From c308709d1086eda973660d5e95ffdd8b5d990ce5 Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sun, 17 Jul 2022 18:28:01 +0100 Subject: [PATCH] Update to jdk-17.0.3.0+7 Update release notes to 17.0.3.0+7 Need to include the '.S' suffix in debuginfo checks after JDK-8284661 Explicitly require crypto-policies during build and runtime for system security properties Make use of the vendor version string to store our version & release rather than an upstream release date Include a test in the RPM to check the build has the correct vendor information. Fix issue where CheckVendor.java test erroneously passes when it should fail. Add proper quoting so '&' is not treated as a special character by the shell. Resolves: rhbz#2084218 --- .gitignore | 1 + CheckVendor.java | 65 +++++++++++++++++++++++++++++++++ NEWS | 52 +++++++++++++++++++++++++++ java-17-openjdk.spec | 85 +++++++++++++++++++++++++++++--------------- sources | 2 +- 5 files changed, 175 insertions(+), 30 deletions(-) create mode 100644 CheckVendor.java diff --git a/.gitignore b/.gitignore index 1eb72d5..8f81d68 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz /openjdk-jdk17u-jdk-17.0.3+7.tar.xz /openjdk-jdk17u-jdk-17.0.4+1.tar.xz +/openjdk-jdk17u-jdk-17.0.4+7.tar.xz diff --git a/CheckVendor.java b/CheckVendor.java new file mode 100644 index 0000000..29b296b --- /dev/null +++ b/CheckVendor.java @@ -0,0 +1,65 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 4) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + String vendorVersionString = System.getProperty("java.vendor.version"); + String expectedVendorVersionString = args[3]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL %s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + if (!expectedVendorVersionString.equals(vendorVersionString)) { + System.err.printf("Invalid vendor version string %s, expected %s\n", + vendorVersionString, expectedVendorVersionString); + System.exit(5); + } + + System.err.printf("Vendor information verified as %s, %s, %s, %s\n", + vendor, vendorURL, vendorBugURL, vendorVersionString); + } +} diff --git a/NEWS b/NEWS index 5d91d43..797c2d2 100644 --- a/NEWS +++ b/NEWS @@ -10,8 +10,14 @@ Live versions of these release notes can be found at: * https://builds.shipilev.net/backports-monitor/release-notes-17.0.4.txt * Other changes + - JDK-8139173: [macosx] JInternalFrame shadow is not properly drawn + - JDK-8181571: printing to CUPS fails on mac sandbox app - JDK-8193682: Infinite loop in ZipOutputStream.close() + - JDK-8206187: javax/management/remote/mandatory/connection/DefaultAgentFilterTest.java fails with Port already in use + - JDK-8209776: Refactor jdk/security/JavaDotSecurity/ifdefs.sh to plain java test - JDK-8214733: runtime/8176717/TestInheritFD.java timed out + - JDK-8236136: tests which use CompilationMode shouldn't be run w/ TieredStopAtLevel + - JDK-8240756: [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled - JDK-8249592: Robot.mouseMove moves cursor to incorrect location when display scale varies and Java runs in DPI Unaware mode - JDK-8251904: vmTestbase/nsk/sysdict/vm/stress/btree/btree010/btree010.java fails with ClassNotFoundException: nsk.sysdict.share.BTree0LLRLRLRRLR - JDK-8255266: Update Public Suffix List to 3c213aa @@ -26,6 +32,7 @@ Live versions of these release notes can be found at: - JDK-8268231: Aarch64: Use Ldp in intrinsics for String.compareTo - JDK-8268558: [TESTBUG] Case 2 in TestP11KeyFactoryGetRSAKeySpec is skipped - JDK-8268595: java/io/Serializable/serialFilter/GlobalFilterTest.java#id1 failed in timeout + - JDK-8268773: Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) - JDK-8268906: gc/g1/mixedgc/TestOldGenCollectionUsage.java assumes that GCs take 1ms minimum - JDK-8269077: TestSystemGC uses "require vm.gc.G1" for large pages subtest - JDK-8269129: Multiple tier1 tests in hotspot/jtreg/compiler are failing for client VMs @@ -60,6 +67,7 @@ Live versions of these release notes can be found at: - JDK-8274233: Minor cleanup for ToolBox - JDK-8274244: ReportOnImportedModuleAnnotation.java fails on rerun - JDK-8274561: sun/net/ftp/TestFtpTimeValue.java timed out on slow machines + - JDK-8274687: JDWP deadlocks if some Java thread reaches wait in blockOnDebuggerSuspend - JDK-8274735: javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image - JDK-8274751: Drag And Drop hangs on Windows - JDK-8274855: vectorapi tests failing with assert(!vbox->is_Phi()) failed @@ -125,6 +133,7 @@ Live versions of these release notes can be found at: - JDK-8280401: [sspi] gss_accept_sec_context leaves output_token uninitialized - JDK-8280476: [macOS] : hotspot arm64 bug exposed by latest clang - JDK-8280543: Update the "java" and "jcmd" tool specification for CDS + - JDK-8280593: [PPC64, S390] redundant allocation of MacroAssembler in StubGenerator ctor - JDK-8280600: C2: assert(!had_error) failed: bad dominance - JDK-8280684: JfrRecorderService failes with guarantee(num_written > 0) when no space left on device. - JDK-8280799: ะก2: assert(false) failed: cyclic dependency prevents range check elimination @@ -150,8 +159,10 @@ Live versions of these release notes can be found at: - JDK-8281771: Crash in java_lang_invoke_MethodType::print_signature - JDK-8281811: assert(_base == Tuple) failed: Not a Tuple after JDK-8280799 - JDK-8281822: Test failures on non-DTrace builds due to incomplete DTrace* flags handling + - JDK-8282008: Incorrect handling of quoted arguments in ProcessBuilder - JDK-8282045: When loop strip mining fails, safepoints are removed from loop anyway - JDK-8282142: [TestCase] compiler/inlining/ResolvedClassTest.java will fail when --with-jvm-features=-compiler1 + - JDK-8282170: JVMTI SetBreakpoint metaspace allocation test - JDK-8282172: CompileBroker::log_metaspace_failure is called from non-Java/compiler threads - JDK-8282225: GHA: Allow one concurrent run per PR only - JDK-8282231: x86-32: runtime call to SharedRuntime::ldiv corrupts registers @@ -160,6 +171,7 @@ Live versions of these release notes can be found at: - JDK-8282312: Minor corrections to evbroadcasti32x4 intrinsic on x86 - JDK-8282345: handle latest VS2022 in abstract_vm_version - JDK-8282382: Report glibc malloc tunables in error reports + - JDK-8282422: JTable.print() failed with UnsupportedCharsetException on AIX ko_KR locale - JDK-8282444: Module finder incorrectly assumes default file system path-separator character - JDK-8282499: Bump update version for OpenJDK: jdk-17.0.4 - JDK-8282509: [exploded image] ResolvedClassTest fails with similar output @@ -170,31 +182,71 @@ Live versions of these release notes can be found at: - JDK-8282628: Potential memory leak in sun.font.FontConfigManager.getFontConfig() - JDK-8282874: Bad performance on gather/scatter API caused by different IntSpecies of indexMap - JDK-8282887: Potential memory leak in sun.util.locale.provider.HostLocaleProviderAdapterImpl.getNumberPattern() on Windows + - JDK-8282929: Localized monetary symbols are not reflected in `toLocalizedPattern` return value - JDK-8283017: GHA: Workflows break with update release versions - JDK-8283187: C2: loop candidate for superword not always unrolled fully if superword fails - JDK-8283217: Leak FcObjectSet in getFontConfigLocations() in fontpath.c - JDK-8283249: CompressedClassPointers.java fails on ppc with 'Narrow klass shift: 0' missing - JDK-8283279: [Testbug] Improve TestGetSwapSpaceSize + - JDK-8283315: jrt-fs.jar not always deterministically built + - JDK-8283323: libharfbuzz optimization level results in extreme build times - JDK-8283347: [macos] Bad JNI lookup accessibilityHitTest is shown when Screen magnifier is enabled - JDK-8283350: (tz) Update Timezone Data to 2022a - JDK-8283408: Fix a C2 crash when filling arrays with unsafe - JDK-8283422: Create a new test for JDK-8254790 - JDK-8283451: C2: assert(_base == Long) failed: Not a Long + - JDK-8283469: Don't use memset to initialize members in FileMapInfo and fix memory leak - JDK-8283497: [windows] print TMP and TEMP in hs_err and VM.info - JDK-8283641: Large value for CompileThresholdScaling causes assert - JDK-8283725: Launching java with "-Xlog:gc*=trace,safepoint*=trace,class*=trace" crashes the JVM - JDK-8283834: Unmappable character for US-ASCII encoding in TestPredicateInputBelowLoopPredicate + - JDK-8284023: java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo - JDK-8284033: Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c + - JDK-8284094: Memory leak in invoker_completeInvokeRequest() - JDK-8284369: TestFailedAllocationBadGraph fails with -XX:TieredStopAtLevel < 4 - JDK-8284389: Improve stability of GHA Pre-submit testing by caching cygwin installer + - JDK-8284437: Building from different users/workspace is not always deterministic - JDK-8284458: CodeHeapState::aggregate() leaks blob_name - JDK-8284507: GHA: Only check test results if testing was not skipped + - JDK-8284532: Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler + - JDK-8284549: JFR: FieldTable leaks FieldInfoTable member - JDK-8284603: [17u] Update Boot JDK used in GHA to 17.0.2 + - JDK-8284620: CodeBuffer may leak _overflow_arena - JDK-8284622: Update versions of some Github Actions used in JDK workflow + - JDK-8284661: Reproducible assembly builds without relative linking + - JDK-8284754: print more interesting env variables in hs_err and VM.info + - JDK-8284758: [linux] improve print_container_info + - JDK-8284848: C2: Compiler blackhole arguments should be treated as globally escaping - JDK-8284866: Add test to JDK-8273056 - JDK-8284884: Replace polling with waiting in javax/swing/text/html/parser/Parser/8078268/bug8078268.java + - JDK-8284992: Fix misleading Vector API doc for LSHR operator - JDK-8285342: Zero build failure with clang due to values not handled in switch + - JDK-8285394: Compiler blackholes can be eliminated due to stale ciMethod::intrinsic_id() + - JDK-8285397: JNI exception pending in CUPSfuncs.c:250 - JDK-8285445: cannot open file "NUL:" + - JDK-8285515: (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 + - JDK-8285523: Improve test java/io/FileOutputStream/OpenNUL.java + - JDK-8285686: Update FreeType to 2.12.0 + - JDK-8285726: [11u, 17u] Unify fix for JDK-8284548 with version from head + - JDK-8285727: [11u, 17u] Unify fix for JDK-8284920 with version from head + - JDK-8285728: Alpine Linux build fails with busybox tar + - JDK-8285828: runtime/execstack/TestCheckJDK.java fails with zipped debug symbols + - JDK-8285921: serviceability/dcmd/jvmti/AttachFailed/AttachReturnError.java fails on Alpine + - JDK-8285956: (fs) Excessive default poll interval in PollingWatchService + - JDK-8286013: Incorrect test configurations for compiler/stable/TestStableShort.java + - JDK-8286029: Add classpath exemption to globals_vectorApiSupport_***.S.inc + - JDK-8286198: [linux] Fix process-memory information + - JDK-8286293: Tests ShortResponseBody and ShortResponseBodyWithRetry should use less resources + - JDK-8286444: javac errors after JDK-8251329 are not helpful enough to find root cause + - JDK-8286594: (zipfs) Mention paths with dot elements in ZipException and cleanups + - JDK-8286601: Mac Aarch: Excessive warnings to be ignored for build jdk + - JDK-8286855: javac error on invalid jar should only print filename + - JDK-8287109: Distrust.java failed with CertificateExpiredException + - JDK-8287119: Add Distrust.java to ProblemList + - JDK-8287162: (zipfs) Performance regression related to support for POSIX file permissions + - JDK-8287336: GHA: Workflows break on patch versions + - JDK-8287362: FieldAccessWatch testcase failed on AIX platform + - JDK-8287378: GHA: Update cygwin to fix issues in langtools tests on Windows Notes on individual issues: =========================== diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index df5a50e..5cb17c5 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -307,10 +307,6 @@ %global interimver 0 %global updatever 4 %global patchver 0 -# If you bump featurever, you must also bump vendor_version_string -# Used via new version scheme. JDK 17 was -# GA'ed in September 2021 => 21.9 -%global vendor_version_string 21.9 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place @@ -325,6 +321,27 @@ %global lts_designator_zip "" %endif +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url https://www.redhat.com/ +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif +%global oj_vendor_version (Red_Hat-%{version}-%{release}) + # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches @@ -335,7 +352,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 1 +%global buildver 7 %global rpmrelease 1 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -377,23 +394,6 @@ %global eaprefix 0. %endif -# Define what url should JVM offer in case of a crash report -# order may be important, epel may have rhel declared -%if 0%{?epel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} -%else -%if 0%{?fedora} -# Does not work for rawhide, keeps the version field empty -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} -%else -%if 0%{?rhel} -%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} -%else -%global bugs https://bugzilla.redhat.com/enter_bug.cgi -%endif -%endif -%endif - # parametrized macros are order-sensitive %global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} @@ -1119,6 +1119,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for system security properties +Requires: crypto-policies # for FIPS PKCS11 provider Requires: nss # Post requires alternatives to install tool alternatives @@ -1293,6 +1295,9 @@ Source14: TestECDSA.java # Verify system crypto (policy) can be disabled via a property Source15: TestSecurityProperties.java +# Ensure vendor settings are correct +Source16: CheckVendor.java + # nss fips configuration file Source17: nss.fips.cfg.in @@ -1382,6 +1387,8 @@ BuildRequires: libXt-devel BuildRequires: libXtst-devel # Requirement for setting up nss.cfg and nss.fips.cfg BuildRequires: nss-devel +# Requirement for system security property test +BuildRequires: crypto-policies BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1710,6 +1717,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv %prep +echo "Preparing %{oj_vendor_version}" + # Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( %if 0%{?stapinstall:1} echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" @@ -1905,11 +1914,11 @@ function buildjdk() { --with-version-build=%{buildver} \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ - --with-vendor-version-string="%{vendor_version_string}" \ - --with-vendor-name="Red Hat, Inc." \ - --with-vendor-url="https://www.redhat.com/" \ - --with-vendor-bug-url="%{bugs}" \ - --with-vendor-vm-bug-url="%{bugs}" \ + --with-vendor-version-string="%{oj_vendor_version}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ @@ -2014,9 +2023,9 @@ function debugcheckjdk() { IFS=$'\n' for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") do - # We expect to see .cpp files, except for architectures like aarch64 and + # We expect to see .cpp and .S files, except for architectures like aarch64 and # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" done IFS="$old_IFS" @@ -2294,6 +2303,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi %endif +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" + %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} @@ -2561,6 +2574,20 @@ cjc.mainProgram(args) %endif %changelog +* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea +- Update to jdk-17.0.3.0+7 +- Update release notes to 17.0.3.0+7 +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Explicitly require crypto-policies during build and runtime for system security properties +- Make use of the vendor version string to store our version & release rather than an upstream release date +- Include a test in the RPM to check the build has the correct vendor information. +- Resolves: rhbz#2084218 + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084218 + * Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea - Update to jdk-17.0.4.0+1 - Update release notes to 17.0.4.0+1 diff --git a/sources b/sources index ded0ae9..865c6f2 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-jdk17u-jdk-17.0.4+1.tar.xz) = 4ec0d557f9b7bdee4987b4f19c90ea8b986f9d29c87f3a526021d144ab7d39eecddf1e926fedf31f4b0fb1936d689c76886bab08400badd50d035cb4ba38c3b1 +SHA512 (openjdk-jdk17u-jdk-17.0.4+7.tar.xz) = ddc6823a8c7a8fd0d3a126aa0180876f32e24ba7e6e900bd1103b19661467296dc828e564d9f63378a57f1e06922cb083f3ede78858eab33b3a2e43570a32419