PR#105: Added checks and restrictions around alt-java - rpms/java-11-openjdk

rpms / java-11-openjdk

#105 Added checks and restrictions around alt-java

Merged 3 years ago by jvanek. Opened 3 years ago by jvanek.

Unknown source extAltJava into master

Added checks and restrictions around alt-java

Jiri Vanek • 3 years ago

cef412c

java-11-openjdk.spec

file modified

+18 -1

		`@@ -101,6 +101,8 @@`
		`%global shenandoah_arches x86_64 %{aarch64}`
		`# Set of architectures for which we build the Z garbage collector`
		`%global zgc_arches x86_64`
		`+ # Set of architectures for which alt-java has SSB mitigation`
		`+ %global ssbd_arches x86_64`

		`# By default, we build a debug build during main build on JIT architectures`
		`%if %{with slowdebug}`
		`@@ -259,7 +261,7 @@`
		`%global top_level_dir_name %{origin}`
		`%global minorver 0`
		`%global buildver 11`
		`- %global rpmrelease 5`
		`+ %global rpmrelease 6`
		`#%%global tagsuffix ""`
		`# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit`
		`%if %is_system_jdk`
		`@@ -1598,6 +1600,16 @@`
		`$JAVA_HOME/bin/javac -d . %{SOURCE15}`
		`$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})\|sed "s\|\.java\|\|")`

		`+ # Check java launcher has no SSB mitigation`
		`+ if ! nm $JAVA_HOME/bin/java \| grep set_speculation ; then true ; else false; fi`
		`+`
		`+ # Check alt-java launcher has SSB mitigation on supported architectures`
		`+ %ifarch %{ssbd_arches}`
		`+ nm $JAVA_HOME/bin/%{alt_java_name} \| grep set_speculation`
		`+ %else`
		`+ if ! nm $JAVA_HOME/bin/%{alt_java_name} \| grep set_speculation ; then true ; else false; fi`
		`+ %endif`
		`+`
		`# Check debug symbols in static libraries (smoke test)`
		`export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image}`
		`readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a \| grep w_remainder.c`
		`@@ -1974,6 +1986,11 @@`


		`%changelog`
		`+ * Thu Dec 17 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.9.11-6`
		`+ - introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched`
		`+ - patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly`
		`+ - introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures`
		`+`
		`* Tue Dec 01 2020 Jiri Vanek <jvanek@redhat.com> - 1:11.0.9.11-5`
		`- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch`
		`- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch`

rh1750419-redhat_alt_java.patch

file modified

+8 -3

		`@@ -1,12 +1,13 @@`
		`diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk`
		`--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100`
		`+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100`
		`- @@ -41,6 +41,15 @@`
		`+ @@ -41,6 +41,16 @@`
		`OPTIMIZATION := HIGH, \`
		`))`

		`+ +#Wno-error=cpp is present to allow commented warning in ifdef part of main.c`
		`+$(eval $(call SetupBuildLauncher, alt-java, \`
		`- + CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \`
		`+ + CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \`
		`+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \`
		`+ LIBS_windows := user32.lib comctl32.lib, \`
		`+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \`
		`@@ -98,12 +99,16 @@`
		`diff -r 25e94aa812b2 src/share/bin/main.c`
		`--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300`
		`+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100`
		`- @@ -34,6 +34,10 @@`
		`+ @@ -34,6 +34,14 @@`
		`#include "jli_util.h"`
		`#include "jni.h"`

		`+ +#ifdef REDHAT_ALT_JAVA`
		`+#if defined(__linux__) && defined(__x86_64__)`
		`+#include "alt_main.h"`
		`+ +#else`
		`+ +#warning alt-java requested but SSB mitigation not available on this platform.`
		`+ +#endif`
		`+#endif`
		`+`
		`#ifdef _MSC_VER`

jvanek commented 3 years ago

I'm in favour of merge both commits to single one

zuul commented 3 years ago

Build failed.

rpm-scratch-build : SUCCESS in 33m 56s
rpm-linter : FAILURE in 6m 52s
rpm-rpminspect : TIMED_OUT in 30m 40s (non-voting)
check-for-tests : SUCCESS in 5s
rpm-install-test : SUCCESS in 5m 04s
rpm-test : SKIPPED

ahughes commented 3 years ago

Thanks for porting this to Fedora.
I agree with your changes. Thanks for catching the need to use the %{alt_java_name} macro. I missed that.
I'd rebase this into one commit, but also add a Changelog entry for your own changes, so I'm not stealing credit for them all :)

rebased onto cef412c

3 years ago

Pull-Request has been merged by jvanek

3 years ago

zuul commented 3 years ago

Build failed.