diff --git a/.gitignore b/.gitignore
index 7211c7d..29dfc59 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.1+13.tar.xz
+SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.2+7.tar.xz
SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata
index 7fe2ae3..c7e0243 100644
--- a/.java-11-openjdk.metadata
+++ b/.java-11-openjdk.metadata
@@ -1,2 +1,2 @@
-aedf1cc419fa0203658204b275e5599f7536ca9a SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.1+13.tar.xz
+a01def53d91f1d55c27e8609f84891dccfae1ee1 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.2+7.tar.xz
cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
diff --git a/SOURCES/JDK-8210416-RHBZ-1632174-fdlibm-opt-fix.patch b/SOURCES/JDK-8210416-RHBZ-1632174-fdlibm-opt-fix.patch
deleted file mode 100644
index 85428db..0000000
--- a/SOURCES/JDK-8210416-RHBZ-1632174-fdlibm-opt-fix.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1536142767 -7200
-# Wed Sep 05 12:19:27 2018 +0200
-# Node ID 7ea57274e55054579d1532e757edb21e67beed83
-# Parent 3ee91722550680c18b977f0e00b1013323b5c9ef
-8210416: [linux] Poor StrictMath performance due to non-optimized compilation
-Summary: Compile fdlibm with -O2 -ffp-contract=off on gcc/clang arches.
-Reviewed-by: aph, erikj, dholmes, darcy
-
-diff --git a/make/autoconf/flags-cflags.m4 b/make/autoconf/flags-cflags.m4
---- a/make/autoconf/flags-cflags.m4
-+++ b/make/autoconf/flags-cflags.m4
-@@ -373,6 +373,18 @@
-
- FLAGS_SETUP_CFLAGS_CPU_DEP([BUILD], [OPENJDK_BUILD_])
-
-+ COMPILER_FP_CONTRACT_OFF_FLAG="-ffp-contract=off"
-+ # Check that the compiler supports -ffp-contract=off flag
-+ # Set FDLIBM_CFLAGS to -ffp-contract=off if it does. Empty
-+ # otherwise.
-+ # These flags are required for GCC-based builds of
-+ # fdlibm with optimization without losing precision.
-+ # Notably, -ffp-contract=off needs to be added for GCC >= 4.6.
-+ FLAGS_COMPILER_CHECK_ARGUMENTS(ARGUMENT: [${COMPILER_FP_CONTRACT_OFF_FLAG}],
-+ IF_TRUE: [FDLIBM_CFLAGS=${COMPILER_FP_CONTRACT_OFF_FLAG}],
-+ IF_FALSE: [FDLIBM_CFLAGS=""])
-+ AC_SUBST(FDLIBM_CFLAGS)
-+
- # Tests are only ever compiled for TARGET
- CFLAGS_TESTLIB="$CFLAGS_JDKLIB"
- CXXFLAGS_TESTLIB="$CXXFLAGS_JDKLIB"
-diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
---- a/make/autoconf/spec.gmk.in
-+++ b/make/autoconf/spec.gmk.in
-@@ -450,6 +450,7 @@
- LIBJSIG_HASHSTYLE_LDFLAGS := @LIBJSIG_HASHSTYLE_LDFLAGS@
- LIBJSIG_NOEXECSTACK_LDFLAGS := @LIBJSIG_NOEXECSTACK_LDFLAGS@
-
-+FDLIBM_CFLAGS := @FDLIBM_CFLAGS@
- JVM_CFLAGS := @JVM_CFLAGS@
- JVM_LDFLAGS := @JVM_LDFLAGS@
- JVM_ASFLAGS := @JVM_ASFLAGS@
-diff --git a/make/lib/CoreLibraries.gmk b/make/lib/CoreLibraries.gmk
---- a/make/lib/CoreLibraries.gmk
-+++ b/make/lib/CoreLibraries.gmk
-@@ -39,20 +39,15 @@
- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
- endif
-
--ifeq ($(OPENJDK_TARGET_OS), linux)
-- ifeq ($(OPENJDK_TARGET_CPU), ppc64)
-- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
-- else ifeq ($(OPENJDK_TARGET_CPU), ppc64le)
-- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
-- else ifeq ($(OPENJDK_TARGET_CPU), s390x)
-- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
-- else ifeq ($(OPENJDK_TARGET_CPU), aarch64)
-- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
-- endif
-+# If FDLIBM_CFLAGS is non-empty we know that we can optimize
-+# fdlibm by adding those extra C flags. Currently GCC,
-+# and clang only.
-+ifneq ($(FDLIBM_CFLAGS), )
-+ BUILD_LIBFDLIBM_OPTIMIZATION := LOW
- endif
-
- LIBFDLIBM_SRC := $(TOPDIR)/src/java.base/share/native/libfdlibm
--LIBFDLIBM_CFLAGS := -I$(LIBFDLIBM_SRC)
-+LIBFDLIBM_CFLAGS := -I$(LIBFDLIBM_SRC) $(FDLIBM_CFLAGS)
-
- ifneq ($(OPENJDK_TARGET_OS), macosx)
- $(eval $(call SetupNativeCompilation, BUILD_LIBFDLIBM, \
-@@ -64,10 +59,6 @@
- CFLAGS := $(CFLAGS_JDKLIB) $(LIBFDLIBM_CFLAGS), \
- CFLAGS_windows_debug := -DLOGGING, \
- CFLAGS_aix := -qfloat=nomaf, \
-- CFLAGS_linux_ppc64 := -ffp-contract=off, \
-- CFLAGS_linux_ppc64le := -ffp-contract=off, \
-- CFLAGS_linux_s390x := -ffp-contract=off, \
-- CFLAGS_linux_aarch64 := -ffp-contract=off, \
- DISABLED_WARNINGS_gcc := sign-compare misleading-indentation, \
- DISABLED_WARNINGS_microsoft := 4146 4244 4018, \
- ARFLAGS := $(ARFLAGS), \
diff --git a/SOURCES/JDK-8210425-RHBZ-1632174-sharedRuntimeTrig-opt-fix.patch b/SOURCES/JDK-8210425-RHBZ-1632174-sharedRuntimeTrig-opt-fix.patch
deleted file mode 100644
index 843ae3c..0000000
--- a/SOURCES/JDK-8210425-RHBZ-1632174-sharedRuntimeTrig-opt-fix.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1536682731 -7200
-# Tue Sep 11 18:18:51 2018 +0200
-# Node ID 7157249fdd4366d95dd68f3d083ebb0ef84c753b
-# Parent 8d86b149e10f0a0896e5fd4d8d407e5fda64a529
-8210425: [x86] sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
-Reviewed-by: duke
-
-diff --git a/make/hotspot/lib/JvmOverrideFiles.gmk b/make/hotspot/lib/JvmOverrideFiles.gmk
---- a/make/hotspot/lib/JvmOverrideFiles.gmk
-+++ b/make/hotspot/lib/JvmOverrideFiles.gmk
-@@ -43,20 +43,26 @@ ifeq ($(TOOLCHAIN_TYPE), gcc)
- endif
- endif
-
-+LIBJVM_FDLIBM_COPY_OPT_FLAG := $(CXX_O_FLAG_NONE)
-+# If the FDLIBM_CFLAGS variable is non-empty we know
-+# that the fdlibm-fork in hotspot can get optimized
-+# by using -ffp-contract=off on GCC/Clang platforms.
-+ifneq ($(FDLIBM_CFLAGS), )
-+ LIBJVM_FDLIBM_COPY_OPT_FLAG := $(CXX_O_FLAG_NORM)
-+endif
-+
- ifeq ($(OPENJDK_TARGET_OS), linux)
- BUILD_LIBJVM_ostream.cpp_CXXFLAGS := -D_FILE_OFFSET_BITS=64
- BUILD_LIBJVM_logFileOutput.cpp_CXXFLAGS := -D_FILE_OFFSET_BITS=64
-
-- ifeq ($(OPENJDK_TARGET_CPU_ARCH), x86)
-- BUILD_LIBJVM_sharedRuntimeTrig.cpp_CXXFLAGS := -DNO_PCH $(CXX_O_FLAG_NONE)
-- BUILD_LIBJVM_sharedRuntimeTrans.cpp_CXXFLAGS := -DNO_PCH $(CXX_O_FLAG_NONE)
-+ BUILD_LIBJVM_sharedRuntimeTrig.cpp_CXXFLAGS := -DNO_PCH $(FDLIBM_CFLAGS) $(LIBJVM_FDLIBM_COPY_OPT_FLAG)
-+ BUILD_LIBJVM_sharedRuntimeTrans.cpp_CXXFLAGS := -DNO_PCH $(FDLIBM_CFLAGS) $(LIBJVM_FDLIBM_COPY_OPT_FLAG)
-
-- ifeq ($(TOOLCHAIN_TYPE), clang)
-- JVM_PRECOMPILED_HEADER_EXCLUDE := \
-- sharedRuntimeTrig.cpp \
-- sharedRuntimeTrans.cpp \
-- #
-- endif
-+ ifeq ($(TOOLCHAIN_TYPE), clang)
-+ JVM_PRECOMPILED_HEADER_EXCLUDE := \
-+ sharedRuntimeTrig.cpp \
-+ sharedRuntimeTrans.cpp \
-+ #
- endif
-
- ifeq ($(OPENJDK_TARGET_CPU), x86)
diff --git a/SOURCES/JDK-8210647-RHBZ-1632174-libsaproc-opt-fix.patch b/SOURCES/JDK-8210647-RHBZ-1632174-libsaproc-opt-fix.patch
deleted file mode 100644
index a279f8a..0000000
--- a/SOURCES/JDK-8210647-RHBZ-1632174-libsaproc-opt-fix.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1536751862 -7200
-# Wed Sep 12 13:31:02 2018 +0200
-# Node ID f95c6746fe256fe0456e0ea0d2930631ef840286
-# Parent 7157249fdd4366d95dd68f3d083ebb0ef84c753b
-8210647: libsaproc is being compiled without optimization
-Reviewed-by: duke
-
-diff --git a/make/lib/Lib-jdk.hotspot.agent.gmk b/make/lib/Lib-jdk.hotspot.agent.gmk
---- a/make/lib/Lib-jdk.hotspot.agent.gmk
-+++ b/make/lib/Lib-jdk.hotspot.agent.gmk
-@@ -52,7 +52,7 @@
-
- $(eval $(call SetupJdkLibrary, BUILD_LIBSA, \
- NAME := saproc, \
-- OPTIMIZATION := NONE, \
-+ OPTIMIZATION := LOW, \
- DISABLED_WARNINGS_microsoft := 4267, \
- DISABLED_WARNINGS_gcc := sign-compare, \
- DISABLED_WARNINGS_CXX_solstudio := truncwarn unknownpragma, \
diff --git a/SOURCES/JDK-8210703-RHBZ-1632174-vmStructs-opt-fix.patch b/SOURCES/JDK-8210703-RHBZ-1632174-vmStructs-opt-fix.patch
deleted file mode 100644
index 6fc6c07..0000000
--- a/SOURCES/JDK-8210703-RHBZ-1632174-vmStructs-opt-fix.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1536829660 -7200
-# Thu Sep 13 11:07:40 2018 +0200
-# Node ID 39ccca116f79139fc4b779f5df83cb32357b9ae9
-# Parent 7512bd28304cf0dc5676247990f1907162c719ca
-8210703: vmStructs.cpp compiled with -O0
-Reviewed-by: duke
-
-diff --git a/make/hotspot/lib/JvmOverrideFiles.gmk b/make/hotspot/lib/JvmOverrideFiles.gmk
---- a/make/hotspot/lib/JvmOverrideFiles.gmk
-+++ b/make/hotspot/lib/JvmOverrideFiles.gmk
-@@ -30,7 +30,7 @@
- # status for individual files on specific platforms.
-
- ifeq ($(TOOLCHAIN_TYPE), gcc)
-- BUILD_LIBJVM_vmStructs.cpp_CXXFLAGS := -fno-var-tracking-assignments -O0
-+ BUILD_LIBJVM_vmStructs.cpp_CXXFLAGS := -fno-var-tracking-assignments
- BUILD_LIBJVM_jvmciCompilerToVM.cpp_CXXFLAGS := -fno-var-tracking-assignments
- BUILD_LIBJVM_jvmciCompilerToVMInit.cpp_CXXFLAGS := -fno-var-tracking-assignments
- BUILD_LIBJVM_assembler_x86.cpp_CXXFLAGS := -Wno-maybe-uninitialized
diff --git a/SOURCES/JDK-8210761-RHBZ-1632174-libjsig-opt-fix.patch b/SOURCES/JDK-8210761-RHBZ-1632174-libjsig-opt-fix.patch
deleted file mode 100644
index b5a88b0..0000000
--- a/SOURCES/JDK-8210761-RHBZ-1632174-libjsig-opt-fix.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-# HG changeset patch
-# User sgehwolf
-# Date 1537541916 -7200
-# Fri Sep 21 16:58:36 2018 +0200
-# Node ID cd8483acfe56ade257685d93323f78e6e13704a0
-# Parent e40fa3a70efdbc22f85c0d30350189f632779831
-8210761: libjsig is being compiled without optimization
-Reviewed-by: duke
-
-diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
---- a/make/lib/Lib-java.base.gmk
-+++ b/make/lib/Lib-java.base.gmk
-@@ -138,6 +138,7 @@
-
- $(eval $(call SetupJdkLibrary, BUILD_LIBJSIG, \
- NAME := jsig, \
-+ OPTIMIZATION := LOW, \
- CFLAGS := $(CFLAGS_JDKLIB) $(LIBJSIG_CFLAGS), \
- LDFLAGS := $(LDFLAGS_JDKLIB) \
- $(call SET_SHARED_LIBRARY_ORIGIN), \
diff --git a/SOURCES/RHBZ-1249083-system-crypto-policy-PR3183.patch b/SOURCES/RHBZ-1249083-system-crypto-policy-PR3183.patch
deleted file mode 100644
index 4efbe9a..0000000
--- a/SOURCES/RHBZ-1249083-system-crypto-policy-PR3183.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-
-# HG changeset patch
-# User andrew
-# Date 1478057514 0
-# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
-# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
-PR3183: Support Fedora/RHEL system crypto policy
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
---- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
-@@ -43,6 +43,9 @@
- * implementation-specific location, which is typically the properties file
- * {@code conf/security/java.security} in the Java installation directory.
- *
-+ * Additional default values of security properties are read from a
-+ * system-specific location, if available.
-+ *
- * @author Benjamin Renaud
- * @since 1.1
- */
-@@ -52,6 +55,10 @@
- private static final Debug sdebug =
- Debug.getInstance("properties");
-
-+ /* System property file*/
-+ private static final String SYSTEM_PROPERTIES =
-+ "/etc/crypto-policies/back-ends/java.config";
-+
- /* The java.security properties */
- private static Properties props;
-
-@@ -93,6 +100,7 @@
- if (sdebug != null) {
- sdebug.println("reading security properties file: " +
- propFile);
-+ sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
-@@ -114,6 +122,31 @@
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
-+ ("security.useSystemPropertiesFile"))) {
-+
-+ // now load the system file, if it exists, so its values
-+ // will win if they conflict with the earlier values
-+ try (BufferedInputStream bis =
-+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
-+ props.load(bis);
-+ loadedProps = true;
-+
-+ if (sdebug != null) {
-+ sdebug.println("reading system security properties file " +
-+ SYSTEM_PROPERTIES);
-+ sdebug.println(props.toString());
-+ }
-+ } catch (IOException e) {
-+ if (sdebug != null) {
-+ sdebug.println
-+ ("unable to load security properties from " +
-+ SYSTEM_PROPERTIES);
-+ e.printStackTrace();
-+ }
-+ }
-+ }
-+
-+ if ("true".equalsIgnoreCase(props.getProperty
- ("security.overridePropertiesFile"))) {
-
- String extraPropFile = System.getProperty
-diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
---- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
-+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
-@@ -276,6 +276,13 @@
- security.overridePropertiesFile=true
-
- #
-+# Determines whether this properties file will be appended to
-+# using the system properties file stored at
-+# /etc/crypto-policies/back-ends/java.config
-+#
-+security.useSystemPropertiesFile=true
-+
-+#
- # Determines the default key and trust manager factory algorithms for
- # the javax.net.ssl package.
- #
diff --git a/SOURCES/RHBZ-1565658-system-nss-SunEC.patch b/SOURCES/RHBZ-1565658-system-nss-SunEC.patch
deleted file mode 100644
index 42ce7cd..0000000
--- a/SOURCES/RHBZ-1565658-system-nss-SunEC.patch
+++ /dev/null
@@ -1,644 +0,0 @@
-diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
---- a/make/autoconf/jdk-options.m4
-+++ b/make/autoconf/jdk-options.m4
-@@ -267,9 +267,10 @@
- #
- AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
- [
-+ AC_REQUIRE([LIB_SETUP_MISC_LIBS])
- AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
-
-- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
-+ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
- ENABLE_INTREE_EC=true
- AC_MSG_RESULT([yes])
- else
-diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
---- a/make/autoconf/libraries.m4
-+++ b/make/autoconf/libraries.m4
-@@ -178,6 +178,48 @@
- AC_SUBST(LIBDL)
- LIBS="$save_LIBS"
-
-+ ###############################################################################
-+ #
-+ # Check for the NSS libraries
-+ #
-+
-+ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries])
-+
-+ # default is bundled
-+ DEFAULT_SYSTEM_NSS=no
-+
-+ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss],
-+ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])],
-+ [
-+ case "${enableval}" in
-+ yes)
-+ system_nss=yes
-+ ;;
-+ *)
-+ system_nss=no
-+ ;;
-+ esac
-+ ],
-+ [
-+ system_nss=${DEFAULT_SYSTEM_NSS}
-+ ])
-+ AC_MSG_RESULT([$system_nss])
-+
-+ if test "x${system_nss}" = "xyes"; then
-+ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
-+ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no])
-+ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then
-+ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl";
-+ USE_EXTERNAL_NSS=true
-+ else
-+ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.])
-+ fi
-+ else
-+ USE_EXTERNAL_NSS=false
-+ fi
-+ AC_SUBST(USE_EXTERNAL_NSS)
-+
-+
- # Deprecated libraries, keep the flags for backwards compatibility
- if test "x$OPENJDK_TARGET_OS" = "xwindows"; then
- BASIC_DEPRECATED_ARG_WITH([dxsdk])
-diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
---- a/make/autoconf/spec.gmk.in
-+++ b/make/autoconf/spec.gmk.in
-@@ -795,6 +795,10 @@
- # Libraries
- #
-
-+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk
---- a/make/lib/Lib-jdk.crypto.ec.gmk
-+++ b/make/lib/Lib-jdk.crypto.ec.gmk
-@@ -38,6 +38,11 @@
- BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(CXXFLAGS_JDKLIB)
- endif
-
-+ ifeq ($(USE_EXTERNAL_NSS), true)
-+ BUILD_LIBSUNEC_CFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
-+ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
-+ endif
-+
- $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \
- NAME := sunec, \
- TOOLCHAIN := TOOLCHAIN_LINK_CXX, \
-@@ -47,9 +52,11 @@
- CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB), \
- DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough, \
- DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \
-- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \
-+ LDFLAGS := $(subst -Xlinker --as-needed,, \
-+ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \
- LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \
- LIBS := $(LIBCXX), \
-+ LIBS_linux := -lc $(NSS_LIBS), \
- ))
-
- TARGETS += $(BUILD_LIBSUNEC)
-diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h
---- a/src/java.base/unix/native/include/jni_md.h
-+++ b/src/java.base/unix/native/include/jni_md.h
-@@ -41,6 +41,11 @@
- #define JNIEXPORT
- #define JNIIMPORT
- #endif
-+#if (defined(__GNUC__)) || __has_attribute(unused)
-+ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
-+#else
-+ #define UNUSED(x) UNUSED_ ## x
-+#endif
-
- #define JNICALL
-
-diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-@@ -61,6 +61,7 @@
- AccessController.doPrivileged(new PrivilegedAction() {
- public Void run() {
- System.loadLibrary("sunec"); // check for native library
-+ initialize();
- return null;
- }
- });
-@@ -293,6 +294,11 @@
- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
- }
-
-+ /**
-+ * Initialize the native code.
-+ */
-+ private static native void initialize();
-+
- private void putXDHEntries() {
-
- HashMap ATTRS = new HashMap<>(1);
-diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
---- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
-+++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
-@@ -25,7 +25,11 @@
-
- #include
- #include "jni_util.h"
-+#ifdef SYSTEM_NSS
-+#include "ecc_impl.h"
-+#else
- #include "impl/ecc_impl.h"
-+#endif
- #include "sun_security_ec_ECDHKeyAgreement.h"
- #include "sun_security_ec_ECKeyPairGenerator.h"
- #include "sun_security_ec_ECDSASignature.h"
-@@ -33,6 +37,13 @@
- #define INVALID_PARAMETER_EXCEPTION \
- "java/security/InvalidParameterException"
- #define KEY_EXCEPTION "java/security/KeyException"
-+#define INTERNAL_ERROR "java/lang/InternalError"
-+
-+#ifdef SYSTEM_NSS
-+#define SYSTEM_UNUSED(x) UNUSED(x)
-+#else
-+#define SYSTEM_UNUSED(x) x
-+#endif
-
- extern "C" {
-
-@@ -55,8 +66,13 @@
- /*
- * Deep free of the ECParams struct
- */
--void FreeECParams(ECParams *ecparams, jboolean freeStruct)
-+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
- {
-+#ifdef SYSTEM_NSS
-+ // Needs to be freed using the matching method to the one
-+ // that allocated it. PR_TRUE means the memory is zeroed.
-+ PORT_FreeArena(ecparams->arena, PR_TRUE);
-+#else
- // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
- // Use B_TRUE to free both
-
-@@ -70,6 +86,7 @@
- SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
- if (freeStruct)
- free(ecparams);
-+#endif
- }
-
- jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
-@@ -139,7 +156,7 @@
- */
- JNIEXPORT jobjectArray
- JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
-- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
-+ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed)
- {
- ECPrivateKey *privKey = NULL; // contains both public and private values
- ECParams *ecparams = NULL;
-@@ -171,8 +188,17 @@
- env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
-
- // Generate the new keypair (using the supplied seed)
-+#ifdef SYSTEM_NSS
-+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
-+ != SECSuccess) {
-+ ThrowException(env, KEY_EXCEPTION);
-+ goto cleanup;
-+ }
-+ if (EC_NewKey(ecparams, &privKey) != SECSuccess) {
-+#else
- if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
- jSeedLength, 0) != SECSuccess) {
-+#endif
- ThrowException(env, KEY_EXCEPTION);
- goto cleanup;
- }
-@@ -219,10 +245,15 @@
- }
- if (privKey) {
- FreeECParams(&privKey->ecParams, false);
-+#ifndef SYSTEM_NSS
-+ // The entire ECPrivateKey is allocated in the arena
-+ // when using system NSS, so only the in-tree version
-+ // needs to clear these manually.
- SECITEM_FreeItem(&privKey->version, B_FALSE);
- SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
- SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
- free(privKey);
-+#endif
- }
-
- if (pSeedBuffer) {
-@@ -240,7 +271,7 @@
- */
- JNIEXPORT jbyteArray
- JNICALL Java_sun_security_ec_ECDSASignature_signDigest
-- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
-+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
- {
- jbyte* pDigestBuffer = NULL;
- jint jDigestLength = env->GetArrayLength(digest);
-@@ -299,8 +330,18 @@
- env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
-
- // Sign the digest (using the supplied seed)
-+#ifdef SYSTEM_NSS
-+ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
-+ != SECSuccess) {
-+ ThrowException(env, KEY_EXCEPTION);
-+ goto cleanup;
-+ }
-+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item)
-+ != SECSuccess) {
-+#else
- if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
- (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
-+#endif
- ThrowException(env, KEY_EXCEPTION);
- goto cleanup;
- }
-@@ -349,7 +390,7 @@
- */
- JNIEXPORT jboolean
- JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
-- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
-+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
- {
- jboolean isValid = false;
-
-@@ -406,9 +447,10 @@
-
- cleanup:
- {
-- if (params_item.data)
-+ if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
-+ }
-
- if (pubKey.publicValue.data)
- env->ReleaseByteArrayElements(publicKey,
-@@ -434,7 +476,7 @@
- */
- JNIEXPORT jbyteArray
- JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
-- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
-+ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
- {
- jbyteArray jSecret = NULL;
- ECParams *ecparams = NULL;
-@@ -510,9 +552,10 @@
- env->ReleaseByteArrayElements(publicKey,
- (jbyte *) publicValue_item.data, JNI_ABORT);
-
-- if (params_item.data)
-+ if (params_item.data) {
- env->ReleaseByteArrayElements(encodedParams,
- (jbyte *) params_item.data, JNI_ABORT);
-+ }
-
- if (ecparams)
- FreeECParams(ecparams, true);
-@@ -521,4 +564,28 @@
- return jSecret;
- }
-
-+JNIEXPORT void
-+JNICALL Java_sun_security_ec_SunEC_initialize
-+ (JNIEnv *env, jclass UNUSED(clazz))
-+{
-+#ifdef SYSTEM_NSS
-+ if (SECOID_Init() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+ if (RNG_RNGInit() != SECSuccess) {
-+ ThrowException(env, INTERNAL_ERROR);
-+ }
-+#endif
-+}
-+
-+JNIEXPORT void
-+JNICALL JNI_OnUnload
-+ (JavaVM *vm, void *reserved)
-+{
-+#ifdef SYSTEM_NSS
-+ RNG_RNGShutdown();
-+ SECOID_Shutdown();
-+#endif
-+}
-+
- } /* extern "C" */
-diff --git a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h
-new file mode 100644
---- /dev/null
-+++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h
-@@ -0,0 +1,298 @@
-+/*
-+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
-+ * Use is subject to license terms.
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this library; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/* *********************************************************************
-+ *
-+ * The Original Code is the Netscape security libraries.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ * Dr Vipul Gupta and
-+ * Douglas Stebila , Sun Microsystems Laboratories
-+ *
-+ * Last Modified Date from the Original Code: May 2017
-+ *********************************************************************** */
-+
-+#ifndef _ECC_IMPL_H
-+#define _ECC_IMPL_H
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+#include
-+
-+#ifdef SYSTEM_NSS
-+#include
-+#include
-+#include
-+#ifdef LEGACY_NSS
-+#include
-+#else
-+#include
-+#endif
-+#else
-+#include "ecl-exp.h"
-+#endif
-+
-+/*
-+ * Multi-platform definitions
-+ */
-+#ifdef __linux__
-+#define B_FALSE FALSE
-+#define B_TRUE TRUE
-+typedef unsigned char uint8_t;
-+typedef unsigned long ulong_t;
-+typedef enum { B_FALSE, B_TRUE } boolean_t;
-+#endif /* __linux__ */
-+
-+#ifdef _ALLBSD_SOURCE
-+#include
-+#define B_FALSE FALSE
-+#define B_TRUE TRUE
-+typedef unsigned long ulong_t;
-+typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
-+#endif /* _ALLBSD_SOURCE */
-+
-+#ifdef AIX
-+#define B_FALSE FALSE
-+#define B_TRUE TRUE
-+typedef unsigned char uint8_t;
-+typedef unsigned long ulong_t;
-+#endif /* AIX */
-+
-+#ifdef _WIN32
-+typedef unsigned char uint8_t;
-+typedef unsigned long ulong_t;
-+typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
-+#define strdup _strdup /* Replace POSIX name with ISO C++ name */
-+#endif /* _WIN32 */
-+
-+#ifndef _KERNEL
-+#include
-+#endif /* _KERNEL */
-+
-+#define EC_MAX_DIGEST_LEN 1024 /* max digest that can be signed */
-+#define EC_MAX_POINT_LEN 145 /* max len of DER encoded Q */
-+#define EC_MAX_VALUE_LEN 72 /* max len of ANSI X9.62 private value d */
-+#define EC_MAX_SIG_LEN 144 /* max signature len for supported curves */
-+#define EC_MIN_KEY_LEN 112 /* min key length in bits */
-+#define EC_MAX_KEY_LEN 571 /* max key length in bits */
-+#define EC_MAX_OID_LEN 10 /* max length of OID buffer */
-+
-+/*
-+ * Various structures and definitions from NSS are here.
-+ */
-+
-+#ifndef SYSTEM_NSS
-+#ifdef _KERNEL
-+#define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f))
-+#define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f))
-+#define PORT_ArenaGrow(a, b, c, d) NULL
-+#define PORT_ZAlloc(n, f) kmem_zalloc((n), (f))
-+#define PORT_Alloc(n, f) kmem_alloc((n), (f))
-+#else
-+#define PORT_ArenaAlloc(a, n, f) malloc((n))
-+#define PORT_ArenaZAlloc(a, n, f) calloc(1, (n))
-+#define PORT_ArenaGrow(a, b, c, d) NULL
-+#define PORT_ZAlloc(n, f) calloc(1, (n))
-+#define PORT_Alloc(n, f) malloc((n))
-+#endif
-+
-+#define PORT_NewArena(b) (char *)12345
-+#define PORT_ArenaMark(a) NULL
-+#define PORT_ArenaUnmark(a, b)
-+#define PORT_ArenaRelease(a, m)
-+#define PORT_FreeArena(a, b)
-+#define PORT_Strlen(s) strlen((s))
-+#define PORT_SetError(e)
-+
-+#define PRBool boolean_t
-+#define PR_TRUE B_TRUE
-+#define PR_FALSE B_FALSE
-+
-+#ifdef _KERNEL
-+#define PORT_Assert ASSERT
-+#define PORT_Memcpy(t, f, l) bcopy((f), (t), (l))
-+#else
-+#define PORT_Assert assert
-+#define PORT_Memcpy(t, f, l) memcpy((t), (f), (l))
-+#endif
-+
-+#endif
-+
-+#define CHECK_OK(func) if (func == NULL) goto cleanup
-+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
-+
-+#ifndef SYSTEM_NSS
-+typedef enum {
-+ siBuffer = 0,
-+ siClearDataBuffer = 1,
-+ siCipherDataBuffer = 2,
-+ siDERCertBuffer = 3,
-+ siEncodedCertBuffer = 4,
-+ siDERNameBuffer = 5,
-+ siEncodedNameBuffer = 6,
-+ siAsciiNameString = 7,
-+ siAsciiString = 8,
-+ siDEROID = 9,
-+ siUnsignedInteger = 10,
-+ siUTCTime = 11,
-+ siGeneralizedTime = 12
-+} SECItemType;
-+
-+typedef struct SECItemStr SECItem;
-+
-+struct SECItemStr {
-+ SECItemType type;
-+ unsigned char *data;
-+ unsigned int len;
-+};
-+
-+typedef SECItem SECKEYECParams;
-+
-+typedef enum { ec_params_explicit,
-+ ec_params_named
-+} ECParamsType;
-+
-+typedef enum { ec_field_GFp = 1,
-+ ec_field_GF2m
-+} ECFieldType;
-+
-+struct ECFieldIDStr {
-+ int size; /* field size in bits */
-+ ECFieldType type;
-+ union {
-+ SECItem prime; /* prime p for (GFp) */
-+ SECItem poly; /* irreducible binary polynomial for (GF2m) */
-+ } u;
-+ int k1; /* first coefficient of pentanomial or
-+ * the only coefficient of trinomial
-+ */
-+ int k2; /* two remaining coefficients of pentanomial */
-+ int k3;
-+};
-+typedef struct ECFieldIDStr ECFieldID;
-+
-+struct ECCurveStr {
-+ SECItem a; /* contains octet stream encoding of
-+ * field element (X9.62 section 4.3.3)
-+ */
-+ SECItem b;
-+ SECItem seed;
-+};
-+typedef struct ECCurveStr ECCurve;
-+
-+typedef void PRArenaPool;
-+
-+struct ECParamsStr {
-+ PRArenaPool * arena;
-+ ECParamsType type;
-+ ECFieldID fieldID;
-+ ECCurve curve;
-+ SECItem base;
-+ SECItem order;
-+ int cofactor;
-+ SECItem DEREncoding;
-+ ECCurveName name;
-+ SECItem curveOID;
-+};
-+typedef struct ECParamsStr ECParams;
-+
-+struct ECPublicKeyStr {
-+ ECParams ecParams;
-+ SECItem publicValue; /* elliptic curve point encoded as
-+ * octet stream.
-+ */
-+};
-+typedef struct ECPublicKeyStr ECPublicKey;
-+
-+struct ECPrivateKeyStr {
-+ ECParams ecParams;
-+ SECItem publicValue; /* encoded ec point */
-+ SECItem privateValue; /* private big integer */
-+ SECItem version; /* As per SEC 1, Appendix C, Section C.4 */
-+};
-+typedef struct ECPrivateKeyStr ECPrivateKey;
-+
-+typedef enum _SECStatus {
-+ SECBufferTooSmall = -3,
-+ SECWouldBlock = -2,
-+ SECFailure = -1,
-+ SECSuccess = 0
-+} SECStatus;
-+#endif
-+
-+#ifdef _KERNEL
-+#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
-+#else
-+/*
-+ This function is no longer required because the random bytes are now
-+ supplied by the caller. Force a failure.
-+*/
-+#ifndef SYSTEM_NSS
-+#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
-+#endif
-+#endif
-+#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
-+#define MP_TO_SEC_ERROR(err)
-+
-+#define SECITEM_TO_MPINT(it, mp) \
-+ CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
-+
-+extern int ecc_knzero_random_generator(uint8_t *, size_t);
-+extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
-+
-+#ifdef SYSTEM_NSS
-+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
-+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
-+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
-+#else
-+extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
-+
-+extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
-+extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
-+ int);
-+extern void SECITEM_FreeItem(SECItem *, boolean_t);
-+
-+/* This function has been modified to accept an array of random bytes */
-+extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
-+ const unsigned char* random, int randomlen, int);
-+/* This function has been modified to accept an array of random bytes */
-+extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
-+ const unsigned char* random, int randomlen, int, int timing);
-+extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
-+ const SECItem *, int);
-+extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
-+ SECItem *, int);
-+#endif
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif /* _ECC_IMPL_H */
diff --git a/SOURCES/RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch b/SOURCES/RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
deleted file mode 100644
index 7edc7a1..0000000
--- a/SOURCES/RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -r 1ddf9a99e4ad src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp
---- a/src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp Wed Aug 22 21:50:12 2018 +0200
-+++ b/src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp Thu Sep 13 13:51:53 2018 +0100
-@@ -5745,11 +5745,13 @@
- }
-
- if (vmIntrinsics::is_intrinsic_available(vmIntrinsics::_dsin)) {
-- StubRoutines::_dsin = generate_dsin_dcos(/* isCos = */ false);
-+ // disabled pending fix and retest of generated code
-+ // StubRoutines::_dsin = generate_dsin_dcos(/* isCos = */ false);
- }
-
- if (vmIntrinsics::is_intrinsic_available(vmIntrinsics::_dcos)) {
-- StubRoutines::_dcos = generate_dsin_dcos(/* isCos = */ true);
-+ // disabled pending fix and retest of generated code
-+ // StubRoutines::_dcos = generate_dsin_dcos(/* isCos = */ true);
- }
- }
diff --git a/SOURCES/RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch b/SOURCES/RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
deleted file mode 100644
index 7f3c8af..0000000
--- a/SOURCES/RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp b/src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp
---- a/src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp
-+++ b/src/hotspot/cpu/aarch64/stubGenerator_aarch64.cpp
-@@ -5741,7 +5741,8 @@
- }
-
- if (vmIntrinsics::is_intrinsic_available(vmIntrinsics::_dlog)) {
-- StubRoutines::_dlog = generate_dlog();
-+ // disabled pending fix and retest of generated code
-+ // StubRoutines::_dlog = generate_dlog();
- }
-
- if (vmIntrinsics::is_intrinsic_available(vmIntrinsics::_dsin)) {
diff --git a/SOURCES/accessible-toolkit.patch b/SOURCES/accessible-toolkit.patch
deleted file mode 100644
index a877506..0000000
--- a/SOURCES/accessible-toolkit.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java
---- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
-+++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
-@@ -883,9 +883,13 @@
- return null;
- }
- });
- if (!GraphicsEnvironment.isHeadless()) {
-- loadAssistiveTechnologies();
-+ try {
-+ loadAssistiveTechnologies();
-+ } catch (AWTError error) {
-+ // ignore silently
-+ }
- }
- }
- return toolkit;
- }
diff --git a/SOURCES/enableCommentedOutSystemNss.patch b/SOURCES/enableCommentedOutSystemNss.patch
deleted file mode 100644
index 1b92ddc..0000000
--- a/SOURCES/enableCommentedOutSystemNss.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700
-+++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200
-@@ -83,6 +83,7 @@
- #ifndef solaris
- security.provider.tbd=SunPKCS11
- #endif
-+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
-
- #
- # A list of preferred providers for specific algorithms. These providers will
diff --git a/SOURCES/java-atk-wrapper-security.patch b/SOURCES/java-atk-wrapper-security.patch
deleted file mode 100644
index 53026ad..0000000
--- a/SOURCES/java-atk-wrapper-security.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- openjdk/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -304,6 +304,8 @@
- #
- package.access=sun.misc.,\
- sun.reflect.,\
-+ org.GNOME.Accessibility.,\
-+ org.GNOME.Bonobo.,\
-
- #
- # List of comma-separated packages that start with or equal this string
-@@ -316,6 +318,8 @@
- #
- package.definition=sun.misc.,\
- sun.reflect.,\
-+ org.GNOME.Accessibility.,\
-+ org.GNOME.Bonobo.,\
-
- #
- # Determines whether this properties file can be appended to
diff --git a/SOURCES/jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch b/SOURCES/jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
new file mode 100644
index 0000000..16eb4da
--- /dev/null
+++ b/SOURCES/jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
@@ -0,0 +1,84 @@
+# HG changeset patch
+# User sgehwolf
+# Date 1536142767 -7200
+# Wed Sep 05 12:19:27 2018 +0200
+# Node ID 7ea57274e55054579d1532e757edb21e67beed83
+# Parent 3ee91722550680c18b977f0e00b1013323b5c9ef
+8210416: [linux] Poor StrictMath performance due to non-optimized compilation
+Summary: Compile fdlibm with -O2 -ffp-contract=off on gcc/clang arches.
+Reviewed-by: aph, erikj, dholmes, darcy
+
+diff --git a/make/autoconf/flags-cflags.m4 b/make/autoconf/flags-cflags.m4
+--- a/make/autoconf/flags-cflags.m4
++++ b/make/autoconf/flags-cflags.m4
+@@ -366,6 +366,18 @@
+
+ FLAGS_SETUP_CFLAGS_CPU_DEP([BUILD], [OPENJDK_BUILD_])
+
++ COMPILER_FP_CONTRACT_OFF_FLAG="-ffp-contract=off"
++ # Check that the compiler supports -ffp-contract=off flag
++ # Set FDLIBM_CFLAGS to -ffp-contract=off if it does. Empty
++ # otherwise.
++ # These flags are required for GCC-based builds of
++ # fdlibm with optimization without losing precision.
++ # Notably, -ffp-contract=off needs to be added for GCC >= 4.6.
++ FLAGS_COMPILER_CHECK_ARGUMENTS(ARGUMENT: [${COMPILER_FP_CONTRACT_OFF_FLAG}],
++ IF_TRUE: [FDLIBM_CFLAGS=${COMPILER_FP_CONTRACT_OFF_FLAG}],
++ IF_FALSE: [FDLIBM_CFLAGS=""])
++ AC_SUBST(FDLIBM_CFLAGS)
++
+ # Tests are only ever compiled for TARGET
+ CFLAGS_TESTLIB="$CFLAGS_JDKLIB"
+ CXXFLAGS_TESTLIB="$CXXFLAGS_JDKLIB"
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -444,6 +444,7 @@
+ LIBJSIG_HASHSTYLE_LDFLAGS := @LIBJSIG_HASHSTYLE_LDFLAGS@
+ LIBJSIG_NOEXECSTACK_LDFLAGS := @LIBJSIG_NOEXECSTACK_LDFLAGS@
+
++FDLIBM_CFLAGS := @FDLIBM_CFLAGS@
+ JVM_CFLAGS := @JVM_CFLAGS@
+ JVM_LDFLAGS := @JVM_LDFLAGS@
+ JVM_ASFLAGS := @JVM_ASFLAGS@
+diff --git a/make/lib/CoreLibraries.gmk b/make/lib/CoreLibraries.gmk
+--- a/make/lib/CoreLibraries.gmk
++++ b/make/lib/CoreLibraries.gmk
+@@ -39,20 +39,15 @@
+ BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
+ endif
+
+-ifeq ($(OPENJDK_TARGET_OS), linux)
+- ifeq ($(OPENJDK_TARGET_CPU), ppc64)
+- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
+- else ifeq ($(OPENJDK_TARGET_CPU), ppc64le)
+- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
+- else ifeq ($(OPENJDK_TARGET_CPU), s390x)
+- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
+- else ifeq ($(OPENJDK_TARGET_CPU), aarch64)
+- BUILD_LIBFDLIBM_OPTIMIZATION := HIGH
+- endif
++# If FDLIBM_CFLAGS is non-empty we know that we can optimize
++# fdlibm by adding those extra C flags. Currently GCC,
++# and clang only.
++ifneq ($(FDLIBM_CFLAGS), )
++ BUILD_LIBFDLIBM_OPTIMIZATION := LOW
+ endif
+
+ LIBFDLIBM_SRC := $(TOPDIR)/src/java.base/share/native/libfdlibm
+-LIBFDLIBM_CFLAGS := -I$(LIBFDLIBM_SRC)
++LIBFDLIBM_CFLAGS := -I$(LIBFDLIBM_SRC) $(FDLIBM_CFLAGS)
+
+ ifneq ($(OPENJDK_TARGET_OS), macosx)
+ $(eval $(call SetupNativeCompilation, BUILD_LIBFDLIBM, \
+@@ -64,10 +59,6 @@
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBFDLIBM_CFLAGS), \
+ CFLAGS_windows_debug := -DLOGGING, \
+ CFLAGS_aix := -qfloat=nomaf, \
+- CFLAGS_linux_ppc64 := -ffp-contract=off, \
+- CFLAGS_linux_ppc64le := -ffp-contract=off, \
+- CFLAGS_linux_s390x := -ffp-contract=off, \
+- CFLAGS_linux_aarch64 := -ffp-contract=off, \
+ DISABLED_WARNINGS_gcc := sign-compare misleading-indentation array-bounds, \
+ DISABLED_WARNINGS_microsoft := 4146 4244 4018, \
+ ARFLAGS := $(ARFLAGS), \
diff --git a/SOURCES/jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch b/SOURCES/jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
new file mode 100644
index 0000000..843ae3c
--- /dev/null
+++ b/SOURCES/jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
@@ -0,0 +1,48 @@
+# HG changeset patch
+# User sgehwolf
+# Date 1536682731 -7200
+# Tue Sep 11 18:18:51 2018 +0200
+# Node ID 7157249fdd4366d95dd68f3d083ebb0ef84c753b
+# Parent 8d86b149e10f0a0896e5fd4d8d407e5fda64a529
+8210425: [x86] sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
+Reviewed-by: duke
+
+diff --git a/make/hotspot/lib/JvmOverrideFiles.gmk b/make/hotspot/lib/JvmOverrideFiles.gmk
+--- a/make/hotspot/lib/JvmOverrideFiles.gmk
++++ b/make/hotspot/lib/JvmOverrideFiles.gmk
+@@ -43,20 +43,26 @@ ifeq ($(TOOLCHAIN_TYPE), gcc)
+ endif
+ endif
+
++LIBJVM_FDLIBM_COPY_OPT_FLAG := $(CXX_O_FLAG_NONE)
++# If the FDLIBM_CFLAGS variable is non-empty we know
++# that the fdlibm-fork in hotspot can get optimized
++# by using -ffp-contract=off on GCC/Clang platforms.
++ifneq ($(FDLIBM_CFLAGS), )
++ LIBJVM_FDLIBM_COPY_OPT_FLAG := $(CXX_O_FLAG_NORM)
++endif
++
+ ifeq ($(OPENJDK_TARGET_OS), linux)
+ BUILD_LIBJVM_ostream.cpp_CXXFLAGS := -D_FILE_OFFSET_BITS=64
+ BUILD_LIBJVM_logFileOutput.cpp_CXXFLAGS := -D_FILE_OFFSET_BITS=64
+
+- ifeq ($(OPENJDK_TARGET_CPU_ARCH), x86)
+- BUILD_LIBJVM_sharedRuntimeTrig.cpp_CXXFLAGS := -DNO_PCH $(CXX_O_FLAG_NONE)
+- BUILD_LIBJVM_sharedRuntimeTrans.cpp_CXXFLAGS := -DNO_PCH $(CXX_O_FLAG_NONE)
++ BUILD_LIBJVM_sharedRuntimeTrig.cpp_CXXFLAGS := -DNO_PCH $(FDLIBM_CFLAGS) $(LIBJVM_FDLIBM_COPY_OPT_FLAG)
++ BUILD_LIBJVM_sharedRuntimeTrans.cpp_CXXFLAGS := -DNO_PCH $(FDLIBM_CFLAGS) $(LIBJVM_FDLIBM_COPY_OPT_FLAG)
+
+- ifeq ($(TOOLCHAIN_TYPE), clang)
+- JVM_PRECOMPILED_HEADER_EXCLUDE := \
+- sharedRuntimeTrig.cpp \
+- sharedRuntimeTrans.cpp \
+- #
+- endif
++ ifeq ($(TOOLCHAIN_TYPE), clang)
++ JVM_PRECOMPILED_HEADER_EXCLUDE := \
++ sharedRuntimeTrig.cpp \
++ sharedRuntimeTrans.cpp \
++ #
+ endif
+
+ ifeq ($(OPENJDK_TARGET_CPU), x86)
diff --git a/SOURCES/jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch b/SOURCES/jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch
new file mode 100644
index 0000000..a279f8a
--- /dev/null
+++ b/SOURCES/jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch
@@ -0,0 +1,21 @@
+# HG changeset patch
+# User sgehwolf
+# Date 1536751862 -7200
+# Wed Sep 12 13:31:02 2018 +0200
+# Node ID f95c6746fe256fe0456e0ea0d2930631ef840286
+# Parent 7157249fdd4366d95dd68f3d083ebb0ef84c753b
+8210647: libsaproc is being compiled without optimization
+Reviewed-by: duke
+
+diff --git a/make/lib/Lib-jdk.hotspot.agent.gmk b/make/lib/Lib-jdk.hotspot.agent.gmk
+--- a/make/lib/Lib-jdk.hotspot.agent.gmk
++++ b/make/lib/Lib-jdk.hotspot.agent.gmk
+@@ -52,7 +52,7 @@
+
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSA, \
+ NAME := saproc, \
+- OPTIMIZATION := NONE, \
++ OPTIMIZATION := LOW, \
+ DISABLED_WARNINGS_microsoft := 4267, \
+ DISABLED_WARNINGS_gcc := sign-compare, \
+ DISABLED_WARNINGS_CXX_solstudio := truncwarn unknownpragma, \
diff --git a/SOURCES/jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0 b/SOURCES/jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
new file mode 100644
index 0000000..6fc6c07
--- /dev/null
+++ b/SOURCES/jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
@@ -0,0 +1,21 @@
+# HG changeset patch
+# User sgehwolf
+# Date 1536829660 -7200
+# Thu Sep 13 11:07:40 2018 +0200
+# Node ID 39ccca116f79139fc4b779f5df83cb32357b9ae9
+# Parent 7512bd28304cf0dc5676247990f1907162c719ca
+8210703: vmStructs.cpp compiled with -O0
+Reviewed-by: duke
+
+diff --git a/make/hotspot/lib/JvmOverrideFiles.gmk b/make/hotspot/lib/JvmOverrideFiles.gmk
+--- a/make/hotspot/lib/JvmOverrideFiles.gmk
++++ b/make/hotspot/lib/JvmOverrideFiles.gmk
+@@ -30,7 +30,7 @@
+ # status for individual files on specific platforms.
+
+ ifeq ($(TOOLCHAIN_TYPE), gcc)
+- BUILD_LIBJVM_vmStructs.cpp_CXXFLAGS := -fno-var-tracking-assignments -O0
++ BUILD_LIBJVM_vmStructs.cpp_CXXFLAGS := -fno-var-tracking-assignments
+ BUILD_LIBJVM_jvmciCompilerToVM.cpp_CXXFLAGS := -fno-var-tracking-assignments
+ BUILD_LIBJVM_jvmciCompilerToVMInit.cpp_CXXFLAGS := -fno-var-tracking-assignments
+ BUILD_LIBJVM_assembler_x86.cpp_CXXFLAGS := -Wno-maybe-uninitialized
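Review bot: This new source file is named `jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0`, without the `.patch` suffix that every other patch added in this commit carries. If that is unintended, renaming it stops `SOURCES/*.patch` globs and tooling that selects patches by extension from skipping it. The spec file's Patch entry (not visible here) would need the same name.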
diff --git a/SOURCES/jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch b/SOURCES/jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
new file mode 100644
index 0000000..b5a88b0
--- /dev/null
+++ b/SOURCES/jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User sgehwolf
+# Date 1537541916 -7200
+# Fri Sep 21 16:58:36 2018 +0200
+# Node ID cd8483acfe56ade257685d93323f78e6e13704a0
+# Parent e40fa3a70efdbc22f85c0d30350189f632779831
+8210761: libjsig is being compiled without optimization
+Reviewed-by: duke
+
+diff --git a/make/lib/Lib-java.base.gmk b/make/lib/Lib-java.base.gmk
+--- a/make/lib/Lib-java.base.gmk
++++ b/make/lib/Lib-java.base.gmk
+@@ -138,6 +138,7 @@
+
+ $(eval $(call SetupJdkLibrary, BUILD_LIBJSIG, \
+ NAME := jsig, \
++ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBJSIG_CFLAGS), \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
diff --git a/SOURCES/libjpeg-turbo-1.4-compat.patch b/SOURCES/libjpeg-turbo-1.4-compat.patch
deleted file mode 100644
index 1b706a1..0000000
--- a/SOURCES/libjpeg-turbo-1.4-compat.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Remove uses of FAR in jpeg code
-
-Upstream libjpeg-trubo removed the (empty) FAR macro:
-http://sourceforge.net/p/libjpeg-turbo/code/1312/
-
-Adjust our code to not use the undefined FAR macro anymore.
-
-diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-@@ -1385,7 +1385,7 @@
- /* and fill it in */
- dst_ptr = icc_data;
- for (seq_no = first; seq_no < last; seq_no++) {
-- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
-+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
- unsigned int length =
- icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
-
diff --git a/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch b/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
new file mode 100644
index 0000000..999d74e
--- /dev/null
+++ b/SOURCES/pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
@@ -0,0 +1,434 @@
+diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
+--- a/make/autoconf/jdk-options.m4
++++ b/make/autoconf/jdk-options.m4
+@@ -267,9 +267,10 @@
+ #
+ AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
+ [
++ AC_REQUIRE([LIB_SETUP_MISC_LIBS])
+ AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
+
+- if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
++ if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
+ ENABLE_INTREE_EC=true
+ AC_MSG_RESULT([yes])
+ else
+diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
+--- a/make/autoconf/libraries.m4
++++ b/make/autoconf/libraries.m4
+@@ -178,6 +178,48 @@
+ AC_SUBST(LIBDL)
+ LIBS="$save_LIBS"
+
++ ###############################################################################
++ #
++ # Check for the NSS libraries
++ #
++
++ AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries])
++
++ # default is bundled
++ DEFAULT_SYSTEM_NSS=no
++
++ AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss],
++ [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ system_nss=yes
++ ;;
++ *)
++ system_nss=no
++ ;;
++ esac
++ ],
++ [
++ system_nss=${DEFAULT_SYSTEM_NSS}
++ ])
++ AC_MSG_RESULT([$system_nss])
++
++ if test "x${system_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
++ PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then
++ NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl";
++ USE_EXTERNAL_NSS=true
++ else
++ AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.])
++ fi
++ else
++ USE_EXTERNAL_NSS=false
++ fi
++ AC_SUBST(USE_EXTERNAL_NSS)
++
++
+ # Deprecated libraries, keep the flags for backwards compatibility
+ if test "x$OPENJDK_TARGET_OS" = "xwindows"; then
+ BASIC_DEPRECATED_ARG_WITH([dxsdk])
+diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
+--- a/make/autoconf/spec.gmk.in
++++ b/make/autoconf/spec.gmk.in
+@@ -795,6 +795,10 @@
+ # Libraries
+ #
+
++USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk
+--- a/make/lib/Lib-jdk.crypto.ec.gmk
++++ b/make/lib/Lib-jdk.crypto.ec.gmk
+@@ -38,6 +38,11 @@
+ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(CXXFLAGS_JDKLIB)
+ endif
+
++ ifeq ($(USE_EXTERNAL_NSS), true)
++ BUILD_LIBSUNEC_CFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
++ BUILD_LIBSUNEC_CXXFLAGS_JDKLIB += $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
++ endif
++
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \
+ NAME := sunec, \
+ TOOLCHAIN := TOOLCHAIN_LINK_CXX, \
+@@ -47,9 +52,11 @@
+ CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB), \
+ DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough, \
+ DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \
+- LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \
++ LDFLAGS := $(subst -Xlinker --as-needed,, \
++ $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \
+ LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LIBS := $(LIBCXX), \
++ LIBS_linux := -lc $(NSS_LIBS), \
+ ))
+
+ TARGETS += $(BUILD_LIBSUNEC)
+diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h
+--- a/src/java.base/unix/native/include/jni_md.h
++++ b/src/java.base/unix/native/include/jni_md.h
+@@ -41,6 +41,11 @@
+ #define JNIEXPORT
+ #define JNIIMPORT
+ #endif
++#if (defined(__GNUC__)) || __has_attribute(unused)
++ #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
++#else
++ #define UNUSED(x) UNUSED_ ## x
++#endif
+
+ #define JNICALL
+
+diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+--- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
++++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+@@ -61,6 +61,7 @@
+ AccessController.doPrivileged(new PrivilegedAction() {
+ public Void run() {
+ System.loadLibrary("sunec"); // check for native library
++ initialize();
+ return null;
+ }
+ });
+@@ -293,6 +294,11 @@
+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
+ }
+
++ /**
++ * Initialize the native code.
++ */
++ private static native void initialize();
++
+ private void putXDHEntries() {
+
+ HashMap ATTRS = new HashMap<>(1);
+diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
+--- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
++++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
+@@ -25,7 +25,11 @@
+
+ #include
+ #include "jni_util.h"
++#ifdef SYSTEM_NSS
++#include "ecc_impl.h"
++#else
+ #include "impl/ecc_impl.h"
++#endif
+ #include "sun_security_ec_ECDHKeyAgreement.h"
+ #include "sun_security_ec_ECKeyPairGenerator.h"
+ #include "sun_security_ec_ECDSASignature.h"
+@@ -33,6 +37,13 @@
+ #define INVALID_PARAMETER_EXCEPTION \
+ "java/security/InvalidParameterException"
+ #define KEY_EXCEPTION "java/security/KeyException"
++#define INTERNAL_ERROR "java/lang/InternalError"
++
++#ifdef SYSTEM_NSS
++#define SYSTEM_UNUSED(x) UNUSED(x)
++#else
++#define SYSTEM_UNUSED(x) x
++#endif
+
+ extern "C" {
+
+@@ -55,8 +66,13 @@
+ /*
+ * Deep free of the ECParams struct
+ */
+-void FreeECParams(ECParams *ecparams, jboolean freeStruct)
++void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
+ {
++#ifdef SYSTEM_NSS
++ // Needs to be freed using the matching method to the one
++ // that allocated it. PR_TRUE means the memory is zeroed.
++ PORT_FreeArena(ecparams->arena, PR_TRUE);
++#else
+ // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
+ // Use B_TRUE to free both
+
+@@ -70,6 +86,7 @@
+ SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
+ if (freeStruct)
+ free(ecparams);
++#endif
+ }
+
+ jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
+@@ -139,7 +156,7 @@
+ */
+ JNIEXPORT jobjectArray
+ JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
+- (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
++ (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed)
+ {
+ ECPrivateKey *privKey = NULL; // contains both public and private values
+ ECParams *ecparams = NULL;
+@@ -171,8 +188,17 @@
+ env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
+
+ // Generate the new keypair (using the supplied seed)
++#ifdef SYSTEM_NSS
++ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
++ != SECSuccess) {
++ ThrowException(env, KEY_EXCEPTION);
++ goto cleanup;
++ }
++ if (EC_NewKey(ecparams, &privKey) != SECSuccess) {
++#else
+ if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
+ jSeedLength, 0) != SECSuccess) {
++#endif
+ ThrowException(env, KEY_EXCEPTION);
+ goto cleanup;
+ }
+@@ -219,10 +245,15 @@
+ }
+ if (privKey) {
+ FreeECParams(&privKey->ecParams, false);
++#ifndef SYSTEM_NSS
++ // The entire ECPrivateKey is allocated in the arena
++ // when using system NSS, so only the in-tree version
++ // needs to clear these manually.
+ SECITEM_FreeItem(&privKey->version, B_FALSE);
+ SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
+ SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
+ free(privKey);
++#endif
+ }
+
+ if (pSeedBuffer) {
+@@ -240,7 +271,7 @@
+ */
+ JNIEXPORT jbyteArray
+ JNICALL Java_sun_security_ec_ECDSASignature_signDigest
+- (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
+ {
+ jbyte* pDigestBuffer = NULL;
+ jint jDigestLength = env->GetArrayLength(digest);
+@@ -299,8 +330,18 @@
+ env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
+
+ // Sign the digest (using the supplied seed)
++#ifdef SYSTEM_NSS
++ if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
++ != SECSuccess) {
++ ThrowException(env, KEY_EXCEPTION);
++ goto cleanup;
++ }
++ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item)
++ != SECSuccess) {
++#else
+ if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
+ (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
++#endif
+ ThrowException(env, KEY_EXCEPTION);
+ goto cleanup;
+ }
+@@ -349,7 +390,7 @@
+ */
+ JNIEXPORT jboolean
+ JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
+- (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
+ {
+ jboolean isValid = false;
+
+@@ -406,9 +447,10 @@
+
+ cleanup:
+ {
+- if (params_item.data)
++ if (params_item.data) {
+ env->ReleaseByteArrayElements(encodedParams,
+ (jbyte *) params_item.data, JNI_ABORT);
++ }
+
+ if (pubKey.publicValue.data)
+ env->ReleaseByteArrayElements(publicKey,
+@@ -434,7 +476,7 @@
+ */
+ JNIEXPORT jbyteArray
+ JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
+- (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
++ (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
+ {
+ jbyteArray jSecret = NULL;
+ ECParams *ecparams = NULL;
+@@ -510,9 +552,10 @@
+ env->ReleaseByteArrayElements(publicKey,
+ (jbyte *) publicValue_item.data, JNI_ABORT);
+
+- if (params_item.data)
++ if (params_item.data) {
+ env->ReleaseByteArrayElements(encodedParams,
+ (jbyte *) params_item.data, JNI_ABORT);
++ }
+
+ if (ecparams)
+ FreeECParams(ecparams, true);
+@@ -521,4 +564,28 @@
+ return jSecret;
+ }
+
++JNIEXPORT void
++JNICALL Java_sun_security_ec_SunEC_initialize
++ (JNIEnv *env, jclass UNUSED(clazz))
++{
++#ifdef SYSTEM_NSS
++ if (SECOID_Init() != SECSuccess) {
++ ThrowException(env, INTERNAL_ERROR);
++ }
++ if (RNG_RNGInit() != SECSuccess) {
++ ThrowException(env, INTERNAL_ERROR);
++ }
++#endif
++}
++
++JNIEXPORT void
++JNICALL JNI_OnUnload
++ (JavaVM *vm, void *reserved)
++{
++#ifdef SYSTEM_NSS
++ RNG_RNGShutdown();
++ SECOID_Shutdown();
++#endif
++}
++
+ } /* extern "C" */
+--- a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-11 00:01:25.000000000 -0500
++++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h 2019-01-14 03:52:54.145695946 -0500
+@@ -45,7 +45,19 @@
+ #endif
+
+ #include
++
++#ifdef SYSTEM_NSS
++#include
++#include
++#include
++#ifdef LEGACY_NSS
++#include
++#else
++#include
++#endif
++#else
+ #include "ecl-exp.h"
++#endif
+
+ /*
+ * Multi-platform definitions
+@@ -96,6 +108,7 @@
+ * Various structures and definitions from NSS are here.
+ */
+
++#ifndef SYSTEM_NSS
+ #ifdef _KERNEL
+ #define PORT_ArenaAlloc(a, n, f) kmem_alloc((n), (f))
+ #define PORT_ArenaZAlloc(a, n, f) kmem_zalloc((n), (f))
+@@ -130,9 +143,12 @@
+ #define PORT_Memcpy(t, f, l) memcpy((t), (f), (l))
+ #endif
+
++#endif
++
+ #define CHECK_OK(func) if (func == NULL) goto cleanup
+ #define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+
++#ifndef SYSTEM_NSS
+ typedef enum {
+ siBuffer = 0,
+ siClearDataBuffer = 1,
+@@ -229,6 +245,7 @@
+ SECFailure = -1,
+ SECSuccess = 0
+ } SECStatus;
++#endif
+
+ #ifdef _KERNEL
+ #define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
+@@ -237,8 +254,10 @@
+ This function is no longer required because the random bytes are now
+ supplied by the caller. Force a failure.
+ */
++#ifndef SYSTEM_NSS
+ #define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
+ #endif
++#endif
+ #define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
+ #define MP_TO_SEC_ERROR(err)
+
+@@ -248,11 +267,18 @@
+ extern int ecc_knzero_random_generator(uint8_t *, size_t);
+ extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
+
++#ifdef SYSTEM_NSS
++#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
++#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
++#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
++#else
+ extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
++
+ extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
+ extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
+ int);
+ extern void SECITEM_FreeItem(SECItem *, boolean_t);
++
+ /* This function has been modified to accept an array of random bytes */
+ extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
+ const unsigned char* random, int randomlen, int);
+@@ -263,9 +289,10 @@
+ const SECItem *, int);
+ extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
+ SECItem *, int);
++#endif
+
+ #ifdef __cplusplus
+ }
+ #endif
+
+-#endif /* _ECC_IMPL_H */
++#endif /* _ECC_IMPL_H */
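Review bot: In the added `Java_sun_security_ec_SunEC_initialize` (ECC_JNI.cpp section), a failed `SECOID_Init()` throws InternalError but execution falls through to `RNG_RNGInit()`, which can then call `ThrowException` again with an exception already pending; each failure branch should end with `return;` after the throw. Separately, in the libraries.m4 section the pkg-config prefix is spelled `NSS_SOFTTKN` while the following line reads `$NSS_SOFTOKN_LIBS`, so that variable expands empty and the softokn flags never reach `NSS_LIBS`; `PKG_CHECK_MODULES(NSS_SOFTOKN, nss-softokn >= 3.16.1, ...)` makes the names agree. The two `RNG_RandomUpdate` call sites also deserve a comment: under SYSTEM_NSS the Java-supplied seed is only mixed into the NSS generator, the key and signature randomness presumably come from that generator rather than from the seed bytes, and the `timing` argument of `signDigest` is not passed on.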
diff --git a/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
new file mode 100644
index 0000000..4efbe9a
--- /dev/null
+++ b/SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3183: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+@@ -52,6 +55,10 @@
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
++ /* System property file*/
++ private static final String SYSTEM_PROPERTIES =
++ "/etc/crypto-policies/back-ends/java.config";
++
+ /* The java.security properties */
+ private static Properties props;
+
+@@ -93,6 +100,7 @@
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -114,6 +122,31 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
++ if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #
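Review bot: A missing or unreadable `/etc/crypto-policies/back-ends/java.config` is swallowed by the new `catch (IOException e)` block unless the `properties` debug option is on, so a host whose system policy cannot be read runs with the bundled java.security defaults and gives no indication. If that fail-open behaviour is intended, the comment added to java.security should say so, and it should say the file's values override rather than are "appended to", since the code comment states they win on conflict. The `security.overridePropertiesFile` block still follows the new one, so presumably a file named through the `java.security.properties` system property can in turn replace the system policy values; that ordering belongs in the same comment. The added `sdebug.println(props.toString())` lines print every security property whenever that debug option is enabled.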
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
index 95cec20..0e87b0c 100644
--- a/SOURCES/remove-intree-libraries.sh
+++ b/SOURCES/remove-intree-libraries.sh
@@ -94,13 +94,13 @@ if [ ! -d ${PNG_SRC} ]; then
fi
rm -rvf ${PNG_SRC}
-echo "Skipping removal of LCMS on rhel7. Internal will be used intentionally"
-exit 0
echo "Removing lcms"
if [ ! -d ${LCMS_SRC} ]; then
echo "${LCMS_SRC} does not exist. Refusing to proceed."
exit 1
fi
+echo "Skipped on RHEL 7 as system LCMS is too old"
+if [ ! true ]; then
rm -vf ${LCMS_SRC}/cmscam02.c
rm -vf ${LCMS_SRC}/cmscgats.c
rm -vf ${LCMS_SRC}/cmscnvrt.c
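Review bot: `if [ ! true ]; then` disables the LCMS removal only because `[ ! true ]` tests a non-empty string; `if false; then` with the reason as a comment says the same thing without the reader having to work that out. The `${LCMS_SRC}` existence check above it now runs and can still `exit 1` although nothing is removed, whereas the old `exit 0` came before that check. The matching `fi` is in the next hunk.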
@@ -129,3 +129,12 @@ rm -vf ${LCMS_SRC}/cmsxform.c
rm -vf ${LCMS_SRC}/lcms2.h
rm -vf ${LCMS_SRC}/lcms2_internal.h
rm -vf ${LCMS_SRC}/lcms2_plugin.h
+fi
+
+# Get rid of in-tree SunEC until RH1656676 is implemented
+echo "Removing SunEC native code"
+mv -v src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h .
+rm -vrf src/jdk.crypto.ec/share/native/libsunec/impl
+mv -v ecc_impl.h src/jdk.crypto.ec/share/native/libsunec
+
+
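Review bot: The SunEC block has no guard like the "Refusing to proceed" checks used for the other libraries. If the first `mv` fails, `rm -vrf` still deletes `impl` together with the header and the script carries on, assuming it does not run under `set -e` (not visible in this hunk). A check such as `[ -f src/jdk.crypto.ec/share/native/libsunec/impl/ecc_impl.h ] || { echo "ecc_impl.h not found. Refusing to proceed."; exit 1; }` before the `mv`, plus `&&` between the three commands, keeps the failure visible. The relative `src/...` paths and the temporary `./ecc_impl.h` also depend on the current directory, unlike the `${LCMS_SRC}`-style variables used above.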
diff --git a/SOURCES/rh1022017-reduce_ssl_curves.patch b/SOURCES/rh1022017-reduce_ssl_curves.patch
new file mode 100644
index 0000000..6dab416
--- /dev/null
+++ b/SOURCES/rh1022017-reduce_ssl_curves.patch
@@ -0,0 +1,66 @@
+diff --git openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+--- openjdk.orig///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
++++ openjdk///src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
+@@ -515,50 +515,19 @@
+ }
+ } else { // default groups
+ NamedGroup[] groups;
+- if (requireFips) {
+- groups = new NamedGroup[] {
+- // only NIST curves in FIPS mode
+- NamedGroup.SECP256_R1,
+- NamedGroup.SECP384_R1,
+- NamedGroup.SECP521_R1,
+- NamedGroup.SECT283_K1,
+- NamedGroup.SECT283_R1,
+- NamedGroup.SECT409_K1,
+- NamedGroup.SECT409_R1,
+- NamedGroup.SECT571_K1,
+- NamedGroup.SECT571_R1,
++ groups = new NamedGroup[] {
++ // only NIST curves in FIPS mode
++ NamedGroup.SECP256_R1,
++ NamedGroup.SECP384_R1,
++ NamedGroup.SECP521_R1,
+
+- // FFDHE 2048
+- NamedGroup.FFDHE_2048,
+- NamedGroup.FFDHE_3072,
+- NamedGroup.FFDHE_4096,
+- NamedGroup.FFDHE_6144,
+- NamedGroup.FFDHE_8192,
+- };
+- } else {
+- groups = new NamedGroup[] {
+- // NIST curves first
+- NamedGroup.SECP256_R1,
+- NamedGroup.SECP384_R1,
+- NamedGroup.SECP521_R1,
+- NamedGroup.SECT283_K1,
+- NamedGroup.SECT283_R1,
+- NamedGroup.SECT409_K1,
+- NamedGroup.SECT409_R1,
+- NamedGroup.SECT571_K1,
+- NamedGroup.SECT571_R1,
+-
+- // non-NIST curves
+- NamedGroup.SECP256_K1,
+-
+- // FFDHE 2048
+- NamedGroup.FFDHE_2048,
+- NamedGroup.FFDHE_3072,
+- NamedGroup.FFDHE_4096,
+- NamedGroup.FFDHE_6144,
+- NamedGroup.FFDHE_8192,
+- };
+- }
++ // FFDHE 2048
++ NamedGroup.FFDHE_2048,
++ NamedGroup.FFDHE_3072,
++ NamedGroup.FFDHE_4096,
++ NamedGroup.FFDHE_6144,
++ NamedGroup.FFDHE_8192,
++ };
+
+ groupList = new ArrayList<>(groups.length);
+ for (NamedGroup group : groups) {
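Review bot: The comment `// only NIST curves in FIPS mode` kept at the top of the new array is no longer true, because the `requireFips` test is removed and this single list is now the default in every mode. That matters to anyone auditing TLS defaults: the sect283/409/571 curves and `SECP256_K1` disappear from the default groups outside FIPS mode too, and the comment hides it. I would replace it with `// NIST prime curves only, in all modes: binary and Koblitz curves dropped to match NSS (RH1022017)`, and relabel `// FFDHE 2048` as `// FFDHE groups` since it heads five sizes. The enclosing method starts and ends outside the hunk.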
diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..a877506
--- /dev/null
+++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,18 @@
+diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+--- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
++++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+@@ -883,9 +883,13 @@
+ return null;
+ }
+ });
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
+ }
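Review bot: The new `catch (AWTError error)` block discards the error with only `// ignore silently`, so a broken assistive-technology configuration leaves no trace for whoever has to diagnose it later. At minimum the comment should say why, e.g. `// RH1648242: a failing assistive technology must not stop Toolkit initialisation`. A one-line warning on `System.err` that includes `error.getMessage()` would keep the JVM alive without hiding the failure. The inner `diff -uNr` header also names `jdk8/jdk/...` as the new path while the `+++` line uses `openjdk/...`, which is worth tidying so the header matches what is applied.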
diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..1b92ddc
--- /dev/null
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,11 @@
+diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
+--- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700
++++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200
+@@ -83,6 +83,7 @@
+ #ifndef solaris
+ security.provider.tbd=SunPKCS11
+ #endif
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
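Review bot: In both inner hunks the last added entry, `org.GNOME.Bonobo.,\`, ends with a comma and a line continuation even though nothing follows it, so as far as I can tell the value terminates only because the next line is blank. In a properties file a continuation line that starts with `#` is not a comment, so if that blank line is ever lost the following comment text would be folded into `package.access` / `package.definition`, the lists that restrict package access and definition under a security manager. The final entry should read `org.GNOME.Bonobo.` with no trailing `,\`. Only the tail of each list is visible here, and the context line `sun.reflect.,\` has the same shape, so confirm against the target file that the patch applies without fuzz.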
diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+ /* and fill it in */
+ dst_ptr = icc_data;
+ for (seq_no = first; seq_no < last; seq_no++) {
+- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ unsigned int length =
+ icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
index 5013ba4..89cad59 100644
--- a/SPECS/java-11-openjdk.spec
+++ b/SPECS/java-11-openjdk.spec
@@ -189,7 +189,7 @@
# New Version-String scheme-style defines
%global majorver 11
-%global securityver 1
+%global securityver 2
# Used via new version scheme. JDK 11 was
# GA'ed in September 2018 => 18.9
%global vendor_version_string 18.9
@@ -207,7 +207,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global minorver 0
-%global buildver 13
+%global buildver 7
+#%%global tagsuffix %{nil}
# priority must be 7 digits in total
# setting to 1, so debug ones can have 0
%global priority 00000%{minorver}1
@@ -845,7 +846,7 @@ Provides: java-%{javaver}-%{origin}-src%1 = %{epoch}:%{version}-%{release}
Name: java-%{javaver}-%{origin}
Version: %{newjavaver}.%{buildver}
-Release: 3%{?dist}
+Release: 0%{?dist}
# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
# and this change was brought into RHEL-4. java-1.5.0-ibm packages
# also included the epoch in their virtual provides. This created a
@@ -880,7 +881,7 @@ URL: http://openjdk.java.net/
# to regenerate source0 (jdk) and source8 (jdk's taspets) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
-Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}.tar.xz
+Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
Source8: systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
# Desktop files. Adapted from IcedTea
@@ -906,25 +907,27 @@ Source14: TestECDSA.java
# NSS via SunPKCS11 Provider (disabled comment
# due to memory leak).
-Patch1000: enableCommentedOutSystemNss.patch
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# Ignore AWTError when assistive technologies are loaded
-Patch1: accessible-toolkit.patch
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
-Patch2: java-atk-wrapper-security.patch
-Patch3: libjpeg-turbo-1.4-compat.patch
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+# PR1834, RH1022017: Reduce curves reported by SSL to those in NSS
+# Not currently suitable to go upstream as it disables curves
+# for all providers unconditionally
+Patch525: rh1022017-reduce_ssl_curves.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Follow system wide crypto policy RHBZ#1249083
-Patch4: RHBZ-1249083-system-crypto-policy-PR3183.patch
+Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# System NSS via SunEC Provider
-Patch5: RHBZ-1565658-system-nss-SunEC.patch
-# Temporarily disable dsin/dcos intrinsics on aarch64, falling
-# back to C code. Re-enable once JDK-8210461 is fixed and
-# available in jdk11u.
-Patch6: RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
-# Temporarily disable log intrinsics on aarch64, falling
-# back to C code. Re-enable once JDK-8210858 is fixed and
-# available in jdk11u.
-Patch7: RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+Patch5: pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+#############################################
+#
+# Shenandaoh specific patches
+#
+#############################################
#############################################
#
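Review bot: The comment kept above Patch4, `# Follow system wide crypto policy RHBZ#1249083`, no longer matches the renamed file, which carries `rh1340845` in its name. Correct one of the two bug numbers or cite both, e.g. `# PR3183, RH1340845: Follow system wide crypto policy (see also RHBZ#1249083)`. Patch3 now sits directly under the Patch525 comment block with no comment of its own, so it reads as part of the curve-reduction patch; a line such as `# RH649512: Remove uses of FAR in jpeg code` would separate them. The new section banner is spelled `Shenandaoh` and has no patches under it.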
@@ -933,9 +936,9 @@ Patch7: RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.pat
#############################################
# 8210416, RHBZ#1632174: [linux] Poor StrictMath performance due to non-optimized compilation
-Patch8: JDK-8210416-RHBZ-1632174-fdlibm-opt-fix.patch
+Patch8: jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch
# 8210425, RHBZ#1632174: [x86] sharedRuntimeTrig/sharedRuntimeTrans compiled without optimization
-Patch9: JDK-8210425-RHBZ-1632174-sharedRuntimeTrig-opt-fix.patch
+Patch9: jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch
#############################################
#
@@ -944,12 +947,17 @@ Patch9: JDK-8210425-RHBZ-1632174-sharedRuntimeTrig-opt-fix.patch
#############################################
# 8210647, RHBZ#1632174: libsaproc is being compiled without optimization
-Patch10: JDK-8210647-RHBZ-1632174-libsaproc-opt-fix.patch
+Patch10: jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch
# 8210761, RHBZ#1632174: libjsig is being compiled without optimization
-Patch11: JDK-8210761-RHBZ-1632174-libjsig-opt-fix.patch
+Patch11: jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch
# 8210703, RHBZ#1632174: vmStructs.cpp compiled with -O0
-Patch12: JDK-8210703-RHBZ-1632174-vmStructs-opt-fix.patch
+Patch12: jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0
+#############################################
+#
+# Patches appearing in 11.0.2
+#
+#############################################
BuildRequires: autoconf
BuildRequires: automake
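Review bot: The new Patch12 value, `jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0`, is the only renamed patch in this hunk without a `.patch` suffix. If the file in SOURCES carries the suffix, the build fails when `%patch12` is applied; if it really has none, it escapes any `*.patch` glob used by tooling or review. The SOURCES entry for this file is not in view here, so check it and use `Patch12: jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0.patch` if the suffix is present; the changelog entry for 1:11.0.ea.28-9 repeats the same name. The added `Patches appearing in 11.0.2` banner is empty and could be dropped until it has content.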
@@ -1214,14 +1222,12 @@ pushd %{top_level_dir_name}
%patch3 -p1
%patch4 -p1
%patch5 -p1
-%patch6 -p1
-%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
-
+%patch525 -p1
popd # openjdk
%patch1000
@@ -1759,8 +1765,33 @@ require "copy_jdk_configs.lua"
%changelog
-* Wed Oct 24 2018 Severin Gehwolf - 1:11.0.1.13-3
-- Bump release for rebuild.
+* Tue Jan 15 2019 Andrew Hughes - 1:11.0.2.7-0
+- Update to shenandoah-jdk-11.0.2+7 (January 2019 CPU)
+- Make tagsuffix optional and comment it out while unused.
+- Drop JDK-8211105/RH1628612/RH1630996 applied upstream.
+- Drop JDK-8209639/RH1640127 applied upstream.
+- Re-generate JDK-8210416/RH1632174 following JDK-8209786
+- Resolves: rhbz#1661577
+
+* Mon Jan 14 2019 Andrew Hughes - 1:11.0.1.13-4
+- Update to shenandoah-jdk-11.0.1+13-20190101
+- Update tarball generation script in preparation for PR3681/RH1656677 SunEC changes.
+- Use remove-intree-libraries.sh to remove the remaining SunEC code for now.
+- Fix remove-intree-libraries.sh to not exit early and skip SunEC handling.
+- Fix PR1983 SunEC patch so that ecc_impl.h is patched rather than added
+- Add missing RH1022017 patch to reduce curves reported by SSL to those we support.
+- Resolves: rhbz#1661577
+
+* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3
+- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+
+* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3
+- Use upstream's version of Aarch64 intrinsics disable patch:
+ - Removed:
+ RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+ RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+ - Superceded by:
+ jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2
- Use LTS designator in version output for RHEL.
@@ -1779,16 +1810,16 @@ require "copy_jdk_configs.lua"
* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9
- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
RHBZ-1624122.
-- Add patch, JDK-8210416-RHBZ-1632174-fdlibm-opt-fix.patch, so as to
+- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
optimize compilation of fdlibm library.
-- Add patch, JDK-8210425-RHBZ-1632174-sharedRuntimeTrig-opt-fix.patch, so
+- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
-- Add patch, JDK-8210647-RHBZ-1632174-libsaproc-opt-fix.patch, so as to
+- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
optimize compilation of libsaproc (extra c flags won't override
optimization).
-- Add patch, JDK-8210761-RHBZ-1632174-libjsig-opt-fix.patch, so as to
+- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
optimize compilation of libjsig.
-- Add patch, JDK-8210703-RHBZ-1632174-vmStructs-opt-fix.patch, so as to
+- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
optimize compilation of vmStructs.cpp (part of libjvm.so).
- Reinstate filtering of opt flags coming from redhat-rpm-config.
@@ -1847,7 +1878,7 @@ require "copy_jdk_configs.lua"
- Resolves: rhbz#1570856
* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8
-- Adjust system NSS patch, RHBZ-1565658-system-nss-SunEC.patch, so
+- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
- Resolves: rhbz#1570856