17 changed files with 1596 additions and 11238 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/shenandoah8u442-b06.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@ -1,2 +1,2 @@
-f5c84eb1dd6c8dba50a2ae89e01ec1d1b4f26fde SOURCES/shenandoah8u442-b06.tar.xz
+3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@ -3,938 +3,6 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release OpenJDK 8u442 (2025-01-21):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u442
 * Changes
  - JDK-8048003: test/compiler/8009761/Test8009761.java failed with: java.lang.RuntimeException: static java.lang.Object Test8009761.m3(boolean,boolean) not compiled
  - JDK-8058322: Zero name_index item of MethodParameters attribute cause MalformedParameterException.
  - JDK-8066708: JMXStartStopTest fails to connect to port 38112
  - JDK-8133287: (fs) java/nio/file/Files/probeContentType/ParallelProbes.java should use othervm mode
  - JDK-8189687: Swing: Invalid position of candidate pop-up of InputMethod in Hi-DPI on Windows
  - JDK-8209023: fix 2 compiler tests to avoid JDK-8208690
  - JDK-8239312: [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
  - JDK-8260380: Upgrade to LittleCMS 2.12
  - JDK-8315731: Open source several Swing Text related tests
  - JDK-8335428: Enhanced Building of Processes
  - JDK-8335912, JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
  - JDK-8336564: Enhance mask blit functionality redux
  - JDK-8338402: GHA: some of bundles may not get removed
  - JDK-8339133: [8u] Profiler crashes at guarantee(is_result_safe || is_in_asgct()): unsafe access to zombie method
  - JDK-8339180: Enhanced Building of Processes: Follow-on Issue
  - JDK-8339394: Bump update version of OpenJDK: 8u442
  - JDK-8339882: Replace ThreadLocalStorage::thread with Thread::current_or_null in jdk8 backport of JDK-8183925
  - JDK-8340815: Add SECURITY.md file
  - JDK-8342822: jdk8u432-b06 does not compile on AIX
  - JDK-8342841: [8u] Separate jdk_security_infra tests from jdk_tier1
 Notes on individual issues:
 ===========================
 core-libs/java.util.jar:
 JDK-8335912/JDK-8337499: Add an operation mode to the jar command when extracting to not overwriting existing files
 ===================================================================================================================
 In previous OpenJDK releases, when the jar tool extracted files from
 an archive, it would overwrite any existing files with the same name
 in the target directory. With this release, a new option ('-k' or
 '--keep-old-files') may be specified so that existing files are not
 overwritten.
 The option may be specified in short or long option form, as in the
 following examples:
 * jar xkf foo.jar
 * jar --extract --keep-old-files --file foo.jar
 By default, the old behaviour remains in place and files will be
 overwritten.
 New in release OpenJDK 8u432 (2024-10-15):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u432
 * CVEs
  - CVE-2024-21208
  - CVE-2024-21210
  - CVE-2024-21217
  - CVE-2024-21235
 * Security fixes
  - JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
  - JDK-8313626, JDK-8307769: C2 crash due to unexpected exception control flow
  - JDK-8328286: Enhance HTTP client
  - JDK-8328544: Improve handling of vectorization
  - JDK-8328726: Better Kerberos support
  - JDK-8331446: Improve deserialization support
  - JDK-8332644: Improve graph optimizations
  - JDK-8335713: Enhance vectorization analysis
 * Other changes
  - JDK-4660158: TTY: NumberFormatException while trying to set values by 'set' command
  - JDK-6544871: java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
  - JDK-7188098: TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails
  - JDK-8021775: compiler/8009761/Test8009761.java  "Failed: init recursive calls: 51. After deopt 50"
  - JDK-8030204: com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
  - JDK-8030795: java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option
  - JDK-8035395: sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use
  - JDK-8075511: Enable -Woverloaded-virtual C++ warning for HotSpot build
  - JDK-8137329: [windows] Build broken on VS2010 after  "8046148: JEP 158: Unified JVM Logging"
  - JDK-8145919: sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
  - JDK-8152207: Perform array bound checks while getting a length of bytecode instructions
  - JDK-8193682: Infinite loop in ZipOutputStream.close()
  - JDK-8196770: Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
  - JDK-8221903: PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04
  - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
  - JDK-8238274: (sctp) JDK-7118373 is not fixed for SctpChannel
  - JDK-8251188: Update LDAP tests not to use wildcard addresses
  - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
  - JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
  - JDK-8278794: Infinite loop in DeflaterOutputStream.finish()
  - JDK-8279164: Disable TLS_ECDH_* cipher suites
  - JDK-8281096: Flags introduced by configure script are not passed to ADLC build
  - JDK-8284771: java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
  - JDK-8298887: On the latest macOS+XCode the Robot API may report wrong colors
  - JDK-8299677: Formatter.format might take a long time to format an integer or floating-point
  - JDK-8305400: ISO 4217 Amendment 175 Update
  - JDK-8305931: jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
  - JDK-8307779: Relax the java.awt.Robot specification
  - JDK-8309138: Fix container tests for jdks with symlinked conf dir
  - JDK-8311666: Disabled tests in test/jdk/sun/java2d/marlin
  - JDK-8315117: Update Zlib Data Compression Library to Version 1.3
  - JDK-8315863: [GHA] Update checkout action to use v4
  - JDK-8316328: Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes
  - JDK-8318039: GHA: Bump macOS and Xcode versions
  - JDK-8318951: Additional negative value check in JPEG decoding
  - JDK-8320964: sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese
  - JDK-8321480: ISO 4217 Amendment 176 Update
  - JDK-8324632: Update Zlib Data Compression Library to Version 1.3.1
  - JDK-8324723: GHA: Upgrade some actions to avoid deprecated Node 16
  - JDK-8326351: Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1
  - JDK-8326521: JFR: CompilerPhase event test fails on windows 32 bit
  - JDK-8326529: JFR: Test for CompilerCompile events fails due to time out
  - JDK-8327007: javax/swing/JSpinner/8008657/bug8008657.java fails
  - JDK-8330415: Update system property for Java SE specification maintenance version
  - JDK-8331730: [8u] GHA: update sysroot for cross builds to Debian bullseye
  - JDK-8333126: Bump update version of OpenJDK: 8u432
  - JDK-8333669: [8u] GHA: Dead VS2010 download link
  - JDK-8333724: Problem list security/infra/java/security/cert/CertPathValidator/certification/CAInterop.java#teliasonerarootcav1
  - JDK-8334653: ISO 4217 Amendment 177 Update
  - JDK-8334905: [8u] The test java/awt/Mixing/AWT_Mixing/JButtonOverlapping.java started to fail after 8159690
  - JDK-8335851: [8u] Test JMXStartStopTest.java fails after JDK-8334415
  - JDK-8335894: [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
  - JDK-8336928: GHA: Bundle artifacts removal broken
  - JDK-8337110: [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory
  - JDK-8337312: [8u] Windows x86 VS2010 build broken by JDK-8320097
  - JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
  - JDK-8338144: [8u] Remove duplicate license files
  - JDK-8341057: Add 2 SSL.com TLS roots
  - JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
 Notes on individual issues:
 ===========================
 security-libs/javax.net.ssl:
 JDK-8279164: Disable TLS_ECDH_* cipher suites
 =============================================
 The TLS_ECDH cipher suites do not preserve forward secrecy and are
 rarely used in practice. With this release, they are disabled by
 adding "ECDH" to the `jdk.tls.disabledAlgorithms` security property in
 the `java.security` configuration file. Attempts to use these suites
 with this release will result in a `SSLHandshakeException` being
 thrown. Note that ECDH cipher suites which use RC4 were already
 disabled prior to this change.
 Users can, *at their own risk*, remove this restriction by modifying
 the `java.security` configuration file (or override it by using the
 `java.security.properties` system property) so "ECDH" is no longer
 listed in the `jdk.tls.disabledAlgorithms` security property.
 This change has no effect on TLS_ECDHE cipher suites, which remain
 enabled by default.
 JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs
 JDK-8341059: Change Entrust TLS distrust date to November 12, 2024
 ====================================================================================================
 In accordance with similar plans recently announced by Google and
 Mozilla, the JDK will not trust Transport Layer Security (TLS)
 certificates issued after the 11th of November 2024 which are anchored
 by Entrust root certificates.  This includes certificates branded as
 AffirmTrust, which are managed by Entrust.
 Certificates issued on or before November 11th, 2024 will continue to
 be trusted until they expire.
 If a server's certificate chain is anchored by an affected
 certificate, attempts to negotiate a TLS session will fail with an
 Exception that indicates the trust anchor is not trusted. For example,
 "TLS server certificate issued after 2024-11-11 and anchored by a
 distrusted legacy Entrust root CA: CN=Entrust.net Certification
 Authority (2048), OU=(c) 1999 Entrust.net Limited,
 OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
 O=Entrust.net"
 To check whether a certificate in a JDK keystore is affected by this
 change, you can the `keytool` utility:
 keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
 If any of the certificates in the chain are affected by this change,
 then you will need to update the certificate or contact the
 organisation responsible for managing the certificate.
 These restrictions apply to the following Entrust root certificates
 included in the JDK:
 Alias name: entrustevca [jdk]
 CN=Entrust Root Certification Authority
 OU=(c) 2006 Entrust, Inc.
 OU=www.entrust.net/CPS is incorporated by reference
 O=Entrust, Inc.
 C=US
 SHA256: 73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C
 Alias name: entrustrootcaec1 [jdk]
 CN=Entrust Root Certification Authority - EC1
 OU=(c) 2012 Entrust, Inc. - for authorized use only
 OU=See www.entrust.net/legal-terms
 O=Entrust, Inc.
 C=US
 SHA256: 02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5
 Alias name: entrustrootcag2 [jdk]
 CN=Entrust Root Certification Authority - G2
 OU=(c) 2009 Entrust, Inc. - for authorized use only
 OU=See www.entrust.net/legal-terms
 O=Entrust, Inc.
 C=US
 SHA256: 43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39
 Alias name: entrustrootcag4 [jdk]
 CN=Entrust Root Certification Authority - G4
 OU=(c) 2015 Entrust, Inc. - for authorized use only
 OU=See www.entrust.net/legal-terms
 O=Entrust, Inc.
 C=US
 SHA256: DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88
 Alias name: entrust2048ca [jdk]
 CN=Entrust.net Certification Authority (2048)
 OU=(c) 1999 Entrust.net Limited
 OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)
 O=Entrust.net
 SHA256: 6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
 Alias name: affirmtrustcommercialca [jdk]
 CN=AffirmTrust Commercial
 O=AffirmTrust
 C=US
 SHA256: 03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7
 Alias name: affirmtrustnetworkingca [jdk]
 CN=AffirmTrust Networking
 O=AffirmTrust
 C=US
 SHA256: 0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B
 Alias name: affirmtrustpremiumca [jdk]
 CN=AffirmTrust Premium
 O=AffirmTrust
 C=US
 SHA256: 70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A
 Alias name: affirmtrustpremiumeccca [jdk]
 CN=AffirmTrust Premium ECC
 O=AffirmTrust
 C=US
 SHA256: BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23
 Users can, *at their own risk*, remove this restriction by modifying
 the `java.security` configuration file (or override it by using the
 `java.security.properties` system property) so "ENTRUST_TLS" is no
 longer listed in the `jdk.security.caDistrustPolicies` security
 property.
 security-libs/java.security:
 JDK-8341057: Add 2 SSL.com TLS roots
 ====================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: SSL.com
 Alias Name: ssltlsrootecc2022
 Distinguished Name: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
 Name: SSL.com
 Alias Name: ssltlsrootrsa2022
 Distinguished Name: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
 client-libs:
 JDK-8307779: Relax the java.awt.Robot specification
 ===================================================
 This release of OpenJDK 8 updates to the latest maintenance release of
 the Java 8 specification. This relaxes the specification of three
 methods in the `java.awt.Robot` class - `mouseMove(int,int)`,
 `getPixelColor(int,int)` and `createScreenCapture(Rectangle)` - to
 allow these methods to fail when the desktop environment does not
 permit moving the mouse pointer or capturing screen content.
 core-libs/javax.naming:
 JDK-8290367, JDK-8332643: Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
 ===============================================================================================================================
 With this OpenJDK release, the JDK implementation of the LDAP provider
 no longer supports the deserialisation of Java objects by
 default. This is achieved by the system property
 `com.sun.jndi.ldap.object.trustSerialData` being set to `false` by
 default.
 Note that this release also increases the scope of the
 `com.sun.jndi.ldap.object.trustSerialData` to cover the reconstruction
 of RMI remote objects from the `javaRemoteLocation` LDAP attribute.
 The result of this change is that transparent deserialisation of Java
 objects will require an explicit opt-in. Applications that wish to
 reconstruct Java objects and RMI stubs from LDAP attributes will need
 to set the `com.sun.jndi.ldap.object.trustSerialData` to `true`.
 core-libs/java.net:
 JDK-8328286: Enhance HTTP client
 ================================
 This OpenJDK release limits the maximum header field size accepted by
 the HTTP client within the JDK for all supported versions of the HTTP
 protocol. The header field size is computed as the sum of the size of
 the uncompressed header name, the size of the uncompressed header
 value and a overhead of 32 bytes for each field section line. If a
 peer sends a field section that exceeds this limit, a
 `java.net.ProtocolException` will be raised.
 This release also introduces a new system property,
 `jdk.http.maxHeaderSize`. This property can be used to alter the
 maximum header field size (in bytes) or disable it by setting the
 value to zero or a negative value. The default value is 393,216 bytes
 or 384kB.
 core-libs/java.util.jar:
 JDK-8193682: Infinite loop in ZipOutputStream.close()
 =====================================================
 In previous releases, the `DeflaterOutputStream.close()`,
 `GZIPOutputStream.finish()` and `ZipOutputStream.closeEntry()` methods
 did not close the associated default JDK compressor when an exception
 was thrown during closure.  With this release, the default compressor
 is closed before propogating the Throwable up the stack. In the case
 of `ZipOutputStream`, this only happens when the exception is not a
 `ZipException`.
 New in release OpenJDK 8u422 (2024-07-16):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u422
 * CVEs
  - CVE-2024-21131
  - CVE-2024-21138
  - CVE-2024-21140
  - CVE-2024-21144
  - CVE-2024-21145
  - CVE-2024-21147
 * Security fixes
  - JDK-8314794: Improve UTF8 String supports
  - JDK-8319859: Better symbol storage
  - JDK-8320097: Improve Image transformations
  - JDK-8320548: Improved loop handling
  - JDK-8322106: Enhance Pack 200 loading
  - JDK-8323231: Improve array management
  - JDK-8323390: Enhance mask blit functionality
  - JDK-8324559: Improve 2D image handling
  - JDK-8325600: Better symbol storage
 * Other changes
  - JDK-8025439: [TEST BUG] [macosx] PrintServiceLookup.lookupPrintServices doesn't work properly since jdk8b105
  - JDK-8069389: CompilerOracle prefix wildcarding is broken for long strings
  - JDK-8159454: [TEST_BUG] javax/swing/ToolTipManager/7123767/bug7123767.java: number of checked graphics configurations should be limited
  - JDK-8159690: [TESTBUG] Mark headful tests with @key headful.
  - JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
  - JDK-8203691: [TESTBUG] Test /runtime/containers/cgroup/PlainRead.java fails
  - JDK-8205407: [windows, vs<2017] C4800 after 8203197
  - JDK-8235834: IBM-943 charset encoder needs updating
  - JDK-8239965: XMLEncoder/Test4625418.java fails due to "Error: Cp943 - can't read properly"
  - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
  - JDK-8256152: tests fail because of ambiguous method resolution
  - JDK-8258855: Two tests sun/security/krb5/auto/ReplayCacheTestProc.java and ReplayCacheTestProcWithMD5.java failed on OL8.3
  - JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
  - JDK-8268916: Tests for AffirmTrust roots
  - JDK-8278067: Make HttpURLConnection default keep alive timeout configurable
  - JDK-8291226: Create Test Cases to cover scenarios for JDK-8278067
  - JDK-8291637: HttpClient default keep alive timeout not followed if server sends invalid value
  - JDK-8291638: Keep-Alive timeout of 0 should close connection immediately
  - JDK-8293562: KeepAliveCache Blocks Threads while Closing Connections
  - JDK-8303466: C2: failed: malformed control flow. Limit type made precise with MaxL/MinL
  - JDK-8304074: [JMX] Add an approximation of total bytes allocated on the Java heap by the JVM
  - JDK-8313081: MonitoringSupport_lock should be unconditionally initialized after 8304074
  - JDK-8315020: The macro definition for LoongArch64 zero build is not accurate.
  - JDK-8316138: Add GlobalSign 2 TLS root certificates
  - JDK-8318410: jdk/java/lang/instrument/BootClassPath/BootClassPathTest.sh fails on Japanese Windows
  - JDK-8320005: Allow loading of shared objects with .a extension on AIX
  - JDK-8324185: [8u] Accept Xcode 12+ builds on macOS
  - JDK-8325096: Test java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java is failing
  - JDK-8325927: [8u] Backport of JDK-8170552 missed part of the test
  - JDK-8326686: Bump update version of OpenJDK: 8u422
  - JDK-8327440: Fix "bad source file" error during beaninfo generation
  - JDK-8328809: [8u] Problem list some CA tests
  - JDK-8328825: Google CAInterop test failures
  - JDK-8329544: [8u] sun/security/krb5/auto/ReplayCacheTestProc.java cannot find the testlibrary
  - JDK-8331791: [8u] AIX build break from JDK-8320005 backport
  - JDK-8331980: [8u] Problem list CAInterop.java#certignarootca test
  - JDK-8335552: [8u] JDK-8303466 backport to 8u requires 3 ::Identity signature fixes
 Notes on individual issues:
 ===========================
 core-libs/java.net:
 JDK-8278067: Make HttpURLConnection Default Keep Alive Timeout Configurable
 ===========================================================================
 Two system properties have been added which control the keep alive
 behavior of HttpURLConnection in the case where the server does not
 specify a keep alive time. These are:
 * `http.keepAlive.time.server`
 * `http.keepAlive.time.proxy`
 which control the number of seconds before an idle connection to a
 server or proxy will be closed, respectively. If the server or proxy
 specifies a keep alive time in a "Keep-Alive" response header, this
 will take precedence over the values of these properties.
 security-libs/java.security:
 JDK-8316138: Add GlobalSign 2 TLS root certificates
 ===================================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: GlobalSign
 Alias Name: globalsignr46
 Distinguished Name: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
 Name: GlobalSign
 Alias Name: globalsigne46
 Distinguished Name: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
 New in release OpenJDK 8u412 (2024-04-16):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u412
 * CVEs
  - CVE-2024-21011
  - CVE-2024-21085
  - CVE-2024-21068
  - CVE-2024-21094
 * Security fixes
  - JDK-8317507, JDK-8325348: C2 compilation fails with "Exceeded _node_regs array"
  - JDK-8318340: Improve RSA key implementations
  - JDK-8319851: Improve exception logging
  - JDK-8322114: Improve Pack 200 handling
  - JDK-8322122: Enhance generation of addresses
 * Other changes
  - JDK-8011180: Delete obsolete scripts
  - JDK-8016451: Scary messages emitted by build.tools.generatenimbus.PainterGenerator during build
  - JDK-8021961: setAlwaysOnTop doesn't behave correctly in Linux/Solaris under certain scenarios
  - JDK-8023735: [TESTBUG][macosx] runtime/XCheckJniJsig/XCheckJSig.java fails on MacOS X
  - JDK-8074860: Structured Exception Catcher missing around CreateJavaVM on Windows
  - JDK-8079441: Intermittent failures on Windows with "Unexpected exit from test [exit code: 1080890248]" (0x406d1388)
  - JDK-8155590: Dubious collection management in sun.net.www.http.KeepAliveCache
  - JDK-8168518: rcache interop with krb5-1.15
  - JDK-8183503: Update hotspot tests to allow for unique test classes directory
  - JDK-8186095: upgrade to jtreg 4.2 b08
  - JDK-8186199: [windows] JNI_DestroyJavaVM not covered by SEH
  - JDK-8192931: Regression test java/awt/font/TextLayout/CombiningPerf.java fails
  - JDK-8208655: use JTreg skipped status in hotspot tests
  - JDK-8208701: Fix for JDK-8208655 causes test failures in CI tier1
  - JDK-8208706: compiler/tiered/ConstantGettersTransitionsTest.java fails to compile
  - JDK-8213410: UseCompressedOops requirement check fails fails on 32-bit system
  - JDK-8222323: ChildAlwaysOnTopTest.java fails with "RuntimeException: Failed to unset alwaysOnTop"
  - JDK-8224768: Test ActalisCA.java fails
  - JDK-8251155: HostIdentifier fails to canonicalize hostnames starting with digits
  - JDK-8251551: Use .md filename extension for README
  - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
  - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java  OCSP response error
  - JDK-8270517: Add Zero support for LoongArch
  - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
  - JDK-8276139: TestJpsHostName.java not reliable, better to expand HostIdentifierCreate.java test
  - JDK-8288132: Update test artifacts in QuoVadis CA interop tests
  - JDK-8297955: LDAP CertStore should use LdapName and not String for DNs
  - JDK-8301310: The SendRawSysexMessage test may cause a JVM crash
  - JDK-8308592: Framework for CA interoperability testing
  - JDK-8312126: NullPointerException in CertStore.getCRLs after 8297955
  - JDK-8315042: NPE in PKCS7.parseOldSignedData
  - JDK-8315757: [8u] Add cacerts JTREG tests to GHA tier1 test set
  - JDK-8320713: Bump update version of OpenJDK: 8u412
  - JDK-8321060: [8u] hotspot needs to recognise VS2022
  - JDK-8321408: Add Certainly roots R1 and E1
  - JDK-8322725: (tz) Update Timezone Data to 2023d
  - JDK-8322750: Test "api/java_awt/interactive/SystemTrayTests.html" failed because A blue ball icon is added outside of the system tray
  - JDK-8323202: [8u] Remove get_source.sh and hgforest.sh
  - JDK-8323640: [TESTBUG]testMemoryFailCount in jdk/internal/platform/docker/TestDockerMemoryMetrics.java always fail because OOM killed
  - JDK-8324184: Windows VS2010 build failed with "error C2275: 'int64_t'"
  - JDK-8324530: Build error with gcc 10
  - JDK-8325150: (tz) Update Timezone Data to 2024a
 Notes on individual issues:
 ===========================
 security-libs/org.ietf.jgss:krb5:
 JDK-8168518: rcache interop with krb5-1.15
 ==========================================
 The hash algorithm used in the Kerberos 5 replay cache file (rcache)
 has been changed from MD5 to SHA256. This is the same algorithm used
 by MIT krb5-1.15 and is interoperable with earlier releases of MIT
 krb5.
 The MD5 algorithm can still be used by setting the new
 jdk.krb5.rcache.useMD5 property to 'true':
 java -Djdk.krb5.rcache.useMD5=true ...
 This is useful where either the system has a coarse clock and has to
 depend on hash values in replay attack detection, or interoperability
 with the rcache files in older versions of OpenJDK is required.
 client-libs/java.awt:
 JDK-8322750: AWT SystemTray API Is Not Supported on Most Linux Desktops
 =======================================================================
 The java.awt.SystemTray API is used to interact with the system's
 desktop taskbar to provide notifications and may include an icon
 representing an application. The GNOME desktop's support for taskbar
 icons has not worked properly for several years, due to a platform
 bug. This bug, in turn, affects the JDK's SystemTray support on GNOME
 desktops.
 Therefore, in accordance with the SystemTray API specification,
 java.awt.SystemTray.isSupported() will now return false on systems
 that exhibit this bug, which is assumed to be those running a version
 of GNOME Shell below 45.
 The impact of this change is likely to be minimal, as users of the
 SystemTray API should already be able to handle isSupported()
 returning false and the system tray on such platforms has already been
 unsupported for a number of years for all applications.
 security-libs/java.security:
 JDK-8321408: Added Certainly R1 and E1 Root Certificates
 ========================================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Certainly
 Alias Name: certainlyrootr1
 Distinguished Name: CN=Certainly Root R1, O=Certainly, C=US
 Name: Certainly
 Alias Name: certainlyroote1
 Distinguished Name: CN=Certainly Root E1, O=Certainly, C=US
 New in release OpenJDK 8u402 (2024-01-16):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u402
 * CVEs
  - CVE-2024-20918
  - CVE-2024-20919
  - CVE-2024-20921
  - CVE-2024-20926
  - CVE-2024-20945
  - CVE-2024-20952
 * Security fixes
  - JDK-8308204: Enhanced certificate processing
  - JDK-8314284: Enhance Nashorn performance
  - JDK-8314295: Enhance verification of verifier
  - JDK-8314307: Improve loop handling
  - JDK-8314468: Improve Compiler loops
  - JDK-8316976: Improve signature handling
  - JDK-8317547: Enhance TLS connection support
 * Other changes
  - JDK-6528710: sRGB-ColorSpace to sRGB-ColorSpace Conversion
  - JDK-8029995: accept yes/no for boolean krb5.conf settings
  - JDK-8159156: [TESTBUG] ReserveMemory test is not useful on Aix.
  - JDK-8176509: Use pandoc for converting build readme to html
  - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
  - JDK-8207404: MulticastSocket tests failing on AIX
  - JDK-8212677: X11 default visual support for IM status window on VNC
  - JDK-8239365: ProcessBuilder test modifications for AIX execution
  - JDK-8271838: AmazonCA.java interop test fails
  - JDK-8285398: Cache the results of constraint checks
  - JDK-8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg'  is null
  - JDK-8302017: Allocate BadPaddingException only if it will be thrown
  - JDK-8305329: [8u] Unify test libraries into single test library - step 1
  - JDK-8307837: [8u] Check step in GHA should also print errors
  - JDK-8309088: security/infra/java/security/cert/CertPathValidator/certification/AmazonCA.java fails
  - JDK-8311813: C1: Uninitialized PhiResolver::_loop field
  - JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
  - JDK-8312535: MidiSystem.getSoundbank() throws unexpected SecurityException
  - JDK-8315280: Bump update version of OpenJDK: 8u402
  - JDK-8315506: C99 compatibility issue in LinuxNativeDispatcher
  - JDK-8317291: Missing null check for nmethod::is_native_method()
  - JDK-8317373: Add Telia Root CA v2
  - JDK-8317374: Add Let's Encrypt ISRG Root X2
  - JDK-8318759: Add four DigiCert root certificates
  - JDK-8319187: Add three eMudhra emSign roots
  - JDK-8319405: [s390] [jdk8] Increase javac default stack size for s390x zero
  - JDK-8320597: RSA signature verification fails on signed data that does not encode params correctly
 Notes on individual issues:
 ===========================
 security-libs/org.ietf.jgss:krb5:
 JDK-8029995: accept yes/no for boolean krb5.conf settings
 =========================================================
 The krb5.conf configuration file now also accepts "yes" and "no", as
 alternatives to the existing "true" and "false" support, when using
 settings that take boolean values.
 security-libs/java.security:
 JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
 ===============================================================================================================================
 A maximum signature file size property, jdk.jar.maxSignatureFileSize,
 was introduced in the 8u382 release of OpenJDK by JDK-8300596, with a
 default of 8MB. This default proved to be too small for some JAR
 files. This release, 8u402, increases it to 16MB.
 JDK-8317374: Added ISRG Root X2 CA Certificate from Let's Encrypt
 =================================================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Let's Encrypt
 Alias Name: letsencryptisrgx2
 Distinguished Name: CN=ISRG Root X2, O=Internet Security Research Group, C=US
 JDK-8318759: Added Four Root Certificates from DigiCert, Inc.
 =============================================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: DigiCert, Inc.
 Alias Name: digicertcseccrootg5
 Distinguished Name: CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
 Name: DigiCert, Inc.
 Alias Name: digicertcsrsarootg5
 Distinguished Name: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
 Name: DigiCert, Inc.
 Alias Name: digicerttlseccrootg5
 Distinguished Name: CN=DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
 Name: DigiCert, Inc.
 Alias Name: digicerttlsrsarootg5
 Distinguished Name: CN=DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
 JDK-8319187: Added Three Root Certificates from eMudhra Technologies Limited
 ============================================================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: eMudhra Technologies Limited
 Alias Name: emsignrootcag1
 Distinguished Name: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
 Name: eMudhra Technologies Limited
 Alias Name: emsigneccrootcag3
 Distinguished Name: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
 Name: eMudhra Technologies Limited
 Alias Name: emsignrootcag2
 Distinguished Name: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
 JDK-8317373: Added Telia Root CA v2 Certificate
 ===============================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Telia Root CA v2
 Alias Name: teliarootcav2
 Distinguished Name: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI ```
 New in release OpenJDK 8u392 (2023-10-17):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u392
 * CVEs
  - CVE-2023-22067
  - CVE-2023-22081
 * Security fixes
  - JDK-8286503, JDK-8312367: Enhance security classes
  - JDK-8297856: Improve handling of Bidi characters
  - JDK-8303384: Improved communication in CORBA
  - JDK-8305815, JDK-8307278: Update Libpng to 1.6.39
  - JDK-8309966: Enhanced TLS connections
 * Other changes
  - JDK-6722928: Provide a default native GSS-API library on Windows
  - JDK-8040887: [TESTBUG] Remove test/runtime/6925573/SortMethodsTest.java
  - JDK-8042726: [TESTBUG] TEST.groups file was not updated after runtime/6925573/SortMethodsTest.java removal
  - JDK-8139348: Deprecate 3DES and RC4 in Kerberos
  - JDK-8173072: zipfs fails to handle incorrect info-zip "extended timestamp extra field"
  - JDK-8200468: Port the native GSS-API bridge to Windows
  - JDK-8202952: C2: Unexpected dead nodes after matching
  - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
  - JDK-8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update
  - JDK-8214046: [macosx] Undecorated Frame does not Iconify when set to
  - JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
  - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
  - JDK-8232225: Rework the fix for JDK-8071483
  - JDK-8242330: Arrays should be cloned in several JAAS Callback classes
  - JDK-8253269: The CheckCommonColors test should provide more info on failure
  - JDK-8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int)
  - JDK-8284910: Buffer clean in PasswordCallback
  - JDK-8287073: NPE from CgroupV2Subsystem.getInstance()
  - JDK-8287663: Add a regression test for JDK-8287073
  - JDK-8295685: Update Libpng to 1.6.38
  - JDK-8295894: Remove SECOM certificate that is expiring in September 2023
  - JDK-8308788: [8u] Remove duplicate HaricaCA.java test
  - JDK-8309122: Bump update version of OpenJDK: 8u392
  - JDK-8309143: [8u] fix archiving inconsistencies in GHA
  - JDK-8310026: [8u] make java_lang_String::hash_code consistent across platforms
  - JDK-8314960: Add Certigna Root CA - 2
  - JDK-8315135: Memory leak in the native implementation of Pack200.Unpacker.unpack()
  - JDK-8317040: Exclude cleaner test failing on older releases
 Notes on individual issues:
 ===========================
 other-libs/corba:idl:
 JDK-8303384: Improved communication in CORBA
 ============================================
 The JDK's CORBA implementation now provides the option to limit
 serialisation in stub objects to those with the "IOR:" prefix.  For
 ORB constrained stub classes:
 * _DynArrayStub
 * _DynEnumStub
 * _DynFixedStub
 * _DynSequenceStub
 * _DynStructStub
 * _DynUnionStub
 * _DynValueStub
 * _DynAnyStub
 * _DynAnyFactoryStub
 this is enabled by default and may be disabled by setting the system
 property org.omg.DynamicAny.disableIORCheck to 'true'.
 For remote service stub classes:
 * _NamingContextStub
 * _BindingIteratorStub
 * _NamingContextExtStub
 * _ServantActivatorStub
 * _ServantLocatorStub
 * _ServerManagerStub
 * _ActivatorStub
 * _RepositoryStub
 * _InitialNameServiceStub
 * _LocatorStub
 * _ServerStub
 it is disabled by default and may be enabled by setting the system
 property org.omg.CORBA.IDL.Stubs.enableIORCheck to 'true'.
 security-libs/org.ietf.jgss:
 JDK-6722928: Added a Default Native GSS-API Library on Windows
 ==============================================================
 A native GSS-API library named `sspi_bridge.dll` has been added to the
 JDK on the Windows platform.  As with native GSS-API library provision
 on other operating systems, it will only be loaded when the
 `sun.security.jgss.native` system property is set to "true". A user
 can still load a third-party native GSS-API library instead by setting
 the `sun.security.jgss.lib` system property to the appropriate path.
 The library is client-side only and uses the default credentials.
 Native GSS support automatically uses cached credentials from the
 underlying operating system, so the
 `javax.security.auth.useSubjectCredsOnly` system property should be
 set to false.
 The `com.sun.security.auth.module.Krb5LoginModule` does not call
 native JGSS and so its use in your JAAS config should be avoided.
 security-libs/org.ietf.jgss:krb5:
 JDK-8139348: Deprecate 3DES and RC4 in Kerberos
 ===============================================
 The `des3-hmac-sha1` and `rc4-hmac` Kerberos encryption types (etypes)
 are now deprecated and disabled by default.  To re-enable them, you
 can either enable all weak crypto (which also includes `des-cbc-crc`
 and `des-cbc-md5`) by setting `allow_weak_crypto = true` in the
 `krb5.conf` configuration file or explicitly list all the preferred
 encryption types using the `default_tkt_enctypes`,
 `default_tgs_enctypes`, or `permitted_enctypes` settings.
 security-libs/java.security:
 JDK-8295894: Removed SECOM Trust System's RootCA1 Root Certificate
 ==================================================================
 The following root certificate from SECOM Trust System has been
 removed from the `cacerts` keystore:
 Alias Name: secomscrootca1 [jdk]
 Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
 JDK-8314960: Added Certigna Root CA Certificate
 ===============================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: Certigna (Dhimyotis)
 Alias Name: certignarootca
 Distinguished Name: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
 security-libs/javax.security:
 JDK-8242330: Arrays should be cloned in several JAAS Callback classes
 =====================================================================
 In the JAAS classes, ChoiceCallback and ConfirmationCallback, arrays
 were not cloned when passed into a constructor or returned. This
 allowed an external program to get access to the internal fields of
 these classes. The classes have been updated to return cloned arrays.
 New in release OpenJDK 8u382 (2023-07-18):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bit.ly/openjdk8u382
 * CVEs
  - CVE-2023-22045
  - CVE-2023-22049
 * Security fixes
  - JDK-8298676: Enhanced Look and Feel
  - JDK-8300596: Enhance Jar Signature validation
  - JDK-8304468: Better array usages
  - JDK-8305312: Enhanced path handling
 * Other changes
  - JDK-8072678: Wrong exception messages in java.awt.color.ICC_ColorSpace
  - JDK-8151460: Metaspace counters can have inconsistent values
  - JDK-8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
  - JDK-8185736: missing default exception handler in calls to rethrow_Stub
  - JDK-8186801: Add regression test to test mapping based charsets (generated at build time)
  - JDK-8215105: java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
  - JDK-8241311: Move some charset mapping tests from closed to open
  - JDK-8263059: security/infra/java/security/cert/CertPathValidator/certification/ComodoCA.java fails due to revoked cert
  - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped
  - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
  - JDK-8276841: Add support for Visual Studio 2022
  - JDK-8277881: Missing SessionID in TLS1.3 resumption in compatibility mode
  - JDK-8278851: Correct signer logic for jars signed with multiple digest algorithms
  - JDK-8282345: handle latest VS2022 in abstract_vm_version
  - JDK-8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
  - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
  - JDK-8289301: P11Cipher should not throw out of bounds exception during padding
  - JDK-8293232: Fix race condition in pkcs11 SessionManager
  - JDK-8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
  - JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13
  - JDK-8298108: Add a regression test for JDK-8297684
  - JDK-8298271: java/security/SignedJar/spi-calendar-provider/TestSPISigned.java failing on Windows
  - JDK-8301119: Support for GB18030-2022
  - JDK-8301400: Allow additional characters for GB18030-2022 support
  - JDK-8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
  - JDK-8303028: Update system property for Java SE specification maintenance version
  - JDK-8303462: Bump update version of OpenJDK: 8u382
  - JDK-8304760: Add 2 Microsoft TLS roots
  - JDK-8305165: [8u] ServiceThread::nmethods_do is not called to keep nmethods from being zombied while in the queue
  - JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
  - JDK-8305975: Add TWCA Global Root CA
  - JDK-8307134: Add GTS root CAs
  - JDK-8307310: Backport the tests for JDK-8058969 and JDK-8039271 to the OpenJDK8
  - JDK-8307531: [aarch64] JDK8 single-step debugging is extremely slow
  - JDK-8310947: gb18030-2000 not selectable with LANG=zh_CN.GB18030 after JDK-8301119
 Notes on individual issues:
 ===========================
 core-libs/java.lang:
 JDK-8305681: Allow additional characters for GB18030-2022 (Level 2) support
 ===========================================================================
 In order to support "Implementation Level 2" of the GB18030-2022
 standard, the JDK must be able to use characters from the CJK Unified
 Ideographs Extension E block of Unicode 8.0.  The addition of these
 characters forms Maintenance Release 5 of the Java SE 8 specification,
 which is implemented in this release of OpenJDK via the addition of a
 new UnicodeBlock instance,
 Character.CJK_UNIFIED_IDEOGRAPHS_EXTENSION_E.
 core-libs/java.util.jar:
 8300596: Enhance Jar Signature validation
 =========================================
 A System property "jdk.jar.maxSignatureFileSize" is introduced to
 configure the maximum number of bytes allowed for the
 signature-related files in a JAR file during verification. The default
 value is 8000000 bytes (8 MB).
 security-libs/java.security:
 JDK-8307134: Added 4 GTS Root CA Certificates
 =============================================
 The following root certificates have been added to the cacerts
 truststore:
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar1
 Distinguished Name: CN=GTS Root R1, O=Google Trust Services LLC, C=US
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar2
 Distinguished Name: CN=GTS Root R2, O=Google Trust Services LLC, C=US
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar3
 Distinguished Name: CN=GTS Root R3, O=Google Trust Services LLC, C=US
 Name: Google Trust Services LLC
 Alias Name: gtsrootcar4
 Distinguished Name: CN=GTS Root R4, O=Google Trust Services LLC, C=US
 JDK-8304760: Added Microsoft Corporation's 2 TLS Root CA Certificates
 =====================================================================
 The following root certificates has been added to the cacerts
 truststore:
 Name: Microsoft Corporation
 Alias Name: microsoftecc2017
 Distinguished Name: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
 Name: Microsoft Corporation
 Alias Name: microsoftrsa2017
 Distinguished Name: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
 JDK-8305975: Added TWCA Root CA Certificate
 ===========================================
 The following root certificate has been added to the cacerts
 truststore:
 Name: TWCA
 Alias Name: twcaglobalrootca
 Distinguished Name: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
 New in release OpenJDK 8u372 (2023-04-18):
 ===========================================
 Live versions of these release notes can be found at:
@ -1429,6 +497,19 @@ the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.
 core-libs/java.net:
 JDK-8286918: Better HttpServer service
 ======================================
 The HttpServer can be optionally configured with a maximum connection
 limit by setting the jdk.httpserver.maxConnections system property. A
 value of 0 or a negative integer is ignored and considered to
 represent no connection limit. In the case of a positive integer
 value, any newly accepted connections will be first checked against
 the current count of established connections and, if the configured
 limit has been reached, then the newly accepted connection will be
 closed immediately.
 security-libs/javax.net.ssl:
 JDK-8282859: Enable TLSv1.3 by Default on JDK 8 for Client Roles
@ -1626,7 +707,7 @@ device paths such as `NUL:` are *not* used.
 New in release OpenJDK 8u332 (2022-04-22):
 ===========================================
 Live versions of these release notes can be found at:
-  * https://bitly.com/openjdk8u332
+  * https://bit.ly/openjdk8u332
  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
 * Security fixes
--- a/SOURCES/fips-8u-6d1aade0648.patch
+++ b/SOURCES/fips-8u-6d1aade0648.patch
@ -1,5 +1,5 @@
 diff --git a/common/autoconf/configure.ac b/common/autoconf/configure.ac
-index 151e5a109f..a8761b500e 100644
+index 151e5a109f8..a8761b500e0 100644
 --- a/common/autoconf/configure.ac
 +++ b/common/autoconf/configure.ac
@@ -212,6 +212,7 @@ LIB_SETUP_FREETYPE
@ -11,10 +11,10 @@ index 151e5a109f..a8761b500e 100644
 LIB_SETUP_ON_WINDOWS
 diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
-index c6144b1968..9ac55d20d3 100644
+index 71fabf4dbb3..17f4f50673d 100644
 --- a/common/autoconf/generated-configure.sh
 +++ b/common/autoconf/generated-configure.sh
-@@ -655,6 +655,9 @@ ENABLE_LIBFFI_BUNDLING
+@@ -651,6 +651,9 @@ LLVM_CONFIG
 LIBFFI_LIBS
 LIBFFI_CFLAGS
 STATIC_CXX_SETTING
@ -24,15 +24,15 @@ index c6144b1968..9ac55d20d3 100644
 LIBDL
 LIBM
 LIBZIP_CAN_USE_MMAP
-@@ -1119,6 +1122,7 @@ with_fontconfig
+@@ -1111,6 +1114,7 @@ with_fontconfig
 with_fontconfig_include
 with_giflib
 with_zlib
 +enable_sysconf_nss
 with_stdc__lib
- with_libffi
+ with_msvcr_dll
- with_libffi_include
+ with_msvcp_dll
-@@ -1232,6 +1236,8 @@ FREETYPE_CFLAGS
+@@ -1218,6 +1222,8 @@ FREETYPE_CFLAGS
 FREETYPE_LIBS
 ALSA_CFLAGS
 ALSA_LIBS
@ -41,16 +41,16 @@ index c6144b1968..9ac55d20d3 100644
 LIBFFI_CFLAGS
 LIBFFI_LIBS
 CCACHE'
-@@ -1874,6 +1880,8 @@ Optional Features:
+@@ -1871,6 +1877,8 @@ Optional Features:
                           disable bundling of the freetype library with the
                           build result [enabled on Windows or when using
                           --with-freetype, disabled otherwise]
 +  --enable-sysconf-nss    build the System Configurator (libsysconf) using the
 +                          system NSS library if available [disabled]
-   --enable-libffi-bundling
+   --enable-sjavac         use sjavac to do fast incremental compiles
-                           enable bundling of libffi.so to make the built JDK
+                           [disabled]
-                           runnable on more systems
+   --disable-precompiled-headers
-@@ -2129,6 +2137,8 @@ Some influential environment variables:
+@@ -2115,6 +2123,8 @@ Some influential environment variables:
               linker flags for FREETYPE, overriding pkg-config
   ALSA_CFLAGS C compiler flags for ALSA, overriding pkg-config
   ALSA_LIBS   linker flags for ALSA, overriding pkg-config
@ -59,7 +59,60 @@ index c6144b1968..9ac55d20d3 100644
   LIBFFI_CFLAGS
               C compiler flags for LIBFFI, overriding pkg-config
   LIBFFI_LIBS linker flags for LIBFFI, overriding pkg-config
-@@ -4109,6 +4119,11 @@ fi
+@@ -2879,6 +2889,52 @@ $as_echo "$ac_res" >&6; }
   eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 } # ac_fn_c_check_header_compile
 +
 +# ac_fn_c_try_link LINENO
 +# -----------------------
 +# Try to link conftest.$ac_ext, and return whether this succeeded.
 +ac_fn_c_try_link ()
 +{
 +  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
 +  rm -f conftest.$ac_objext conftest$ac_exeext
 +  if { { ac_try="$ac_link"
 +case "(($ac_try" in
 +  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
 +  *) ac_try_echo=$ac_try;;
 +esac
 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
 +$as_echo "$ac_try_echo"; } >&5
 +  (eval "$ac_link") 2>conftest.err
 +  ac_status=$?
 +  if test -s conftest.err; then
 +    grep -v '^ *+' conftest.err >conftest.er1
 +    cat conftest.er1 >&5
 +    mv -f conftest.er1 conftest.err
 +  fi
 +  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 +  test $ac_status = 0; } && {
 +	 test -z "$ac_c_werror_flag" ||
 +	 test ! -s conftest.err
 +       } && test -s conftest$ac_exeext && {
 +	 test "$cross_compiling" = yes ||
 +	 test -x conftest$ac_exeext
 +       }; then :
 +  ac_retval=0
 +else
 +  $as_echo "$as_me: failed program was:" >&5
 +sed 's/^/| /' conftest.$ac_ext >&5
 +
 +	ac_retval=1
 +fi
 +  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
 +  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
 +  # interfere with the next link command; also delete a directory that is
 +  # left behind by Apple's compiler.  We do this before executing the actions.
 +  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
 +  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 +  as_fn_set_status $ac_retval
 +
 +} # ac_fn_c_try_link
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
@@ -4049,6 +4105,11 @@ fi
@ -71,7 +124,7 @@ index c6144b1968..9ac55d20d3 100644
 #
 # Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-@@ -50141,6 +50156,157 @@ fi
+@@ -49304,6 +49365,157 @@ fi
   LIBS="$save_LIBS"
@ -193,7 +246,7 @@ index c6144b1968..9ac55d20d3 100644
 +/* end confdefs.h.  */
 +#include <nss3/pk11pub.h>
 +int
-+main (void)
+main ()
 +{
 +SECMOD_GetSystemFIPSEnabled()
 +  ;
@ -230,10 +283,10 @@ index c6144b1968..9ac55d20d3 100644
   #
   # statically link libstdc++ before C++ ABI is stablized on Linux unless
 diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
-index 4ed8b4fdd6..caf293be72 100644
+index 6efae578ea9..0080846255b 100644
 --- a/common/autoconf/libraries.m4
 +++ b/common/autoconf/libraries.m4
-@@ -1216,3 +1216,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
+@@ -1067,3 +1067,63 @@ AC_DEFUN_ONCE([LIB_SETUP_ON_WINDOWS],
     BASIC_DEPRECATED_ARG_WITH([dxsdk-include])
   fi
 ])
@ -298,12 +351,12 @@ index 4ed8b4fdd6..caf293be72 100644
 +  AC_SUBST(USE_SYSCONF_NSS)
 +])
 diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
-index 8da3ac32a0..4d081d1b84 100644
+index 506cf617087..7241593b1a4 100644
 --- a/common/autoconf/spec.gmk.in
 +++ b/common/autoconf/spec.gmk.in
-@@ -317,6 +317,10 @@ ENABLE_LIBFFI_BUNDLING:=@ENABLE_LIBFFI_BUNDLING@
+@@ -312,6 +312,10 @@ CUPS_CFLAGS:=@CUPS_CFLAGS@
- LIBFFI_LIB_DIR:=@LIBFFI_LIB_DIR@
+ ALSA_LIBS:=@ALSA_LIBS@
- LIBFFI_LIB_FILE:=@LIBFFI_LIB_FILE@
+ ALSA_CFLAGS:=@ALSA_CFLAGS@
 +USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
 +NSS_LIBS:=@NSS_LIBS@
@ -313,7 +366,7 @@ index 8da3ac32a0..4d081d1b84 100644
 # Source file for cacerts
 diff --git a/common/bin/compare_exceptions.sh.incl b/common/bin/compare_exceptions.sh.incl
-index 3b79a526f5..d2a0e39b20 100644
+index 3b79a526f56..d2a0e39b206 100644
 --- a/common/bin/compare_exceptions.sh.incl
 +++ b/common/bin/compare_exceptions.sh.incl
@@ -280,6 +280,7 @@ ACCEPTED_SMALL_SIZE_DIFF="
@ -349,7 +402,7 @@ index 3b79a526f5..d2a0e39b20 100644
 ./jre/lib/sparcv9/libunpack.so
 ./jre/lib/sparcv9/libverify.so
 diff --git a/common/nb_native/nbproject/configurations.xml b/common/nb_native/nbproject/configurations.xml
-index d2beed0b93..3b6aef98d9 100644
+index d2beed0b93a..3b6aef98d9a 100644
 --- a/common/nb_native/nbproject/configurations.xml
 +++ b/common/nb_native/nbproject/configurations.xml
@@ -53,6 +53,9 @@
@ -375,10 +428,10 @@ index d2beed0b93..3b6aef98d9 100644
             ex="false"
             tool="0"
 diff --git a/jdk/make/lib/SecurityLibraries.gmk b/jdk/make/lib/SecurityLibraries.gmk
-index 84abb7e76b..cb4531b880 100644
+index b0b85d80448..47a41d7518d 100644
 --- a/jdk/make/lib/SecurityLibraries.gmk
 +++ b/jdk/make/lib/SecurityLibraries.gmk
-@@ -303,3 +303,34 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)
+@@ -289,3 +289,34 @@ ifeq ($(OPENJDK_TARGET_OS), solaris)
   endif
 endif
@ -415,7 +468,7 @@ index 84abb7e76b..cb4531b880 100644
 +
 diff --git a/jdk/make/mapfiles/libsystemconf/mapfile-vers b/jdk/make/mapfiles/libsystemconf/mapfile-vers
 new file mode 100644
-index 0000000000..a65ceb3b78
+index 00000000000..a65ceb3b78c
 --- /dev/null
 +++ b/jdk/make/mapfiles/libsystemconf/mapfile-vers
@@ -0,0 +1,35 @@
@ -455,7 +508,7 @@ index 0000000000..a65ceb3b78
 +		*;
 +};
 diff --git a/jdk/src/share/classes/java/security/Security.java b/jdk/src/share/classes/java/security/Security.java
-index 0db09da706..813b907db3 100644
+index 0db09da7061..813b907db3e 100644
 --- a/jdk/src/share/classes/java/security/Security.java
 +++ b/jdk/src/share/classes/java/security/Security.java
@@ -30,6 +30,8 @@ import java.util.*;
@ -587,7 +640,7 @@ index 0db09da706..813b907db3 100644
     /*
 diff --git a/jdk/src/share/classes/java/security/SystemConfigurator.java b/jdk/src/share/classes/java/security/SystemConfigurator.java
 new file mode 100644
-index 0000000000..a24a0445db
+index 00000000000..a24a0445db2
 --- /dev/null
 +++ b/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,248 @@
@ -841,7 +894,7 @@ index 0000000000..a24a0445db
 +}
 diff --git a/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
 new file mode 100644
-index 0000000000..5c30a8b29c
+index 00000000000..5c30a8b29c7
 --- /dev/null
 +++ b/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,31 @@
@ -877,7 +930,7 @@ index 0000000000..5c30a8b29c
 +    boolean isPlainKeySupportEnabled();
 +}
 diff --git a/jdk/src/share/classes/sun/misc/SharedSecrets.java b/jdk/src/share/classes/sun/misc/SharedSecrets.java
-index f065a2c685..0dafe6f59c 100644
+index f065a2c685d..0dafe6f59cf 100644
 --- a/jdk/src/share/classes/sun/misc/SharedSecrets.java
 +++ b/jdk/src/share/classes/sun/misc/SharedSecrets.java
@@ -31,6 +31,7 @@ import java.io.Console;
@ -914,7 +967,7 @@ index f065a2c685..0dafe6f59c 100644
 }
 diff --git a/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
 new file mode 100644
-index 0000000000..14d1945039
+index 00000000000..14d19450390
 --- /dev/null
 +++ b/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
@ -1209,7 +1262,7 @@ index 0000000000..14d1945039
 +    }
 +}
 diff --git a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
-index fedcd7743e..f9d70863bd 100644
+index fedcd7743ef..f9d70863bd1 100644
 --- a/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
 +++ b/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
@ -1313,7 +1366,7 @@ index fedcd7743e..f9d70863bd 100644
             if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
                 throw new UnsupportedOperationException
 diff --git a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
-index 2e42d1d9fb..1b7eed1c65 100644
+index 2e42d1d9fb0..1b7eed1c656 100644
 --- a/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
 +++ b/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
@ -1440,7 +1493,7 @@ index 2e42d1d9fb..1b7eed1c65 100644
 +}
 }
 diff --git a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
-index ffee2c1603..9811947982 100644
+index ffee2c1603b..98119479823 100644
 --- a/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
 +++ b/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
@ -1479,7 +1532,7 @@ index ffee2c1603..9811947982 100644
                         "FIPS mode: KeyStore must be " +
                         "from provider " + SunJSSE.cryptoProvider.getName());
 diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
-index 820e10164f..6fe2c29389 100644
+index 820e10164fc..6fe2c29389f 100644
 --- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
 +++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -31,6 +31,7 @@ import java.security.*;
@ -1577,7 +1630,7 @@ index 820e10164f..6fe2c29389 100644
                         ProtocolVersion.TLS13,
                         ProtocolVersion.TLS12,
 diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
-index 2845dc3793..52337a7b6c 100644
+index 2845dc37938..52337a7b6cf 100644
 --- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
 +++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@@ -30,6 +30,8 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
@ -1606,7 +1659,7 @@ index 2845dc3793..52337a7b6c 100644
             "sun.security.ssl.SSLContextImpl$TLSContext");
         if (isfips == false) {
 diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix
-index 37bca2df46..730212b601 100644
+index 7a93d4e6b59..681a24b905d 100644
 --- a/jdk/src/share/lib/security/java.security-aix
 +++ b/jdk/src/share/lib/security/java.security-aix
@@ -287,6 +287,13 @@ package.definition=sun.,\
@ -1624,7 +1677,7 @@ index 37bca2df46..730212b601 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux
-index 9bb8e992fb..a1b3943b11 100644
+index 145a84f94cf..789c19a8cba 100644
 --- a/jdk/src/share/lib/security/java.security-linux
 +++ b/jdk/src/share/lib/security/java.security-linux
@@ -75,6 +75,14 @@ security.provider.7=com.sun.security.sasl.Provider
@ -1669,7 +1722,7 @@ index 9bb8e992fb..a1b3943b11 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx
-index 7a765742e6..5abd95fff8 100644
+index 35fa140d7a5..d4da666af3b 100644
 --- a/jdk/src/share/lib/security/java.security-macosx
 +++ b/jdk/src/share/lib/security/java.security-macosx
@@ -290,6 +290,13 @@ package.definition=sun.,\
@ -1687,7 +1740,7 @@ index 7a765742e6..5abd95fff8 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris
-index f0100336f5..2f4c6c2fd6 100644
+index f79ba37ddb9..300132384a1 100644
 --- a/jdk/src/share/lib/security/java.security-solaris
 +++ b/jdk/src/share/lib/security/java.security-solaris
@@ -288,6 +288,13 @@ package.definition=sun.,\
@ -1705,7 +1758,7 @@ index f0100336f5..2f4c6c2fd6 100644
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows
-index e51bdece13..b4a509753b 100644
+index d70503ce95f..64db5a5cd1e 100644
 --- a/jdk/src/share/lib/security/java.security-windows
 +++ b/jdk/src/share/lib/security/java.security-windows
@@ -290,6 +290,13 @@ package.definition=sun.,\
@ -1724,7 +1777,7 @@ index e51bdece13..b4a509753b 100644
 # the javax.net.ssl package.
 diff --git a/jdk/src/solaris/native/java/security/systemconf.c b/jdk/src/solaris/native/java/security/systemconf.c
 new file mode 100644
-index 0000000000..8dcb7d9073
+index 00000000000..8dcb7d9073f
 --- /dev/null
 +++ b/jdk/src/solaris/native/java/security/systemconf.c
@@ -0,0 +1,224 @@
--- a/SOURCES/java-1.8.0-openjdk-portable.specfile
+++ b/SOURCES/java-1.8.0-openjdk-portable.specfile
--- a/SOURCES/java-1.8.0-openjdk-remove-intree-libraries.sh
+++ b/SOURCES/java-1.8.0-openjdk-remove-intree-libraries.sh
@ -0,0 +1,131 @@
 #!/bin/sh
 ZIP_SRC=openjdk/jdk/src/share/native/java/util/zip/zlib
 JPEG_SRC=openjdk/jdk/src/share/native/sun/awt/image/jpeg
 GIF_SRC=openjdk/jdk/src/share/native/sun/awt/giflib
 PNG_SRC=openjdk/jdk/src/share/native/sun/awt/libpng
 LCMS_SRC=openjdk/jdk/src/share/native/sun/java2d/cmm/lcms
 echo "Removing built-in libs (they will be linked)"
 echo "Removing zlib"
 if [ ! -d ${ZIP_SRC} ]; then
 	echo "${ZIP_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${ZIP_SRC}
 echo "Removing libjpeg"
 if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist
 	echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
 	exit 1
 fi	
 rm -vf ${JPEG_SRC}/jcomapi.c
 rm -vf ${JPEG_SRC}/jdapimin.c
 rm -vf ${JPEG_SRC}/jdapistd.c
 rm -vf ${JPEG_SRC}/jdcoefct.c
 rm -vf ${JPEG_SRC}/jdcolor.c
 rm -vf ${JPEG_SRC}/jdct.h
 rm -vf ${JPEG_SRC}/jddctmgr.c
 rm -vf ${JPEG_SRC}/jdhuff.c
 rm -vf ${JPEG_SRC}/jdhuff.h
 rm -vf ${JPEG_SRC}/jdinput.c
 rm -vf ${JPEG_SRC}/jdmainct.c
 rm -vf ${JPEG_SRC}/jdmarker.c
 rm -vf ${JPEG_SRC}/jdmaster.c
 rm -vf ${JPEG_SRC}/jdmerge.c
 rm -vf ${JPEG_SRC}/jdphuff.c
 rm -vf ${JPEG_SRC}/jdpostct.c
 rm -vf ${JPEG_SRC}/jdsample.c
 rm -vf ${JPEG_SRC}/jerror.c
 rm -vf ${JPEG_SRC}/jerror.h
 rm -vf ${JPEG_SRC}/jidctflt.c
 rm -vf ${JPEG_SRC}/jidctfst.c
 rm -vf ${JPEG_SRC}/jidctint.c
 rm -vf ${JPEG_SRC}/jidctred.c
 rm -vf ${JPEG_SRC}/jinclude.h
 rm -vf ${JPEG_SRC}/jmemmgr.c
 rm -vf ${JPEG_SRC}/jmemsys.h
 rm -vf ${JPEG_SRC}/jmemnobs.c
 rm -vf ${JPEG_SRC}/jmorecfg.h
 rm -vf ${JPEG_SRC}/jpegint.h
 rm -vf ${JPEG_SRC}/jpeglib.h
 rm -vf ${JPEG_SRC}/jquant1.c
 rm -vf ${JPEG_SRC}/jquant2.c
 rm -vf ${JPEG_SRC}/jutils.c
 rm -vf ${JPEG_SRC}/jcapimin.c
 rm -vf ${JPEG_SRC}/jcapistd.c
 rm -vf ${JPEG_SRC}/jccoefct.c
 rm -vf ${JPEG_SRC}/jccolor.c
 rm -vf ${JPEG_SRC}/jcdctmgr.c
 rm -vf ${JPEG_SRC}/jchuff.c
 rm -vf ${JPEG_SRC}/jchuff.h
 rm -vf ${JPEG_SRC}/jcinit.c
 rm -vf ${JPEG_SRC}/jconfig.h
 rm -vf ${JPEG_SRC}/jcmainct.c
 rm -vf ${JPEG_SRC}/jcmarker.c
 rm -vf ${JPEG_SRC}/jcmaster.c
 rm -vf ${JPEG_SRC}/jcparam.c
 rm -vf ${JPEG_SRC}/jcphuff.c
 rm -vf ${JPEG_SRC}/jcprepct.c
 rm -vf ${JPEG_SRC}/jcsample.c
 rm -vf ${JPEG_SRC}/jctrans.c
 rm -vf ${JPEG_SRC}/jdtrans.c
 rm -vf ${JPEG_SRC}/jfdctflt.c
 rm -vf ${JPEG_SRC}/jfdctfst.c
 rm -vf ${JPEG_SRC}/jfdctint.c
 rm -vf ${JPEG_SRC}/jversion.h
 rm -vf ${JPEG_SRC}/README
 echo "Removing giflib"
 if [ ! -d ${GIF_SRC} ]; then
 	echo "${GIF_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${GIF_SRC}
 echo "Removing libpng"
 if [ ! -d ${PNG_SRC} ]; then
 	echo "${PNG_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi	
 rm -rvf ${PNG_SRC}
 echo "Removing lcms"
 if [ ! -d ${LCMS_SRC} ]; then
 	echo "${LCMS_SRC} does not exist. Refusing to proceed."
 	exit 1
 fi
 # temporary change to move bundled LCMS
 if [ ! true ]; then
 rm -vf ${LCMS_SRC}/cmsalpha.c
 rm -vf ${LCMS_SRC}/cmscam02.c
 rm -vf ${LCMS_SRC}/cmscgats.c
 rm -vf ${LCMS_SRC}/cmscnvrt.c
 rm -vf ${LCMS_SRC}/cmserr.c
 rm -vf ${LCMS_SRC}/cmsgamma.c
 rm -vf ${LCMS_SRC}/cmsgmt.c
 rm -vf ${LCMS_SRC}/cmshalf.c
 rm -vf ${LCMS_SRC}/cmsintrp.c
 rm -vf ${LCMS_SRC}/cmsio0.c
 rm -vf ${LCMS_SRC}/cmsio1.c
 rm -vf ${LCMS_SRC}/cmslut.c
 rm -vf ${LCMS_SRC}/cmsmd5.c
 rm -vf ${LCMS_SRC}/cmsmtrx.c
 rm -vf ${LCMS_SRC}/cmsnamed.c
 rm -vf ${LCMS_SRC}/cmsopt.c
 rm -vf ${LCMS_SRC}/cmspack.c
 rm -vf ${LCMS_SRC}/cmspcs.c
 rm -vf ${LCMS_SRC}/cmsplugin.c
 rm -vf ${LCMS_SRC}/cmsps2.c
 rm -vf ${LCMS_SRC}/cmssamp.c
 rm -vf ${LCMS_SRC}/cmssm.c
 rm -vf ${LCMS_SRC}/cmstypes.c
 rm -vf ${LCMS_SRC}/cmsvirt.c
 rm -vf ${LCMS_SRC}/cmswtpnt.c
 rm -vf ${LCMS_SRC}/cmsxform.c
 rm -vf ${LCMS_SRC}/lcms2.h
 rm -vf ${LCMS_SRC}/lcms2_internal.h
 rm -vf ${LCMS_SRC}/lcms2_plugin.h
 fi
--- a/SOURCES/jdk8141590-bundle_libffi-followup.patch
+++ b/SOURCES/jdk8141590-bundle_libffi-followup.patch
@ -1,51 +0,0 @@
 commit 928f3bf4a3017931ecc7012688e62d8a03264e61
 Author:     Andrew Hughes <gnu.andrew@redhat.com>
 AuthorDate: Thu Jan 16 17:40:36 2025 +0000
 Commit:     Andrew Hughes <gnu.andrew@redhat.com>
 CommitDate: Thu Jan 16 22:50:24 2025 +0000
    Search /usr/lib64 on architectures other than x86_64
 diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
 index 587b4c2657..5aeebe49a3 100644
 --- a/common/autoconf/generated-configure.sh
 +++ b/common/autoconf/generated-configure.sh
@@ -4493,7 +4493,7 @@ VS_TOOLSET_SUPPORTED_2022=true
 #CUSTOM_AUTOCONF_INCLUDE
 # Do not change or remove the following line, it is needed for consistency checks:
 -DATE_WHEN_GENERATED=1737049912
 +DATE_WHEN_GENERATED=1737067804
 ###############################################################################
 #
@@ -50590,9 +50590,11 @@ $as_echo_n "checking for libffi lib file location... " >&6; }
             as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5
           fi
         else
 -          # Fallback on the default /usr/lib dir
 +          # Fallback on the default /usr/lib and /usr/lib64 dirs
           if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then
             LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?"
 +          elif test -e ${SYSROOT}/usr/lib64/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib64/libffi.so.?"
           else
             as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5
           fi
 diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
 index 4ed8b4fdd6..6ab6dbc075 100644
 --- a/common/autoconf/libraries.m4
 +++ b/common/autoconf/libraries.m4
@@ -1121,9 +1121,11 @@ AC_DEFUN_ONCE([LIB_SETUP_STATIC_LINK_LIBSTDCPP],
             AC_MSG_ERROR([Could not locate libffi.so.? for bundling])
           fi
         else
 -          # Fallback on the default /usr/lib dir
 +          # Fallback on the default /usr/lib and /usr/lib64 dirs
           if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then
             LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?"
 +          elif test -e ${SYSROOT}/usr/lib64/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib64/libffi.so.?"
           else
             AC_MSG_ERROR([Could not locate libffi.so.? for bundling])
           fi
--- a/SOURCES/jdk8141590-bundle_libffi.patch
+++ b/SOURCES/jdk8141590-bundle_libffi.patch
@ -1,763 +0,0 @@
 diff --git a/common/autoconf/generated-configure.sh b/common/autoconf/generated-configure.sh
 index ad3f7f232e..587b4c2657 100644
 --- a/common/autoconf/generated-configure.sh
 +++ b/common/autoconf/generated-configure.sh
@@ -649,6 +649,9 @@ LLVM_LIBS
 LLVM_LDFLAGS
 LLVM_CFLAGS
 LLVM_CONFIG
 +LIBFFI_LIB_FILE
 +LIBFFI_LIB_DIR
 +ENABLE_LIBFFI_BUNDLING
 LIBFFI_LIBS
 LIBFFI_CFLAGS
 STATIC_CXX_SETTING
@@ -1117,6 +1120,10 @@ with_fontconfig_include
 with_giflib
 with_zlib
 with_stdc__lib
 +with_libffi
 +with_libffi_include
 +with_libffi_lib
 +enable_libffi_bundling
 with_msvcr_dll
 with_msvcp_dll
 with_vcruntime_1_dll
@@ -1867,6 +1874,9 @@ Optional Features:
                           disable bundling of the freetype library with the
                           build result [enabled on Windows or when using
                           --with-freetype, disabled otherwise]
 +  --enable-libffi-bundling
 +                          enable bundling of libffi.so to make the built JDK
 +                          runnable on more systems
   --enable-sjavac         use sjavac to do fast incremental compiles
                           [disabled]
   --disable-precompiled-headers
@@ -1996,6 +2006,11 @@ Optional Packages:
                           force linking of the C++ runtime on Linux to either
                           static or dynamic, default is static with dynamic as
                           fallback
 +  --with-libffi           specify prefix directory for the libffi package
 +                          (expecting the libraries under PATH/lib and the
 +                          headers under PATH/include)
 +  --with-libffi-include   specify directory for the libffi include files
 +  --with-libffi-lib       specify directory for the libffi library
   --with-msvcr-dll        path to microsoft C runtime dll (msvcr*.dll)
                           (Windows only) [probed]
   --with-msvcp-dll        path to microsoft C++ runtime dll (msvcp*.dll)
@@ -2878,6 +2893,52 @@ $as_echo "$ac_res" >&6; }
   eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 } # ac_fn_c_check_header_compile
 +
 +# ac_fn_c_try_link LINENO
 +# -----------------------
 +# Try to link conftest.$ac_ext, and return whether this succeeded.
 +ac_fn_c_try_link ()
 +{
 +  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
 +  rm -f conftest.$ac_objext conftest$ac_exeext
 +  if { { ac_try="$ac_link"
 +case "(($ac_try" in
 +  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
 +  *) ac_try_echo=$ac_try;;
 +esac
 +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
 +$as_echo "$ac_try_echo"; } >&5
 +  (eval "$ac_link") 2>conftest.err
 +  ac_status=$?
 +  if test -s conftest.err; then
 +    grep -v '^ *+' conftest.err >conftest.er1
 +    cat conftest.er1 >&5
 +    mv -f conftest.er1 conftest.err
 +  fi
 +  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
 +  test $ac_status = 0; } && {
 +	 test -z "$ac_c_werror_flag" ||
 +	 test ! -s conftest.err
 +       } && test -s conftest$ac_exeext && {
 +	 test "$cross_compiling" = yes ||
 +	 test -x conftest$ac_exeext
 +       }; then :
 +  ac_retval=0
 +else
 +  $as_echo "$as_me: failed program was:" >&5
 +sed 's/^/| /' conftest.$ac_ext >&5
 +
 +	ac_retval=1
 +fi
 +  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
 +  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
 +  # interfere with the next link command; also delete a directory that is
 +  # left behind by Apple's compiler.  We do this before executing the actions.
 +  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
 +  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
 +  as_fn_set_status $ac_retval
 +
 +} # ac_fn_c_try_link
 cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
@@ -4432,7 +4493,7 @@ VS_TOOLSET_SUPPORTED_2022=true
 #CUSTOM_AUTOCONF_INCLUDE
 # Do not change or remove the following line, it is needed for consistency checks:
 -DATE_WHEN_GENERATED=1716396030
 +DATE_WHEN_GENERATED=1737049912
 ###############################################################################
 #
@@ -50215,8 +50276,70 @@ $as_echo "static" >&6; }
   fi
 +
 +# Check whether --with-libffi was given.
 +if test "${with_libffi+set}" = set; then :
 +  withval=$with_libffi;
 +fi
 +
 +
 +# Check whether --with-libffi-include was given.
 +if test "${with_libffi_include+set}" = set; then :
 +  withval=$with_libffi_include;
 +fi
 +
 +
 +# Check whether --with-libffi-lib was given.
 +if test "${with_libffi_lib+set}" = set; then :
 +  withval=$with_libffi_lib;
 +fi
 +
 +  # Check whether --enable-libffi-bundling was given.
 +if test "${enable_libffi_bundling+set}" = set; then :
 +  enableval=$enable_libffi_bundling;
 +fi
 +
 +
 +  # Check if ffi is needed
   if test "x$JVM_VARIANT_ZERO" = xtrue || test "x$JVM_VARIANT_ZEROSHARK" = xtrue; then
 -    # Figure out LIBFFI_CFLAGS and LIBFFI_LIBS
 +    NEEDS_LIB_FFI=true
 +  else
 +    NEEDS_LIB_FFI=false
 +  fi
 +
 +  if test "x$NEEDS_LIB_FFI" = xfalse; then
 +    if test "x${with_libffi}" != x || test "x${with_libffi_include}" != x || test "x${with_libffi_lib}" != x; then
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libffi not used, so --with-libffi is ignored" >&5
 +$as_echo "$as_me: WARNING: libffi not used, so --with-libffi is ignored" >&2;}
 +    fi
 +    LIBFFI_CFLAGS=
 +    LIBFFI_LIBS=
 +  else
 +    LIBFFI_FOUND=no
 +
 +    if test "x${with_libffi}" = xno || test "x${with_libffi_include}" = xno || test "x${with_libffi_lib}" = xno; then
 +      as_fn_error $? "It is not possible to disable the use of libffi. Remove the --without-libffi option." "$LINENO" 5
 +    fi
 +
 +    if test "x${with_libffi}" != x; then
 +      LIBFFI_LIB_PATH="${with_libffi}/lib"
 +      LIBFFI_LIBS="-L${with_libffi}/lib -lffi"
 +      LIBFFI_CFLAGS="-I${with_libffi}/include"
 +      LIBFFI_FOUND=yes
 +    fi
 +    if test "x${with_libffi_include}" != x; then
 +      LIBFFI_CFLAGS="-I${with_libffi_include}"
 +      LIBFFI_FOUND=yes
 +    fi
 +    if test "x${with_libffi_lib}" != x; then
 +      LIBFFI_LIB_PATH="${with_libffi_lib}"
 +      LIBFFI_LIBS="-L${with_libffi_lib} -lffi"
 +      LIBFFI_FOUND=yes
 +    fi
 +    # Do not try pkg-config if we have a sysroot set.
 +    if test "x$SYSROOT" = x; then
 +      if test "x$LIBFFI_FOUND" = xno; then
 +        # Figure out LIBFFI_CFLAGS and LIBFFI_LIBS
 pkg_failed=no
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBFFI" >&5
@@ -50272,40 +50395,224 @@ fi
 	# Put the nasty error message in config.log where it belongs
 	echo "$LIBFFI_PKG_ERRORS" >&5
 -	as_fn_error $? "Package requirements (libffi) were not met:
 -
 -$LIBFFI_PKG_ERRORS
 -
 -Consider adjusting the PKG_CONFIG_PATH environment variable if you
 -installed software in a non-standard prefix.
 -
 -Alternatively, you may set the environment variables LIBFFI_CFLAGS
 -and LIBFFI_LIBS to avoid the need to call pkg-config.
 -See the pkg-config man page for more details.
 -" "$LINENO" 5
 +	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 +$as_echo "no" >&6; }
 +                LIBFFI_FOUND=no
 elif test $pkg_failed = untried; then
 -	{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
 -as_fn_error $? "The pkg-config script could not be found or is too old.  Make sure it
 -is in your PATH or set the PKG_CONFIG environment variable to the full
 -path to pkg-config.
 -
 -Alternatively, you may set the environment variables LIBFFI_CFLAGS
 -and LIBFFI_LIBS to avoid the need to call pkg-config.
 -See the pkg-config man page for more details.
 -
 -To get pkg-config, see <http://pkg-config.freedesktop.org/>.
 -See \`config.log' for more details" "$LINENO" 5; }
 +	LIBFFI_FOUND=no
 else
 	LIBFFI_CFLAGS=$pkg_cv_LIBFFI_CFLAGS
 	LIBFFI_LIBS=$pkg_cv_LIBFFI_LIBS
         { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 -	:
 +	LIBFFI_FOUND=yes
 +fi
 +      fi
 +    fi
 +    if test "x$LIBFFI_FOUND" = xno; then
 +      for ac_header in ffi.h
 +do :
 +  ac_fn_cxx_check_header_mongrel "$LINENO" "ffi.h" "ac_cv_header_ffi_h" "$ac_includes_default"
 +if test "x$ac_cv_header_ffi_h" = xyes; then :
 +  cat >>confdefs.h <<_ACEOF
 +#define HAVE_FFI_H 1
 +_ACEOF
 +
 +            LIBFFI_FOUND=yes
 +            LIBFFI_CFLAGS=
 +            LIBFFI_LIBS=-lffi
 +
 +else
 +  LIBFFI_FOUND=no
 +
 +fi
 +
 +done
 +
 +    fi
 +    if test "x$LIBFFI_FOUND" = xno; then
 +
 +  # Print a helpful message on how to acquire the necessary build dependency.
 +  # ffi is the help tag: freetype, cups, pulse, alsa etc
 +  MISSING_DEPENDENCY=ffi
 +
 +  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
 +    cygwin_help $MISSING_DEPENDENCY
 +  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
 +    msys_help $MISSING_DEPENDENCY
 +  else
 +    PKGHANDLER_COMMAND=
 +
 +    case $PKGHANDLER in
 +      apt-get)
 +        apt_help     $MISSING_DEPENDENCY ;;
 +      yum)
 +        yum_help     $MISSING_DEPENDENCY ;;
 +      port)
 +        port_help    $MISSING_DEPENDENCY ;;
 +      pkgutil)
 +        pkgutil_help $MISSING_DEPENDENCY ;;
 +      pkgadd)
 +        pkgadd_help  $MISSING_DEPENDENCY ;;
 +    esac
 +
 +    if test "x$PKGHANDLER_COMMAND" != x; then
 +      HELP_MSG="You might be able to fix this by running '$PKGHANDLER_COMMAND'."
 +    fi
 +  fi
 +
 +      as_fn_error $? "Could not find libffi! $HELP_MSG" "$LINENO" 5
 +    fi
 +
 +    { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libffi works" >&5
 +$as_echo_n "checking if libffi works... " >&6; }
 +    ac_ext=c
 +ac_cpp='$CPP $CPPFLAGS'
 +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 +ac_compiler_gnu=$ac_cv_c_compiler_gnu
 +
 +    OLD_CFLAGS="$CFLAGS"
 +    CFLAGS="$CFLAGS $LIBFFI_CFLAGS"
 +    OLD_LIBS="$LIBS"
 +    LIBS="$LIBS $LIBFFI_LIBS"
 +    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 +/* end confdefs.h.  */
 +#include <ffi.h>
 +int
 +main (void)
 +{
 +
 +          ffi_call(NULL, NULL, NULL, NULL);
 +          return 0;
 +
 +  ;
 +  return 0;
 +}
 +_ACEOF
 +if ac_fn_c_try_link "$LINENO"; then :
 +  LIBFFI_WORKS=yes
 +else
 +  LIBFFI_WORKS=no
 +
 fi
 +rm -f core conftest.err conftest.$ac_objext \
 +    conftest$ac_exeext conftest.$ac_ext
 +    CFLAGS="$OLD_CFLAGS"
 +    LIBS="$OLD_LIBS"
 +    ac_ext=cpp
 +ac_cpp='$CXXCPP $CPPFLAGS'
 +ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
 +ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 +ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
 +
 +    { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBFFI_WORKS" >&5
 +$as_echo "$LIBFFI_WORKS" >&6; }
 +    if test "x$LIBFFI_WORKS" = xno; then
 +
 +  # Print a helpful message on how to acquire the necessary build dependency.
 +  # ffi is the help tag: freetype, cups, pulse, alsa etc
 +  MISSING_DEPENDENCY=ffi
 +
 +  if test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.cygwin"; then
 +    cygwin_help $MISSING_DEPENDENCY
 +  elif test "x$OPENJDK_BUILD_OS_ENV" = "xwindows.msys"; then
 +    msys_help $MISSING_DEPENDENCY
 +  else
 +    PKGHANDLER_COMMAND=
 +
 +    case $PKGHANDLER in
 +      apt-get)
 +        apt_help     $MISSING_DEPENDENCY ;;
 +      yum)
 +        yum_help     $MISSING_DEPENDENCY ;;
 +      port)
 +        port_help    $MISSING_DEPENDENCY ;;
 +      pkgutil)
 +        pkgutil_help $MISSING_DEPENDENCY ;;
 +      pkgadd)
 +        pkgadd_help  $MISSING_DEPENDENCY ;;
 +    esac
 +
 +    if test "x$PKGHANDLER_COMMAND" != x; then
 +      HELP_MSG="You might be able to fix this by running '$PKGHANDLER_COMMAND'."
 +    fi
   fi
 +      as_fn_error $? "Found libffi but could not link and compile with it. $HELP_MSG" "$LINENO" 5
 +    fi
 +
 +    { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libffi should be bundled" >&5
 +$as_echo_n "checking if libffi should be bundled... " >&6; }
 +    if test "x$enable_libffi_bundling" = "x"; then
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 +$as_echo "no" >&6; }
 +      ENABLE_LIBFFI_BUNDLING=false
 +    elif  test "x$enable_libffi_bundling" = "xno"; then
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, forced" >&5
 +$as_echo "no, forced" >&6; }
 +      ENABLE_LIBFFI_BUNDLING=false
 +    elif  test "x$enable_libffi_bundling" = "xyes"; then
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, forced" >&5
 +$as_echo "yes, forced" >&6; }
 +      ENABLE_LIBFFI_BUNDLING=true
 +    else
 +      as_fn_error $? "Invalid value for --enable-libffi-bundling" "$LINENO" 5
 +    fi
 +
 +    # Find the libffi.so.X to bundle
 +    if test "x${ENABLE_LIBFFI_BUNDLING}" = "xtrue"; then
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libffi lib file location" >&5
 +$as_echo_n "checking for libffi lib file location... " >&6; }
 +      if test "x${LIBFFI_LIB_PATH}" != x; then
 +        if test -e ${LIBFFI_LIB_PATH}/libffi.so.?; then
 +          LIBFFI_LIB_FILE="${LIBFFI_LIB_PATH}/libffi.so.?"
 +        else
 +          as_fn_error $? "Could not locate libffi.so.? for bundling in ${LIBFFI_LIB_PATH}" "$LINENO" 5
 +        fi
 +      else
 +        # If we don't have an explicit path, look in a few obvious places
 +        if test "x${OPENJDK_TARGET_CPU}" = "xx86"; then
 +          if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?"
 +          elif test -e ${SYSROOT}/usr/lib/i386-linux-gnu/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/i386-linux-gnu/libffi.so.?"
 +          else
 +            as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5
 +          fi
 +        elif test "x${OPENJDK_TARGET_CPU}" = "xx86_64"; then
 +          if test -e ${SYSROOT}/usr/lib64/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib64/libffi.so.?"
 +          elif test -e ${SYSROOT}/usr/lib/x86_64-linux-gnu/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/x86_64-linux-gnu/libffi.so.?"
 +          else
 +            as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5
 +          fi
 +        else
 +          # Fallback on the default /usr/lib dir
 +          if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?"
 +          else
 +            as_fn_error $? "Could not locate libffi.so.? for bundling" "$LINENO" 5
 +          fi
 +        fi
 +      fi
 +      # Make sure the wildcard is evaluated
 +      LIBFFI_LIB_FILE="$(ls ${LIBFFI_LIB_FILE})"
 +      LIBFFI_LIB_DIR="$(dirname ${LIBFFI_LIB_FILE})"
 +      LIBFFI_LIB_FILE="$(basename ${LIBFFI_LIB_FILE})"
 +      { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${LIBFFI_LIB_FILE} in ${LIBFFI_LIB_DIR}" >&5
 +$as_echo "${LIBFFI_LIB_FILE} in ${LIBFFI_LIB_DIR}" >&6; }
 +    fi
 +  fi
 +
 +
 +
 +
 +
 +
 +
   if test "x$JVM_VARIANT_ZEROSHARK" = xtrue; then
     # Extract the first word of "llvm-config", so it can be a program name with args.
 set dummy llvm-config; ac_word=$2
 diff --git a/common/autoconf/libraries.m4 b/common/autoconf/libraries.m4
 index 6efae578ea..4ed8b4fdd6 100644
 --- a/common/autoconf/libraries.m4
 +++ b/common/autoconf/libraries.m4
@@ -988,12 +988,161 @@ AC_DEFUN_ONCE([LIB_SETUP_STATIC_LINK_LIBSTDCPP],
   fi
   AC_SUBST(STATIC_CXX_SETTING)
 +  AC_ARG_WITH(libffi, [AS_HELP_STRING([--with-libffi],
 +      [specify prefix directory for the libffi package
 +      (expecting the libraries under PATH/lib and the headers under PATH/include)])])
 +  AC_ARG_WITH(libffi-include, [AS_HELP_STRING([--with-libffi-include],
 +      [specify directory for the libffi include files])])
 +  AC_ARG_WITH(libffi-lib, [AS_HELP_STRING([--with-libffi-lib],
 +      [specify directory for the libffi library])])
 +  AC_ARG_ENABLE(libffi-bundling, [AS_HELP_STRING([--enable-libffi-bundling],
 +      [enable bundling of libffi.so to make the built JDK runnable on more systems])])
 +
 +  # Check if ffi is needed
   if test "x$JVM_VARIANT_ZERO" = xtrue || test "x$JVM_VARIANT_ZEROSHARK" = xtrue; then
 -    # Figure out LIBFFI_CFLAGS and LIBFFI_LIBS
 -    PKG_CHECK_MODULES([LIBFFI], [libffi])
 +    NEEDS_LIB_FFI=true
 +  else
 +    NEEDS_LIB_FFI=false
 +  fi
 +
 +  if test "x$NEEDS_LIB_FFI" = xfalse; then
 +    if test "x${with_libffi}" != x || test "x${with_libffi_include}" != x || test "x${with_libffi_lib}" != x; then
 +      AC_MSG_WARN([libffi not used, so --with-libffi is ignored])
 +    fi
 +    LIBFFI_CFLAGS=
 +    LIBFFI_LIBS=
 +  else
 +    LIBFFI_FOUND=no
 +    if test "x${with_libffi}" = xno || test "x${with_libffi_include}" = xno || test "x${with_libffi_lib}" = xno; then
 +      AC_MSG_ERROR([It is not possible to disable the use of libffi. Remove the --without-libffi option.])
 +    fi
 +
 +    if test "x${with_libffi}" != x; then
 +      LIBFFI_LIB_PATH="${with_libffi}/lib"
 +      LIBFFI_LIBS="-L${with_libffi}/lib -lffi"
 +      LIBFFI_CFLAGS="-I${with_libffi}/include"
 +      LIBFFI_FOUND=yes
 +    fi
 +    if test "x${with_libffi_include}" != x; then
 +      LIBFFI_CFLAGS="-I${with_libffi_include}"
 +      LIBFFI_FOUND=yes
 +    fi
 +    if test "x${with_libffi_lib}" != x; then
 +      LIBFFI_LIB_PATH="${with_libffi_lib}"
 +      LIBFFI_LIBS="-L${with_libffi_lib} -lffi"
 +      LIBFFI_FOUND=yes
 +    fi
 +    # Do not try pkg-config if we have a sysroot set.
 +    if test "x$SYSROOT" = x; then
 +      if test "x$LIBFFI_FOUND" = xno; then
 +        # Figure out LIBFFI_CFLAGS and LIBFFI_LIBS
 +        PKG_CHECK_MODULES([LIBFFI], [libffi], [LIBFFI_FOUND=yes], [LIBFFI_FOUND=no])
 +      fi
 +    fi
 +    if test "x$LIBFFI_FOUND" = xno; then
 +      AC_CHECK_HEADERS([ffi.h],
 +          [
 +            LIBFFI_FOUND=yes
 +            LIBFFI_CFLAGS=
 +            LIBFFI_LIBS=-lffi
 +          ],
 +          [LIBFFI_FOUND=no]
 +      )
 +    fi
 +    if test "x$LIBFFI_FOUND" = xno; then
 +      HELP_MSG_MISSING_DEPENDENCY([ffi])
 +      AC_MSG_ERROR([Could not find libffi! $HELP_MSG])
 +    fi
 +
 +    AC_MSG_CHECKING([if libffi works])
 +    AC_LANG_PUSH(C)
 +    OLD_CFLAGS="$CFLAGS"
 +    CFLAGS="$CFLAGS $LIBFFI_CFLAGS"
 +    OLD_LIBS="$LIBS"
 +    LIBS="$LIBS $LIBFFI_LIBS"
 +    AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <ffi.h>],
 +        [
 +          ffi_call(NULL, NULL, NULL, NULL);
 +          return 0;
 +        ])],
 +        [LIBFFI_WORKS=yes],
 +        [LIBFFI_WORKS=no]
 +    )
 +    CFLAGS="$OLD_CFLAGS"
 +    LIBS="$OLD_LIBS"
 +    AC_LANG_POP(C)
 +    AC_MSG_RESULT([$LIBFFI_WORKS])
 +
 +    if test "x$LIBFFI_WORKS" = xno; then
 +      HELP_MSG_MISSING_DEPENDENCY([ffi])
 +      AC_MSG_ERROR([Found libffi but could not link and compile with it. $HELP_MSG])
 +    fi
 +
 +    AC_MSG_CHECKING([if libffi should be bundled])
 +    if test "x$enable_libffi_bundling" = "x"; then
 +      AC_MSG_RESULT([no])
 +      ENABLE_LIBFFI_BUNDLING=false
 +    elif  test "x$enable_libffi_bundling" = "xno"; then
 +      AC_MSG_RESULT([no, forced])
 +      ENABLE_LIBFFI_BUNDLING=false
 +    elif  test "x$enable_libffi_bundling" = "xyes"; then
 +      AC_MSG_RESULT([yes, forced])
 +      ENABLE_LIBFFI_BUNDLING=true
 +    else
 +      AC_MSG_ERROR([Invalid value for --enable-libffi-bundling])
 +    fi
 +
 +    # Find the libffi.so.X to bundle
 +    if test "x${ENABLE_LIBFFI_BUNDLING}" = "xtrue"; then
 +      AC_MSG_CHECKING([for libffi lib file location])
 +      if test "x${LIBFFI_LIB_PATH}" != x; then
 +        if test -e ${LIBFFI_LIB_PATH}/libffi.so.?; then
 +          LIBFFI_LIB_FILE="${LIBFFI_LIB_PATH}/libffi.so.?"
 +        else
 +          AC_MSG_ERROR([Could not locate libffi.so.? for bundling in ${LIBFFI_LIB_PATH}])
 +        fi
 +      else
 +        # If we don't have an explicit path, look in a few obvious places
 +        if test "x${OPENJDK_TARGET_CPU}" = "xx86"; then
 +          if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?"
 +          elif test -e ${SYSROOT}/usr/lib/i386-linux-gnu/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/i386-linux-gnu/libffi.so.?"
 +          else
 +            AC_MSG_ERROR([Could not locate libffi.so.? for bundling])
 +          fi
 +        elif test "x${OPENJDK_TARGET_CPU}" = "xx86_64"; then
 +          if test -e ${SYSROOT}/usr/lib64/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib64/libffi.so.?"
 +          elif test -e ${SYSROOT}/usr/lib/x86_64-linux-gnu/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/x86_64-linux-gnu/libffi.so.?"
 +          else
 +            AC_MSG_ERROR([Could not locate libffi.so.? for bundling])
 +          fi
 +        else
 +          # Fallback on the default /usr/lib dir
 +          if test -e ${SYSROOT}/usr/lib/libffi.so.? ; then
 +            LIBFFI_LIB_FILE="${SYSROOT}/usr/lib/libffi.so.?"
 +          else
 +            AC_MSG_ERROR([Could not locate libffi.so.? for bundling])
 +          fi
 +        fi
 +      fi
 +      # Make sure the wildcard is evaluated
 +      LIBFFI_LIB_FILE="$(ls ${LIBFFI_LIB_FILE})"
 +      LIBFFI_LIB_DIR="$(dirname ${LIBFFI_LIB_FILE})"
 +      LIBFFI_LIB_FILE="$(basename ${LIBFFI_LIB_FILE})"
 +      AC_MSG_RESULT([${LIBFFI_LIB_FILE} in ${LIBFFI_LIB_DIR}])
 +    fi
   fi
 +  AC_SUBST(LIBFFI_CFLAGS)
 +  AC_SUBST(LIBFFI_LIBS)
 +  AC_SUBST(ENABLE_LIBFFI_BUNDLING)
 +  AC_SUBST(LIBFFI_LIB_DIR)
 +  AC_SUBST(LIBFFI_LIB_FILE)
 +
   if test "x$JVM_VARIANT_ZEROSHARK" = xtrue; then
     AC_CHECK_PROG([LLVM_CONFIG], [llvm-config], [llvm-config])
 diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
 index 9573bb2cbd..8da3ac32a0 100644
 --- a/common/autoconf/spec.gmk.in
 +++ b/common/autoconf/spec.gmk.in
@@ -311,6 +311,11 @@ FONTCONFIG_CFLAGS:=@FONTCONFIG_CFLAGS@
 CUPS_CFLAGS:=@CUPS_CFLAGS@
 ALSA_LIBS:=@ALSA_LIBS@
 ALSA_CFLAGS:=@ALSA_CFLAGS@
 +LIBFFI_LIBS:=@LIBFFI_LIBS@
 +LIBFFI_CFLAGS:=@LIBFFI_CFLAGS@
 +ENABLE_LIBFFI_BUNDLING:=@ENABLE_LIBFFI_BUNDLING@
 +LIBFFI_LIB_DIR:=@LIBFFI_LIB_DIR@
 +LIBFFI_LIB_FILE:=@LIBFFI_LIB_FILE@
 PACKAGE_PATH=@PACKAGE_PATH@
 diff --git a/hotspot/make/Makefile b/hotspot/make/Makefile
 index ad195763be..b9114cb99a 100644
 --- a/hotspot/make/Makefile
 +++ b/hotspot/make/Makefile
@@ -476,6 +476,8 @@ $(EXPORT_INCLUDE_DIR)/%:			$(ZERO_BUILD_DIR)/../generated/jvmtifiles/%
 # Unix
 $(EXPORT_JRE_LIB_ARCH_DIR)/%.$(LIBRARY_SUFFIX): $(ZERO_BUILD_DIR)/%.$(LIBRARY_SUFFIX)
 	$(install-file)
 +$(EXPORT_JRE_LIB_ARCH_DIR)/$(LIBFFI_LIB_FILE):  $(LIBFFI_LIB_DIR)/$(LIBFFI_LIB_FILE)
 +	$(install-file)
 $(EXPORT_JRE_LIB_ARCH_DIR)/%.debuginfo:		$(ZERO_BUILD_DIR)/%.debuginfo
 	$(install-file)
 $(EXPORT_JRE_LIB_ARCH_DIR)/%.diz:		$(ZERO_BUILD_DIR)/%.diz
 diff --git a/hotspot/make/aix/makefiles/defs.make b/hotspot/make/aix/makefiles/defs.make
 index b12c9c8df2..db10f6a68f 100644
 --- a/hotspot/make/aix/makefiles/defs.make
 +++ b/hotspot/make/aix/makefiles/defs.make
@@ -220,4 +220,7 @@ ADD_SA_BINARIES/zero  =
 EXPORT_LIST += $(ADD_SA_BINARIES/$(HS_ARCH))
 +ifeq ($(ENABLE_LIBFFI_BUNDLING), true)
 +  EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/$(LIBFFI_LIB_FILE)
 +endif
 diff --git a/hotspot/make/bsd/makefiles/defs.make b/hotspot/make/bsd/makefiles/defs.make
 index 7cd21cc175..23436f12d8 100644
 --- a/hotspot/make/bsd/makefiles/defs.make
 +++ b/hotspot/make/bsd/makefiles/defs.make
@@ -364,6 +364,10 @@ ADD_SA_BINARIES/zero  =
 EXPORT_LIST += $(ADD_SA_BINARIES/$(HS_ARCH))
 +ifeq ($(ENABLE_LIBFFI_BUNDLING), true)
 +  EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/$(LIBFFI_LIB_FILE)
 +endif
 +
 # Universal build settings
 ifeq ($(OS_VENDOR), Darwin)
   # Build universal binaries by default on Mac OS X
 diff --git a/hotspot/make/linux/makefiles/defs.make b/hotspot/make/linux/makefiles/defs.make
 index ec414639d2..0baa4f068d 100644
 --- a/hotspot/make/linux/makefiles/defs.make
 +++ b/hotspot/make/linux/makefiles/defs.make
@@ -333,4 +333,6 @@ ADD_SA_BINARIES/zero  =
 EXPORT_LIST += $(ADD_SA_BINARIES/$(HS_ARCH))
 -
 +ifeq ($(ENABLE_LIBFFI_BUNDLING), true)
 +  EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/$(LIBFFI_LIB_FILE)
 +endif
 diff --git a/hotspot/make/solaris/makefiles/defs.make b/hotspot/make/solaris/makefiles/defs.make
 index c88351c82b..cb838e854d 100644
 --- a/hotspot/make/solaris/makefiles/defs.make
 +++ b/hotspot/make/solaris/makefiles/defs.make
@@ -304,3 +304,7 @@ ifeq ($(ENABLE_FULL_DEBUG_SYMBOLS),1)
   endif
 endif
 EXPORT_LIST += $(EXPORT_LIB_DIR)/sa-jdi.jar
 +
 +ifeq ($(ENABLE_LIBFFI_BUNDLING), true)
 +  EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/$(LIBFFI_LIB_FILE)
 +endif
 diff --git a/hotspot/make/windows/makefiles/defs.make b/hotspot/make/windows/makefiles/defs.make
 index 6b36f0e2bc..6f42c7ad37 100644
 --- a/hotspot/make/windows/makefiles/defs.make
 +++ b/hotspot/make/windows/makefiles/defs.make
@@ -300,6 +300,10 @@ ifeq ($(BUILD_WIN_SA), 1)
   MAKE_ARGS += BUILD_WIN_SA=1
 endif
 +ifeq ($(ENABLE_LIBFFI_BUNDLING), true)
 +  EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/$(LIBFFI_LIB_FILE)
 +endif
 +
 # Propagate compiler and tools paths from configure to nmake.
 # Need to make sure they contain \\ and not /.
 ifneq ($(SPEC),)
 diff --git a/jdk/make/Images.gmk b/jdk/make/Images.gmk
 index 2e378c9134..0edefd7b5c 100644
 --- a/jdk/make/Images.gmk
 +++ b/jdk/make/Images.gmk
@@ -249,7 +249,8 @@ endif
 ifneq ($(findstring $(OPENJDK_TARGET_OS), linux solaris),) # If Linux or Solaris
     JDK_LIB_FILES += $(LIBRARY_PREFIX)jli$(SHARED_LIBRARY_SUFFIX) \
 -		     $(LIBRARY_PREFIX)jawt$(SHARED_LIBRARY_SUFFIX)
 +		     $(LIBRARY_PREFIX)jawt$(SHARED_LIBRARY_SUFFIX) \
 +		     $(LIBFFI_LIB_FILE)
 endif
 # Find all files to copy from $(JDK_OUTPUTDIR)/lib
 diff --git a/jdk/make/Import.gmk b/jdk/make/Import.gmk
 index b115fa7f86..29fa2662a6 100644
 --- a/jdk/make/Import.gmk
 +++ b/jdk/make/Import.gmk
@@ -114,7 +114,7 @@ endef
 #
 # Import hotspot
 #
 -HOTSPOT_IMPORT_FILES := $(addprefix $(LIBRARY_PREFIX), jvm.* saproc.* jsig.* sawindbg.* jvm_db.* jvm_dtrace.*) \
 +HOTSPOT_IMPORT_FILES := $(addprefix $(LIBRARY_PREFIX), jvm.* saproc.* jsig.* sawindbg.* jvm_db.* jvm_dtrace.* ffi.*) \
     Xusage.txt sa-jdi.jar
 ifeq ($(OPENJDK_TARGET_OS), macosx)
 diff --git a/make/devkit/Tools.gmk b/make/devkit/Tools.gmk
 index c2460105b7..cf2ef251ac 100644
 --- a/make/devkit/Tools.gmk
 +++ b/make/devkit/Tools.gmk
@@ -82,8 +82,8 @@ RPM_LIST := \
     libXi libXi-devel \
     libXdmcp libXdmcp-devel \
     libXau libXau-devel \
 -    libgcc
 -
 +    libgcc \
 +    libffi libffi-devel
 ifeq ($(ARCH),x86_64)
   RPM_DIR ?= $(RPM_DIR_x86_64)
@@ -203,6 +203,18 @@ $(libs) : $(rpms)
 	@mkdir -p $(SYSROOT)/usr/lib
 	@touch $@
 +##########################################################################################
 +# Create links for ffi header files so that they become visible by default when using the
 +# devkit.
 +
 +$(SYSROOT)/usr/include/ffi.h: $(rpms)
 +	cd $(@D) && rm $(@F) && ln -s ../lib/libffi-*/include/$(@F) .
 +
 +$(SYSROOT)/usr/include/ffitarget.h: $(rpms)
 +	cd $(@D) && rm $(@F) && ln -s ../lib/libffi-*/include/$(@F) .
 +
 +SYSROOT_LINKS += $(SYSROOT)/usr/include/ffi.h $(SYSROOT)/usr/include/ffitarget.h
 +
 ##########################################################################################
 # Define marker files for each source package to be compiled
@@ -479,7 +491,7 @@ rpms : $(rpms)
 libs : $(libs)
 sysroot : rpms libs
 gcc : sysroot $(gcc) $(gccpatch)
 -all : binutils gcc bfdlib $(PREFIX)/devkit.info
 +all : binutils gcc bfdlib $(PREFIX)/devkit.info $(SYSROOT_LINKS)
 # this is only built for host. so separate.
 ccache : $(ccache)
--- a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
+++ b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
@ -7,11 +7,10 @@
 PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations
 Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X
-diff --git a/common/autoconf/flags.m4 b/common/autoconf/flags.m4
+diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4
-index 113bf367e2..bed030e8d1 100644
+--- openjdk.orig///common/autoconf/flags.m4
--- a/common/autoconf/flags.m4
+++ openjdk///common/autoconf/flags.m4
-+++ b/common/autoconf/flags.m4
+@@ -402,6 +402,21 @@
@@ -451,6 +451,21 @@ AC_DEFUN_ONCE([FLAGS_SETUP_COMPILER_FLAGS_FOR_JDK],
     AC_SUBST($2CXXSTD_CXXFLAG)
   fi
@ -23,7 +22,7 @@ index 113bf367e2..bed030e8d1 100644
 +    # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
 +    # While waiting for a better solution, the current workaround is to use -mstackrealign
 +    # This is also required on Linux systems which use libraries compiled with SSE instructions
-+    REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
+    REALIGN_CFLAG="-mstackrealign"
 +    FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
 +      AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
 +    )
@ -33,32 +32,23 @@ index 113bf367e2..bed030e8d1 100644
   if test "x$CFLAGS" != "x${ADDED_CFLAGS}"; then
     AC_MSG_WARN([Ignoring CFLAGS($CFLAGS) found in environment. Use --with-extra-cflags])
   fi
-diff --git a/common/autoconf/hotspot-spec.gmk.in b/common/autoconf/hotspot-spec.gmk.in
+diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/autoconf/hotspot-spec.gmk.in
-index 3f86751d2b..f8a271383f 100644
+--- openjdk.orig///common/autoconf/hotspot-spec.gmk.in
--- a/common/autoconf/hotspot-spec.gmk.in
+++ openjdk///common/autoconf/hotspot-spec.gmk.in
-+++ b/common/autoconf/hotspot-spec.gmk.in
+@@ -112,7 +112,8 @@
-@@ -114,13 +114,14 @@ RC:=@HOTSPOT_RC@
+ RC:=@HOTSPOT_RC@
- # Retain EXTRA_{CFLAGS,CXXFLAGS,LDFLAGS,ASFLAGS} for the target flags to
+ 
- # maintain compatibility with the existing Makefiles
+ EXTRA_CFLAGS=@LEGACY_EXTRA_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
- EXTRA_CFLAGS=@LEGACY_TARGET_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
+-				   $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
-				    $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+				   $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
-+                                   $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG) \
+				   $(REALIGN_CFLAG)
-+                                   $(REALIGN_CFLAG)
+ EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@
- EXTRA_CXXFLAGS=@LEGACY_TARGET_CXXFLAGS@
+ EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@
- EXTRA_LDFLAGS=@LEGACY_TARGET_LDFLAGS@
+ EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@
- EXTRA_ASFLAGS=@LEGACY_TARGET_ASFLAGS@
+diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in
- # Define an equivalent set for the host flags (i.e. without sysroot options)
+--- openjdk.orig///common/autoconf/spec.gmk.in
- HOST_CFLAGS=@LEGACY_HOST_CFLAGS@ $(NO_DELETE_NULL_POINTER_CHECKS_CFLAG) \
+++ openjdk///common/autoconf/spec.gmk.in
-				 $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
+@@ -366,6 +366,7 @@
 +                                 $(NO_LIFETIME_DSE_CFLAG) $(CXXSTD_CXXFLAG)
 HOST_CXXFLAGS=@LEGACY_HOST_CXXFLAGS@
 HOST_LDFLAGS=@LEGACY_HOST_LDFLAGS@
 HOST_ASFLAGS=@LEGACY_HOST_ASFLAGS@
 diff --git a/common/autoconf/spec.gmk.in b/common/autoconf/spec.gmk.in
 index 9573bb2cbd..fe7efc130c 100644
 --- a/common/autoconf/spec.gmk.in
 +++ b/common/autoconf/spec.gmk.in
@@ -366,6 +366,7 @@ CXXFLAGS_JDKEXE:=@CXXFLAGS_JDKEXE@
 NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@
 NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@
--- a/SOURCES/jdk8218811-perfMemory_linux.patch
+++ b/SOURCES/jdk8218811-perfMemory_linux.patch
@ -0,0 +1,12 @@
 diff --git openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
 --- openjdk.orig/hotspot/src/os/linux/vm/perfMemory_linux.cpp
 +++ openjdk/hotspot/src/os/linux/vm/perfMemory_linux.cpp
@@ -878,7 +878,7 @@
   // open the file
   int result;
 -  RESTARTABLE(::open(filename, oflags), result);
 +  RESTARTABLE(::open(filename, oflags, 0), result);
   if (result == OS_ERR) {
     if (errno == ENOENT) {
       THROW_MSG_(vmSymbols::java_lang_IllegalArgumentException(),
--- a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
+++ b/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
@ -0,0 +1,167 @@
 commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
 Author: Alexey Bakhtin <abakhtin@openjdk.org>
 Date:   Tue Apr 4 10:29:11 2023 +0000
    8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
    Reviewed-by: andrew, mbalao
    Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
 diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
 index a79e97d7c74..5378446b97b 100644
 --- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
 +++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
     @Override
     protected void engineInitVerify(PublicKey publicKey)
             throws InvalidKeyException {
 -        if (!(publicKey instanceof RSAPublicKey)) {
 +        if (publicKey instanceof RSAPublicKey) {
 +            RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
 +            isPublicKeyValid(rsaPubKey);
 +            this.pubKey = rsaPubKey;
 +            this.privKey = null;
 +            resetDigest();
 +        } else {
             throw new InvalidKeyException("key must be RSAPublicKey");
         }
 -        this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
 -        this.privKey = null;
 -        resetDigest();
     }
     // initialize for signing. See JCA doc
@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
     @Override
     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
             throws InvalidKeyException {
 -        if (!(privateKey instanceof RSAPrivateKey)) {
 +        if (privateKey instanceof RSAPrivateKey) {
 +            RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
 +            isPrivateKeyValid(rsaPrivateKey);
 +            this.privKey = rsaPrivateKey;
 +            this.pubKey = null;
 +            this.random =
 +                    (random == null ? JCAUtil.getSecureRandom() : random);
 +            resetDigest();
 +        } else {
             throw new InvalidKeyException("key must be RSAPrivateKey");
         }
 -        this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
 -        this.pubKey = null;
 -        this.random =
 -            (random == null? JCAUtil.getSecureRandom() : random);
 -        resetDigest();
     }
     /**
@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
         }
     }
 +    /**
 +     * Validate the specified RSAPrivateKey
 +     */
 +    private void isPrivateKeyValid(RSAPrivateKey prKey)  throws InvalidKeyException {
 +        try {
 +            if (prKey instanceof RSAPrivateCrtKey) {
 +                RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
 +                if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
 +                    RSAKeyFactory.checkRSAProviderKeyLengths(
 +                            crtKey.getModulus().bitLength(),
 +                            crtKey.getPublicExponent());
 +                } else {
 +                    throw new InvalidKeyException(
 +                            "Some of the CRT-specific components are not available");
 +                }
 +            } else {
 +                RSAKeyFactory.checkRSAProviderKeyLengths(
 +                        prKey.getModulus().bitLength(),
 +                        null);
 +            }
 +        } catch (InvalidKeyException ikEx) {
 +            throw ikEx;
 +        } catch (Exception e) {
 +            throw new InvalidKeyException(
 +                    "Can not access private key components", e);
 +        }
 +        isValid(prKey);
 +    }
 +
 +    /**
 +     * Validate the specified RSAPublicKey
 +     */
 +    private void isPublicKeyValid(RSAPublicKey pKey)  throws InvalidKeyException {
 +        try {
 +            RSAKeyFactory.checkRSAProviderKeyLengths(
 +                    pKey.getModulus().bitLength(),
 +                    pKey.getPublicExponent());
 +        } catch (InvalidKeyException ikEx) {
 +            throw ikEx;
 +        } catch (Exception e) {
 +            throw new InvalidKeyException(
 +                    "Can not access public key components", e);
 +        }
 +        isValid(pKey);
 +    }
 +
     /**
      * Validate the specified RSAKey and its associated parameters against
      * internal signature parameters.
      */
 -    private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
 +    private void isValid(RSAKey rsaKey) throws InvalidKeyException {
         try {
             AlgorithmParameterSpec keyParams = rsaKey.getParams();
             // validate key parameters
@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
                 }
                 checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
             }
 -            return rsaKey;
         } catch (SignatureException e) {
             throw new InvalidKeyException(e);
         }
 diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
 index 6b219937981..b3c1fae9672 100644
 --- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
 +++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
         RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
         // check all CRT-specific components are available, if any one
         // missing, return a non-CRT key instead
 -        if ((key.getPublicExponent().signum() == 0) ||
 -            (key.getPrimeExponentP().signum() == 0) ||
 -            (key.getPrimeExponentQ().signum() == 0) ||
 -            (key.getPrimeP().signum() == 0) ||
 -            (key.getPrimeQ().signum() == 0) ||
 -            (key.getCrtCoefficient().signum() == 0)) {
 +        if (checkComponents(key)) {
 +            return key;
 +        } else {
             return new RSAPrivateKeyImpl(
                 key.algid,
                 key.getModulus(),
 -                key.getPrivateExponent()
 -            );
 -        } else {
 -            return key;
 +                key.getPrivateExponent());
         }
     }
 +    /**
 +     * Validate if all CRT-specific components are available.
 +     */
 +    static boolean checkComponents(RSAPrivateCrtKey key) {
 +        return !((key.getPublicExponent().signum() == 0) ||
 +            (key.getPrimeExponentP().signum() == 0) ||
 +            (key.getPrimeExponentQ().signum() == 0) ||
 +            (key.getPrimeP().signum() == 0) ||
 +            (key.getPrimeQ().signum() == 0) ||
 +            (key.getCrtCoefficient().signum() == 0));
 +    }
 +
     /**
      * Generate a new key from the specified type and components.
      * Returns a CRT key if possible and a non-CRT key otherwise.
--- a/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
+++ b/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
@ -0,0 +1,67 @@
 # HG changeset patch
 # User Andrew John Hughes <gnu_andrew@member.fsf.org>
 # Date 1620365804 -3600
 #      Fri May 07 06:36:44 2021 +0100
 # Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8
 # Parent  723b59ed1afe878c5cd35f080399c8ceec4f776b
 PR3836: Extra compiler flags not passed to adlc build
 diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/aix/makefiles/adlc.make
 +++ openjdk/hotspot/make/aix/makefiles/adlc.make
@@ -69,6 +69,11 @@
 CFLAGS_WARN = -w
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 OBJECTNAMES = \
 	adlparse.o \
 	archDesc.o \
 diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make
 +++ openjdk/hotspot/make/bsd/makefiles/adlc.make
@@ -71,6 +71,11 @@
 endif
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 OBJECTNAMES = \
 	adlparse.o \
 	archDesc.o \
 diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/linux/makefiles/adlc.make
 +++ openjdk/hotspot/make/linux/makefiles/adlc.make
@@ -69,6 +69,11 @@
 CFLAGS_WARN = $(WARNINGS_ARE_ERRORS)
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 OBJECTNAMES = \
 	adlparse.o \
 	archDesc.o \
 diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make
 --- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make
 +++ openjdk/hotspot/make/solaris/makefiles/adlc.make
@@ -85,6 +85,10 @@
 endif
 CFLAGS += $(CFLAGS_WARN)
 +# Extra flags from gnumake's invocation or environment
 +CFLAGS += $(EXTRA_CFLAGS)
 +ASFLAGS += $(EXTRA_ASFLAGS)
 +
 ifeq ("${Platform_compiler}", "sparcWorks")
 # Enable the following CFLAGS addition if you need to compare the
 # built ELF objects.
--- a/SOURCES/jdk8328999-update_giflib_5.2.2.patch
+++ b/SOURCES/jdk8328999-update_giflib_5.2.2.patch
--- a/SOURCES/pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch
+++ b/SOURCES/pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch
@ -7,11 +7,10 @@
 8074839: Resolve disabled warnings for libunpack and the unpack200 binary
 Reviewed-by: dholmes, ksrini
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-index bdaf95a2f6a..60c5b4f2a69 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.h
+@@ -63,7 +63,7 @@
@@ -63,7 +63,7 @@ struct bytes {
     bytes res;
     res.ptr = ptr + beg;
     res.len = end - beg;
@ -20,11 +19,10 @@ index bdaf95a2f6a..60c5b4f2a69 100644
     return res;
   }
   // building C strings inside byte buffers:
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-index 5fbc7261fb3..4c002e779d8 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+@@ -292,7 +292,7 @@
@@ -292,7 +292,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
   if (uPtr->aborting()) {
     THROW_IOE(uPtr->get_abort_message());
@ -33,16 +31,16 @@ index 5fbc7261fb3..4c002e779d8 100644
   }
   // We have fetched all the files.
-@@ -312,7 +312,7 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
+@@ -310,7 +310,7 @@
-   // There's no need to create a new unpacker here if we don't already have one
+ JNIEXPORT jlong JNICALL
-   // just to immediatly free it afterwards.
+ Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
-   unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
+   unpacker* uPtr = get_unpacker(env, pObj, false);
 -  CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
 +  CHECK_EXCEPTION_RETURN_VALUE(uPtr, 0);
   size_t consumed = uPtr->input_consumed();
   // free_unpacker() will set the unpacker field on 'pObj' to null
   free_unpacker(env, pObj, uPtr);
-@@ -323,6 +323,7 @@ JNIEXPORT jboolean JNICALL
+   return consumed;
@@ -320,6 +320,7 @@
 Java_com_sun_java_util_jar_pack_NativeUnpack_setOption(JNIEnv *env, jobject pObj,
                                        jstring pProp, jstring pValue) {
   unpacker*   uPtr  = get_unpacker(env, pObj);
@ -50,11 +48,10 @@ index 5fbc7261fb3..4c002e779d8 100644
   const char* prop  = env->GetStringUTFChars(pProp, JNI_FALSE);
   CHECK_EXCEPTION_RETURN_VALUE(prop, false);
   const char* value = env->GetStringUTFChars(pValue, JNI_FALSE);
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-index 6fbc43a18ae..722c8baaff0 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/main.cpp
+@@ -142,31 +142,28 @@
@@ -142,31 +142,28 @@ static const char* nbasename(const char* progname) {
   return progname;
 }
@ -104,11 +101,10 @@ index 6fbc43a18ae..722c8baaff0 100644
   }
 }
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-index a585535c513..8df3fade499 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+@@ -222,9 +222,9 @@
@@ -225,9 +225,9 @@ struct entry {
   }
 #ifdef PRODUCT
@ -120,7 +116,7 @@ index a585535c513..8df3fade499 100644
 #endif
 };
-@@ -719,13 +719,13 @@ void unpacker::read_file_header() {
+@@ -715,13 +715,13 @@
   // Now we can size the whole archive.
   // Read everything else into a mega-buffer.
   rp = hdr.rp;
@ -138,7 +134,7 @@ index a585535c513..8df3fade499 100644
       abort("EOF reading fixed input buffer");
       return;
     }
-@@ -739,7 +739,7 @@ void unpacker::read_file_header() {
+@@ -735,7 +735,7 @@
       return;
     }
     input.set(U_NEW(byte, add_size(header_size_0, archive_size, C_SLOP)),
@ -147,7 +143,7 @@ index a585535c513..8df3fade499 100644
     CHECK;
     assert(input.limit()[0] == 0);
     // Move all the bytes we read initially into the real buffer.
-@@ -962,13 +962,13 @@ void cpool::init(unpacker* u_, int counts[CONSTANT_Limit]) {
+@@ -958,13 +958,13 @@
   nentries = next_entry;
   // place a limit on future CP growth:
@ -163,7 +159,18 @@ index a585535c513..8df3fade499 100644
   // Note that this CP does not include "empty" entries
   // for longs and doubles.  Those are introduced when
-@@ -3694,21 +3694,22 @@ void cpool::computeOutputIndexes() {
+@@ -982,8 +982,9 @@
   }
   // Initialize *all* our entries once
 -  for (int i = 0 ; i < maxentries ; i++)
 +  for (uint i = 0 ; i < maxentries ; i++) {
     entries[i].outputIndex = REQUESTED_NONE;
 +  }
   initGroupIndexes();
   // Initialize hashTab to a generous power-of-two size.
@@ -3677,21 +3678,22 @@
 unpacker* debug_u;
@ -190,7 +197,7 @@ index a585535c513..8df3fade499 100644
   case CONSTANT_Signature:
     if (value.b.ptr == null)
       return ref(0)->string();
-@@ -3728,26 +3729,28 @@ char* entry::string() {
+@@ -3711,26 +3713,28 @@
     break;
   default:
     if (nrefs == 0) {
@ -228,11 +235,10 @@ index a585535c513..8df3fade499 100644
 }
 void print_cp_entries(int beg, int end) {
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-index 4ec595333c4..aad0c971ef2 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.h
+@@ -209,7 +209,7 @@
@@ -209,7 +209,7 @@ struct unpacker {
   byte*     rp;          // read pointer (< rplimit <= input.limit())
   byte*     rplimit;     // how much of the input block has been read?
   julong    bytes_read;
@ -241,11 +247,10 @@ index 4ec595333c4..aad0c971ef2 100644
   // callback to read at least one byte, up to available input
   typedef jlong (*read_input_fn_t)(unpacker* self, void* buf, jlong minlen, jlong maxlen);
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-index da39a589545..1281d8b25c8 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
+@@ -81,7 +81,7 @@
@@ -81,7 +81,7 @@ void breakpoint() { }  // hook for debugger
 int assert_failed(const char* p) {
   char message[1<<12];
   sprintf(message, "@assert failed: %s\n", p);
@ -254,11 +259,10 @@ index da39a589545..1281d8b25c8 100644
   breakpoint();
   unpack_abort(message);
   return 0;
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-index f58c94956c0..343da3e183b 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.cpp
+@@ -84,7 +84,7 @@
@@ -84,7 +84,7 @@ void jar::init(unpacker* u_) {
 }
 // Write data to the ZIP output stream.
@ -267,7 +271,7 @@ index f58c94956c0..343da3e183b 100644
   while (len > 0) {
     int rc = (int)fwrite(buff, 1, len, jarfp);
     if (rc <= 0) {
-@@ -323,12 +323,12 @@ void jar::write_central_directory() {
+@@ -323,12 +323,12 @@
     // Total number of disks (int)
     header64[36] = (ushort)SWAP_BYTES(1);
     header64[37] = 0;
@ -282,11 +286,10 @@ index f58c94956c0..343da3e183b 100644
   PRINTCR((2, "writing zip comment\n"));
   // Write the comment.
-diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+diff --git openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-index 14ffc9d65bd..9877f6f68ca 100644
+--- openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
-+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/zip.h
+@@ -68,8 +68,8 @@
@@ -68,8 +68,8 @@ struct jar {
   }
   // Private Methods
--- a/SOURCES/repack_reproducible_policies.sh
+++ b/SOURCES/repack_reproducible_policies.sh
--- a/SOURCES/s390-8214206_fix.patch
+++ b/SOURCES/s390-8214206_fix.patch
@ -16,7 +16,7 @@ diff --git openjdk.orig/hotspot/src/share/vm/gc_implementation/shenandoah/shenan
   Atomic::add(val, &_sum);
 -  int mag = log2_intptr(val) + 1;
-+  int mag = log2_long(val) + 1;
+  int mag = log2_intptr((uintptr_t)val) + 1;
   // Defensively saturate for product bits:
   if (mag < 0) {
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
`@ -1,2 +1,2 @@`
	`SOURCES/shenandoah8u442-b06.tar.xz`	`SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz`
	`SOURCES/tapsets-icedtea-3.15.0.tar.xz`	`SOURCES/tapsets-icedtea-3.15.0.tar.xz`
`@ -1,2 +1,2 @@`
	`f5c84eb1dd6c8dba50a2ae89e01ec1d1b4f26fde SOURCES/shenandoah8u442-b06.tar.xz`	`3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz`
	`7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz`	`7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz`