- Revert the following changes until copy-java-configs has adapted to relative symlinks:
* Move cacerts replacement to install section and retain original of this and tzdb.dat * Run tests on the installed image, rather than the build image * Introduce variables to refer to the static library installation directories * Use relative symlinks so they work within the image * Run debug symbols check during build stage, before the install strips them The move of turning on system security properties is retained so we don't ship with them off Related: rhbz#2084218
parent
c308709d10
commit
cef4d307f5
@ -353,7 +353,7 @@
|
|||||||
%global top_level_dir_name %{origin}
|
%global top_level_dir_name %{origin}
|
||||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||||
%global buildver 7
|
%global buildver 7
|
||||||
%global rpmrelease 1
|
%global rpmrelease 2
|
||||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||||
%if %is_system_jdk
|
%if %is_system_jdk
|
||||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||||
@ -400,10 +400,6 @@
|
|||||||
# images directories from upstream build
|
# images directories from upstream build
|
||||||
%global jdkimage jdk
|
%global jdkimage jdk
|
||||||
%global static_libs_image static-libs
|
%global static_libs_image static-libs
|
||||||
# installation directory for static libraries
|
|
||||||
%global static_libs_root lib/static
|
|
||||||
%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
|
|
||||||
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
|
|
||||||
# output dir stub
|
# output dir stub
|
||||||
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
|
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
|
||||||
# we can copy the javadoc to not arched dir, or make it not noarch
|
# we can copy the javadoc to not arched dir, or make it not noarch
|
||||||
@ -810,7 +806,6 @@ exit 0
|
|||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
|
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
|
||||||
@ -869,7 +864,6 @@ exit 0
|
|||||||
%dir %{etcjavadir -- %{?1}}/lib
|
%dir %{etcjavadir -- %{?1}}/lib
|
||||||
%dir %{etcjavadir -- %{?1}}/lib/security
|
%dir %{etcjavadir -- %{?1}}/lib/security
|
||||||
%{etcjavadir -- %{?1}}/lib/security/cacerts
|
%{etcjavadir -- %{?1}}/lib/security/cacerts
|
||||||
%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
|
|
||||||
%dir %{etcjavadir -- %{?1}}/conf
|
%dir %{etcjavadir -- %{?1}}/conf
|
||||||
%dir %{etcjavadir -- %{?1}}/conf/sdp
|
%dir %{etcjavadir -- %{?1}}/conf/sdp
|
||||||
%dir %{etcjavadir -- %{?1}}/conf/management
|
%dir %{etcjavadir -- %{?1}}/conf/management
|
||||||
@ -1040,10 +1034,10 @@ exit 0
|
|||||||
}
|
}
|
||||||
|
|
||||||
%define files_static_libs() %{expand:
|
%define files_static_libs() %{expand:
|
||||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
|
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
|
||||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
|
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
|
||||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
|
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
|
||||||
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
|
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
|
||||||
}
|
}
|
||||||
|
|
||||||
%define files_javadoc() %{expand:
|
%define files_javadoc() %{expand:
|
||||||
@ -1850,7 +1844,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
|||||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
# How many CPU's do we have?
|
# How many CPU's do we have?
|
||||||
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
||||||
export NUM_PROC=${NUM_PROC:-1}
|
export NUM_PROC=${NUM_PROC:-1}
|
||||||
@ -1957,117 +1950,36 @@ function installjdk() {
|
|||||||
local imagepath=${1}
|
local imagepath=${1}
|
||||||
|
|
||||||
if [ -d ${imagepath} ] ; then
|
if [ -d ${imagepath} ] ; then
|
||||||
# the build (erroneously) removes read permissions from some jars
|
# the build (erroneously) removes read permissions from some jars
|
||||||
# this is a regression in OpenJDK 7 (our compiler):
|
# this is a regression in OpenJDK 7 (our compiler):
|
||||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||||
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||||
|
|
||||||
# Build screws up permissions on binaries
|
# Build screws up permissions on binaries
|
||||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||||
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
||||||
find ${imagepath}/bin/ -exec chmod +x {} \;
|
find ${imagepath}/bin/ -exec chmod +x {} \;
|
||||||
|
|
||||||
# Install nss.cfg right away as we will be using the JRE above
|
# Install nss.cfg right away as we will be using the JRE above
|
||||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||||
|
|
||||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
||||||
|
|
||||||
# Turn on system security properties
|
# Turn on system security properties
|
||||||
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||||
${imagepath}/conf/security/java.security
|
${imagepath}/conf/security/java.security
|
||||||
|
|
||||||
# Use system-wide tzdata
|
# Use system-wide tzdata
|
||||||
mv ${imagepath}/lib/tzdb.dat{,.upstream}
|
rm ${imagepath}/lib/tzdb.dat
|
||||||
ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
||||||
|
|
||||||
# Rename OpenJDK cacerts database
|
|
||||||
mv ${imagepath}/lib/security/cacerts{,.upstream}
|
|
||||||
# Install cacerts symlink needed by some apps which hard-code the path
|
|
||||||
ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
|
|
||||||
|
|
||||||
# Create fake alt-java as a placeholder for future alt-java
|
|
||||||
pushd ${imagepath}
|
|
||||||
# add alt-java man page
|
|
||||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
|
||||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
|
||||||
popd
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Checks on debuginfo must be performed before the files are stripped
|
|
||||||
# by the RPM installation stage
|
|
||||||
function debugcheckjdk() {
|
|
||||||
local imagepath=${1}
|
|
||||||
|
|
||||||
if [ -d ${imagepath} ] ; then
|
|
||||||
|
|
||||||
so_suffix="so"
|
|
||||||
# Check debug symbols are present and can identify code
|
|
||||||
find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
|
|
||||||
do
|
|
||||||
if [ -f "$lib" ] ; then
|
|
||||||
echo "Testing $lib for debug symbols"
|
|
||||||
# All these tests rely on RPM failing the build if the exit code of any set
|
|
||||||
# of piped commands is non-zero.
|
|
||||||
|
|
||||||
# Test for .debug_* sections in the shared object. This is the main test
|
|
||||||
# Stripped objects will not contain these
|
|
||||||
eu-readelf -S "$lib" | grep "] .debug_"
|
|
||||||
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
|
|
||||||
|
|
||||||
# Test FILE symbols. These will most likely be removed by anything that
|
|
||||||
# manipulates symbol tables because it's generally useless. So a nice test
|
|
||||||
# that nothing has messed with symbols
|
|
||||||
old_IFS="$IFS"
|
|
||||||
IFS=$'\n'
|
|
||||||
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
|
|
||||||
do
|
|
||||||
# We expect to see .cpp and .S files, except for architectures like aarch64 and
|
|
||||||
# s390 where we expect .o and .oS files
|
|
||||||
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
|
|
||||||
done
|
|
||||||
IFS="$old_IFS"
|
|
||||||
|
|
||||||
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
|
|
||||||
if [ "`basename $lib`" = "libjvm.so" ]; then
|
|
||||||
eu-readelf -s "$lib" | \
|
|
||||||
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Test that there are no .gnu_debuglink sections pointing to another
|
|
||||||
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
|
|
||||||
# no sense either
|
|
||||||
eu-readelf -S "$lib" | grep 'gnu'
|
|
||||||
if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
|
|
||||||
echo "bad .gnu_debuglink section."
|
|
||||||
eu-readelf -x .gnu_debuglink "$lib"
|
|
||||||
false
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
|
|
||||||
# javaCalls.cpp:58 should map to:
|
|
||||||
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
|
|
||||||
# Using line number 1 might cause build problems. See:
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
|
|
||||||
gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
|
|
||||||
handle SIGSEGV pass nostop noprint
|
|
||||||
handle SIGILL pass nostop noprint
|
|
||||||
set breakpoint pending on
|
|
||||||
break javaCalls.cpp:58
|
|
||||||
commands 1
|
|
||||||
backtrace
|
|
||||||
quit
|
|
||||||
end
|
|
||||||
run -version
|
|
||||||
EOF
|
|
||||||
%ifarch %{gdb_arches}
|
|
||||||
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
# Create fake alt-java as a placeholder for future alt-java
|
||||||
|
pushd ${imagepath}
|
||||||
|
# add alt-java man page
|
||||||
|
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||||
|
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||||
|
popd
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2137,8 +2049,6 @@ for suffix in %{build_loop} ; do
|
|||||||
# Final setup on the main image
|
# Final setup on the main image
|
||||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||||
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||||
# Check debug symbols were built into the dynamic libraries
|
|
||||||
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
|
||||||
|
|
||||||
# Print release information
|
# Print release information
|
||||||
cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
|
cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
|
||||||
@ -2146,6 +2056,142 @@ for suffix in %{build_loop} ; do
|
|||||||
# build cycles
|
# build cycles
|
||||||
done # end of release / debug cycle loop
|
done # end of release / debug cycle loop
|
||||||
|
|
||||||
|
%check
|
||||||
|
|
||||||
|
# We test debug first as it will give better diagnostics on a crash
|
||||||
|
for suffix in %{build_loop} ; do
|
||||||
|
|
||||||
|
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||||
|
%if %{include_staticlibs}
|
||||||
|
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||||
|
%endif
|
||||||
|
|
||||||
|
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||||
|
|
||||||
|
# Pre-test setup
|
||||||
|
|
||||||
|
#check Shenandoah is enabled
|
||||||
|
%if %{use_shenandoah_hotspot}
|
||||||
|
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Check unlimited policy has been used
|
||||||
|
$JAVA_HOME/bin/javac -d . %{SOURCE13}
|
||||||
|
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
|
||||||
|
|
||||||
|
# Check ECC is working
|
||||||
|
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
||||||
|
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
||||||
|
|
||||||
|
# Check system crypto (policy) is active and can be disabled
|
||||||
|
# Test takes a single argument - true or false - to state whether system
|
||||||
|
# security properties are enabled or not.
|
||||||
|
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
||||||
|
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
||||||
|
export SEC_DEBUG="-Djava.security.debug=properties"
|
||||||
|
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
|
||||||
|
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
|
||||||
|
|
||||||
|
# Check java launcher has no SSB mitigation
|
||||||
|
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
||||||
|
|
||||||
|
# Check alt-java launcher has SSB mitigation on supported architectures
|
||||||
|
%ifarch %{ssbd_arches}
|
||||||
|
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
|
||||||
|
%else
|
||||||
|
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{include_staticlibs}
|
||||||
|
# Check debug symbols in static libraries (smoke test)
|
||||||
|
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
|
||||||
|
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
|
||||||
|
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
|
||||||
|
%endif
|
||||||
|
|
||||||
|
so_suffix="so"
|
||||||
|
# Check debug symbols are present and can identify code
|
||||||
|
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
|
||||||
|
do
|
||||||
|
if [ -f "$lib" ] ; then
|
||||||
|
echo "Testing $lib for debug symbols"
|
||||||
|
# All these tests rely on RPM failing the build if the exit code of any set
|
||||||
|
# of piped commands is non-zero.
|
||||||
|
|
||||||
|
# Test for .debug_* sections in the shared object. This is the main test
|
||||||
|
# Stripped objects will not contain these
|
||||||
|
eu-readelf -S "$lib" | grep "] .debug_"
|
||||||
|
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
|
||||||
|
|
||||||
|
# Test FILE symbols. These will most likely be removed by anything that
|
||||||
|
# manipulates symbol tables because it's generally useless. So a nice test
|
||||||
|
# that nothing has messed with symbols
|
||||||
|
old_IFS="$IFS"
|
||||||
|
IFS=$'\n'
|
||||||
|
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
|
||||||
|
do
|
||||||
|
# We expect to see .cpp files, except for architectures like aarch64 and
|
||||||
|
# s390 where we expect .o and .oS files
|
||||||
|
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
|
||||||
|
done
|
||||||
|
IFS="$old_IFS"
|
||||||
|
|
||||||
|
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
|
||||||
|
if [ "`basename $lib`" = "libjvm.so" ]; then
|
||||||
|
eu-readelf -s "$lib" | \
|
||||||
|
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Test that there are no .gnu_debuglink sections pointing to another
|
||||||
|
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
|
||||||
|
# no sense either
|
||||||
|
eu-readelf -S "$lib" | grep 'gnu'
|
||||||
|
if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
|
||||||
|
echo "bad .gnu_debuglink section."
|
||||||
|
eu-readelf -x .gnu_debuglink "$lib"
|
||||||
|
false
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
|
||||||
|
# javaCalls.cpp:58 should map to:
|
||||||
|
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
|
||||||
|
# Using line number 1 might cause build problems. See:
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
|
||||||
|
gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
|
||||||
|
handle SIGSEGV pass nostop noprint
|
||||||
|
handle SIGILL pass nostop noprint
|
||||||
|
set breakpoint pending on
|
||||||
|
break javaCalls.cpp:58
|
||||||
|
commands 1
|
||||||
|
backtrace
|
||||||
|
quit
|
||||||
|
end
|
||||||
|
run -version
|
||||||
|
EOF
|
||||||
|
|
||||||
|
%ifarch %{gdb_arches}
|
||||||
|
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Check src.zip has all sources. See RHBZ#1130490
|
||||||
|
unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
|
||||||
|
|
||||||
|
# Check class files include useful debugging information
|
||||||
|
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
|
||||||
|
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
|
||||||
|
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
|
||||||
|
|
||||||
|
# Check generated class files include useful debugging information
|
||||||
|
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
|
||||||
|
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
|
||||||
|
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
|
||||||
|
|
||||||
|
# build cycles check
|
||||||
|
done
|
||||||
|
|
||||||
%install
|
%install
|
||||||
STRIP_KEEP_SYMTAB=libjvm*
|
STRIP_KEEP_SYMTAB=libjvm*
|
||||||
|
|
||||||
@ -2174,10 +2220,17 @@ pushd ${jdk_image}
|
|||||||
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
|
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
|
||||||
for name in $tapsetFiles ; do
|
for name in $tapsetFiles ; do
|
||||||
targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
|
targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
|
||||||
ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
|
ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
|
||||||
done
|
done
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Remove empty cacerts database
|
||||||
|
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
|
||||||
|
# Install cacerts symlink needed by some apps which hard-code the path
|
||||||
|
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
|
||||||
|
ln -sf /etc/pki/java/cacerts .
|
||||||
|
popd
|
||||||
|
|
||||||
# Install version-ed symlinks
|
# Install version-ed symlinks
|
||||||
pushd $RPM_BUILD_ROOT%{_jvmdir}
|
pushd $RPM_BUILD_ROOT%{_jvmdir}
|
||||||
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
|
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
|
||||||
@ -2197,12 +2250,11 @@ pushd ${jdk_image}
|
|||||||
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
|
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
|
||||||
|
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# Install static libs artefacts
|
# Install static libs artefacts
|
||||||
%if %{include_staticlibs}
|
%if %{include_staticlibs}
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
|
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
|
||||||
cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
|
cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
|
||||||
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
|
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
if ! echo $suffix | grep -q "debug" ; then
|
if ! echo $suffix | grep -q "debug" ; then
|
||||||
@ -2247,10 +2299,10 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
|
|||||||
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
|
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
|
||||||
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
|
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
|
||||||
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
|
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
|
||||||
ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
|
ln -s %{etcjavadir -- $suffix}/conf ./conf
|
||||||
popd
|
popd
|
||||||
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
|
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
|
||||||
ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
|
ln -s %{etcjavadir -- $suffix}/lib/security ./security
|
||||||
popd
|
popd
|
||||||
# end moving files to /etc
|
# end moving files to /etc
|
||||||
|
|
||||||
@ -2262,74 +2314,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
|
|||||||
# end, dual install
|
# end, dual install
|
||||||
done
|
done
|
||||||
|
|
||||||
%check
|
|
||||||
|
|
||||||
# We test debug first as it will give better diagnostics on a crash
|
|
||||||
for suffix in %{build_loop} ; do
|
|
||||||
|
|
||||||
# Tests in the check stage are performed on the installed image
|
|
||||||
# rpmbuild operates as follows: build -> install -> test
|
|
||||||
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
|
|
||||||
|
|
||||||
#check Shenandoah is enabled
|
|
||||||
%if %{use_shenandoah_hotspot}
|
|
||||||
$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Check unlimited policy has been used
|
|
||||||
$JAVA_HOME/bin/javac -d . %{SOURCE13}
|
|
||||||
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
|
|
||||||
|
|
||||||
# Check ECC is working
|
|
||||||
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
|
||||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
|
||||||
|
|
||||||
# Check system crypto (policy) is active and can be disabled
|
|
||||||
# Test takes a single argument - true or false - to state whether system
|
|
||||||
# security properties are enabled or not.
|
|
||||||
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
|
||||||
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
|
||||||
export SEC_DEBUG="-Djava.security.debug=properties"
|
|
||||||
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
|
|
||||||
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
|
|
||||||
|
|
||||||
# Check java launcher has no SSB mitigation
|
|
||||||
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
|
||||||
|
|
||||||
# Check alt-java launcher has SSB mitigation on supported architectures
|
|
||||||
%ifarch %{ssbd_arches}
|
|
||||||
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
|
|
||||||
%else
|
|
||||||
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Check correct vendor values have been set
|
|
||||||
$JAVA_HOME/bin/javac -d . %{SOURCE16}
|
|
||||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
|
|
||||||
|
|
||||||
%if %{include_staticlibs}
|
|
||||||
# Check debug symbols in static libraries (smoke test)
|
|
||||||
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
|
|
||||||
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
|
|
||||||
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Check src.zip has all sources. See RHBZ#1130490
|
|
||||||
unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
|
|
||||||
|
|
||||||
# Check class files include useful debugging information
|
|
||||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
|
|
||||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
|
|
||||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
|
|
||||||
|
|
||||||
# Check generated class files include useful debugging information
|
|
||||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
|
|
||||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
|
|
||||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
|
|
||||||
|
|
||||||
# build cycles check
|
|
||||||
done
|
|
||||||
|
|
||||||
%if %{include_normal_build}
|
%if %{include_normal_build}
|
||||||
# intentionally only for non-debug
|
# intentionally only for non-debug
|
||||||
%pretrans headless -p <lua>
|
%pretrans headless -p <lua>
|
||||||
@ -2574,6 +2558,16 @@ cjc.mainProgram(args)
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
|
||||||
|
- Revert the following changes until copy-java-configs has adapted to relative symlinks:
|
||||||
|
- * Move cacerts replacement to install section and retain original of this and tzdb.dat
|
||||||
|
- * Run tests on the installed image, rather than the build image
|
||||||
|
- * Introduce variables to refer to the static library installation directories
|
||||||
|
- * Use relative symlinks so they work within the image
|
||||||
|
- * Run debug symbols check during build stage, before the install strips them
|
||||||
|
- The move of turning on system security properties is retained so we don't ship with them off
|
||||||
|
- Related: rhbz#2084218
|
||||||
|
|
||||||
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
|
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
|
||||||
- Update to jdk-17.0.3.0+7
|
- Update to jdk-17.0.3.0+7
|
||||||
- Update release notes to 17.0.3.0+7
|
- Update release notes to 17.0.3.0+7
|
||||||
|
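Review bot: The re-added `%check` block (hunk `@ -2146,6 +2056,142 @@`) no longer runs the vendor-values test that the removed `%check` ran, and the commit message does not list it among the reverted changes, so this looks like an unintended loss of coverage unless that test was itself part of what is being backed out. If it is meant to stay, re-add `$JAVA_HOME/bin/javac -d . %{SOURCE16}` and `$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"` ahead of the static-libs check. Separately, with `JAVA_HOME` pointing at `images/%{jdkimage}` again, nothing asserts that the packaged `java.security` still has system security properties enabled once `conf/` has been moved under `%{etcjavadir}`. A one-line guard in `%install` after that move, such as `grep -q '^security.useSystemPropertiesFile=true' $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/conf/security/java.security`, would pin the property the commit message says must not ship disabled, without depending on the absolute symlinks resolving inside the buildroot.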