if %{include_debug_build} %package devel-slowdebug -Summary: %{origin_nice} Development Environment %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} Group: Development/Java %{java_devel_rpo -- %{debug_suffix_unquoted}} %description devel-slowdebug -The %{origin_nice} development tools %{majorver}. +The %{origin_nice} %{featurever} development tools. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +Group: Development/Java + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} %{featurever} development tools. +%{fastdebug_warning} +%endif + +%if %{include_staticlibs} + %if %{include_normal_build} %package static-libs -Summary: %{origin_nice} libraries for static linking %{majorver} +Summary: %{origin_nice} %{featurever} libraries for static linking Group: Development/Java %{java_static_libs_rpo %{nil}} %description static-libs -The %{origin_nice} libraries for static linking %{majorver}. +The %{origin_nice} %{featurever} libraries for static linking %endif %if %{include_debug_build} %package static-libs-slowdebug -Summary: %{origin_nice} libraries for static linking %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} Group: Development/Java %{java_static_libs_rpo -- %{debug_suffix_unquoted}} %description static-libs-slowdebug -The %{origin_nice} libraries for static linking %{majorver}. 
+The %{origin_nice} %{featurever} libraries for static linking %{debug_warning} %endif +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} +Group: Development/Java + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} %{featurever} libraries for static linking. +%{fastdebug_warning} +%endif + +# staticlibs +%endif + %if %{include_normal_build} %package jmods -Summary: JMods for %{origin_nice} %{majorver} +Summary: JMods for %{origin_nice} %{featurever} Group: Development/Java %{java_jmods_rpo %{nil}} %description jmods -The JMods for %{origin_nice}. +The JMods for %{origin_nice} %{featurever}. +%endif + +%if %{include_fastdebug_build} +%package jmods-fastdebug +Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +Group: Development/Java + +%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} + +%description jmods-fastdebug +The JMods for %{origin_nice} %{featurever}. +%{fastdebug_warning} %endif %if %{include_debug_build} %package jmods-slowdebug -Summary: JMods for %{origin_nice} %{majorver} %{debug_on} +Summary: JMods for %{origin_nice} %{debug_on} Group: Development/Java %{java_jmods_rpo -- %{debug_suffix_unquoted}} %description jmods-slowdebug -The JMods for %{origin_nice} %{majorver}. +The JMods for %{origin_nice} %{featurever}. %{debug_warning} %endif %if %{include_normal_build} %package demo -Summary: %{origin_nice} Demos %{majorver} +Summary: %{origin_nice} %{featurever} Demos\ Group: Development/Java %{java_demo_rpo %{nil}} %description demo -The %{origin_nice} demos %{majorver}. +The %{origin_nice} %{featurever} demos. 
%endif %if %{include_debug_build} %package demo-slowdebug -Summary: %{origin_nice} Demos %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} Demos %{debug_on} Group: Development/Java %{java_demo_rpo -- %{debug_suffix_unquoted}} %description demo-slowdebug -The %{origin_nice} demos %{majorver}. +The %{origin_nice} %{featurever} demos. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +Group: Development/Java + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} %{featurever} demos. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package src -Summary: %{origin_nice} Source Bundle %{majorver} +Summary: %{origin_nice} %{featurever} Source Bundle Group: Development/Java %{java_src_rpo %{nil}} %description src -The java-%{origin}-src sub-package contains the complete %{origin_nice} %{majorver} +The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} class library source code for use by IDE indexers and debuggers. %endif %if %{include_debug_build} %package src-slowdebug -Summary: %{origin_nice} Source Bundle %{majorver} %{for_debug} +Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} Group: Development/Java %{java_src_rpo -- %{debug_suffix_unquoted}} %description src-slowdebug -The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice} %{majorver} - class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}. +The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_debug}. 
+%endif + +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +Group: Development/Java + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. %endif %if %{include_normal_build} %package javadoc -Summary: %{origin_nice} %{majorver} API documentation +Summary: %{origin_nice} %{featurever}API documentation Group: Development/Java Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4 @@ -1406,12 +1599,12 @@ Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4 %{java_javadoc_rpo %{nil}} %description javadoc -The %{origin_nice} %{majorver} API documentation. +The %{origin_nice} %{featurever} API documentation. %endif %if %{include_normal_build} %package javadoc-zip -Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive +Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive Group: Development/Java Requires: javapackages-filesystem Obsoletes: javadoc-zip-slowdebug < 1:11.0.3.7-4 
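Review bot: Three of the rewritten `Summary:` tags in the `@@ -1258,147 +1363,235 @@` hunk carry typos that end up in the package metadata. `Summary: %{origin_nice} %{featurever} Demos\` has a stray trailing backslash, `Summary: %{origin_nice} %{featurever}API documentation` lacks the space before `API`, and the jmods-slowdebug line `Summary: JMods for %{origin_nice} %{debug_on}` lost the version that every sibling summary now carries. Suggested lines: `Summary: %{origin_nice} %{featurever} Demos`, `Summary: %{origin_nice} %{featurever} API documentation` and `Summary: JMods for %{origin_nice} %{featurever} %{debug_on}`. The `static-libs` and `static-libs-slowdebug` descriptions also lost their final period, unlike the fastdebug one added next to them.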
@@ -1419,26 +1612,40 @@ Obsoletes: javadoc-zip-slowdebug < 1:11.0.3.7-4 %{java_javadoc_rpo %{nil}} %description javadoc-zip -The %{origin_nice} %{majorver} API documentation compressed in a single archive. +The %{origin_nice} %{featurever} API documentation compressed in a single archive. %endif %prep + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else - echo "include_normal_build is %{include_normal_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" exit 11 fi if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then echo "include_debug_build is %{include_debug_build}" else - echo "include_debug_build is %{include_debug_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" exit 12 fi -if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then - echo "You have disabled both include_debug_build and include_normal_build. That is a no go." +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" exit 13 fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." 
+ exit 14 +fi %setup -q -c -n %{uniquesuffix ""} -T -a 0 %{?with_bootstrap:-b %{bootstrap_jdk_source_num}} # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -1449,22 +1656,30 @@ fi # OpenJDK patches -# Remove libraries that are linked -sh %{SOURCE12} +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} + +# Patch the JDK pushd %{top_level_dir_name} %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch6 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 %patch10 -p1 -%patch11 -p1 popd # openjdk %patch1000 +%patch600 +%patch1001 +%patch1002 +%patch1003 +%patch1004 +%patch1007 +%patch1008 +%patch1009 +%patch1010 # Extract systemtap tapsets %if %{with_systemtap} @@ -1472,17 +1687,20 @@ tar --strip-components=1 -x -I xz -f %{SOURCE8} %if %{include_debug_build} cp -r tapset tapset%{debug_suffix} %endif - +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 + sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 # TODO find out which architectures other than i686 have a client vm %ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE + sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE %else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE + sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE %endif sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE 
@@ -1512,6 +1730,9 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build %if %{with clang} @@ -1535,9 +1756,8 @@ export CFLAGS="$CFLAGS -mieee" # We use ourcppflags because the OpenJDK build seems to # pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set -fcommon as GCC 10+ defaults to -fno-common -EXTRA_CFLAGS="%ourcppflags -Wno-error -fcommon" -EXTRA_CPP_FLAGS="%ourcppflags -fcommon" +EXTRA_CFLAGS="%ourcppflags -Wno-error" +EXTRA_CPP_FLAGS="%ourcppflags" %ifarch %{power64} ppc # fix rpmlint warnings 
@@ -1553,18 +1773,41 @@ export EXTRA_CFLAGS EXTRA_ASFLAGS for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then debugbuild=release + debug_symbols=internal else # change --something to something debugbuild=`echo $suffix | sed "s/-//g"` + debug_symbols=internal fi -# Variable used in hs_err hook on build failures -top_dir_abs_path=$(pwd)/%{top_level_dir_name} +for loop in %{main_suffix} %{staticlibs_loop} ; do -mkdir -p %{buildoutputdir -- $suffix} -pushd %{buildoutputdir -- $suffix} +if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Variable used by configure and hs_err hook on build failures + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up + maketargets="%{release_targets}" + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + fi +else + # Variable used by configure and hs_err hook on build failures + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" +fi -bash ../configure \ +top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} +top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} +mkdir -p ${top_dir_abs_build_path} +pushd ${top_dir_abs_build_path} + +bash ${top_dir_abs_src_path}/configure \ %ifnarch %{jit_arches} --with-jvm-variants=zero \ %endif 
@@ -1575,23 +1818,25 @@ bash ../configure \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ --with-vendor-version-string="%{vendor_version_string}" \ - --with-vendor-name="Red Hat, Inc." \ - --with-vendor-url="https://www.redhat.com/" \ - --with-vendor-bug-url="%{bugs}" \ - --with-vendor-vm-bug-url="%{bugs}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ %if ! %{with bootstrap} --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ %else --with-boot-jdk="%{_builddir}/jdk-11.0.10" \ %endif --with-debug-level=$debugbuild \ - --with-native-debug-symbols=internal \ + --with-native-debug-symbols=$debug_symbols \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ - --with-libjpeg=system \ - --with-giflib=system \ - --with-libpng=system \ - --with-lcms=system \ + --with-zlib=${link_opt} \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ --with-stdc++lib=dynamic \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ 
@@ -1599,42 +1844,48 @@ bash ../configure \ --with-extra-ldflags="%{ourldflags}" \ --with-num-cores="$NUM_PROC" \ --disable-javac-server \ -%ifarch x86_64 - --with-jvm-features=zgc \ -%endif + --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors \ %if %{with clang} --with-toolchain-type="clang" \ %endif -- -# Debug builds don't need same targets as release for -# build speed-up -maketargets="%{release_targets}" -if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" -fi make \ JAVAC_FLAGS=-g \ LOG=trace \ WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false ) + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + +popd + +# Restore original source tree if we modified it by removing full in-tree sources +if [ -d %{top_level_dir_name_backup} ] ; then + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +fi + +done # end of main / staticlibs loop + +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} # the build (erroneously) removes read permissions from some jars # this is a regression in OpenJDK 7 (our compiler): # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; # Build screws up permissions on binaries # https://bugs.openjdk.java.net/browse/JDK-8173610 -find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find images/%{jdkimage}/bin/ -exec chmod +x {} \; - -popd >& /dev/null +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; +find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; # Install nss.cfg right away as we will 
be using the JRE above -export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +# FIPS does not make sense in ROSA, we also use --disable-sysconf-nss +#install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ @@ -1645,15 +1896,27 @@ rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat %endif +# Create fake alt-java as a placeholder for future alt-java +pushd ${JAVA_HOME} +# add alt-java man page +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 +cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 +popd + # build cycles -done +done # end of release / debug cycle loop %check # We test debug first as it will give better diagnostics on a crash -for suffix in %{rev_build_loop} ; do +for suffix in %{build_loop} ; do -export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} #check Shenandoah is enabled %if %{use_shenandoah_hotspot} 
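Review bot: The comment `# We test debug first as it will give better diagnostics on a crash` in %check no longer matches the loop below it, which the `@@ -1645,15 +1896,27 @@` hunk switches from `%{rev_build_loop}` to `%{build_loop}`. If `build_loop` lists the release build first (its definition is outside this hunk), the comment should be reworded, e.g. `# Run the checks for every build variant, in build order`. In the same hunk, `# Create fake alt-java as a placeholder for future alt-java` sits over lines that only write a man page; `# Add a man page for alt-java (java.1 with a one-line preface)` would describe what they do.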
@@ -1672,13 +1935,30 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") $JAVA_HOME/bin/javac -d . %{SOURCE15} $JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +%endif +so_suffix="so" # Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib do if [ -f "$lib" ] ; then echo "Testing $lib for debug symbols" @@ -1738,11 +2018,13 @@ quit end run -version EOF +%if 0%{?fedora} > 0 # This fails on s390x for some reason. Disable for now. See: # https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 %ifnarch s390x grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif +%endif # Check src.zip has all sources. See RHBZ#1130490 $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' 
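Review bot: The two negative checks of the form `if ! nm ... | grep set_speculation ; then true ; else false; fi` pass whenever grep prints nothing, which includes the case where nm itself fails or the launcher is missing, because the pipeline's status is grep's alone. A check meant to prove that the plain `java` launcher carries no SSB mitigation should not succeed on a binary it could not read. Running nm on its own first, `nm $JAVA_HOME/bin/java > java.syms`, and then `if grep -q set_speculation java.syms ; then false ; fi` keeps an nm failure fatal under the `-e` shell rpm uses for build sections. The same applies to the `%else` branch for %{alt_java_name}.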
@@ -1765,12 +2047,17 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif +jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} -cp -a %{buildoutputdir -- $suffix}/images/%{jdkimage} \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} +cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} -pushd %{buildoutputdir $suffix}/images/%{jdkimage} +pushd ${jdk_image} %if %{with_systemtap} # Install systemtap support files @@ -1799,7 +2086,6 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} popd - # Install man pages install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 for manpage in man/man1/* 
@@ -1815,15 +2101,19 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} popd # Install static libs artefacts -cp -a %{buildoutputdir -- $suffix}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib - +%if %{include_staticlibs} +mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc +cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ + $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc +%endif if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a %{buildoutputdir -- $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip + cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ fi # Install release notes @@ -1939,6 +2229,9 @@ cjc.mainProgram(args) %posttrans %{posttrans_script %{nil}} +%posttrans headless +%{alternatives_java_install %{nil}} + %post devel %{post_devel %{nil}} @@ -1948,14 +2241,14 @@ cjc.mainProgram(args) %posttrans devel %{posttrans_devel %{nil}} -%post javadoc -%{post_javadoc %{nil}} +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} %postun javadoc %{postun_javadoc %{nil}} -%post javadoc-zip -%{post_javadoc_zip %{nil}} +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} %postun javadoc-zip %{postun_javadoc_zip %{nil}} 
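Review bot: The `|| ls -l ${top_dir_abs_main_build_path}/bundles/` appended to the docs-zip `cp -a` turns a failed copy into a success, since the command list then exits with the status of ls. The install step would continue without the javadoc zip and fail later, away from the cause, or not fail at all. If the listing is wanted for diagnosis, keep the failure: `|| { ls -l ${top_dir_abs_main_build_path}/bundles/ ; false ; }`.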
@@ -1968,6 +2261,9 @@ cjc.mainProgram(args) %post headless-slowdebug %{post_headless -- %{debug_suffix_unquoted}} +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + %postun slowdebug %{postun_script -- %{debug_suffix_unquoted}} @@ -1987,6 +2283,36 @@ cjc.mainProgram(args) %{posttrans_devel -- %{debug_suffix_unquoted}} %endif +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + %if %{include_normal_build} %files # main package builds always @@ -2006,8 +2332,10 @@ cjc.mainProgram(args) %files devel %{files_devel %{nil}} +%if %{include_staticlibs} %files static-libs %{files_static_libs %{nil}} +%endif %files jmods %{files_jmods %{nil}} @@ -2021,9 +2349,8 @@ cjc.mainProgram(args) %files javadoc %{files_javadoc %{nil}} -# this puts huge file to /usr/share -# unluckily ti is really a documentation file -# and unluckily it really is architecture-dependent, as eg. aot and grail are now x86_64 only +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only # same for debug variant %files javadoc-zip %{files_javadoc_zip %{nil}} 
@@ -2039,8 +2366,10 @@ cjc.mainProgram(args) %files devel-slowdebug %{files_devel -- %{debug_suffix_unquoted}} +%if %{include_staticlibs} %files static-libs-slowdebug %{files_static_libs -- %{debug_suffix_unquoted}} +%endif %files jmods-slowdebug %{files_jmods -- %{debug_suffix_unquoted}} @@ -2051,3 +2380,29 @@ cjc.mainProgram(args) %files src-slowdebug %{files_src -- %{debug_suffix_unquoted}} %endif + +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%if %{include_staticlibs} +%files static-libs-fastdebug +%{files_static_libs -- %{fastdebug_suffix_unquoted}} +%endif + +%files jmods-fastdebug +%{files_jmods -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%endif diff --git a/java-11-openjdk.spec.orig b/java-11-openjdk.spec.orig new file mode 100644 index 0000000..8df2956 --- /dev/null +++ b/java-11-openjdk.spec.orig 
@@ -0,0 +1,2051 @@ +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-1.8.0-openjdk.spec +# +# Produce only release builds (no slowdebug builds) on x86_64: +# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug +# +# Only produce a debug build on x86_64: +# $ fedpkg local --without release +# +# Enable slowdebug builds by default on relevant arches. +%ifarch %{arm64} +%bcond_with slowdebug +%else +%bcond_without slowdebug +%endif + +# Enable release builds by default on relevant arches. +%bcond_without release + +# Workaround for stripping of debug symbols from static libraries +%define __brp_strip_static_archive %{nil} + +#in rosa linux there is no tzdb.dat file +#in the timezone package we will +#use the standard one from java (temporarily) +%bcond_with timezonejava + +%bcond_without clang +%bcond_with bootstrap + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. 
If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global normal_suffix "" + +# if you want only debug build but providing java build only normal build but set normalbuild_parameter +%global debug_warning This package has full debug on. Install only in need and remove asap. +%global debug_on with full debug on +%global for_debug for packages with debug on + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global build_loop1 %{normal_suffix} +%else +%global build_loop1 %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# those files ,must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or simialr, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" ]; 
then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +%global multilib_arches %{power64} sparc64 x86_64 +%global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} s390x +%global aot_arches x86_64 %{aarch64} + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{jit_arches} +%ifnarch %{arm} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On x86_64 and AArch64, we use the Shenandoah HotSpot +%ifarch x86_64 %{aarch64} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +%if %{include_debug_build} +%global build_loop2 %{debug_suffix} +%else +%global build_loop2 %{nil} +%endif + +# if you disable both builds, then the build fails +%global build_loop %{build_loop1} %{build_loop2} +# note: that order: normal_suffix debug_suffix, in case of both enabled +# is expected in one single case at the end of the build +%global rev_build_loop %{build_loop2} %{build_loop1} + +# http://openjdk.java.net/groups/build/doc/building.html +#if %{without bootstrap} +#global release_targets bootcycle-images static-libs-image docs-zip +#else +# XXX there are problems with building bootcycle-images, turn them off for now, not really needed +%global release_targets images docs-zip static-libs-image +#endif +# No docs nor bootcycle for debug builds +%global debug_targets images static-libs-image + + +# Filter out flags from the 
optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%ifarch %{ix86} +%global optflags %optflags -fno-PIC +%endif +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') + +# As discussed with bero@, optflags are duplicated in ldflags for e.g. LTO, but it consuses OpenJDK build scripts +#%%global ourldflags %{__global_ldflags} +%global ourldflags -Wl,-z,relro -Wl,--as-needed -Wl,-z,now + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) + +# In some cases, the arch used by the JDK does +# not match _arch. 
+# Also, in some cases, the machine name used by SystemTap +# does not match that given by _build_cpu +%ifarch x86_64 +%global archinstall amd64 +%endif +%ifarch ppc +%global archinstall ppc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%endif +%ifarch %{ix86} +%global archinstall i686 +%endif +%ifarch ia64 +%global archinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%endif +%ifarch %{arm} +%global archinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%endif +%ifnarch %{jit_arches} +%global archinstall %{_arch} +%endif + + + +%ifarch %{jit_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +# If you bump majorver, you must bump also vendor_version_string +%global majorver 11 +# Used via new version scheme. 
JDK 11 was +# GA'ed in September 2018 => 18.9 +%global vendor_version_string 18.9 +%global securityver 8 +# buildjdkver is usually same as %%{majorver}, +# but in time of bootstrap of next jdk, it is majorver-1, +# and this it is better to change it here, on single place +%global buildjdkver %{majorver} +# Add LTS designator for RHEL builds +%if 0%{?rhel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 3.15.0 + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{origin} +%global minorver 0 +%global buildver 6 +%global rpmrelease 1 +#%%global tagsuffix "" +# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit +%if %is_system_jdk +%global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif +%global newjavaver %{majorver}.%{minorver}.%{securityver} + +%global javaver %{majorver} + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 0 +%if %{is_ga} +%global ea_designator "" +%global ea_designator_zip "" +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. 
+%endif + +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global bugs https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{majorver}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images directories from upstream build +%global jdkimage jdk +%global static_libs_image static-libs +# output dir stub +%define buildoutputdir() %{expand:openjdk/build%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs 
libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.* +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for slowdebug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. 
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka build_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +exit 0 +} + + +%define post_headless() %{expand: +%ifarch %{jit_arches} +# MetaspaceShared::generate_vtable_methods not implemented for PPC JIT +%ifnarch %{ppc64le} +# see https://bugzilla.redhat.com/show_bug.cgi?id=513605 +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif +%endif + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=%{_extension} +alternatives \\ + --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ + --slave 
%{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ + --slave %{_bindir}/rmid rmid %{jrebindir -- %{?1}}/rmid \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ + --slave %{_mandir}/man1/java.1$ext java.1$ext \\ + %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ + %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ + %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/pack200.1$ext pack200.1$ext \\ + %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmid.1$ext rmid.1$ext \\ + %{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ + %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext + +for X in %{origin} %{javaver} ; do + alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} + + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +# see pretrans where this file is declared +# also see that pretrans is only for non-debug +if [ ! 
"%{?1}" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} + fi +fi + +exit 0 +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + + +%define postun_headless() %{expand: + alternatives --remove java %{jrebindir -- %{?1}}/java + alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} +} + +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + +%define post_devel() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ +%ifarch %{aot_arches} + --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ +%endif + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{jit_arches} +%ifnarch s390x + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave 
%{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/rmic rmic %{sdkbindir -- %{?1}}/rmic \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ + %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ + %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ + %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ + %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ + %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ + %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ + %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ + %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ + 
%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ + %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ + %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ + %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ + %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ + %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ + %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ + %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + +for X in %{origin} %{javaver} ; do + alternatives \\ + --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +exit 0 +} + +%define postun_devel() %{expand: + alternatives --remove javac %{sdkbindir -- %{?1}}/javac + alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + +update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + +%define 
posttrans_devel() %{expand: +%{update_desktop_icons} +} + +%define post_javadoc() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc() %{expand: + alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +exit 0 +} + +%define post_javadoc_zip() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc_zip() %{expand: + alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +exit 0 +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%{_jvmdir}/%{jrelnk -- %{?1}} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmid +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/unpack200 +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- 
%{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Zero and S390x don't have SA
+%ifarch %{jit_arches}
+%ifnarch s390x
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so
+%{_jvmdir}/%{sdkdir --
%{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{jit_arches}
+%ifnarch %{power64}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%endif
+%endif
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# this is conifg template, thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_jvmdir}/jre
+# https://bugzilla.redhat.com/show_bug.cgi?id=1312019
+%ghost %{_bindir}/jjs
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Zero and S390x don't have SA
+%ifarch %{jit_arches}
+%ifnarch s390x
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmic
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%ifarch %{aot_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jaotc
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%if %{with_systemtap}
+# /usr/share/systemtap belongs to systemtap
+#dir %{tapsetroot}
+#dir %{tapsetdirttapset}
+#dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_bindir}/jaotc
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/rmic
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfdlibm.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.a
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost
%{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+Recommends: gtk3%{?_isa}
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+%if %{with timezonejava}
+# Require zone-info data provided by tzdata-java sub-package
+# 2020a required as of JDK-8243541 in 11.0.8+4
+Requires: tzdata-java >= 2020a
+%endif
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+# tool to copy jdk's
configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 4.0
+OrderWithRequires: copy-jdk-configs
+# for printing support
+Requires: cups-libs
+# Post requires alternatives to install tool alternatives
+Requires(post): %{_sbindir}/alternatives
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{_sbindir}/alternatives
+# for optional support of kernel stream control, card reader and printing bindings
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{_sbindir}/alternatives
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{_sbindir}/alternatives
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides:
java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{_sbindir}/alternatives
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{_sbindir}/alternatives
+
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1} =
%{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name: java-%{javaver}-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} Runtime Environment %{majorver}
+Group: Development/Java
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# to regenerate source0 (jdk) run update_package.sh
+# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (3.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files.
Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# ROSA-specific
+Source300: %{name}.rpmlintrc
+
+# Binary JDK for buolding with_bootstrap
+# Only Liberica JDK provides binaries for x86_32
+# Gentoo uses https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases, there is no x86_32 there
+# Using https://libericajdk.ru/pages/downloads/#/java-11-lts -> "Standard JDK"
+# x86_32
+Source301: https://download.bell-sw.com/java/11.0.10+9/bellsoft-jdk11.0.10+9-linux-i586.tar.gz
+# x86_64
+Source302: https://download.bell-sw.com/java/11.0.10+9/bellsoft-jdk11.0.10+9-linux-amd64.tar.gz
+# aarch64
+Source303: https://download.bell-sw.com/java/11.0.10+9/bellsoft-jdk11.0.10+9-linux-aarch64.tar.gz
+
+%ifarch %{ix86}
+%define bootstrap_jdk_source_num 301
+%endif
+%ifarch %{x86_64}
+%define bootstrap_jdk_source_num 302
+%endif
+%ifarch aarch64
+%define bootstrap_jdk_source_num 303
+%endif
+
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+
+#############################################
+#
+# Shenandoah specific patches
+#
+#############################################
+
+# Currently empty
+
+#############################################
+#
+# OpenJDK specific patches
+#
+#############################################
+
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# RH1566890: CVE-2018-3639
+Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch7: pr3695-toggle_system_crypto_policy.patch
+# S390 ambiguous log2_intptr call
+Patch8: s390-8214206_fix.patch
+
+#############################################
+#
+# Patches appearing in 11.0.8
+#
+# This section includes patches which are present
+# in the listed OpenJDK 11u release and should be
+# able to be removed once that release is out
+# and used by this RPM.
+#############################################
+
+#############################################
+#
+# Patches appearing in 11.0.9
+#
+# This section includes patches which are present
+# in the listed OpenJDK 11u release and should be
+# able to be removed once that release is out
+# and used by this RPM.
+#############################################
+# JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&'
+Patch9: jdk8247874-fix_ampersand_in_vm_bug_url.patch
+Patch10: clang_stack.patch
+#############################################
+#
+# JDK 9+ only patches
+#
+#############################################
+%if %{with clang}
+BuildRequires: clang
+%endif
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: elfutils
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig
+BuildRequires: freetype2-devel
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: giflib-devel
+BuildRequires: jpeg-devel
+BuildRequires: libxslt-devel
+BuildRequires: nss-devel
+BuildRequires: openssl
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(alsa)
+BuildRequires: pkgconfig(gtk+-2.0)
+BuildRequires: pkgconfig(lcms2)
+BuildRequires: pkgconfig(libpng)
+BuildRequires: pkgconfig(x11)
+BuildRequires: pkgconfig(xi)
+BuildRequires: pkgconfig(xinerama)
+BuildRequires: pkgconfig(xproto)
+BuildRequires: pkgconfig(xt)
+BuildRequires: pkgconfig(xtst)
+BuildRequires: unzip
+BuildRequires: xsltproc
+BuildRequires: zip
+BuildRequires: nss-softokn-freebl-devel
+BuildRequires: javapackages-filesystem
+%if ! %{with bootstrap}
+BuildRequires: java-%{buildjdkver}-openjdk-devel
+%endif
+# Zero-assembler build requirement
+%ifnarch %{jit_arches}
+BuildRequires: pkgconfig(libffi)
+%endif
+%if %{with timezonejava}
+# 2020a required as of JDK-8243541 in 11.0.8+4
+BuildRequires: tzdata-java >= 2020a
+%endif
+BuildRequires: gcc
+
+%if %{with_systemtap}
+BuildRequires: systemtap-devel
+%endif
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} Runtime Environment %{majorver} %{debug_on}
+Group: Development/Java
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} Headless Runtime Environment %{majorver}
+Group: Development/Java
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} runtime environment %{majorver} without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} Runtime Environment %{debug_on}
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} runtime environment %{majorver} without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} Development Environment %{majorver}
+Group: Development/Java
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} development tools %{majorver}.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} Development Environment %{majorver} %{debug_on}
+Group: Development/Java
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} development tools %{majorver}.
+%{debug_warning}
+%endif
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} libraries for static linking %{majorver}
+Group: Development/Java
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} libraries for static linking %{majorver}.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} libraries for static linking %{majorver} %{debug_on}
+Group: Development/Java
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} libraries for static linking %{majorver}.
+%{debug_warning}
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{majorver}
+Group: Development/Java
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{majorver} %{debug_on}
+Group: Development/Java
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{majorver}.
+%{debug_warning}
+%endif
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} Demos %{majorver}
+Group: Development/Java
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} demos %{majorver}.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} Demos %{majorver} %{debug_on}
+Group: Development/Java
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} demos %{majorver}.
+%{debug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} Source Bundle %{majorver}
+Group: Development/Java
+
+%{java_src_rpo %{nil}}
+
+%description src
+The java-%{origin}-src sub-package contains the complete %{origin_nice} %{majorver}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} Source Bundle %{majorver} %{for_debug}
+Group: Development/Java
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice} %{majorver}
+ class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}.
+%endif
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{majorver} API documentation
+Group: Development/Java
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4
+
+%{java_javadoc_rpo %{nil}}
+
+%description javadoc
+The %{origin_nice} %{majorver} API documentation.
+%endif
+
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive
+Group: Development/Java
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:11.0.3.7-4
+
+%{java_javadoc_rpo %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{majorver} API documentation compressed in a single archive.
+%endif
+
+%prep
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, thats invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, thats invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then
+ echo "You have disabled both include_debug_build and include_normal_build. That is a no go."
+ exit 13
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0 %{?with_bootstrap:-b %{bootstrap_jdk_source_num}}
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+
+# Remove libraries that are linked
+sh %{SOURCE12}
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+popd # openjdk
+
+%patch1000
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ OUTPUT_FILE=$NAME$suffix.$EXT
+ sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e
"s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+ sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+
+%build
+%if %{with clang}
+export CC="clang"
+export CXX="clang++"
+%endif
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set -fcommon as GCC 10+ defaults to -fno-common
+EXTRA_CFLAGS="%ourcppflags -Wno-error -fcommon"
+EXTRA_CPP_FLAGS="%ourcppflags -fcommon"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+# Fixes annocheck warnings in assembler files due to missing build notes
+%if 0
+EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
+%endif
+EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa"
+export EXTRA_CFLAGS EXTRA_ASFLAGS
+
+for suffix in %{build_loop} ; do
+if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+fi
+
+# Variable used in hs_err hook on build failures
+top_dir_abs_path=$(pwd)/%{top_level_dir_name}
+
+mkdir -p %{buildoutputdir -- $suffix}
+pushd %{buildoutputdir -- $suffix}
+
+bash ../configure \
+%ifnarch %{jit_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-version-build=%{buildver} \
+ --with-version-pre="%{ea_designator}" \
+
--with-version-opt=%{lts_designator} \ + --with-vendor-version-string="%{vendor_version_string}" \ + --with-vendor-name="Red Hat, Inc." \ + --with-vendor-url="https://www.redhat.com/" \ + --with-vendor-bug-url="%{bugs}" \ + --with-vendor-vm-bug-url="%{bugs}" \ +%if ! %{with bootstrap} + --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ +%else + --with-boot-jdk="%{_builddir}/jdk-11.0.10" \ +%endif + --with-debug-level=$debugbuild \ + --with-native-debug-symbols=internal \ + --enable-unlimited-crypto \ + --with-zlib=system \ + --with-libjpeg=system \ + --with-giflib=system \ + --with-libpng=system \ + --with-lcms=system \ + --with-stdc++lib=dynamic \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-asflags="$EXTRA_ASFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --disable-javac-server \ +%ifarch x86_64 + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors \ +%if %{with clang} + --with-toolchain-type="clang" \ +%endif + -- + +# Debug builds don't need same targets as release for +# build speed-up +maketargets="%{release_targets}" +if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" +fi +make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false ) + +# the build (erroneously) removes read permissions from some jars +# this is a regression in OpenJDK 7 (our compiler): +# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 +find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; + +# Build screws up permissions on binaries +# https://bugs.openjdk.java.net/browse/JDK-8173610 +find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; +find images/%{jdkimage}/bin/ -exec chmod +x {} \; + +popd >& /dev/null + +# Install nss.cfg right away as we will be using the JRE above 
+export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} + +# Install nss.cfg right away as we will be using the JRE above +install -m 644 nss.cfg $JAVA_HOME/conf/security/ + +%if %{with timezonejava} +# Use system-wide tzdata +rm $JAVA_HOME/lib/tzdb.dat +ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat +%endif + +# build cycles +done + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{rev_build_loop} ; do + +export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME//bin/java -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c + +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. 
This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. 
See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre +-- if copy-jdk-configs is in transaction, it installs in pretrans to temp +-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is +-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends +-- whether copy-jdk-configs is installed or not. If so, then configs are copied +-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all +local posix = require "posix" + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end + +SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" +SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" + +local stat1 = posix.stat(SOURCE1, "type"); +local stat2 = posix.stat(SOURCE2, "type"); + + if (stat1 ~= nil) then + if (debug) then + print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.") + end; + package.path = package.path .. ";" .. SOURCE1 +else + if (stat2 ~= nil) then + if (debug) then + print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.") + end; + package.path = package.path .. ";" .. SOURCE2 + else + if (debug) then + print(SOURCE1 .." does NOT exists") + print(SOURCE2 .." 
does NOT exists") + print("No config files will be copied") + end + return + end +end +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) + +%post +%{post_script %{nil}} + +%post headless +%{post_headless %{nil}} + +%postun +%{postun_script %{nil}} + +%postun headless +%{postun_headless %{nil}} + +%posttrans +%{posttrans_script %{nil}} + +%post devel +%{post_devel %{nil}} + +%postun devel +%{postun_devel %{nil}} + +%posttrans devel +%{posttrans_devel %{nil}} + +%post javadoc +%{post_javadoc %{nil}} + +%postun javadoc +%{postun_javadoc %{nil}} + +%post javadoc-zip +%{post_javadoc_zip %{nil}} + +%postun javadoc-zip +%{postun_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%post slowdebug +%{post_script -- %{debug_suffix_unquoted}} + +%post headless-slowdebug +%{post_headless -- %{debug_suffix_unquoted}} + +%postun slowdebug +%{postun_script -- %{debug_suffix_unquoted}} + +%postun headless-slowdebug +%{postun_headless -- %{debug_suffix_unquoted}} + +%posttrans slowdebug +%{posttrans_script -- %{debug_suffix_unquoted}} + +%post devel-slowdebug +%{post_devel -- %{debug_suffix_unquoted}} + +%postun devel-slowdebug +%{postun_devel -- %{debug_suffix_unquoted}} + +%posttrans devel-slowdebug +%{posttrans_devel -- %{debug_suffix_unquoted}} +%endif + +%if %{include_normal_build} +%files +# main package builds always +%{files_jre %{nil}} +%else +%files +# placeholder +%endif + + +%if %{include_normal_build} +%files headless +# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +# all config/noreplace files (and more) have to 
be declared in pretrans. See pretrans +%{files_jre_headless %{nil}} + +%files devel +%{files_devel %{nil}} + +%files static-libs +%{files_static_libs %{nil}} + +%files jmods +%{files_jmods %{nil}} + +%files demo +%{files_demo %{nil}} + +%files src +%{files_src %{nil}} + +%files javadoc +%{files_javadoc %{nil}} + +# this puts huge file to /usr/share +# unluckily ti is really a documentation file +# and unluckily it really is architecture-dependent, as eg. aot and grail are now x86_64 only +# same for debug variant +%files javadoc-zip +%{files_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%files slowdebug +%{files_jre -- %{debug_suffix_unquoted}} + +%files headless-slowdebug +%{files_jre_headless -- %{debug_suffix_unquoted}} + +%files devel-slowdebug +%{files_devel -- %{debug_suffix_unquoted}} + +%files static-libs-slowdebug +%{files_static_libs -- %{debug_suffix_unquoted}} + +%files jmods-slowdebug +%{files_jmods -- %{debug_suffix_unquoted}} + +%files demo-slowdebug +%{files_demo -- %{debug_suffix_unquoted}} + +%files src-slowdebug +%{files_src -- %{debug_suffix_unquoted}} +%endif diff --git a/jdk8247874-fix_ampersand_in_vm_bug_url.patch b/jdk8247874-fix_ampersand_in_vm_bug_url.patch deleted file mode 100644 index c2d746b..0000000 --- a/jdk8247874-fix_ampersand_in_vm_bug_url.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -# HG changeset patch -# User sgehwolf -# Date 1592560575 -7200 -# Fri Jun 19 11:56:15 2020 +0200 -# Node ID c523ff594ec50a45cb157cffc93c17e0414c066a -# Parent c17f1a4da248acfe3c1285fe332aea245eb84bb4 -8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' -Summary: Backports parts of 8223319: Add copyright footer to specs and man pages -Reviewed-by: andrew, phh - -diff --git openjdk.orig/make/common/TextFileProcessing.gmk openjdk/make/common/TextFileProcessing.gmk ---- openjdk.orig/make/common/TextFileProcessing.gmk -+++ openjdk/make/common/TextFileProcessing.gmk -@@ -155,9 +155,10 @@ - # Convert the REPLACEMENTS syntax ( A => B ; C => D ; ...) to a sed command - # line (-e "s/A/B/g" -e "s/C/D/g" ...), basically by replacing '=>' with '/' - # and ';' with '/g" -e "s/', and adjusting for edge cases. -+ # '&' has special meaning in sed so needs to be escaped. - $1_REPLACEMENTS_COMMAND_LINE := $(SED) -e 's$$($1_SEP)$$(subst $$(SPACE);$$(SPACE),$$($1_SEP)g' \ - -e 's$$($1_SEP),$$(subst $$(SPACE)=>$$(SPACE),$$($1_SEP),$$(subst $$(SPACE)=>$$(SPACE);$$(SPACE),$$($1_SEP)$$($1_SEP)g' \ -- -e 's$$($1_SEP),$$(strip $$($1_REPLACEMENTS)))))$$($1_SEP)g' -+ -e 's$$($1_SEP),$$(subst &,\&,$$(strip $$($1_REPLACEMENTS))))))$$($1_SEP)g' - else - # We don't have any replacements, just pipe the file through cat. - $1_REPLACEMENTS_COMMAND_LINE := $(CAT) diff --git a/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/jdk8269668-rh1977671-aarch64_lib_path_fix.patch new file mode 100644 index 0000000..ddf686c --- /dev/null +++ b/jdk8269668-rh1977671-aarch64_lib_path_fix.patch 
@@ -0,0 +1,32 @@ +From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001 +From: Severin Gehwolf +Date: Wed, 14 Jul 2021 12:06:39 +0200 +Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c + +--- + src/hotspot/os/linux/os_linux.cpp | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp +index e8baf704e3a..12b75b733b5 100644 +--- a/src/hotspot/os/linux/os_linux.cpp ++++ b/src/hotspot/os/linux/os_linux.cpp +@@ -413,8 +413,15 @@ void os::init_system_properties_values() { + // 7: The default directories, normally /lib and /usr/lib. + #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390) + #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib" ++#else ++#if defined(AARCH64) ++ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems ++ // might not adhere to the FHS and it would be a change in behaviour if we used ++ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths. ++ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64" + #else + #define DEFAULT_LIBPATH "/lib:/usr/lib" ++#endif // AARCH64 + #endif + + // Base path of extensions installed on the system. +-- +2.31.1 + diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh index f3be341..d475909 100644 --- a/remove-intree-libraries.sh +++ b/remove-intree-libraries.sh 
@@ -1,24 +1,52 @@ #!/bin/sh +# Arguments: +TREE=${1} +TYPE=${2} + ZIP_SRC=src/java.base/share/native/libzip/zlib/ JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ LCMS_SRC=src/java.desktop/share/native/liblcms/ -cd openjdk +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} echo "Removing built-in libs (they will be linked)" +# On full runs, allow for zlib having already been deleted by minimal echo "Removing zlib" -if [ ! -d ${ZIP_SRC} ]; then +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then echo "${ZIP_SRC} does not exist. Refusing to proceed." exit 1 fi rm -rvf ${ZIP_SRC} +# Minimal is limited to just zlib so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + echo "Removing libjpeg" -if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." exit 1 fi diff --git a/rh1566890-CVE_2018_3639-speculative_store_bypass.patch b/rh1566890-CVE_2018_3639-speculative_store_bypass.patch deleted file mode 100644 index bd52828..0000000 --- a/rh1566890-CVE_2018_3639-speculative_store_bypass.patch +++ /dev/null 
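Review bot: The usage message printed when `${TREE}` is empty, `echo "$0 (MINIMAL|FULL)"`, names the optional second argument rather than the missing first one; it should read something like `echo "$0 TREE (minimal|full)"`, in lower case because the later check compares `${TYPE}` against `minimal` and `full` exactly. `cd ${TREE}` is also unquoted and unchecked, and on a `full` run the zlib existence guard is skipped, so with a bad tree path `rm -rvf ${ZIP_SRC}` runs relative to the caller's directory before the libjpeg check stops the script; `cd "${TREE}" || exit 1` closes that. The hunk ends inside the libjpeg section, so the rest of the script is not visible here.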
@@ -1,61 +0,0 @@ -diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp ---- openjdk/src/hotspot/os/linux/os_linux.cpp -+++ openjdk/src/hotspot/os/linux/os_linux.cpp -@@ -107,6 +107,8 @@ - # include - # include - -+#include -+ - #ifndef _GNU_SOURCE - #define _GNU_SOURCE - #include -@@ -4984,6 +4986,48 @@ - extern void report_error(char* file_name, int line_no, char* title, - char* format, ...); - -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ - // this is called _before_ most of the global arguments have been parsed - void os::init(void) { - char dummy; // used to get a guess on initial stack address diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..8bf1ced --- /dev/null +++ b/rh1655466-global_crypto_and_fips.patch 
@@ -0,0 +1,205 @@ +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -196,26 +196,8 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); ++ if (SystemConfigurator.configure(props)) { + loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } + } + } + +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,151 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. 
++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) 
props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (fipsEnabled) { ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -87,6 +87,14 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the 
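Review bot: The `catch (Exception e)` around the FIPS block in `SystemConfigurator.configure()` swallows every failure and reports it only when the `properties` debug flag is on, so an error raised after "FIPS mode detected" leaves `props` with the `security.provider.*` entries already removed and returns `false` with no signal to the operator. The same block also sets `loadedProps = true` with no providers at all when the configuration defines no `fips.provider.1`. I would keep FIPS detection best-effort, as it is now, but let failures after detection propagate and refuse to continue when no FIPS provider was installed; the error type in the sketch is only a suggestion.

```java
        boolean fips;
        try {
            fips = enableFips();
        } catch (Exception e) {
            // Detection stays best-effort, as before: an unreadable
            // crypto-policies config is treated as non-FIPS.
            if (sdebug != null) {
                sdebug.println("unable to read " + CRYPTO_POLICIES_CONFIG);
                e.printStackTrace();
            }
            fips = false;
        }
        if (fips) {
            // … unchanged: remove security.provider.* entries, copy fips.provider.N …
            if (props.get("security.provider.1") == null) {
                throw new InternalError(
                        "FIPS mode detected but no fips.provider.1 is configured");
            }
            loadedProps = true;
        }
```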
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch new file mode 100644 index 0000000..e6355f2 --- /dev/null +++ b/rh1750419-redhat_alt_java.patch 
@@ -0,0 +1,116 @@ +diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk +--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 ++++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 +@@ -41,6 +41,16 @@ + OPTIMIZATION := HIGH, \ + )) + ++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c ++$(eval $(call SetupBuildLauncher, alt-java, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ ++ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ ++ LIBS_windows := user32.lib comctl32.lib, \ ++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ ++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ ++ OPTIMIZATION := HIGH, \ ++)) ++ + ifeq ($(OPENJDK_TARGET_OS), windows) + $(eval $(call SetupBuildLauncher, javaw, \ + CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ + +diff -r 25e94aa812b2 src/share/bin/alt_main.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). 
++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#ifdef REDHAT_ALT_JAVA ++ ++#include ++ ++ ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ ++#endif // REDHAT_ALT_JAVA +diff -r 25e94aa812b2 src/share/bin/main.c +--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 ++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 +@@ -34,6 +34,14 @@ + #include "jli_util.h" + #include "jni.h" + ++#ifdef REDHAT_ALT_JAVA ++#if defined(__linux__) && defined(__x86_64__) ++#include 
"alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 + diff --git a/rh1818909-fips_default_keystore_type.patch b/rh1818909-fips_default_keystore_type.patch new file mode 100644 index 0000000..ff34f3e --- /dev/null +++ b/rh1818909-fips_default_keystore_type.patch 
@@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 +@@ -299,6 +299,11 @@ + keystore.type=pkcs12 + + # ++# Default keystore type used when global crypto-policies are set to FIPS. 
++#
++fips.keystore.type=PKCS11
++
++#
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+ # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/rh1842572-rsa_default_for_keytool.patch b/rh1842572-rsa_default_for_keytool.patch
new file mode 100644
index 0000000..9f1dabc
--- /dev/null
+++ b/rh1842572-rsa_default_for_keytool.patch
@@ -0,0 +1,12 @@
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
++++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+@@ -1135,7 +1135,7 @@
+ }
+ } else if (command == GENKEYPAIR) {
+ if (keyAlgName == null) {
+- keyAlgName = "DSA";
++ keyAlgName = "RSA";
+ }
+ doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
+ kssave = true;
diff --git a/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/rh1860986-disable_tlsv1.3_in_fips_mode.patch
new file mode 100644
index 0000000..0a76cad
--- /dev/null
+++ b/rh1860986-disable_tlsv1.3_in_fips_mode.patch
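Review bot: `System.setProperty("javax.net.ssl.trustStoreType", nonFipsKeystoreType)` throws `NullPointerException` when `keystore.type` is absent from `props`, because `props.getProperty("keystore.type")` then returns null; the `catch (Exception e)` visible at the end of the inner hunk swallows it before `loadedProps = true`, so FIPS setup stops half-applied and is reported only under the debug flag. Guard the call: `if (nonFipsKeystoreType != null && System.getProperty("javax.net.ssl.trustStoreType") == null) {`. Separately, `System.setProperty("javax.net.ssl.keyStore", "NONE")` is unconditional, so it replaces a value the operator passed with `-D`; a one-line comment stating that this is intended would help the next reader. `configure()` starts and ends outside this inner hunk.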
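Review bot: The rh1842572 patch changes keytool's `-genkeypair` default from DSA to RSA without any header or comment recording why. I would add a short description at the top of the .patch file and a comment at the changed line, for example `// Downstream default is RSA, not upstream's DSA (rh1842572)`. Callers that pass a DSA `-sigalg` without `-keyalg` would presumably now hit a key/signature algorithm mismatch, so the change deserves a release note. The help text and the rest of the `GENKEYPAIR` branch are outside the hunk.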
@@ -0,0 +1,311 @@ +diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import jdk.internal.misc.SharedSecrets; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled 
= false; ++ ++ static { ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -160,13 +164,30 @@ + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. 
++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } + Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300 +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). 
++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 +@@ -76,6 +76,7 @@ + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -361,4 +362,12 @@ + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 +@@ -31,6 +31,7 @@ + 
import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import jdk.internal.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -542,20 +543,38 @@ + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -620,6 +639,16 @@ + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. 
++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -949,6 +978,16 @@ + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java +--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 +@@ -27,6 +27,8 @@ + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.provider.SunEntries.createAliases; +@@ -195,8 +197,13 @@ + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + (isfips? null : createAliases("SSL")), null); 
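Review bot: The system-FIPS branches in `SSLContextImpl` drop only `ProtocolVersion.TLS13` and keep `ProtocolVersion.TLS11` and `ProtocolVersion.TLS10` in `supportedProtocols` and `serverDefaultProtocols`, and the added comment does not say what prevents those legacy versions from being negotiated once TLS 1.2 is the ceiling. If that is left to the crypto-policies back-end, the comment should record it, for example `// TLSv1.0/1.1 remain listed; confirm they are disabled via jdk.tls.disabledAlgorithms in FIPS policy.` The same three-element list is also written out four times (twice in the static initializer, then in `getSupportedProtocols()` and `getProtocols()`), so a single shared constant would keep the copies from drifting apart. The enclosing methods continue outside the inner hunks.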
diff --git a/rh1915071-always_initialise_configurator_access.patch b/rh1915071-always_initialise_configurator_access.patch
new file mode 100644
index 0000000..21ced06
--- /dev/null
+++ b/rh1915071-always_initialise_configurator_access.patch
@@ -0,0 +1,68 @@ +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.misc.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -74,6 +75,15 @@ + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. 
+ // (the FileInputStream call and the File.exists call, +@@ -193,9 +203,8 @@ + } + + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); +- if (disableSystemProps == null && +- "true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { + loadedProps = true; + } +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -38,8 +38,6 @@ + import java.util.Properties; + import java.util.regex.Pattern; + +-import jdk.internal.misc.SharedSecrets; +-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -65,16 +63,6 @@ + + private static boolean systemFipsEnabled = false; + +- static { +- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( +- new JavaSecuritySystemConfiguratorAccess() { +- @Override +- public boolean isSystemFipsEnabled() { +- return SystemConfigurator.isSystemFipsEnabled(); +- } +- }); +- } +- + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and diff --git a/rh1929465-improve_system_FIPS_detection.patch b/rh1929465-improve_system_FIPS_detection.patch new file mode 100644 index 0000000..2cdf6f7 --- /dev/null +++ b/rh1929465-improve_system_FIPS_detection.patch 
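Review bot: With the new condition in `Security`, `java.security.disableSystemPropertiesFile` lets the system configuration load when it is unset or `false`, but every other value, including an empty string or a typo, still switches crypto-policies and FIPS alignment off without any trace. Treating only an explicit `true` as the opt-out would fail towards the system policy: `if (!"true".equalsIgnoreCase(disableSystemProps) &&`. If the wider opt-out is intended, an `sdebug` line recording that the system properties file was skipped would help when diagnosing why a host is not FIPS-aligned. The enclosing method continues outside the hunk.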
@@ -0,0 +1,430 @@ +diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +--- openjdk.orig/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -101,6 +101,7 @@ + LIB_SETUP_LIBFFI + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS ++ LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_SOLARIS_STLPORT + LIB_TESTS_SETUP_GRAALUNIT + +@@ -223,3 +224,62 @@ + fi + ]) + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl 
NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +--- openjdk.orig/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -828,6 +828,10 @@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk +--- openjdk.orig/make/lib/Lib-java.base.gmk ++++ openjdk/make/lib/Lib-java.base.gmk +@@ -179,6 +179,31 @@ + endif + + ################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ ++################################################################################ + # Create the symbols file for static builds. 
+ + ifeq ($(STATIC_BUILD), true) +diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml +--- openjdk.orig/make/nb_native/nbproject/configurations.xml ++++ openjdk/make/nb_native/nbproject/configurations.xml +@@ -2950,6 +2950,9 @@ + LinuxWatchService.c + + ++ ++ systemconf.c ++ + + + +@@ -29301,6 +29304,11 @@ + tool="0" + flavor2="0"> + ++ ++ + ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); 
++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? 
JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
+ * +@@ -30,13 +30,9 @@ + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -58,10 +54,21 @@ + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; ++ private static boolean systemFipsEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; + +- private static boolean systemFipsEnabled = false; ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } + + /* + * Invoked when java.security.Security class is initialized, if +@@ -170,16 +177,34 @@ + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. 
+ */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } diff --git a/rh1996182-extend_security_policy.patch b/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..78552c3 --- /dev/null +++ b/rh1996182-extend_security_policy.patch 
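Review bot: In the non-NSS branch of `Java_java_security_SystemConfigurator_getSystemFIPSEnabled`, a failed `fopen` only raises a pending IOException through `throwIOException`, and execution then continues into `fgetc(fe)` and `fclose(fe)` with `fe == NULL`. `ThrowNew` does not unwind native code, so the open-failure block needs an explicit `return JNI_FALSE;` after the throw. The same applies after the `fips_enabled == EOF` throw, where the code currently goes on to call `dbgPrint` and return a value with an exception pending. A crash or undefined result here sits on the path that decides whether FIPS alignment is applied, so both exits should be explicit.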
@@ -0,0 +1,18 @@
+commit 598fe421216b0a437fa36ee91a29966599867aa3
+Author: Andrew Hughes
+Date: Mon Aug 30 16:12:52 2021 +0100
+
+ RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
+
+diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
+index ab59a334cd..5db744ff17 100644
+--- openjdk.orig/src/java.base/share/lib/security/default.policy
++++ openjdk/src/java.base/share/lib/security/default.policy
+@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
+ grant codeBase "jrt:/jdk.crypto.cryptoki" {
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.com.sun.crypto.provider";
++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.sun.security.*";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
diff --git a/rh1996182-login_to_nss_software_token.patch b/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..d3a1dde
--- /dev/null
+++ b/rh1996182-login_to_nss_software_token.patch
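Review bot: The added `accessClassInPackage.jdk.internal.misc` grant opens the whole package to `jdk.crypto.cryptoki` under a security manager, while the companion login patch only appears to need `SharedSecrets` from it. The policy syntax cannot narrow the permission to one class, so the grant should at least carry its reason in the file, for example `// RH1996182: SunPKCS11 reads the system FIPS state through jdk.internal.misc.SharedSecrets`. Without that comment a later audit of default.policy cannot tell whether the entry is still required. The `grant` block continues outside the hunk.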
@@ -0,0 +1,66 @@ +commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e +Author: Martin Balao +Date: Fri Aug 27 19:42:07 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 0cf61732d7..2cd851587c 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -182,6 +182,7 @@ module java.base { + java.security.jgss, + java.sql, + java.xml, ++ jdk.crypto.cryptoki, + jdk.jartool, + jdk.attach, + jdk.charsets, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index b00b738b85..1eca1f8f0a 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import jdk.internal.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; +@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software 
Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException diff --git a/s390-8214206_fix.patch b/s390-8214206_fix.patch deleted file mode 100644 index 1d0c686..0000000 --- a/s390-8214206_fix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git openjdk.orig/jdk/src/hotspot/share/runtime/os.cpp openjdk/jdk/src/hotspot/share/runtime/os.cpp ---- openjdk.orig/src/hotspot/share/runtime/os.cpp -+++ openjdk/src/hotspot/share/runtime/os.cpp -@@ -1368,7 +1368,7 @@ - } - - void os::set_memory_serialize_page(address page) { -- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64); -+ int count = log2_intptr((uintptr_t) sizeof(class JavaThread)) - log2_int(64); - _mem_serialize_page = (volatile int32_t *)page; - // We initialize the serialization page shift count here - // We assume a cache line size of 64 bytes From df83518f1126e6222d64fdc959ca816e95a43b98 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sun, 3 Oct 2021 03:26:58 +0300 Subject: [PATCH 05/10] Remove invalid -Wa flag Fixes: 4961ba1e1a ("clang no flags") --- java-11-openjdk.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 51519ef..afe4a52 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec 
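Review bot: The `C_Login` block in the `SunPKCS11` constructor is guarded only by `systemFipsEnabled`, so in system FIPS mode it appears to run for every configured token, not only the NSS software token named in the comment. For a hardware token or HSM with a real PIN, an empty-PIN login is a failed authentication attempt, which can count against the device's retry limit and makes provider start-up fail. The `nssModule` check just above suggests the narrower guard `if (systemFipsEnabled && nssModule != null) {`, though whether `nssModule` is the right discriminator needs confirming against the rest of the constructor, which lies outside the hunk. The comment should also say what is expected when the NSS DB has been given a non-empty PIN.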
@@ -1763,11 +1763,12 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif +%if %{without clang} # Fixes annocheck warnings in assembler files due to missing build notes -%if 0 EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" +%else +EXTRA_ASFLAGS="${EXTRA_CFLAGS}" %endif -EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa" export EXTRA_CFLAGS EXTRA_ASFLAGS for suffix in %{build_loop} ; do From 65ced012b258c087fa90446ac654f58e6ff67404 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Sun, 3 Oct 2021 03:37:49 +0300 Subject: [PATCH 06/10] Fix mis-copypaste Fixes: 6dab1797207 ("Update to 11.0.12.0.7") --- java-11-openjdk.spec | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index afe4a52..828b073 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -200,6 +200,16 @@ %global staticlibs_loop %{nil} %endif +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} +%endif + # http://openjdk.java.net/groups/build/doc/building.html # unlike portables,the rpms have to use static_libs_target very dynamically #if %{without bootstrap} From da776f8d67d124f442264b58b7babde194ba98e1 Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Mon, 4 Oct 2021 14:39:48 +0300 Subject: [PATCH 07/10] fix more missyncs --- java-11-openjdk.spec | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 828b073..2959235 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec 
@@ -1601,7 +1601,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n %if %{include_normal_build} %package javadoc -Summary: %{origin_nice} %{featurever}API documentation +Summary: %{origin_nice} %{featurever} API documentation Group: Development/Java Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4 @@ -1610,9 +1610,7 @@ Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4 %description javadoc The %{origin_nice} %{featurever} API documentation. -%endif -%if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive Group: Development/Java @@ -2224,6 +2222,28 @@ arg = nil ; -- it is better to null the arg up, no meter if they exists or not, cjc = require "copy_jdk_configs.lua" args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} cjc.mainProgram(args) +-- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error +-- https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +-- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +-- Define the path to directory being replaced below. +-- DO NOT add a trailing slash at the end. +path1 = "%{_jvmdir}/%{sdkdir -- %{nil}}/conf" +path2 = "%{_jvmdir}/%{sdkdir -- %{nil}}/lib/security" +array = {path1, path2} +for index, path in pairs(array) do + st = posix.stat(path) + if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end + end +end %post %{post_script %{nil}} 
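Review bot: The added Lua loop `while not status do` has no exit other than a successful rename, so it assumes the first `os.rename(path, path .. ".rpmmoved")` failed only because the `.rpmmoved` target already exists. If it failed for any other reason (for example a read-only or cross-device path), the inner rename of `path .. ".rpmmoved"` can never succeed and the scriptlet spins forever inside the RPM transaction. Bounding the loop, e.g. `while not status and suffix < 100 do`, and checking the result of the final `os.rename(path, path .. ".rpmmoved")` would turn that into a visible failure. Declaring `st`, `status` and `suffix` as `local` would also keep them out of the shared Lua state. The scriptlet itself starts outside this hunk.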
From 8ae2557baa539178636680e78f5565b7ab3d1fea Mon Sep 17 00:00:00 2001 From: slava86 Date: Thu, 7 Oct 2021 14:41:54 +0300 Subject: [PATCH 08/10] adapt files for rosalinux build, remove unnecessary patches and configuration files --- JDK-8186780.patch | 19 ++++++++ JDK-8211029.patch | 40 ++++++++++++++++ JDK-8211170.patch | 66 ++++++++++++++++++++++++++ java-11-openjdk.rpmlintrc | 3 ++ java-11-openjdk.spec | 99 ++++++++++----------------------------- 5 files changed, 153 insertions(+), 74 deletions(-) create mode 100644 JDK-8186780.patch create mode 100644 JDK-8211029.patch create mode 100644 JDK-8211170.patch diff --git a/JDK-8186780.patch b/JDK-8186780.patch new file mode 100644 index 0000000..1463527 --- /dev/null +++ b/JDK-8186780.patch @@ -0,0 +1,19 @@ +diff --git a/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp b/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp +index c97d918..b949bfa 100644 +--- a/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp ++++ b/src/hotspot/os_cpu/linux_x86/os_linux_x86.cpp +@@ -98,13 +98,8 @@ address os::current_stack_pointer() { + register void *esp; + __asm__("mov %%" SPELL_REG_SP ", %0":"=r"(esp)); + return (address) ((char*)esp + sizeof(long)*2); +-#elif defined(__clang__) +- intptr_t* esp; +- __asm__ __volatile__ ("mov %%" SPELL_REG_SP ", %0":"=r"(esp):); +- return (address) esp; + #else +- register void *esp __asm__ (SPELL_REG_SP); +- return (address) esp; ++ return (address)__builtin_frame_address(0); + #endif + } + diff --git a/JDK-8211029.patch b/JDK-8211029.patch new file mode 100644 index 0000000..6848fd8 --- /dev/null +++ b/JDK-8211029.patch 
@@ -0,0 +1,40 @@ +# HG changeset patch +# User aph +# Date 1538411387 14400 +# Node ID 7cbb77546f87eaa3d9b96e1bcccbddebafbde1e4 +# Parent 5bdf60cd0ed01c9d57111be3e72d6383fdd60d74 +8211333: AArch64: Fix another build failure after JDK-8211029 +Reviewed-by: shade, aph +Contributed-by: pengfei.li@arm.com + +diff -r 5bdf60cd0ed0 -r 7cbb77546f87 src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp Mon Oct 01 16:41:10 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/macroAssembler_aarch64.cpp Mon Oct 01 12:29:47 2018 -0400 +@@ -1505,7 +1505,7 @@ + #ifndef PRODUCT + { + char buffer[64]; +- snprintf(buffer, sizeof(buffer), "0x%"PRIX64, imm64); ++ snprintf(buffer, sizeof(buffer), "0x%" PRIX64, imm64); + block_comment(buffer); + } + #endif +@@ -1568,7 +1568,7 @@ + #ifndef PRODUCT + { + char buffer[64]; +- snprintf(buffer, sizeof(buffer), "0x%"PRIX64, imm64); ++ snprintf(buffer, sizeof(buffer), "0x%" PRIX64, imm64); + block_comment(buffer); + } + #endif +@@ -1681,7 +1681,7 @@ + #ifndef PRODUCT + { + char buffer[64]; +- snprintf(buffer, sizeof(buffer), "0x%"PRIX32, imm32); ++ snprintf(buffer, sizeof(buffer), "0x%" PRIX32, imm32); + block_comment(buffer); + } + #endif + diff --git a/JDK-8211170.patch b/JDK-8211170.patch new file mode 100644 index 0000000..aca9dc6 --- /dev/null +++ b/JDK-8211170.patch 
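Review bot: The file added as `JDK-8211029.patch` carries the changeset `8211333: AArch64: Fix another build failure after JDK-8211029`, so its name points at a different bug than the one it fixes. Renaming it to `JDK-8211333.patch`, or adding `# JDK-8211333: AArch64: Fix another build failure after JDK-8211029` above the `Patch12:` line in java-11-openjdk.spec, keeps the backport traceable when the package is rebased or audited. The same commit adds `JDK-8186780.patch` with no changeset header at all, so a short origin comment beside `Patch11:` would cover that one as well.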
@@ -0,0 +1,66 @@ +# HG changeset patch +# User aph +# Date 1537981860 -3600 +# Node ID 8f0f7f2ae20bf68a114da6a6fdb09aa8a6c5d1de +# Parent ec4c3c287ca718e279be0d4c0956b375cea16afe +8211170: AArch64: Warnings in C1 and template interpreter +Reviewed-by: adinn + +diff -r ec4c3c287ca7 -r 8f0f7f2ae20b src/hotspot/cpu/aarch64/c1_LIRAssembler_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/c1_LIRAssembler_aarch64.cpp Tue Sep 18 20:49:44 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/c1_LIRAssembler_aarch64.cpp Wed Sep 26 18:11:00 2018 +0100 +@@ -1709,6 +1709,7 @@ + default: ShouldNotReachHere(); + } + break; ++ default: + ShouldNotReachHere(); + } + } else { +diff -r ec4c3c287ca7 -r 8f0f7f2ae20b src/hotspot/cpu/aarch64/c1_LIRGenerator_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/c1_LIRGenerator_aarch64.cpp Tue Sep 18 20:49:44 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/c1_LIRGenerator_aarch64.cpp Wed Sep 26 18:11:00 2018 +0100 +@@ -584,8 +584,8 @@ + case doubleTag: do_ArithmeticOp_FPU(x); return; + case longTag: do_ArithmeticOp_Long(x); return; + case intTag: do_ArithmeticOp_Int(x); return; ++ default: ShouldNotReachHere(); return; + } +- ShouldNotReachHere(); + } + + // _ishl, _lshl, _ishr, _lshr, _iushr, _lushr +@@ -792,9 +792,13 @@ + __ abs(value.result(), dst, LIR_OprFact::illegalOpr); + break; + } ++ default: ++ ShouldNotReachHere(); + } + break; + } ++ default: ++ ShouldNotReachHere(); + } + } + +diff -r ec4c3c287ca7 -r 8f0f7f2ae20b src/hotspot/cpu/aarch64/templateTable_aarch64.cpp +--- a/src/hotspot/cpu/aarch64/templateTable_aarch64.cpp Tue Sep 18 20:49:44 2018 +0200 ++++ b/src/hotspot/cpu/aarch64/templateTable_aarch64.cpp Wed Sep 26 18:11:00 2018 +0100 +@@ -2329,6 +2329,7 @@ + switch (code) { + case Bytecodes::_nofast_getfield: code = Bytecodes::_getfield; break; + case Bytecodes::_nofast_putfield: code = Bytecodes::_putfield; break; ++ default: break; + } + + assert(byte_no == f1_byte || byte_no == f2_byte, "byte_no out of range"); +@@ -2953,6 +2954,7 @@ + case 
Bytecodes::_fast_dputfield: __ pop_d(); break; + case Bytecodes::_fast_fputfield: __ pop_f(); break; + case Bytecodes::_fast_lputfield: __ pop_l(r0); break; ++ default: break; + } + __ bind(L2); + } + diff --git a/java-11-openjdk.rpmlintrc b/java-11-openjdk.rpmlintrc index 814cb51..704d2ff 100644 --- a/java-11-openjdk.rpmlintrc +++ b/java-11-openjdk.rpmlintrc @@ -8,3 +8,6 @@ addFilter("W: binary-or-shlib-defines-rpath .*/usr/lib/jvm/.*") addFilter("W: devel-file-in-non-devel-package .*/usr/lib/jvm/.*-slowdebug/.*") # allow long summaries to avoid odd diffs with Fedora addFilter("E: summary-too-long") +# add an exception as written in +# http://wiki.rosalab.ru/ru/index.php/Rpmlint_Errors#non-readable +addFilter("E: non-readable") diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 2959235..279395a 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -18,16 +18,24 @@ # # Enable fastdebug builds by default on relevant arches. +%ifarch %{ix86} +%bcond_with fastdebug +%else %bcond_without fastdebug +%endif # Enable slowdebug builds by default on relevant arches. +%ifarch %{ix86} +%bcond_with slowdebug +%else %bcond_without slowdebug +%endif # Enable release builds by default on relevant arches. %bcond_without release # Enable static library builds by default. -%bcond_without staticlibs +%bcond_with staticlibs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -135,8 +143,6 @@ %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector %global zgc_arches x86_64 -# Set of architectures for which alt-java has SSB mitigation -%global ssbd_arches x86_64 # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} 
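Review bot: `addFilter("E: non-readable")` in java-11-openjdk.rpmlintrc silences the check for every file in every subpackage, whereas the rpath and devel-file filters above it are scoped with a path regex such as `.*/usr/lib/jvm/.*`. An unscoped filter also hides any other file that later ships with unexpected permissions. Restricting it to the path that actually triggers the error, in the form `addFilter("E: non-readable <PATH-REGEX>")`, and naming that file in the comment would keep the check useful for the rest of the package.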
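Review bot: In the `@@ -18,16 +18,24 @@` hunk the comment `# Enable static library builds by default.` now sits above `%bcond_with staticlibs`, which makes the static-library build opt-in rather than the default. The comment should follow the code, e.g. `# Static library builds are disabled by default; build with --with staticlibs to enable.` The fastdebug and slowdebug comments could likewise say that `%{ix86}` is excluded, since "relevant arches" no longer tells the reader which ones.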
@@ -225,13 +231,13 @@ # See RHBZ#1861401 %define _lto_cflags %{nil} -# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# Filter out flags from the macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 # We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) # We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings # We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ %ifarch %{ix86} -%global optflags %optflags -fno-PIC +%global optflags %optflags -fno-PIC -mstackrealign %endif %global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') @@ -433,8 +439,6 @@ %define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} -%global alt_java_name alt-java - %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ # For flatpack builds hard-code /usr/sbin/alternatives, @@ -479,7 +483,6 @@ ext=%{_extension} alternatives \\ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ - --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ 
@@ -488,8 +491,6 @@ alternatives \\ --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ - --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ - %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ @@ -557,7 +558,7 @@ if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -ext=.gz +ext=.xz alternatives \\ --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ @@ -714,7 +715,6 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 @@ -767,7 +767,6 @@ exit 0 %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so @@ -775,7 +774,6 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1* 
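Review bot: The javac alternatives block now hard-codes `ext=.xz`, while the java alternatives block takes the suffix from the macro (context line `ext=%{_extension}` in the earlier hunk). If the distribution's man-page compression ever differs from `.xz`, only the SDK man-page slaves would end up as broken symlinks, which is the failure the earlier `.gz` fix in this series describes. Using `ext=%{_extension}` here keeps both blocks on one source of truth.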
@@ -810,7 +808,6 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # this is conifg template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template @@ -822,7 +819,6 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_bindir}/java -%ghost %{_bindir}/%{alt_java_name} %ghost %{_jvmdir}/jre # https://bugzilla.redhat.com/show_bug.cgi?id=1312019 %ghost %{_bindir}/jjs @@ -910,7 +906,6 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java -%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jaotc %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod @@ -1228,9 +1223,6 @@ Source303: https://download.bell-sw.com/java/11.0.10+9/bellsoft-jdk11.0.10+9-lin # Ensure vendor settings are correct Source16: CheckVendor.java -# nss fips configuration file -Source17: nss.fips.cfg.in - ############################################ # # RPM/distribution specific patches 
@@ -1243,25 +1235,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch -# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY -Patch1003: rh1842572-rsa_default_for_keytool.patch -# FIPS support patches -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -Patch1001: rh1655466-global_crypto_and_fips.patch -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -Patch1002: rh1818909-fips_default_keystore_type.patch -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess -Patch1007: rh1915071-always_initialise_configurator_access.patch -# RH1929465: Improve system FIPS detection -Patch1008: rh1929465-improve_system_FIPS_detection.patch -# RH1996182: Login to the NSS software token in FIPS mode -Patch1009: rh1996182-login_to_nss_software_token.patch -Patch1010: rh1996182-extend_security_policy.patch ############################################# # @@ -1283,8 +1257,6 @@ Patch1010: rh1996182-extend_security_policy.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# PR3695: Allow use of system crypto policy to be disabled by the user -Patch7: pr3695-toggle_system_crypto_policy.patch ############################################# # 
@@ -1300,6 +1272,11 @@ Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch # ROSA patch Patch10: clang_stack.patch +Patch11: JDK-8186780.patch + +# aarch64 +Patch12: JDK-8211029.patch +Patch13: JDK-8211170.patch %if %{with clang} BuildRequires: clang @@ -1673,21 +1650,18 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch7 -p1 %patch8 -p1 +%if %{with clang} %patch10 -p1 +%patch11 -p1 +%endif +%ifarch aarch64 +%patch12 -p1 +%patch13 -p1 +%endif popd # openjdk %patch1000 -%patch600 -%patch1001 -%patch1002 -%patch1003 -%patch1004 -%patch1007 -%patch1008 -%patch1009 -%patch1010 # Extract systemtap tapsets %if %{with_systemtap} @@ -1738,10 +1712,6 @@ done # Setup nss.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg -# Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg - %build %if %{with clang} export CC="clang" @@ -1838,7 +1808,6 @@ bash ${top_dir_abs_src_path}/configure \ %endif --with-debug-level=$debugbuild \ --with-native-debug-symbols=$debug_symbols \ - --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=${link_opt} \ --with-libjpeg=${link_opt} \ @@ -1858,7 +1827,7 @@ bash ${top_dir_abs_src_path}/configure \ %if %{with clang} --with-toolchain-type="clang" \ %endif - -- + %{nil} make \ JAVAC_FLAGS=-g \ @@ -1892,10 +1861,6 @@ find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; # Install nss.cfg right away as we will be using the JRE above export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -# FIPS does not make sense in ROSA, we also use --disable-sysconf-nss -#install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ - # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ 
@@ -1905,13 +1870,6 @@ rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat %endif -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd - # build cycles done # end of release / debug cycle loop @@ -1951,13 +1909,6 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendo # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi -# Check alt-java launcher has SSB mitigation on supported architectures -%ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation -%else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi -%endif - %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} From 53ab1acbdcbf0540a784559e510753646dc67ae5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=A1=D0=B2=D1=8F=D1=82=D0=BE=D1=81=D0=BB=D0=B0=D0=B2?= Date: Thu, 7 Oct 2021 13:04:07 +0000 Subject: [PATCH 09/10] exclude i686 architecture --- java-11-openjdk.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 279395a..3b2f2a4 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -1332,6 +1332,8 @@ BuildRequires: make BuildRequires: systemtap-devel %endif +ExcludeArch: i686 + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} From 64aaadf6753271824cfa996dd241a5f9163ce30e Mon Sep 17 00:00:00 2001 
From: Mikhail Novosyolov Date: Sat, 5 Feb 2022 08:51:42 +0300 Subject: [PATCH 10/10] Pull java 1.8 as java-devel, not java 11 All Java stack in ROSA requires java 1.8 as a BR --- java-11-openjdk.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 3b2f2a4..228ee52 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -114,6 +114,9 @@ # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) %global is_system_jdk 1 +# XXX ROSA-specific: commit 6dab1797 accidently put is_system_jdk=1 instead of 0, +# now leaving java 11 with this, but exclude devel provides to restore java 1.8 as default JDK and leave java 11 as default JRE +%global devel_provides 0 %global aarch64 aarch64 arm64 armv8 # we need to distinguish between big and little endian PPC64 @@ -354,7 +357,7 @@ %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 7 -%global rpmrelease 7 +%global rpmrelease 8 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -1062,7 +1065,7 @@ Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} -%if %is_system_jdk +%if %{is_system_jdk} && %{devel_provides} Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}