- Revert the following changes until copy-java-configs has adapted to relative symlinks:
* Move cacerts replacement to install section and retain original of this and tzdb.dat * Run tests on the installed image, rather than the build image * Introduce variables to refer to the static library installation directories * Use relative symlinks so they work within the image * Run debug symbols check during build stage, before the install strips them The move of turning on system security properties is retained so we don't ship with them off Related: RHEL-45216
This commit is contained in:
parent
7bbc863a62
commit
ec138c6d2c
@ -353,7 +353,7 @@
|
||||
%global top_level_dir_name %{origin}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 7
|
||||
%global rpmrelease 1
|
||||
%global rpmrelease 2
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
%if %is_system_jdk
|
||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||
@ -400,10 +400,6 @@
|
||||
# images directories from upstream build
|
||||
%global jdkimage jdk
|
||||
%global static_libs_image static-libs
|
||||
# installation directory for static libraries
|
||||
%global static_libs_root lib/static
|
||||
%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
|
||||
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
|
||||
# output dir stub
|
||||
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
|
||||
# we can copy the javadoc to not arched dir, or make it not noarch
|
||||
@ -810,7 +806,6 @@ exit 0
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
|
||||
@ -869,7 +864,6 @@ exit 0
|
||||
%dir %{etcjavadir -- %{?1}}/lib
|
||||
%dir %{etcjavadir -- %{?1}}/lib/security
|
||||
%{etcjavadir -- %{?1}}/lib/security/cacerts
|
||||
%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
|
||||
%dir %{etcjavadir -- %{?1}}/conf
|
||||
%dir %{etcjavadir -- %{?1}}/conf/sdp
|
||||
%dir %{etcjavadir -- %{?1}}/conf/management
|
||||
@ -1040,10 +1034,10 @@ exit 0
|
||||
}
|
||||
|
||||
%define files_static_libs() %{expand:
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
|
||||
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
|
||||
}
|
||||
|
||||
%define files_javadoc() %{expand:
|
||||
@ -1850,7 +1844,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
|
||||
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
|
||||
|
||||
%build
|
||||
|
||||
# How many CPU's do we have?
|
||||
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
|
||||
export NUM_PROC=${NUM_PROC:-1}
|
||||
@ -1957,117 +1950,36 @@ function installjdk() {
|
||||
local imagepath=${1}
|
||||
|
||||
if [ -d ${imagepath} ] ; then
|
||||
# the build (erroneously) removes read permissions from some jars
|
||||
# this is a regression in OpenJDK 7 (our compiler):
|
||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||
# the build (erroneously) removes read permissions from some jars
|
||||
# this is a regression in OpenJDK 7 (our compiler):
|
||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||
|
||||
# Build screws up permissions on binaries
|
||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
||||
find ${imagepath}/bin/ -exec chmod +x {} \;
|
||||
# Build screws up permissions on binaries
|
||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
||||
find ${imagepath}/bin/ -exec chmod +x {} \;
|
||||
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
||||
|
||||
# Turn on system security properties
|
||||
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||
${imagepath}/conf/security/java.security
|
||||
# Turn on system security properties
|
||||
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
|
||||
${imagepath}/conf/security/java.security
|
||||
|
||||
# Use system-wide tzdata
|
||||
mv ${imagepath}/lib/tzdb.dat{,.upstream}
|
||||
ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
||||
|
||||
# Rename OpenJDK cacerts database
|
||||
mv ${imagepath}/lib/security/cacerts{,.upstream}
|
||||
# Install cacerts symlink needed by some apps which hard-code the path
|
||||
ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
|
||||
|
||||
# Create fake alt-java as a placeholder for future alt-java
|
||||
pushd ${imagepath}
|
||||
# add alt-java man page
|
||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||
popd
|
||||
fi
|
||||
}
|
||||
|
||||
# Checks on debuginfo must be performed before the files are stripped
|
||||
# by the RPM installation stage
|
||||
function debugcheckjdk() {
|
||||
local imagepath=${1}
|
||||
|
||||
if [ -d ${imagepath} ] ; then
|
||||
|
||||
so_suffix="so"
|
||||
# Check debug symbols are present and can identify code
|
||||
find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
|
||||
do
|
||||
if [ -f "$lib" ] ; then
|
||||
echo "Testing $lib for debug symbols"
|
||||
# All these tests rely on RPM failing the build if the exit code of any set
|
||||
# of piped commands is non-zero.
|
||||
|
||||
# Test for .debug_* sections in the shared object. This is the main test
|
||||
# Stripped objects will not contain these
|
||||
eu-readelf -S "$lib" | grep "] .debug_"
|
||||
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
|
||||
|
||||
# Test FILE symbols. These will most likely be removed by anything that
|
||||
# manipulates symbol tables because it's generally useless. So a nice test
|
||||
# that nothing has messed with symbols
|
||||
old_IFS="$IFS"
|
||||
IFS=$'\n'
|
||||
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
|
||||
do
|
||||
# We expect to see .cpp and .S files, except for architectures like aarch64 and
|
||||
# s390 where we expect .o and .oS files
|
||||
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
|
||||
done
|
||||
IFS="$old_IFS"
|
||||
|
||||
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
|
||||
if [ "`basename $lib`" = "libjvm.so" ]; then
|
||||
eu-readelf -s "$lib" | \
|
||||
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
|
||||
fi
|
||||
|
||||
# Test that there are no .gnu_debuglink sections pointing to another
|
||||
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
|
||||
# no sense either
|
||||
eu-readelf -S "$lib" | grep 'gnu'
|
||||
if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
|
||||
echo "bad .gnu_debuglink section."
|
||||
eu-readelf -x .gnu_debuglink "$lib"
|
||||
false
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
|
||||
# javaCalls.cpp:58 should map to:
|
||||
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
|
||||
# Using line number 1 might cause build problems. See:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
|
||||
gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
|
||||
handle SIGSEGV pass nostop noprint
|
||||
handle SIGILL pass nostop noprint
|
||||
set breakpoint pending on
|
||||
break javaCalls.cpp:58
|
||||
commands 1
|
||||
backtrace
|
||||
quit
|
||||
end
|
||||
run -version
|
||||
EOF
|
||||
%ifarch %{gdb_arches}
|
||||
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
|
||||
%endif
|
||||
# Use system-wide tzdata
|
||||
rm ${imagepath}/lib/tzdb.dat
|
||||
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
||||
|
||||
# Create fake alt-java as a placeholder for future alt-java
|
||||
pushd ${imagepath}
|
||||
# add alt-java man page
|
||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||
popd
|
||||
fi
|
||||
}
|
||||
|
||||
@ -2137,8 +2049,6 @@ for suffix in %{build_loop} ; do
|
||||
# Final setup on the main image
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
# Check debug symbols were built into the dynamic libraries
|
||||
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
|
||||
# Print release information
|
||||
cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
|
||||
@ -2146,6 +2056,142 @@ for suffix in %{build_loop} ; do
|
||||
# build cycles
|
||||
done # end of release / debug cycle loop
|
||||
|
||||
%check
|
||||
|
||||
# We test debug first as it will give better diagnostics on a crash
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
%if %{include_staticlibs}
|
||||
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||
%endif
|
||||
|
||||
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
|
||||
# Pre-test setup
|
||||
|
||||
#check Shenandoah is enabled
|
||||
%if %{use_shenandoah_hotspot}
|
||||
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
||||
%endif
|
||||
|
||||
# Check unlimited policy has been used
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE13}
|
||||
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
|
||||
|
||||
# Check ECC is working
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
||||
|
||||
# Check system crypto (policy) is active and can be disabled
|
||||
# Test takes a single argument - true or false - to state whether system
|
||||
# security properties are enabled or not.
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
||||
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
||||
export SEC_DEBUG="-Djava.security.debug=properties"
|
||||
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
|
||||
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
|
||||
|
||||
# Check java launcher has no SSB mitigation
|
||||
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
||||
|
||||
# Check alt-java launcher has SSB mitigation on supported architectures
|
||||
%ifarch %{ssbd_arches}
|
||||
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
|
||||
%else
|
||||
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
|
||||
%endif
|
||||
|
||||
%if %{include_staticlibs}
|
||||
# Check debug symbols in static libraries (smoke test)
|
||||
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
|
||||
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
|
||||
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
|
||||
%endif
|
||||
|
||||
so_suffix="so"
|
||||
# Check debug symbols are present and can identify code
|
||||
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
|
||||
do
|
||||
if [ -f "$lib" ] ; then
|
||||
echo "Testing $lib for debug symbols"
|
||||
# All these tests rely on RPM failing the build if the exit code of any set
|
||||
# of piped commands is non-zero.
|
||||
|
||||
# Test for .debug_* sections in the shared object. This is the main test
|
||||
# Stripped objects will not contain these
|
||||
eu-readelf -S "$lib" | grep "] .debug_"
|
||||
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
|
||||
|
||||
# Test FILE symbols. These will most likely be removed by anything that
|
||||
# manipulates symbol tables because it's generally useless. So a nice test
|
||||
# that nothing has messed with symbols
|
||||
old_IFS="$IFS"
|
||||
IFS=$'\n'
|
||||
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
|
||||
do
|
||||
# We expect to see .cpp files, except for architectures like aarch64 and
|
||||
# s390 where we expect .o and .oS files
|
||||
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
|
||||
done
|
||||
IFS="$old_IFS"
|
||||
|
||||
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
|
||||
if [ "`basename $lib`" = "libjvm.so" ]; then
|
||||
eu-readelf -s "$lib" | \
|
||||
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
|
||||
fi
|
||||
|
||||
# Test that there are no .gnu_debuglink sections pointing to another
|
||||
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
|
||||
# no sense either
|
||||
eu-readelf -S "$lib" | grep 'gnu'
|
||||
if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
|
||||
echo "bad .gnu_debuglink section."
|
||||
eu-readelf -x .gnu_debuglink "$lib"
|
||||
false
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
|
||||
# javaCalls.cpp:58 should map to:
|
||||
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
|
||||
# Using line number 1 might cause build problems. See:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
|
||||
gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
|
||||
handle SIGSEGV pass nostop noprint
|
||||
handle SIGILL pass nostop noprint
|
||||
set breakpoint pending on
|
||||
break javaCalls.cpp:58
|
||||
commands 1
|
||||
backtrace
|
||||
quit
|
||||
end
|
||||
run -version
|
||||
EOF
|
||||
|
||||
%ifarch %{gdb_arches}
|
||||
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
|
||||
%endif
|
||||
|
||||
# Check src.zip has all sources. See RHBZ#1130490
|
||||
unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
|
||||
|
||||
# Check class files include useful debugging information
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
|
||||
|
||||
# Check generated class files include useful debugging information
|
||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
|
||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
|
||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
|
||||
|
||||
# build cycles check
|
||||
done
|
||||
|
||||
%install
|
||||
STRIP_KEEP_SYMTAB=libjvm*
|
||||
|
||||
@ -2174,10 +2220,17 @@ pushd ${jdk_image}
|
||||
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
|
||||
for name in $tapsetFiles ; do
|
||||
targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
|
||||
ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
|
||||
ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
|
||||
done
|
||||
%endif
|
||||
|
||||
# Remove empty cacerts database
|
||||
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
|
||||
# Install cacerts symlink needed by some apps which hard-code the path
|
||||
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
|
||||
ln -sf /etc/pki/java/cacerts .
|
||||
popd
|
||||
|
||||
# Install version-ed symlinks
|
||||
pushd $RPM_BUILD_ROOT%{_jvmdir}
|
||||
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
|
||||
@ -2197,12 +2250,11 @@ pushd ${jdk_image}
|
||||
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
|
||||
|
||||
popd
|
||||
|
||||
# Install static libs artefacts
|
||||
%if %{include_staticlibs}
|
||||
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
|
||||
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
|
||||
cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
|
||||
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
|
||||
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
|
||||
%endif
|
||||
|
||||
if ! echo $suffix | grep -q "debug" ; then
|
||||
@ -2247,10 +2299,10 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
|
||||
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
|
||||
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
|
||||
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
|
||||
ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
|
||||
ln -s %{etcjavadir -- $suffix}/conf ./conf
|
||||
popd
|
||||
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
|
||||
ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
|
||||
ln -s %{etcjavadir -- $suffix}/lib/security ./security
|
||||
popd
|
||||
# end moving files to /etc
|
||||
|
||||
@ -2262,74 +2314,6 @@ find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 6
|
||||
# end, dual install
|
||||
done
|
||||
|
||||
%check
|
||||
|
||||
# We test debug first as it will give better diagnostics on a crash
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
# Tests in the check stage are performed on the installed image
|
||||
# rpmbuild operates as follows: build -> install -> test
|
||||
export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
|
||||
|
||||
#check Shenandoah is enabled
|
||||
%if %{use_shenandoah_hotspot}
|
||||
$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
|
||||
%endif
|
||||
|
||||
# Check unlimited policy has been used
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE13}
|
||||
$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
|
||||
|
||||
# Check ECC is working
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE14}
|
||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
|
||||
|
||||
# Check system crypto (policy) is active and can be disabled
|
||||
# Test takes a single argument - true or false - to state whether system
|
||||
# security properties are enabled or not.
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE15}
|
||||
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
|
||||
export SEC_DEBUG="-Djava.security.debug=properties"
|
||||
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
|
||||
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
|
||||
|
||||
# Check java launcher has no SSB mitigation
|
||||
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
|
||||
|
||||
# Check alt-java launcher has SSB mitigation on supported architectures
|
||||
%ifarch %{ssbd_arches}
|
||||
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
|
||||
%else
|
||||
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
|
||||
%endif
|
||||
|
||||
# Check correct vendor values have been set
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE16}
|
||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}"
|
||||
|
||||
%if %{include_staticlibs}
|
||||
# Check debug symbols in static libraries (smoke test)
|
||||
export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
|
||||
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
|
||||
readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
|
||||
%endif
|
||||
|
||||
# Check src.zip has all sources. See RHBZ#1130490
|
||||
unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
|
||||
|
||||
# Check class files include useful debugging information
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
|
||||
|
||||
# Check generated class files include useful debugging information
|
||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
|
||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
|
||||
$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
|
||||
|
||||
# build cycles check
|
||||
done
|
||||
|
||||
%if %{include_normal_build}
|
||||
# intentionally only for non-debug
|
||||
%pretrans headless -p <lua>
|
||||
@ -2574,6 +2558,16 @@ cjc.mainProgram(args)
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
|
||||
- Revert the following changes until copy-java-configs has adapted to relative symlinks:
|
||||
- * Move cacerts replacement to install section and retain original of this and tzdb.dat
|
||||
- * Run tests on the installed image, rather than the build image
|
||||
- * Introduce variables to refer to the static library installation directories
|
||||
- * Use relative symlinks so they work within the image
|
||||
- * Run debug symbols check during build stage, before the install strips them
|
||||
- The move of turning on system security properties is retained so we don't ship with them off
|
||||
- Related: RHEL-45216
|
||||
|
||||
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
|
||||
- Update to jdk-17.0.4.0+7
|
||||
- Update release notes to 17.0.4.0+7
|
||||
|
Loading…
Reference in New Issue
Block a user