diff --git a/.gitignore b/.gitignore
index 28181b7..022af8b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u282-b08-4curve.tar.xz
+SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b08-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 9832ba2..35ed263 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-de58a4f646ca65cafbd2166d7d08eb330adaf4e6 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u282-b08-4curve.tar.xz
+72250f55a8932ac5b53e4d2dba0d7c5644201ef0 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b08-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index ee1e724..1cb973a 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,6 +3,543 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 8u302 (2021-07-20):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u302
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u302.txt
+
+* Security fixes
+ - JDK-8256157: Improve bytecode assembly
+ - JDK-8256491: Better HTTP transport
+ - JDK-8258432, CVE-2021-2341: Improve file transfers
+ - JDK-8260453: Improve Font Bounding
+ - JDK-8260960: Signs of jarsigner signing
+ - JDK-8260967, CVE-2021-2369: Better jar file validation
+ - JDK-8262380: Enhance XML processing passes
+ - JDK-8262403: Enhanced data transfer
+ - JDK-8262410: Enhanced rules for zones
+ - JDK-8262477: Enhance String Conclusions
+ - JDK-8262967: Improve Zip file support
+ - JDK-8264066, CVE-2021-2388: Enhance compiler validation
+ - JDK-8264079: Improve abstractions
+ - JDK-8264460: Improve NTLM support
+* Other changes
+ - JDK-6878250: (so) IllegalBlockingModeException thrown when reading from a closed SocketChannel's InputStream
+ - JDK-6990210: [TEST_BUG] EventDispatchThread/HandleExceptionOnEDT/HandleExceptionOnEDT.java fails on gnome
+ - JDK-7059970: Test case: javax/imageio/plugins/png/ITXtTest.java is not closing a file
+ - JDK-7106851: Test should not use System.exit
+ - JDK-8019470: Changes needed to compile JDK 8 on MacOS with clang compiler
+ - JDK-8028618: [TEST BUG] javax/swing/JScrollBar/bug4202954/bug4202954.java fails
+ - JDK-8030123: java/beans/Introspector/Test8027648.java fails
+ - JDK-8032050: Clean up for java/rmi/activation/Activatable/shutdownGracefully/ShutdownGracefully.java
+ - JDK-8033289: clang: clean up unused function warning
+ - JDK-8034856: gcc warnings compiling src/solaris/native/sun/security/pkcs11
+ - JDK-8034857: gcc warnings compiling src/solaris/native/sun/management
+ - JDK-8035000: clean up ActivationLibrary.DestroyThread
+ - JDK-8035054: JarFacade.c should not include ctype.h
+ - JDK-8035287: gcc warnings compiling various libraries files
+ - JDK-8036095: RMI tests using testlibrary.RMID and testlibrary.JavaVM do not pass through vmoptions
+ - JDK-8037825: Fix warnings and enable "warnings as errors" in serviceability native libraries
+ - JDK-8042891: Format issues embedded in macros for two g1 source files
+ - JDK-8043264: hsdis library not picked up correctly on expected paths
+ - JDK-8043646: libosxapp.dylib fails to build on Mac OS 10.9 with clang
+ - JDK-8047939: [TESTBUG] Rewrite test/runtime/8001071/Test8001071.sh
+ - JDK-8055754: filemap.cpp does not compile with clang
+ - JDK-8064909: FragmentMetaspace.java got OutOfMemoryError
+ - JDK-8066508: JTReg tests timeout on slow devices when run using JPRT
+ - JDK-8066807: langtools/test/Makefile should use -agentvm not -samevm
+ - JDK-8071374: -XX:+PrintAssembly -XX:+PrintSignatureHandlers crash fastdebug VM with assert(limit == __null || limit <= nm->code_end()) in RelocIterator::initialize
+ - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137
+ - JDK-8074835: Resolve disabled warnings for libj2gss
+ - JDK-8074836: Resolve disabled warnings for libosxkrb5
+ - JDK-8075071: [TEST_BUG] TimSortStackSize2.java: OOME: Java heap space: MaxHeap shrinked by MaxRAMFraction
+ - JDK-8077364: "if( !this )" construct prevents build on Xcode 6.3
+ - JDK-8078855: [TEST_BUG] javax/swing/JComboBox/8032878/bug8032878.java fails in WindowsClassicLookAndFeel
+ - JDK-8081764: [TEST_BUG] Test javax/swing/plaf/aqua/CustomComboBoxFocusTest.java fails on Windows, Solaris Sparcv9 and Linux but passes on MacOSX
+ - JDK-8129511: PlatformMidi.c:83 uses malloc without malloc header
+ - JDK-8130308: Too low memory usage in TestPromotionFromSurvivorToTenuredAfterMinorGC.java
+ - JDK-8130430: [TEST_BUG] remove unnecessary internal calls from javax/swing/JRadioButton/8075609/bug8075609.java
+ - JDK-8132148: G1 hs_err region dump legend out of sync with region values
+ - JDK-8132709: [TESTBUG] gc/g1/TestHumongousShrinkHeap.java might fail on embedded
+ - JDK-8134672: [TEST_BUG] Some tests should check isDisplayChangeSupported
+ - JDK-8134883: C1 hard crash in range check elimination in Nashorn test262parallel
+ - JDK-8136592: [TEST_BUG] Fix 2 platform-specific closed regtests for jigsaw
+ - JDK-8138820: JDK Hotspot build fails with Xcode 7.0.1
+ - JDK-8151786: [TESTBUG] java/beans/XMLEncoder/Test4625418.java timed out intermittently
+ - JDK-8159898: Negative array size in java/beans/Introspector/Test8027905.java
+ - JDK-8166046: [TESTBUG] compiler/stringopts/TestStringObjectInitialization.java fails with OOME
+ - JDK-8166724: gc/g1/TestHumongousShrinkHeap.java fails with OOME
+ - JDK-8172188: JDI tests fail due to "permission denied" when creating temp file
+ - JDK-8177809: File.lastModified() is losing milliseconds (always ends in 000)
+ - JDK-8178403: DirectAudio in JavaSound may hang and leak
+ - JDK-8180478: tools/launcher/MultipleJRE.sh fails on Windows because of extra-''
+ - JDK-8183910: gc/arguments/TestAggressiveHeap.java fails intermittently
+ - JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large
+ - JDK-8190679: java/util/Arrays/TimSortStackSize2.java fails with "Initial heap size set to a larger value than the maximum heap size"
+ - JDK-8191955: AArch64: incorrect prefetch distance causes an internal error
+ - JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails
+ - JDK-8199265: java/util/Arrays/TimSortStackSize2.java fails with OOM
+ - JDK-8200550: Xcode 9.3 produce warning -Wexpansion-to-defined
+ - JDK-8202299: Java Keystore fails to load PKCS12/PFX certificates created in WindowsServer2016
+ - JDK-8203196: C1 emits incorrect code due to integer overflow in _tableswitch keys
+ - JDK-8205014: com/sun/jndi/ldap/DeadSSLLdapTimeoutTest.java failed with "Read timed out"
+ - JDK-8206243: java -XshowSettings fails if memory.limit_in_bytes overflows LONG.max
+ - JDK-8206925: Support the certificate_authorities extension
+ - JDK-8209996: [PPC64] Fix JFR profiling
+ - JDK-8214345: infinite recursion while checking super class
+ - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
+ - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking
+ - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021
+ - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails
+ - JDK-8228757: Fail fast if the handshake type is unknown
+ - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp
+ - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE
+ - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns
+ - JDK-8231949: [PPC64, s390]: Make async profiling more reliable
+ - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
+ - JDK-8239053: [8u] clean up undefined-var-template warnings
+ - JDK-8239400: [8u] clean up undefined-var-template warnings
+ - JDK-8241649: Optimize Character.toString
+ - JDK-8241829: Cleanup the code for PrinterJob on windows
+ - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled
+ - JDK-8243559: Remove root certificates with 1024-bit keys
+ - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
+ - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
+ - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
+ - JDK-8250876: Fix issues with cross-compile on macos
+ - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
+ - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)
+ - JDK-8254631: Better support ALPN byte wire values in SunJSSE
+ - JDK-8255086: Update the root locale display names
+ - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too
+ - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources
+ - JDK-8257039: [8u] GenericTaskQueue destructor is incorrect
+ - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
+ - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test
+ - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
+ - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region
+ - JDK-8258419: RSA cipher buffer cleanup
+ - JDK-8258669: fastdebug jvm crashes when do event based tracing for monitor inflation
+ - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
+ - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
+ - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect
+ - JDK-8259886: Improve SSL session cache performance and scalability
+ - JDK-8260029: aarch64: fix typo in verify_oop_array
+ - JDK-8260236: better init AnnotationCollector _contended_group
+ - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
+ - JDK-8260484: CheckExamples.java / NoJavaLangTest.java fail with jtreg 4.2
+ - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end
+ - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
+ - JDK-8261867: Backport relevant test changes & additions from JDK-8130125
+ - JDK-8262110: DST starts from incorrect time in 2038
+ - JDK-8262446: DragAndDrop hangs on Windows
+ - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
+ - JDK-8262730: Enable jdk8u MacOS external debug symbols
+ - JDK-8262864: No debug symbols in image for Windows --with-native-debug-symbols=external
+ - JDK-8263061: copy wrong unpack200 debuginfo to bin directory after 8252395
+ - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
+ - JDK-8263600: change rmidRunning to a simple lookup
+ - JDK-8264509: jdk8u MacOS zipped debug symbols won't build
+ - JDK-8264562: assert(verify_field_bit(1)) failed: Attempting to write an uninitialized event field: type
+ - JDK-8264640: CMS ParScanClosure misses a barrier
+ - JDK-8264816: Weak handles leak causes GC to take longer
+ - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
+ - JDK-8265666: Enable AIX build platform to make external debug symbols
+ - JDK-8265832: runtime/StackGap/testme.sh fails to compile in 8u
+ - JDK-8265988: Fix sun/text/IntHashtable/Bug4170614 for JDK 8u
+ - JDK-8266191: Missing aarch64 parts of JDK-8181872 (C1: possible overflow when strength reducing integer multiply by constant)
+ - JDK-8266723: JFR periodic events are causing extra allocations
+ - JDK-8266929: Unable to use algorithms from 3p providers
+ - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
+ - JDK-8267426: MonitorVmStartTerminate test timed out on Embedded VM
+ - JDK-8267545: [8u] Enable Xcode 12 builds on macOS
+ - JDK-8267689: [aarch64] Crash due to bad shift in indirect addressing mode
+ - JDK-8268444: keytool -v -list print is incorrect after backport JDK-8141457
+ - JDK-8269388: Default build of OpenJDK 8 fails on newer GCCs with warnings as errors on format-overflow
+ - JDK-8269468: JDK-8269388 breaks the build on older GCCs
+ - JDK-8270533: AArch64: size_fits_all_mem_uses should return false if its output is a CAS
+* Shenandoah
+ - [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState
+ - [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp
+ - [backport] JDK-8261251: Shenandoah: Use object size for full GC humongous
+ - [backport] JDK-8261413: Shenandoah: Disable class-unloading in I-U mode
+ - [backport] JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
+ - [backport] JDK-8266802: Shenandoah: Round up region size to page size unconditionally
+ - [backport] JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
+ - [backport] JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size
+ - [backport] JDK-8268699: Shenandoah: Add test for JDK-8268127
+ - Shenandoah: Process weak roots during class unloading cycle
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8256902: Removed Root Certificates with 1024-bit Keys
+=========================================================
+The following root certificates with weak 1024-bit RSA public keys
+have been removed from the `cacerts` keystore:
+
+Alias Name: thawtepremiumserverca [jdk]
+Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+
+Alias Name: verisignclass2g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3ca [jdk]
+Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisigntsaca [jdk]
+Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+
+JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate
+=================================================================
+
+The following root certificate have been removed from the cacerts truststore:
+
+Alias Name: soneraclass2ca
+Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI
+
+security-libs/javax.net.ssl:
+
+JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
+=========================================================================================
+Certain TLS ALPN values couldn't be properly read or written by the
+SunJSSE provider. This is due to the choice of Strings as the API
+interface and the undocumented internal use of the UTF-8 Character Set
+which converts characters larger than U+00007F (7-bit ASCII) into
+multi-byte arrays that may not be expected by a peer.
+
+ALPN values are now represented using the network byte representation
+expected by the peer, which should require no modification for
+standard 7-bit ASCII-based character Strings. However, SunJSSE now
+encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
+characters. This means applications that used characters above
+U+000007F that were previously encoded using UTF-8 may need to either
+be modified to perform the UTF-8 conversion, or set the Java security
+property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
+
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
+JDK-8244460: Support for certificate_authorities Extension
+==========================================================
+The "certificate_authorities" extension is an optional extension
+introduced in TLS 1.3. It is used to indicate the certificate
+authorities (CAs) that an endpoint supports and should be used by the
+receiving endpoint to guide certificate selection.
+
+With this JDK release, the "certificate_authorities" extension is
+supported for TLS 1.3 in both the client and the server sides. This
+extension is always present for client certificate selection, while it
+is optional for server certificate selection.
+
+Applications can enable this extension for server certificate
+selection by setting the `jdk.tls.client.enableCAExtension` system
+property to `true`. The default value of the property is `false`.
+
+Note that if the client trusts more CAs than the size limit of the
+extension (less than 2^16 bytes), the extension is not enabled. Also,
+some server implementations do not allow handshake messages to exceed
+2^14 bytes. Consequently, there may be interoperability issues when
+`jdk.tls.client.enableCAExtension` is set to `true` and the client
+trusts more CAs than the server implementation limit.
+
+New in release OpenJDK 8u292 (2021-04-20):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk8u292
+ * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u292.txt
+
+* Security fixes
+ - JDK-8227467: Better class method invocations
+ - JDK-8244473: Contextualize registration for JNDI
+ - JDK-8244543: Enhanced handling of abstract classes
+ - JDK-8249906, CVE-2021-2163: Enhance opening JARs
+ - JDK-8250568, CVE-2021-2161: Less ambiguous processing
+ - JDK-8253799: Make lists of normal filenames
+* Other changes
+ - JDK-6345095: regression test EmptyClipRenderingTest fails
+ - JDK-6896810: TEST_BUG: java/lang/ref/SoftReference/Pin.java fails with OOME during System.out.println
+ - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop
+ - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled
+ - JDK-7112454: TEST_BUG: java/awt/Choice/PopdownGeneratesMouseEvents/PopdownGeneratesMouseEvents.html failed
+ - JDK-7131835: [TEST_BUG] Test does not consider that the rounded edges of the window in Mac OS 10.7
+ - JDK-7185221: [macosx] Regtest should not throw exception if a suitable display mode found
+ - JDK-8031126: java/lang/management/ThreadMXBean/ThreadUserTime.java fails intermittently
+ - JDK-8035166: Remove dependency on EC classes from pkcs11 provider
+ - JDK-8035186: j2se_jdk/jdk/test/java/lang/invoke/lambda/LogGeneratedClassesTest.java - assertion error
+ - JDK-8038723: Openup some PrinterJob tests
+ - JDK-8041464: [TEST_BUG] CustomClassLoaderTransferTest does not support OS X
+ - JDK-8041561: Inconsistent opacity behaviour between JCheckBox and JRadioButton
+ - JDK-8061777: (zipfs) IllegalArgumentException in ZipCoder.toString when using Shitft_JIS
+ - JDK-8078024: javac, several incorporation steps are silently failing when an error should be reported
+ - JDK-8078450: Implement consistent process for quarantine of tests
+ - JDK-8078614: WindowsClassicLookAndFeel MetalComboBoxUI.getbaseLine fails with IllegalArgumentException
+ - JDK-8080953: [TEST_BUG]Test java/awt/FontClass/DebugFonts.java fails due to wrongly typed bugid
+ - JDK-8081547: Prepare client libs regression tests for running in a concurrent, headless jtreg environment
+ - JDK-8129626: G1: set_in_progress() and clear_started() needs a barrier on non-TSO platforms
+ - JDK-8141457: keytool default cert fingerprint algorithm should be SHA-256
+ - JDK-8145051: Wrong parameter name in synthetic lambda method leads to verifier error
+ - JDK-8150204: (fs) Enhance java/nio/file/Files/probeContentType/Basic.java debugging output
+ - JDK-8158525: Update a few java/net tests to use the loopback address instead of the host address
+ - JDK-8160217: JavaSound should clean up resources better
+ - JDK-8167281: IIOMetadataNode bugs in getElementsByTagName and NodeList.item methods
+ - JDK-8168996: C2 crash at postaloc.cpp:140 : assert(false) failed: unexpected yanked node
+ - JDK-8171410: aarch64: long multiplyExact shifts by 31 instead of 63
+ - JDK-8172404: Tools should warn if weak algorithms are used before restricting them
+ - JDK-8185934: keytool shows "Signature algorithm: SHA1withECDSA, -1-bit key"
+ - JDK-8191915: JCK tests produce incorrect results with C2
+ - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
+ - JDK-8202343: Disable TLS 1.0 and 1.1
+ - JDK-8209333: Socket reset issue for TLS 1.3 socket close
+ - JDK-8211301: [macos] support full window content options
+ - JDK-8211339: NPE during SSL handshake caused by HostnameChecker
+ - JDK-8216987: ciMethodData::load_data() unpacks MDOs with non-atomic copy
+ - JDK-8217338: [Containers] Improve systemd slice memory limit support
+ - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl
+ - JDK-8221408: Windows 32bit build build errors/warnings in hotspot
+ - JDK-8223186: HotSpot compile warnings from GCC 9
+ - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14
+ - JDK-8225805: Java Access Bridge does not close the logger
+ - JDK-8226899: Problemlist compiler/rtm tests
+ - JDK-8227642: [TESTBUG] Make docker tests podman compatible
+ - JDK-8228434: jdk/net/Sockets/Test.java fails after JDK-8227642
+ - JDK-8229284: jdk/internal/platform/cgroup/TestCgroupMetrics.java fails for - memory:getMemoryUsage
+ - JDK-8230388: Problemlist additional compiler/rtm tests
+ - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
+ - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3
+ - JDK-8234728: Some security tests should support TLSv1.3
+ - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions
+ - JDK-8235311: Tag mismatch may alert bad_record_mac
+ - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property.
+ - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory
+ - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read
+ - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code.
+ - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1
+ - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE"
+ - JDK-8242141: New System Properties to configure the TLS signature schemes
+ - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11
+ - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit
+ - JDK-8249183: JVM crash in "AwtFrame::WmSize" method
+ - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
+ - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows
+ - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
+ - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities
+ - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray
+ - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
+ - JDK-8253368: TLS connection always receives close_notify exception
+ - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities
+ - JDK-8253932: SSL debug log prints incorrect caller info
+ - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations
+ - JDK-8255880: UI of Swing components is not redrawn after their internal state changed
+ - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
+ - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java
+ - JDK-8256421: Add 2 HARICA roots to cacerts truststore
+ - JDK-8256642: [TEST_BUG] jdk/test/javax/sound/midi/MidiSystem/DefaultProperties.java failed
+ - JDK-8258079: Eliminate ParNew's use of klass_or_null()
+ - JDK-8256682: JDK-8202343 is incomplete
+ - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines
+ - JDK-8258241: [8u] Missing doPrivileged() hunks from JDK-8226575
+ - JDK-8258247: Couple of issues in fix for JDK-8249906
+ - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk()
+ - JDK-8258430: 8u backport of JDK-8063107 missing test/javax/swing/JRadioButton/8041561/bug8041561.java changes
+ - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures
+ - JDK-8258933: G1 needs klass_or_null_acquire
+ - JDK-8259048: (tz) Upgrade time-zone data to tzdata2020f
+ - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will
+ - JDK-8259384: CUP version wrong in THIRD_PARTY_README after JDK-8233548
+ - JDK-8259428: AlgorithmId.getEncodedParams() should return copy
+ - JDK-8259568: PPC64 builds broken after JDK-8221408 8u backport
+ - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS
+ - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a
+ - JDK-8260930: AARCH64: Invalid value passed to critical JNI function
+ - JDK-8261183: Follow on to Make lists of normal filenames
+ - JDK-8261231: Windows IME was disabled after DnD operation
+ - JDK-8261766: [8u] hotspot needs to recognise cl.exe 19.16 to build with VS2017
+ - JDK-8262073: assert(allocates2(pc)) failed: not in CodeBuffer memory
+ - JDK-8262075: sun/security/krb5/auto/UseCacheAndStoreKey.java timed out intermittently
+ - JDK-8263008: AARCH64: Add debug info for libsaproc.so
+ - JDK-8264171: Missing aarch64 parts of JDK-8236179 (C1 register allocation failure with T_ADDRESS)
+* Shenandoah
+ - Normalise whitespace in AArch64 sources prior to merge of upstreamed version in 8u292-b01.
+ - Revert differences against upstream 8u
+ - [backport] 8202976: Add C1 lea patching support for x86
+ - [backport] 8221507: Implement JFR Events for Shenandoah
+ - [backport] 8224573: Fix windows build after JDK-8221507
+ - [backport] 8228369: Shenandoah: Refactor LRB C1 stubs
+ - [backport] 8229474: Shenandoah: Cleanup CM::update_roots()
+ - [backport] 8229709: x86_32 build and test failures after JDK-8228369 (Shenandoah: Refactor LRB C1 stubs)
+ - [backport] 8231087: Shenandoah: Self-fixing load reference barriers for C1/C2
+ - [backport] 8232747: Shenandoah: Concurrent GC should deactivate SATB before processing weak roots
+ - [backport] 8232992: Shenandoah: Implement self-fixing interpreter LRB
+ - [backport] 8233021: Shenandoah: SBSC2::is_shenandoah_lrb_call should match all LRB shapes
+ - [backport] 8233165: Shenandoah:SBSA::gen_load_reference_barrier_stub() should use pointer register for address on aarch64
+ - [backport] 8233574: Shenandoah: build is broken without jfr
+ - [backport] 8237837: Shenandoah: assert(mem == __null) failed: only one safepoint
+ - [backport] 8238153: CTW: C2 (Shenandoah) compilation fails with "Unknown node in get_load_addr: CreateEx"
+ - [backport] 8238851: Shenandoah: C1: Resolve into registers of correct type
+ - [backport] 8240315: Shenandoah: Rename ShLBN::get_barrier_strength()
+ - [backport] 8240751: Shenandoah: fold ShenandoahTracer definition
+ - [backport] 8241765: Shenandoah: AARCH64 need to save/restore call clobbered registers before calling keepalive barrier
+ - [backport] 8244510: Shenandoah: invert SHC2Support::is_in_cset condition
+ - [backport] 8244663: Shenandoah: C2 assertion fails in Matcher::collect_null_checks
+ - [backport] 8244721: CTW: C2 (Shenandoah) compilation fails with "unexpected infinite loop graph shape"
+ - [backport] 8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
+ - [backport] 8252660: Shenandoah: support manageable SoftMaxHeapSize option
+ - [backport] 8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()
+ - [backport] 8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads
+ - [backport] 8255457: Shenandoah: cleanup ShenandoahMarkTask
+ - [backport] 8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback
+ - [backport] 8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test
+ - [backport] 8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
+ - Fix register allocation for thread register is 32bit LRB
+ - Fix Shenandoah bindings in ADLC formssel
+ - Shenandoah: Backed out weak roots cleaning during full gc
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8260597: Added 2 HARICA Root CA Certificates
+================================================
+
+The following root certificates have been added to the cacerts truststore:
+
+Alias Name: haricarootca2015
+Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+
+Alias Name: haricaeccrootca2015
+Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+
+JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
+===================================================================================
+Weak named curves are disabled by default by adding them to the
+following `disabledAlgorithms` security properties:
+
+* jdk.tls.disabledAlgorithms
+* jdk.certpath.disabledAlgorithms
+* jdk.jar.disabledAlgorithms
+
+Red Hat has always disabled many of the curves provided by upstream,
+so the only addition in this release is:
+
+* secp256k1
+
+The curves that remain enabled are:
+
+* secp256r1
+* secp384r1
+* secp521r1
+* X25519
+* X448
+
+When large numbers of weak named curves need to be disabled, adding
+individual named curves to each `disabledAlgorithms` property would be
+overwhelming. To relieve this, a new security property,
+`jdk.disabled.namedCurves`, is implemented that can list the named
+curves common to all of the `disabledAlgorithms` properties. To use
+the new property in the `disabledAlgorithms` properties, precede the
+full property name with the keyword `include`. Users can still add
+individual named curves to `disabledAlgorithms` properties separate
+from this new property. No other properties can be included in the
+`disabledAlgorithms` properties.
+
+To restore the named curves, remove the `include
+jdk.disabled.namedCurves` either from specific or from all
+`disabledAlgorithms` security properties. To restore one or more
+curves, remove the specific named curve(s) from the
+`jdk.disabled.namedCurves` property.
+
+JDK-8244286: Tools Warn If Weak Algorithms Are Used
+===================================================
+The `keytool` and `jarsigner` tools have been updated to warn users
+when weak cryptographic algorithms are used in keys, certificates, and
+signed JARs before they are disabled. The weak algorithms are set in
+the `jdk.security.legacyAlgorithms` security property in the
+`java.security` configuration file. In this release, the tools issue
+warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
+
+security-libs/javax.net.ssl:
+
+JDK-8256490: Disable TLS 1.0 and 1.1
+====================================
+TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer
+considered secure and have been superseded by more secure and modern
+versions (TLS 1.2 and 1.3).
+
+These versions have now been disabled by default. If you encounter
+issues, you can, at your own risk, re-enable the versions by removing
+"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms`
+security property in the `java.security` configuration file.
+
+JDK-8242147: New System Properties to Configure the TLS Signature Schemes
+=========================================================================
+Two new system properties have been added to customize the TLS
+signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been
+added for the TLS client side, and `jdk.tls.server.SignatureSchemes`
+has been added for the server side.
+
+Each system property contains a comma-separated list of supported
+signature scheme names specifying the signature schemes that could be
+used for the TLS connections.
+
+The names are described in the "Signature Schemes" section of the
+*Java Security Standard Algorithm Names Specification*.
+
+tools/javac:
+
+JDK-8177368: Several incorporation steps are silently failing when an error should be reported
+==============================================================================================
+Reporting previously silent errors found during incorporation, JLS
+8ยง18.3, was supposed to be a clean-up with performance only
+implications. But consider the test case:
+
+import java.util.Arrays;
+import java.util.List;
+
+class Klass {
+ public static <A> List<List<A>> foo(List<? extends A>... lists) {
+ return foo(Arrays.asList(lists));
+ }
+
+ public static <B> List<List<B>> foo(List<? extends List<? extends B>> lists) {
+ return null;
+ }
+}
+
+This code was not accepted before the patch for [1], but after this
+patch the compiler is accepting it. Accepting this code is the right
+behavior as not reporting incorporation errors was a bug in the
+compiler. While determining the applicability of method: <B>
+List<List<B>> foo(List<? extends List<? extends B>> lists) for which
+we have the constraints: b <: Object t <: List<? extends B> t<:Object
+List<? extends A> <: t first, inference variable b is selected for
+instantiation: b = CAP1 of ? extends A so this implies that: t <:
+List<? extends CAP1 of ? extends A> t<: Object List<? extends A> <: t
+
+Now all the bounds are checked for consistency. While checking if
+List<? extends A> is a subtype of List<? extends CAP1 of ? extends A>
+a bound error is reported. Before the compiler was just swallowing
+it. As now the error is reported while inference variable b is being
+instantiated, the bound set is rolled back to it's initial state, 'b'
+is instantiated to Object, and with this instantiation the constraint
+set is solvable, the method is applicable, it's the only applicable
+one and the code is accepted as correct. The compiler behavior in this
+case is defined at JLS 8 ยง18.4
+
+This fix has source compatibility impact, right now code that wasn't
+being accepted is now being accepted by the javac compiler. Currently
+there are no reports of any other kind of incompatibility.
+
+[1] https://bugs.openjdk.java.net/browse/JDK-8078024
+
New in release OpenJDK 8u282 (2021-01-19):
===========================================
Live versions of these release notes can be found at:
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
new file mode 100644
index 0000000..06a0b07
--- /dev/null
+++ b/SOURCES/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+ public static void main(String[] args) {
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println("Debug: Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+}
diff --git a/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch b/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch
index 53bceec..4098bdc 100644
--- a/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch
+++ b/SOURCES/jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch
@@ -1,7 +1,7 @@
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp
-@@ -2659,7 +2659,7 @@
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/compactibleFreeListSpace.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -2689,7 +2689,7 @@
if (ResizeOldPLAB && CMSOldPLABResizeQuicker) {
size_t multiple = _num_blocks[word_sz]/(CMSOldPLABToleranceFactor*CMSOldPLABNumRefills*n_blks);
n_blks += CMSOldPLABReactivityFactor*multiple*n_blks;
@@ -10,10 +10,10 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe
}
assert(n_blks > 0, "Error");
_cfls->par_get_chunk_of_blocks(word_sz, n_blks, fl);
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp
-@@ -957,7 +957,7 @@
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/concurrentMarkSweep/concurrentMarkSweepGeneration.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -961,7 +961,7 @@
if (free_percentage < desired_free_percentage) {
size_t desired_capacity = (size_t)(used() / ((double) 1 - desired_free_percentage));
assert(desired_capacity >= capacity(), "invalid expansion size");
@@ -22,7 +22,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe
if (PrintGCDetails && Verbose) {
size_t desired_capacity = (size_t)(used() / ((double) 1 - desired_free_percentage));
gclog_or_tty->print_cr("\nFrom compute_new_size: ");
-@@ -6577,7 +6577,7 @@
+@@ -6591,7 +6591,7 @@
HeapWord* curAddr = _markBitMap.startWord();
while (curAddr < _markBitMap.endWord()) {
size_t remaining = pointer_delta(_markBitMap.endWord(), curAddr);
@@ -31,7 +31,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe
_markBitMap.clear_large_range(chunk);
if (ConcurrentMarkSweepThread::should_yield() &&
!foregroundGCIsActive() &&
-@@ -6875,7 +6875,7 @@
+@@ -6889,7 +6889,7 @@
return;
}
// Double capacity if possible
@@ -40,30 +40,34 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/concurrentMarkSwe
// Do not give up existing stack until we have managed to
// get the double capacity that we desired.
ReservedSpace rs(ReservedSpace::allocation_align_size_up(
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp
-@@ -3902,7 +3902,7 @@
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/concurrentMark.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/concurrentMark.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -3916,7 +3916,7 @@
// of things to do) or totally (at the very end).
size_t target_size;
if (partially) {
- target_size = MIN2((size_t)_task_queue->max_elems()/3, GCDrainStackTargetSize);
-+ target_size = MIN2((size_t)(_task_queue->max_elems()/3), (size_t) GCDrainStackTargetSize);
++ target_size = MIN2((size_t)_task_queue->max_elems()/3, (size_t)GCDrainStackTargetSize);
} else {
target_size = 0;
}
-@@ -4706,7 +4706,7 @@
- // The > 0 check is to deal with the prev and next live bytes which
- // could be 0.
- if (*hum_bytes > 0) {
-- bytes = MIN2(HeapRegion::GrainBytes, *hum_bytes);
-+ bytes = MIN2(HeapRegion::GrainBytes, (size_t)*hum_bytes);
- *hum_bytes -= bytes;
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1BiasedArray.hpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp Tue Sep 08 22:20:44 2020 -0400
+@@ -78,7 +78,8 @@
+ size_t num_target_elems = pointer_delta(end, bottom, mapping_granularity_in_bytes);
+ idx_t bias = (uintptr_t)bottom / mapping_granularity_in_bytes;
+ address base = create_new_base_array(num_target_elems, target_elem_size_in_bytes);
+- initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes, log2_intptr(mapping_granularity_in_bytes));
++ initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes,
++ log2_intptr((uintptr_t)mapping_granularity_in_bytes));
}
- return bytes;
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp
+
+ size_t bias() const { return _bias; }
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHeap.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -1729,7 +1729,7 @@
verify_region_sets_optional();
@@ -73,21 +77,33 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1CollectedHea
ergo_verbose1(ErgoHeapSizing,
"attempt heap expansion",
ergo_format_reason("allocation request failed")
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.cpp
-@@ -117,7 +117,7 @@
- return reserved_size() - committed_size();
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -41,7 +41,7 @@
}
--size_t G1PageBasedVirtualSpace::addr_to_page_index(char* addr) const {
-+uintptr_t G1PageBasedVirtualSpace::addr_to_page_index(char* addr) const {
- return (addr - _low_boundary) / _page_size;
- }
+ size_t G1CMObjArrayProcessor::process_array_slice(objArrayOop obj, HeapWord* start_from, size_t remaining) {
+- size_t words_to_scan = MIN2(remaining, ObjArrayMarkingStride);
++ size_t words_to_scan = MIN2(remaining, (size_t)ObjArrayMarkingStride);
+
+ if (remaining > ObjArrayMarkingStride) {
+ push_array_slice(start_from + ObjArrayMarkingStride);
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1PageBasedVirtualSpace.hpp Tue Sep 08 22:20:44 2020 -0400
+@@ -89,7 +89,7 @@
+ void pretouch_internal(size_t start_page, size_t end_page);
+
+ // Returns the index of the page which contains the given address.
+- uintptr_t addr_to_page_index(char* addr) const;
++ size_t addr_to_page_index(char* addr) const;
+ // Returns the address of the given page index.
+ char* page_start(size_t index) const;
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQueue.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -38,7 +38,7 @@
_cancel(false),
_empty(true),
@@ -97,9 +113,9 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupQ
_queues = NEW_C_HEAP_ARRAY(G1StringDedupWorkerQueue, _nqueues, mtGC);
for (size_t i = 0; i < _nqueues; i++) {
new (_queues + i) G1StringDedupWorkerQueue(G1StringDedupWorkerQueue::default_segment_size(), _max_cache_size, _max_size);
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupTable.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -120,7 +120,7 @@
};
@@ -109,10 +125,10 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1StringDedupT
_max_list_length(0),
_cached(PaddedArray<G1StringDedupEntryList, mtGC>::create_unfreeable((uint)_nlists)),
_overflowed(PaddedArray<G1StringDedupEntryList, mtGC>::create_unfreeable((uint)_nlists)) {
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp
-@@ -109,7 +109,7 @@
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/g1/heapRegion.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -110,7 +110,7 @@
if (FLAG_IS_DEFAULT(G1HeapRegionSize)) {
size_t average_heap_size = (initial_heap_size + max_heap_size) / 2;
region_size = MAX2(average_heap_size / HeapRegionBounds::target_number(),
@@ -121,9 +137,9 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/heapRegion.cpp
}
int region_size_log = log2_long((jlong) region_size);
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/parNew/parNewGeneration.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/parNew/parNewGeneration.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -194,7 +194,7 @@
const size_t num_overflow_elems = of_stack->size();
const size_t space_available = queue->max_elems() - queue->size();
@@ -133,29 +149,27 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/parNew/parNewGene
num_overflow_elems);
// Transfer the most recent num_take_elems from the overflow
// stack to our work queue.
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp
-@@ -910,8 +910,8 @@
+diff -r 4689eaf1a5c9 src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/gc_implementation/parallelScavenge/psParallelCompact.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -912,7 +912,7 @@
+
void PSParallelCompact::initialize_dead_wood_limiter()
{
- const size_t max = 100;
-- _dwl_mean = double(MIN2(ParallelOldDeadWoodLimiterMean, max)) / 100.0;
-- _dwl_std_dev = double(MIN2(ParallelOldDeadWoodLimiterStdDev, max)) / 100.0;
-+ _dwl_mean = double(MIN2((size_t)ParallelOldDeadWoodLimiterMean, max)) / 100.0;
-+ _dwl_std_dev = double(MIN2((size_t)ParallelOldDeadWoodLimiterStdDev, max)) / 100.0;
+- const size_t max = 100;
++ const uintx max = 100;
+ _dwl_mean = double(MIN2(ParallelOldDeadWoodLimiterMean, max)) / 100.0;
+ _dwl_std_dev = double(MIN2(ParallelOldDeadWoodLimiterStdDev, max)) / 100.0;
_dwl_first_term = 1.0 / (sqrt(2.0 * M_PI) * _dwl_std_dev);
- DEBUG_ONLY(_dwl_initialized = true;)
- _dwl_adjustment = normal_distribution(1.0);
-diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp
---- openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp
-+++ openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp
+diff -r 4689eaf1a5c9 src/share/vm/memory/collectorPolicy.cpp
+--- openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/memory/collectorPolicy.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -385,7 +385,7 @@
uintx calculated_size = NewSize + OldSize;
double shrink_factor = (double) MaxHeapSize / calculated_size;
uintx smaller_new_size = align_size_down((uintx)(NewSize * shrink_factor), _gen_alignment);
- FLAG_SET_ERGO(uintx, NewSize, MAX2(young_gen_size_lower_bound(), smaller_new_size));
-+ FLAG_SET_ERGO(uintx, NewSize, MAX2(young_gen_size_lower_bound(), (size_t)smaller_new_size));
++ FLAG_SET_ERGO(uintx, NewSize, MAX2((uintx)young_gen_size_lower_bound(), smaller_new_size));
_initial_gen0_size = NewSize;
// OldSize is already aligned because above we aligned MaxHeapSize to
@@ -168,7 +182,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/
}
assert(max_new_size > 0, "All paths should set max_new_size");
-@@ -455,24 +455,23 @@
+@@ -455,23 +455,25 @@
// lower limit.
_min_gen0_size = NewSize;
desired_new_size = NewSize;
@@ -190,15 +204,16 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/
// NewRatio is overly large, the resulting sizes can be too
// small.
- _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size), NewSize);
-+ _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size), (size_t)NewSize);
++ _min_gen0_size = MAX2(scale_by_NewRatio_aligned(_min_heap_byte_size),
++ (size_t)NewSize);
desired_new_size =
- MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), NewSize);
-- }
-+ MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size), (size_t)NewSize); }
++ MAX2(scale_by_NewRatio_aligned(_initial_heap_byte_size),
++ (size_t)NewSize);
+ }
assert(_min_gen0_size > 0, "Sanity check");
- _initial_gen0_size = desired_new_size;
-@@ -573,7 +572,7 @@
+@@ -573,7 +575,7 @@
} else {
// It's been explicitly set on the command line. Use the
// OldSize and then determine the consequences.
@@ -207,9 +222,9 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/collectorPolicy.cpp openjdk/
_initial_gen1_size = OldSize;
// If the user has explicitly set an OldSize that is inconsistent
-diff --git openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp openjdk/hotspot/src/share/vm/memory/metaspace.cpp
---- openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp
-+++ openjdk/hotspot/src/share/vm/memory/metaspace.cpp
+diff -r 4689eaf1a5c9 src/share/vm/memory/metaspace.cpp
+--- openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/memory/metaspace.cpp Tue Sep 08 22:20:44 2020 -0400
@@ -1482,7 +1482,7 @@
void MetaspaceGC::post_initialize() {
@@ -237,38 +252,18 @@ diff --git openjdk.orig/hotspot/src/share/vm/memory/metaspace.cpp openjdk/hotspo
if (PrintGCDetails && Verbose) {
gclog_or_tty->print_cr(" "
" maximum_free_percentage: %6.2f"
-@@ -3361,7 +3361,7 @@
+@@ -3320,7 +3320,7 @@
+ // Make the first class chunk bigger than a medium chunk so it's not put
// on the medium chunk list. The next chunk will be small and progress
// from there. This size calculated by -version.
- _first_class_chunk_word_size = MIN2((size_t)MediumChunk*6,
-- (CompressedClassSpaceSize/BytesPerWord)*2);
-+ (size_t)(CompressedClassSpaceSize/BytesPerWord)*2);
+- _first_class_chunk_word_size = MIN2((size_t)MediumChunk*6,
++ _first_class_chunk_word_size = MIN2((uintx)MediumChunk*6,
+ (CompressedClassSpaceSize/BytesPerWord)*2);
_first_class_chunk_word_size = align_word_size_up(_first_class_chunk_word_size);
// Arbitrarily set the initial virtual space to a multiple
- // of the boot class loader size.
-diff --git openjdk.orig/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp openjdk/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp
---- openjdk.orig/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp
-+++ openjdk/hotspot/src/share/vm/memory/threadLocalAllocBuffer.cpp
-@@ -250,13 +250,13 @@
- size_t init_sz = 0;
-
- if (TLABSize > 0) {
-- init_sz = TLABSize / HeapWordSize;
-+ init_sz = (size_t)(TLABSize / HeapWordSize);
- } else if (global_stats() != NULL) {
- // Initial size is a function of the average number of allocating threads.
- unsigned nof_threads = global_stats()->allocating_threads_avg();
-
-- init_sz = (Universe::heap()->tlab_capacity(myThread()) / HeapWordSize) /
-- (nof_threads * target_refills());
-+ init_sz = (size_t)((Universe::heap()->tlab_capacity(myThread()) / HeapWordSize) /
-+ (nof_threads * target_refills()));
- init_sz = align_object_size(init_sz);
- }
- init_sz = MIN2(MAX2(init_sz, min_size()), max_size());
-diff --git openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp
---- openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp
-+++ openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp
+diff -r 4689eaf1a5c9 src/share/vm/oops/objArrayKlass.inline.hpp
+--- openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp Tue Sep 08 22:20:44 2020 -0400
@@ -48,7 +48,7 @@
const size_t beg_index = size_t(index);
assert(beg_index < len || len == 0, "index too large");
@@ -287,10 +282,10 @@ diff --git openjdk.orig/hotspot/src/share/vm/oops/objArrayKlass.inline.hpp openj
const size_t end_index = beg_index + stride;
T* const base = (T*)a->base();
T* const beg = base + beg_index;
-diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotspot/src/share/vm/runtime/arguments.cpp
---- openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp
-+++ openjdk/hotspot/src/share/vm/runtime/arguments.cpp
-@@ -1289,7 +1289,7 @@
+diff -r 4689eaf1a5c9 src/share/vm/runtime/arguments.cpp
+--- openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/runtime/arguments.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -1301,7 +1301,7 @@
// NewSize was set on the command line and it is larger than
// preferred_max_new_size.
if (!FLAG_IS_DEFAULT(NewSize)) { // NewSize explicitly set at command-line
@@ -299,7 +294,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotsp
} else {
FLAG_SET_ERGO(uintx, MaxNewSize, preferred_max_new_size);
}
-@@ -1314,8 +1314,8 @@
+@@ -1326,8 +1326,8 @@
// Unless explicitly requested otherwise, make young gen
// at least min_new, and at most preferred_max_new_size.
if (FLAG_IS_DEFAULT(NewSize)) {
@@ -310,7 +305,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotsp
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
tty->print_cr("CMS ergo set NewSize: " SIZE_FORMAT, NewSize);
-@@ -1325,7 +1325,7 @@
+@@ -1337,7 +1337,7 @@
// so it's NewRatio x of NewSize.
if (FLAG_IS_DEFAULT(OldSize)) {
if (max_heap > NewSize) {
@@ -319,25 +314,15 @@ diff --git openjdk.orig/hotspot/src/share/vm/runtime/arguments.cpp openjdk/hotsp
if (PrintGCDetails && Verbose) {
// Too early to use gclog_or_tty
tty->print_cr("CMS ergo set OldSize: " SIZE_FORMAT, OldSize);
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1ConcurrentMarkObjArrayProcessor.cpp
-@@ -41,7 +41,7 @@
+diff -r 4689eaf1a5c9 src/share/vm/runtime/os.cpp
+--- openjdk.orig/hotspot/src/share/vm/runtime/os.cpp Mon Aug 31 07:09:56 2020 +0100
++++ openjdk/hotspot/src/share/vm/runtime/os.cpp Tue Sep 08 22:20:44 2020 -0400
+@@ -1272,7 +1272,7 @@
}
- size_t G1CMObjArrayProcessor::process_array_slice(objArrayOop obj, HeapWord* start_from, size_t remaining) {
-- size_t words_to_scan = MIN2(remaining, ObjArrayMarkingStride);
-+ size_t words_to_scan = MIN2(remaining, (size_t) ObjArrayMarkingStride);
-
- if (remaining > ObjArrayMarkingStride) {
- push_array_slice(start_from + ObjArrayMarkingStride);
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
-@@ -150,5 +150,5 @@
- return value;
- }
-
-- return (size_t)1 << (log2_intptr(value) + 1);
-+ return (size_t)1 << (log2_intptr((uintptr_t) value) + 1);
- }
+ void os::set_memory_serialize_page(address page) {
+- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64);
++ int count = log2_intptr((uintptr_t)sizeof(class JavaThread)) - log2_int(64);
+ _mem_serialize_page = (volatile int32_t *)page;
+ // We initialize the serialization page shift count here
+ // We assume a cache line size of 64 bytes
diff --git a/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch b/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch
index e1e7214..a980895 100644
--- a/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch
+++ b/SOURCES/pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch
@@ -141,3 +141,26 @@ diff --git openjdk.orig/hotspot/src/share/vm/utilities/globalDefinitions.hpp ope
#define INTX_FORMAT "%" PRIdPTR
#define UINTX_FORMAT "%" PRIuPTR
+diff --git openjdk.orig/hotspot/src/share/vm/runtime/memprofiler.cpp openjdk/hotspot/src/share/vm/runtime/memprofiler.cpp
+--- openjdk.orig/hotspot/src/share/vm/runtime/memprofiler.cpp
++++ openjdk/hotspot/src/share/vm/runtime/memprofiler.cpp
+@@ -117,16 +117,16 @@
+ }
+
+ // Print trace line in log
+- fprintf(_log_fp, "%6.1f,%5d,%5d," UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) ",",
++ fprintf(_log_fp, "%6.1f,%5d,%5d," SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) ",",
+ os::elapsedTime(),
+ Threads::number_of_threads(),
+ SystemDictionary::number_of_classes(),
+ Universe::heap()->used() / K,
+ Universe::heap()->capacity() / K);
+
+- fprintf(_log_fp, UINTX_FORMAT_W(6) ",", CodeCache::capacity() / K);
++ fprintf(_log_fp, SIZE_FORMAT_W(6) ",", CodeCache::capacity() / K);
+
+- fprintf(_log_fp, UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) "," UINTX_FORMAT_W(6) "\n",
++ fprintf(_log_fp, SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) "," SIZE_FORMAT_W(6) "\n",
+ handles_memory_usage / K,
+ resource_memory_usage / K,
+ OopMapCache::memory_usage() / K);
diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch
index bdb67b3..4789f0b 100644
--- a/SOURCES/rh1750419-redhat_alt_java.patch
+++ b/SOURCES/rh1750419-redhat_alt_java.patch
@@ -1,12 +1,13 @@
diff --git openjdk.orig/jdk/make/CompileLaunchers.gmk openjdk/jdk/make/CompileLaunchers.gmk
--- openjdk.orig/jdk/make/CompileLaunchers.gmk
+++ openjdk/jdk/make/CompileLaunchers.gmk
-@@ -255,6 +255,32 @@
+@@ -255,6 +255,33 @@
endif
endif
++# -Wno-error=cpp is present to allow commented warning in ifdef part of main.c
+$(eval $(call SetupLauncher,alt-java, \
-+ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA,,,user32.lib comctl32.lib, \
++ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA -Wno-error=cpp,,,user32.lib comctl32.lib, \
+ $(JDK_OUTPUTDIR)/objs/jli_static.lib, $(JAVA_RC_FLAGS), \
+ $(JDK_TOPDIR)/src/windows/resource/java.rc, $(JDK_OUTPUTDIR)/objs/java_objs,true))
+
@@ -115,12 +116,16 @@ new file mode 100644
diff --git openjdk.orig/jdk/src/share/bin/main.c openjdk/jdk/src/share/bin/main.c
--- openjdk.orig/jdk/src/share/bin/main.c
+++ openjdk/jdk/src/share/bin/main.c
-@@ -32,6 +32,10 @@
+@@ -32,6 +32,14 @@
#include "defines.h"
-+#if defined(linux) && defined(__x86_64)
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
+#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
+#endif
+
#ifdef _MSC_VER
diff --git a/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch
deleted file mode 100644
index e578e00..0000000
--- a/SOURCES/rh1868759-pkcs11_cancel_on_failure.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 06:57:19 2020 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:56:48 2020 -0300
-@@ -627,7 +627,7 @@
- throw (ShortBufferException)
- (new ShortBufferException().initCause(e));
- }
-- reset(false);
-+ reset(true);
- throw new ProviderException("update() failed", e);
- }
- }
-@@ -745,7 +745,7 @@
- throw (ShortBufferException)
- (new ShortBufferException().initCause(e));
- }
-- reset(false);
-+ reset(true);
- throw new ProviderException("update() failed", e);
- }
- }
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
new file mode 100644
index 0000000..1461be8
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection-jdk.patch
@@ -0,0 +1,344 @@
+diff --git openjdk.orig/jdk/make/lib/SecurityLibraries.gmk openjdk/jdk/make/lib/SecurityLibraries.gmk
+--- openjdk.orig/jdk/make/lib/SecurityLibraries.gmk
++++ openjdk/jdk/make/lib/SecurityLibraries.gmk
+@@ -289,3 +289,34 @@
+
+ endif
+ endif
++
++################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupNativeCompilation,BUILD_LIBSYSTEMCONF, \
++ LIBRARY := systemconf, \
++ OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
++ SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/java/security, \
++ LANG := C, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libsystemconf/mapfile-vers, \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LDFLAGS_SUFFIX := $(LIBDL) $(NSS_LIBS), \
++ OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/libsystemconf, \
++ DEBUG_SYMBOLS := $(DEBUG_ALL_BINARIES)))
++
++ BUILD_LIBRARIES += $(BUILD_LIBSYSTEMCONF)
++endif
++
+diff --git openjdk.orig/jdk/make/mapfiles/libsystemconf/mapfile-vers openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/make/mapfiles/libsystemconf/mapfile-vers
+@@ -0,0 +1,35 @@
++#
++# Copyright (c) 2021, Red Hat, Inc.
++# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++#
++# This code is free software; you can redistribute it and/or modify it
++# under the terms of the GNU General Public License version 2 only, as
++# published by the Free Software Foundation. Oracle designates this
++# particular file as subject to the "Classpath" exception as provided
++# by Oracle in the LICENSE file that accompanied this code.
++#
++# This code is distributed in the hope that it will be useful, but WITHOUT
++# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++# version 2 for more details (a copy is included in the LICENSE file that
++# accompanied this code).
++#
++# You should have received a copy of the GNU General Public License version
++# 2 along with this work; if not, write to the Free Software Foundation,
++# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++#
++# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++# or visit www.oracle.com if you need additional information or have any
++# questions.
++#
++
++# Define public interface.
++
++SUNWprivate_1.1 {
++ global:
++ DEF_JNI_OnLoad;
++ DEF_JNI_OnUnLoad;
++ Java_java_security_SystemConfigurator_getSystemFIPSEnabled;
++ local:
++ *;
++};
+diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+@@ -30,14 +30,9 @@
+ import java.io.FileInputStream;
+ import java.io.IOException;
+
+-import java.nio.file.Files;
+-import java.nio.file.FileSystems;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+
+ import sun.security.util.Debug;
+
+@@ -59,10 +54,21 @@
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+- private static final String CRYPTO_POLICIES_CONFIG =
+- CRYPTO_POLICIES_BASE_DIR + "/config";
++ private static boolean systemFipsEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
+
+- private static boolean systemFipsEnabled = false;
++ static {
++ AccessController.doPrivileged(new PrivilegedAction<Void>() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+@@ -171,17 +177,34 @@
+ }
+
+ /*
+- * FIPS is enabled only if crypto-policies are set to "FIPS"
+- * and the com.redhat.fips property is true.
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
+ */
+- private static boolean enableFips() throws Exception {
++ private static boolean enableFips() throws IOException {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+- Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG);
+- String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath));
+- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+- return pattern.matcher(cryptoPoliciesConfig).find();
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
+ } else {
+ return false;
+ }
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -0,0 +1,168 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#include <dlfcn.h>
++#include <jni.h>
++#include <jni_util.h>
++#include <stdio.h>
++
++#ifdef SYSCONF_NSS
++#include <nss3/pk11pub.h>
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = SECMOD_GetSystemFIPSEnabled();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " SECMOD_GetSystemFIPSEnabled return value");
++ }
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " read character");
++ }
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
new file mode 100644
index 0000000..64d8ac0
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection-root.patch
@@ -0,0 +1,152 @@
+diff --git openjdk.orig/common/autoconf/configure.ac openjdk/common/autoconf/configure.ac
+--- openjdk.orig/common/autoconf/configure.ac
++++ openjdk/common/autoconf/configure.ac
+@@ -212,6 +212,7 @@
+ LIB_SETUP_ALSA
+ LIB_SETUP_FONTCONFIG
+ LIB_SETUP_MISC_LIBS
++LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_STATIC_LINK_LIBSTDCPP
+ LIB_SETUP_ON_WINDOWS
+
+diff --git openjdk.orig/common/autoconf/libraries.m4 openjdk/common/autoconf/libraries.m4
+--- openjdk.orig/common/autoconf/libraries.m4
++++ openjdk/common/autoconf/libraries.m4
+@@ -1067,3 +1067,63 @@
+ BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
+ fi
+ ])
++
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk.orig/common/autoconf/spec.gmk.in openjdk/common/autoconf/spec.gmk.in
+--- openjdk.orig/common/autoconf/spec.gmk.in
++++ openjdk/common/autoconf/spec.gmk.in
+@@ -312,6 +312,10 @@
+ ALSA_LIBS:=@ALSA_LIBS@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ PACKAGE_PATH=@PACKAGE_PATH@
+
+ # Source file for cacerts
+diff --git openjdk.orig/common/bin/compare_exceptions.sh.incl openjdk/common/bin/compare_exceptions.sh.incl
+--- openjdk.orig/common/bin/compare_exceptions.sh.incl
++++ openjdk/common/bin/compare_exceptions.sh.incl
+@@ -280,6 +280,7 @@
+ ./jre/lib/i386/libsplashscreen.so
+ ./jre/lib/i386/libsunec.so
+ ./jre/lib/i386/libsunwjdga.so
++./jre/lib/i386/libsystemconf.so
+ ./jre/lib/i386/libt2k.so
+ ./jre/lib/i386/libunpack.so
+ ./jre/lib/i386/libverify.so
+@@ -433,6 +434,7 @@
+ ./jre/lib/amd64/libsplashscreen.so
+ ./jre/lib/amd64/libsunec.so
+ ./jre/lib/amd64/libsunwjdga.so
++//jre/lib/amd64/libsystemconf.so
+ ./jre/lib/amd64/libt2k.so
+ ./jre/lib/amd64/libunpack.so
+ ./jre/lib/amd64/libverify.so
+@@ -587,6 +589,7 @@
+ ./jre/lib/sparc/libsplashscreen.so
+ ./jre/lib/sparc/libsunec.so
+ ./jre/lib/sparc/libsunwjdga.so
++./jre/lib/sparc/libsystemconf.so
+ ./jre/lib/sparc/libt2k.so
+ ./jre/lib/sparc/libunpack.so
+ ./jre/lib/sparc/libverify.so
+@@ -741,6 +744,7 @@
+ ./jre/lib/sparcv9/libsplashscreen.so
+ ./jre/lib/sparcv9/libsunec.so
+ ./jre/lib/sparcv9/libsunwjdga.so
++./jre/lib/sparcv9/libsystemconf.so
+ ./jre/lib/sparcv9/libt2k.so
+ ./jre/lib/sparcv9/libunpack.so
+ ./jre/lib/sparcv9/libverify.so
+diff --git openjdk.orig/common/nb_native/nbproject/configurations.xml openjdk/common/nb_native/nbproject/configurations.xml
+--- openjdk.orig/common/nb_native/nbproject/configurations.xml
++++ openjdk/common/nb_native/nbproject/configurations.xml
+@@ -53,6 +53,9 @@
+ <in>jvmtiEnterTrace.cpp</in>
+ </df>
+ </df>
++ <df name="libsystemconf">
++ <in>systemconf.c</in>
++ </df>
+ </df>
+ </df>
+ <df name="jdk">
+@@ -12772,6 +12775,11 @@
+ tool="0"
+ flavor2="0">
+ </item>
++ <item path="../../jdk/src/solaris/native/java/security/systemconf.c"
++ ex="false"
++ tool="0"
++ flavor2="0">
++ </item>
+ <item path="../../jdk/src/share/native/java/util/TimeZone.c"
+ ex="false"
+ tool="0"
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..341e092
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,55 @@
+# HG changeset patch
+# User mbalao
+# Date 1630103180 -3600
+# Fri Aug 27 23:26:20 2021 +0100
+# Node ID b3bd3119fab9bc5adfd7073377aca12bb1af80b3
+# Parent c90394a76ee02a689f95199559d5724824b4b25e
+RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -42,6 +42,8 @@
+ import javax.security.auth.callback.PasswordCallback;
+ import javax.security.auth.callback.TextOutputCallback;
+
++import sun.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+
+@@ -58,6 +60,9 @@
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -368,6 +373,24 @@
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
diff --git a/SOURCES/s390-8214206_fix.patch b/SOURCES/s390-8214206_fix.patch
index 42902cf..190109c 100644
--- a/SOURCES/s390-8214206_fix.patch
+++ b/SOURCES/s390-8214206_fix.patch
@@ -1,16 +1,13 @@
-diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp openjdk/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp
---- openjdk.orig/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp
-+++ openjdk/hotspot/src/share/vm/gc_implementation/g1/g1BiasedArray.hpp
-@@ -78,7 +78,8 @@
- size_t num_target_elems = pointer_delta(end, bottom, mapping_granularity_in_bytes);
- idx_t bias = (uintptr_t)bottom / mapping_granularity_in_bytes;
- address base = create_new_base_array(num_target_elems, target_elem_size_in_bytes);
-- initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes, log2_intptr(mapping_granularity_in_bytes));
-+ initialize_base(base, num_target_elems, bias, target_elem_size_in_bytes,
-+ log2_long(mapping_granularity_in_bytes));
+diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
++++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahUtils.cpp
+@@ -150,5 +150,5 @@
+ return value;
}
- size_t bias() const { return _bias; }
+- return (size_t)1 << (log2_intptr(value) + 1);
++ return (size_t)1 << (log2_intptr((uintptr_t) value) + 1);
+ }
diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp
--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp
+++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahNumberSeq.cpp
@@ -23,15 +20,27 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
// Defensively saturate for product bits:
if (mag < 0) {
-diff --git openjdk.orig/hotspot/src/share/vm/runtime/os.cpp openjdk/hotspot/src/share/vm/runtime/os.cpp
---- openjdk.orig/hotspot/src/share/vm/runtime/os.cpp
-+++ openjdk/hotspot/src/share/vm/runtime/os.cpp
-@@ -1284,7 +1284,7 @@
+diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp
++++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.cpp
+@@ -659,7 +659,7 @@
}
- void os::set_memory_serialize_page(address page) {
-- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64);
-+ int count = log2_long(sizeof(class JavaThread)) - log2_int(64);
- _mem_serialize_page = (volatile int32_t *)page;
- // We initialize the serialization page shift count here
- // We assume a cache line size of 64 bytes
+ size_t ShenandoahHeap::soft_max_capacity() const {
+- size_t v = OrderAccess::load_acquire((volatile size_t*)&_soft_max_size);
++ size_t v = OrderAccess::load_acquire((volatile jlong*)&_soft_max_size);
+ assert(min_capacity() <= v && v <= max_capacity(),
+ err_msg("Should be in bounds: " SIZE_FORMAT " <= " SIZE_FORMAT " <= " SIZE_FORMAT,
+ min_capacity(), v, max_capacity()));
+diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp
+--- openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp
++++ openjdk/hotspot/src/share/vm/gc_implementation/shenandoah/shenandoahHeap.hpp
+@@ -155,7 +155,7 @@
+ private:
+ size_t _initial_size;
+ size_t _minimum_size;
+- volatile size_t _soft_max_size;
++ volatile jlong _soft_max_size;
+ shenandoah_padding(0);
+ volatile jlong _used;
+ volatile size_t _committed;
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 02d2f7d..dd6e641 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -60,16 +60,32 @@
# we need to distinguish between big and little endian PPC64
%global ppc64le ppc64le
%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
%global multilib_arches %{power64} sparc64 x86_64
-%global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64}
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64}
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{debug_arches}
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures which support the serviceability agent
%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64}
+# Set of architectures which support Java Flight Recorder (JFR)
%global jfr_arches %{jit_arches}
-%global fastdebug_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
-%ifarch %{jit_arches}
-%ifnarch %{arm}
+%ifarch %{debug_arches}
%global include_debug_build 1
%else
%global include_debug_build 0
@@ -77,9 +93,6 @@
%else
%global include_debug_build 0
%endif
-%else
-%global include_debug_build 0
-%endif
# By default, we build a fastdebug build during main build only on fastdebug architectures
%if %{with fastdebug}
@@ -88,6 +101,8 @@
%else
%global include_fastdebug_build 0
%endif
+%else
+%global include_fastdebug_build 0
%endif
%if %{include_debug_build}
@@ -103,12 +118,10 @@
%endif
# If you disable both builds, then the build fails
-# Note that the debug build requires the normal build for docs
-%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build}
-# Test slowdebug first as it provides the best diagnostics
-%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
-%ifarch %{jit_arches}
+%ifarch %{bootstrap_arches}
%global bootstrap_build 1
%else
%global bootstrap_build 1
@@ -148,7 +161,7 @@
# as to why some libraries *cannot* be excluded. In particular,
# these are:
# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
%global __provides_exclude ^(%{_privatelibs})$
%global __requires_exclude ^(%{_privatelibs})$
@@ -213,7 +226,7 @@
%global stapinstall %{nil}
%endif
-%ifarch %{jit_arches}
+%ifarch %{systemtap_arches}
%global with_systemtap 1
%else
%global with_systemtap 0
@@ -250,7 +263,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project aarch64-port
%global shenandoah_repo jdk8u-shenandoah
-%global shenandoah_revision aarch64-shenandoah-jdk8u282-b08
+%global shenandoah_revision aarch64-shenandoah-jdk8u302-b08
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
%global repo %{shenandoah_repo}
@@ -266,7 +279,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease 4
+%global rpmrelease 3
# Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -347,13 +360,9 @@ exit 0
%define post_headless() %{expand:
-%ifarch %{jit_arches}
-# MetaspaceShared::generate_vtable_methods not implemented for PPC JIT
-%ifnarch %{power64}
-# see https://bugzilla.redhat.com/show_bug.cgi?id=513605
+%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
-%endif
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
@@ -687,12 +696,10 @@ exit 0
%{_jvmdir}/%{jredir -- %{?1}}/lib/security/nss.fips.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/nss.fips.cfg
-%ifarch %{jit_arches}
-%ifnarch %{power64}
+%ifarch %{share_arches}
%attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/server/classes.jsa
%attr(444, root, root) %ghost %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/client/classes.jsa
%endif
-%endif
%dir %{etcjavasubdir}
%dir %{etcjavadir -- %{?1}}
%dir %{etcjavadir -- %{?1}}/lib
@@ -736,6 +743,7 @@ exit 0
%endif
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so
+%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libunpack.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libverify.so
%{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libzip.so
@@ -957,19 +965,19 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/
Requires: javapackages-filesystem
# Require zoneinfo data provided by tzdata-java subpackage.
-# 2020b required as of JDK-8254177 in October CPU
-Requires: tzdata-java >= 2020b
+# 2021a required as of JDK-8260356 in April CPU
+Requires: tzdata-java >= 2021a
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression
-Requires: copy-jdk-configs >= 3.3
+Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs
+%endif
# for printing support
Requires: cups-libs
-# for FIPS PKCS11 provider
-Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
@@ -1141,8 +1149,14 @@ Source13: TestCryptoLevel.java
# Ensure ECDSA is working
Source14: TestECDSA.java
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
# nss fips configuration file
-Source15: nss.fips.cfg.in
+Source17: nss.fips.cfg.in
Source20: repackReproduciblePolycies.sh
@@ -1150,9 +1164,6 @@ Source20: repackReproduciblePolycies.sh
Source100: config.guess
Source101: config.sub
-# Ensure vendor settings are correct
-Source16: CheckVendor.java
-
############################################
#
# RPM/distribution specific patches
@@ -1183,6 +1194,11 @@ Patch1002: rh1760838-fips_default_keystore_type.patch
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1005: rh1906862-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
+Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1008: rh1996182-login_to_nss_software_token.patch
#############################################
#
@@ -1209,8 +1225,6 @@ Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_jav
Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# PR3655: Allow use of system crypto policy to be disabled by the user
Patch401: pr3655-toggle_system_crypto_policy.patch
-# RH1868759: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer
-Patch540: rh1868759-pkcs11_cancel_on_failure.patch
# enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch
@@ -1325,8 +1339,8 @@ BuildRequires: libXinerama-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg
-BuildRequires: nss-devel
+# Requirements for setting up the nss.cfg and FIPS support
+BuildRequires: nss-devel >= 3.53
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@@ -1343,8 +1357,8 @@ BuildRequires: java-1.8.0-openjdk-devel
%ifnarch %{jit_arches}
BuildRequires: libffi-devel
%endif
-# 2020b required as of JDK-8254177 in October CPU
-BuildRequires: tzdata-java >= 2020b
+# 2021a required as of JDK-8260356 in April CPU
+BuildRequires: tzdata-java >= 2021a
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@@ -1527,7 +1541,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n
Summary: %{origin_nice} %{majorver} API documentation
Group: Documentation
Requires: javapackages-filesystem
-Obsoletes: javadoc-debug
+Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4
BuildArch: noarch
%{java_javadoc_rpo %{nil}}
@@ -1539,7 +1553,7 @@ The %{origin_nice} %{majorver} API documentation.
Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive
Group: Documentation
Requires: javapackages-filesystem
-Obsoletes: javadoc-zip-debug
+Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4
BuildArch: noarch
%{java_javadoc_rpo %{nil}}
@@ -1614,10 +1628,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ
echo "You have disabled all builds (normal,fastdebug,debug). That is a no go."
exit 14
fi
-if [ %{include_normal_build} -eq 0 ] ; then
- echo "You have disabled the normal build, but this is required to provide docs for the debug build."
- exit 15
-fi
echo "Update version: %{updatever}"
echo "Build number: %{buildver}"
@@ -1680,7 +1690,6 @@ sh %{SOURCE12}
%patch574
%patch580
%patch539
-%patch540
# RPM-only fixes
%patch600
@@ -1690,6 +1699,9 @@ sh %{SOURCE12}
%patch1003
%patch1004
%patch1005
+%patch1006
+%patch1007
+%patch1008
# RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1749,7 +1761,7 @@ done
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build
@@ -1824,6 +1836,7 @@ function buildjdk() {
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
+ --enable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=system \
@@ -1916,7 +1929,7 @@ done
%check
# We test debug first as it will give better diagnostics on a crash
-for suffix in %{rev_build_loop} ; do
+for suffix in %{build_loop} ; do
export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
@@ -1928,10 +1941,25 @@ $JAVA_HOME/bin/java TestCryptoLevel
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+
# Check correct vendor values have been set
$JAVA_HOME/bin/javac -d . %{SOURCE16}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url}
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
do
@@ -2187,7 +2215,13 @@ done
-- whether copy-jdk-configs is installed or not. If so, then configs are copied
-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
local posix = require "posix"
-local debug = false
+
+if (os.getenv("debug") == "true") then
+ debug = true;
+ print("cjc: in spec debug is on")
+else
+ debug = false;
+end
SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
@@ -2215,9 +2249,10 @@ else
return
end
end
--- run content of included file with fake args
-arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
-require "copy_jdk_configs.lua"
+arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
+cjc = require "copy_jdk_configs.lua"
+args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+cjc.mainProgram(args)
%post
%{post_script %{nil}}
@@ -2389,6 +2424,176 @@ require "copy_jdk_configs.lua"
%endif
%changelog
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-3
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997358
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
+- Fix path to libsystemconf.so on 8u.
+- Resolves: rhbz#1971679
+
+* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
+- Port FIPS system detection support to OpenJDK 8u
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Resolves: rhbz#1971679
+
+* Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.302.b08-2
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Resolves: rhbz#1971679
+
+* Fri Jul 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-1
+- Update to aarch64-shenandoah-jdk8u302-b08 (EA)
+- Update release notes for 8u302-b08.
+- Switch to GA mode for final release.
+- This tarball is embargoed until 2021-07-20 @ 1pm PT.
+- Resolves: rhbz#1972395
+
+* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b07-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b07 (EA)
+- Update release notes for 8u302-b07.
+- Resolves: rhbz#1967812
+
+* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b06-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b06 (EA)
+- Update release notes for 8u302-b06.
+- Resolves: rhbz#1967812
+
+* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.2.ea
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed.
+- Resolves: rhbz#1966233
+
+* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.1.ea
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Resolves: rhbz#1966233
+
+* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b05 (EA)
+- Update release notes for 8u302-b05.
+- Resolves: rhbz#1967812
+
+* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b04-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b04 (EA)
+- Update release notes for 8u302-b04.
+- Resolves: rhbz#1967812
+
+* Tue Jun 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.3.ea
+- Introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- Patch600, rh1750419-redhat_alt_java.patch, amended to die, if it is used wrongly
+- Introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+- Resolves: rhbz#1966233
+
+* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.2.ea
+- Re-order source files to sync with Fedora.
+- Resolves: rhbz#1966233
+
+* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:1.8.0.302.b03-0.2.ea
+- Add a test verifying system crypto policies can be disabled
+- Resolves: rhbz#1966233
+
+* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.1.ea
+- Update to aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23 (EA)
+- Update release notes for 8u302-b03-shenandoah-merge-2021-06-23.
+- Resolves: rhbz#1967812
+
+* Sun Jun 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b03 (EA)
+- Update release notes for 8u302-b03.
+- Resolves: rhbz#1967812
+
+* Sat Jun 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b02-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b02 (EA)
+- Update release notes for 8u302-b02.
+- Resolves: rhbz#1967812
+
+* Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b01-0.3.ea
+- Add ppc64le and aarch64 to fastdebug_arches
+- Resolves: rhbz#1969254
+
+* Fri Jun 18 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b01-0.2.ea
+- Cleanup architecture handling in preparation for extending set of fastdebug architectures
+- Fixed not-including fastdebug build in case of --without fastdebug
+- Resolves: rhbz#1969254
+
+* Wed Jun 16 2021 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.302.b01-0.1.ea
+- adapted to newst cjc to fix issue with rpm 4.17
+- Disable copy-jdk-configs for Flatpak builds
+- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
+- Resolves: rhbz#1953923
+
+* Sat May 22 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b01-0.0.ea
+- Update to aarch64-shenandoah-jdk8u302-b01 (EA)
+- Update release notes for 8u302-b01.
+- Switch to EA mode.
+- Resolves: rhbz#1967812
+
+* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b10-2
+- Update to aarch64-shenandoah-jdk8u292-b10 (GA)
+- Update release notes for 8u292-b10.
+- This tarball is embargoed until 2021-04-20 @ 1pm PT.
+- Resolves: rhbz#1938201
+
+* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b09-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b09 (EA)
+- Update release notes for 8u292-b09.
+- Resolves: rhbz#1942306
+
+* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b08-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b08 (EA)
+- Update release notes for 8u292-b08.
+- Require tzdata 2021a due to JDK-8260356
+- Resolves: rhbz#1942306
+
+* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b07-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b07 (EA)
+- Update release notes for 8u292-b07.
+- Resolves: rhbz#1942306
+
+* Sun Apr 11 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b06-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b06 (EA)
+- Update release notes for 8u292-b06.
+- Require tzdata 2020f due to JDK-8259048
+- Resolves: rhbz#1942306
+
+* Sat Apr 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b05-0.3.ea
+- Update to aarch64-shenandoah-jdk8u292-b05-shenandoah-merge-2021-03-11 (EA)
+- Update release notes for 8u292-b05-shenandoah-merge-2021-03-11.
+- Re-organise S/390 patches for upstream submission, separating 8u upstream from Shenandoah fixes.
+- Add new formatting case found in memprofiler.cpp on debug builds to PR3593 patch.
+- Extend s390 patch to fix issue caused by JDK-8252660 backport and lack of JDK-8188813 in 8u.
+- Revise JDK-8252660 s390 failure to make _soft_max_size a jlong so pointer types are accurate.
+- Resolves: rhbz#1942306
+
+* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b05-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b05 (EA)
+- Update release notes for 8u292-b05.
+- Resolves: rhbz#1942306
+
+* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b04-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b04 (EA)
+- Update release notes for 8u292-b04.
+- Resolves: rhbz#1942306
+
+* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b03-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b03 (EA)
+- Update release notes for 8u292-b03.
+- Resolves: rhbz#1942306
+
+* Sat Mar 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b02-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b02 (EA)
+- Update release notes for 8u292-b02.
+- Remove RH1868759 patch as this is now resolved upstream by JDK-8258833.
+- Resolves: rhbz#1942306
+
+* Thu Mar 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b01-0.2.ea
+- Update to aarch64-shenandoah-jdk8u292-b01 (EA)
+- Update release notes for 8u292-b01.
+- Switch to EA mode.
+- Update tarball generation script to use PR3822 which handles
+ JDK-8233228 & JDK-8035166 changes
+- Resolves: rhbz#1942306
+
* Wed Feb 17 2021 Stephan Bergmann <sbergman@redhat.com> - 1:1.8.0.282.b08-4
- Resolves: rhbz#1896014 Hardcode /usr/sbin/alternatives for Flatpak builds