Merge branch 'rawhide' into f35

2022-04-28 16:24:02 +02:00 · 2022-04-28 16:24:02 +02:00 · e5bfe5ebd7
commit e5bfe5ebd7
parent b44b85d73d 3cbe105c02
9 changed files with 1808 additions and 63 deletions
--- a/.gitignore
+++ b/.gitignore
@ -21,3 +21,7 @@
 /openjdk-jdk17u-jdk-17.0.1+12.tar.xz
 /tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
 /openjdk-jdk17u-jdk-17.0.2+8.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+1.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+5.tar.xz
 /openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz
 /openjdk-jdk17u-jdk-17.0.3+7.tar.xz
--- a/205
+++ b/205
@ -3,6 +3,211 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release OpenJDK 17.0.3 (2022-04-19):
 ===========================================
 Live versions of these release notes can be found at:
  * https://bitly.com/openjdk1703
  * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt
 * Security fixes
  - JDK-8269938: Enhance XML processing passes redux
  - JDK-8270504, CVE-2022-21426: Better XPath expression handling
  - JDK-8272255: Completely handle MIDI files
  - JDK-8272261: Improve JFR recording file processing
  - JDK-8272588: Enhanced recording parsing
  - JDK-8272594: Better record of recordings
  - JDK-8274221: More definite BER encodings
  - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
  - JDK-8275151, CVE-2022-21443: Improved Object Identification
  - JDK-8277227: Better identification of OIDs
  - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support
  - JDK-8277672, CVE-2022-21434: Better invocation handler handling
  - JDK-8278356: Improve file creation
  - JDK-8278449: Improve keychain support
  - JDK-8278798: Improve supported intrinsic
  - JDK-8278805: Enhance BMP image loading
  - JDK-8278972, CVE-2022-21496: Improve URL supports
  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
 * Other changes
  - JDK-8177814: jdk/editpad is not in jdk TEST.groups
  - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64
  - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
  - JDK-8225559: assertion error at TransTypes.visitApply
  - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
  - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
  - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test
  - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1
  - JDK-8251216: Implement MD5 intrinsics on AArch64
  - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
  - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
  - JDK-8263567: gtests don't terminate the VM safely
  - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
  - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups
  - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it
  - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only
  - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM
  - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file
  - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java
  - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long'
  - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error
  - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects"
  - JDK-8270117: Broken jtreg link in "Building the JDK" page
  - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
  - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity
  - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
  - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
  - JDK-8271506: Add ResourceHashtable support for deleting selected entries
  - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
  - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories
  - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates
  - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage()
  - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
  - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code
  - JDK-8272600: (test) Use native "sleep" in Basic.java
  - JDK-8272866: java.util.random package summary contains incorrect mixing function in table
  - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
  - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt
  - JDK-8273277: C2: Move conditional negation into rc_predicate
  - JDK-8273341: Update Siphash to version 1.0
  - JDK-8273351: bad tag in jdk.random module-info.java
  - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
  - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm
  - JDK-8273387: remove some unreferenced gtk-related functions
  - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
  - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
  - JDK-8273526: Extend the OSContainer API  pids controller with pids.current
  - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
  - JDK-8273655: content-types.properties files are missing some common types
  - JDK-8273682: Upgrade Jline to 3.20.0
  - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
  - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3
  - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
  - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12
  - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform)
  - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes
  - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches
  - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
  - JDK-8274471: Add support for RSASSA-PSS in OCSP Response
  - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root
  - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
  - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS
  - JDK-8274658: ISO 4217 Amendment 170 Update
  - JDK-8274714: Incorrect verifier protected access error message
  - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976
  - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes
  - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
  - JDK-8274935: dumptime_table has stale entry
  - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info
  - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
  - JDK-8275330: C2:  assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions
  - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
  - JDK-8275586: Zero: Simplify interpreter initialization
  - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow
  - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
  - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg
  - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64
  - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
  - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException
  - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock
  - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method
  - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue
  - JDK-8276057: Update JMH devkit to 1.33
  - JDK-8276141: XPathFactory set/getProperty method
  - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
  - JDK-8276314: [JVMCI] check alignment of call displacement during code installation
  - JDK-8276623: JDK-8275650 accidentally pushed "out" file
  - JDK-8276654: element-list order is non deterministic
  - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common()
  - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod
  - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content
  - JDK-8276841: Add support for Visual Studio 2022
  - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible"
  - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
  - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64
  - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits
  - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
  - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
  - JDK-8277383: VM.metaspace optionally show chunk freelist details
  - JDK-8277385: Zero: Enable CompactStrings support
  - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
  - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
  - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs
  - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
  - JDK-8277497: Last column cell in the JTable row is read as empty cell
  - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found."
  - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER
  - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad
  - JDK-8277795: ldap connection timeout not honoured under contention
  - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64
  - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
  - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
  - JDK-8278016: Add compiler tests to tier{2,3}
  - JDK-8278020: ~13% variation in Renaissance-Scrabble
  - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
  - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError
  - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute'
  - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
  - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
  - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
  - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
  - JDK-8278185: Custom JRE cannot find non-ASCII named module inside
  - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d
  - JDK-8278241: Implement JVM SpinPause on linux-aarch64
  - JDK-8278309: [windows] use of uninitialized OSThread::_state
  - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output
  - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine
  - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
  - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
  - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic
  - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column
  - JDK-8278604: SwingSet2 table demo does not have accessible description set for images
  - JDK-8278627: Shenandoah: TestHeapDump test failed
  - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
  - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3
  - JDK-8278824: Uneven work distribution when scanning heap roots in G1
  - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
  - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10
  - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__
  - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t
  - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
  - JDK-8279124: VM does not handle SIGQUIT during initialization
  - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
  - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
  - JDK-8279379: GHA: Print tests that are in error
  - JDK-8279385: [test]  Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344
  - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it
  - JDK-8279445: Update JMH devkit to 1.34
  - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms
  - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT
  - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
  - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also
  - JDK-8279702: [macosx] ignore xcodebuild warnings on M1
  - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
  - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
  - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
  - JDK-8280002: jmap -histo may leak stream
  - JDK-8280155: [PPC64, s390] frame size checks are not yet correct
  - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492
  - JDK-8280414: Memory leak in DefaultProxySelector
  - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
  - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
  - JDK-8281460: Let ObjectMonitor have its own NMT category
  - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
  - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
  - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
 Notes on individual issues:
 ===========================
 security-libs/java.security:
 JDK-8274791: Support for RSASSA-PSS in OCSP Response
 ====================================================
 An OCSP response signed with the RSASSA-PSS algorithm is now supported.
 New in release OpenJDK 17.0.2 (2022-01-18):
 ===========================================
 Live versions of these release notes can be found at:
--- a/README.md
+++ b/README.md
@ -1,10 +1,13 @@
-Package of LTS OpenJDK 17
+OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
 OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. 
-JDK17 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/17/ and is landing to your Fedora. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. 
+* https://fedoraproject.org/wiki/Changes/Java17
-See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
+For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
-See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
+release page for OpenJDK 17 and the preceding interim releases:
-https://fedoraproject.org/wiki/Changes/Java17
+* 12: https://openjdk.java.net/projects/jdk/12/
-https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview
+* 13: https://openjdk.java.net/projects/jdk/13/
 * 14: https://openjdk.java.net/projects/jdk/14/
 * 15: https://openjdk.java.net/projects/jdk/15/
 * 16: https://openjdk.java.net/projects/jdk/16/
 * 17: https://openjdk.java.net/projects/jdk/17/
--- a/generate_source_tarball.sh
+++ b/generate_source_tarball.sh
@ -8,8 +8,8 @@
 #
 # In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
 # PROJECT_NAME=openjdk
-# REPO_NAME=jdk16
+# REPO_NAME=jdk17u
-# VERSION=HEAD
+# VERSION=jdk-17.0.3+5
 # or to eg prepare systemtap:
 # icedtea7's jstack and other tapsets
 # VERSION=6327cf1cea9e
@ -130,7 +130,7 @@ pushd "${FILE_NAME_ROOT}"
                # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
                # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
 		echo "PR3823 not found. Downloading..."
-		wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
+		wget https://icedtea.wildebeest.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
 	        echo "Applying ${PWD}/pr3823.patch"
 		patch -Np1 < pr3823.patch
 		rm pr3823.patch
--- a/java-17-openjdk.spec
+++ b/java-17-openjdk.spec
@ -21,6 +21,8 @@
 %bcond_without release
 # Enable static library builds by default.
 %bcond_without staticlibs
 # Build a fresh libjvm.so for use in a copy of the bootstrap JDK
 %bcond_without fresh_libjvm
 # Workaround for stripping of debug symbols from static libraries
 %if %{with staticlibs}
@ -30,6 +32,13 @@
 %global include_staticlibs 0
 %endif
 # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
 %if %{with fresh_libjvm}
 %global build_hotspot_first 1
 %else
 %global build_hotspot_first 0
 %endif
 # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
 # This fixes detailed NMT and other tools which need minimal debug info.
 # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -91,7 +100,7 @@
 # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
-%global is_system_jdk 0
+%global is_system_jdk 1
 %global aarch64         aarch64 arm64 armv8
 # we need to distinguish between big and little endian PPC64
@ -104,7 +113,7 @@
 # Set of architectures for which we build fastdebug builds
 %global fastdebug_arches x86_64 ppc64le aarch64
 # Set of architectures with a Just-In-Time (JIT) compiler
-%global jit_arches      %{debug_arches} %{arm}
+%global jit_arches      %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
 # Set of architectures which use the Zero assembler port (!jit_arches)
 %global zero_arches ppc s390
 # Set of architectures which run a full bootstrap cycle
@ -127,13 +136,8 @@
 %global ssbd_arches x86_64
 # Set of architectures for which java has short vector math library (libsvml.so)
 %global svml_arches x86_64
-# Set of architectures where we verify backtraces with gdb (ideally all)
+# Set of architectures where we verify backtraces with gdb
-# Temporarily disable check on x86, x86_64, ppc64le and s390x as gdb crashes
+%global gdb_arches %{jit_arches} %{zero_arches}
 # ../../gdb/objfiles.h:510: internal-error: sect_index_data not initialized
 # A problem internal to GDB has been detected,
 # further debugging may prove unreliable.
 # See https://bugzilla.redhat.com/show_bug.cgi?id=2041970
 %global gdb_arches sparcv9 sparc64 %{aarch64} %{arm} %{zero_arches}
 # By default, we build a debug build during main build on JIT architectures
 %if %{with slowdebug}
@ -176,7 +180,7 @@
 %global fastdebug_build %{nil}
 %endif
-# If you disable both builds, then the build fails
+# If you disable all builds, then the build fails
 # Build and test slowdebug first as it provides the best diagnostics
 %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
@ -210,6 +214,11 @@
 %global release_targets images docs-zip
 # No docs nor bootcycle for debug builds
 %global debug_targets images
 # Target to use to just build HotSpot
 %global hotspot_target hotspot
 # JDK to use for bootstrapping
 %global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
 # Filter out flags from the optflags macro that cause problems with the OpenJDK build
@ -230,51 +239,63 @@
 # In some cases, the arch used by the JDK does
 # not match _arch.
 # Also, in some cases, the machine name used by SystemTap
-# does not match that given by _build_cpu
+# does not match that given by _target_cpu
 %ifarch x86_64
 %global archinstall amd64
 %global stapinstall x86_64
 %endif
 %ifarch ppc
 %global archinstall ppc
 %global stapinstall powerpc
 %endif
 %ifarch %{ppc64be}
 %global archinstall ppc64
 %global stapinstall powerpc
 %endif
 %ifarch %{ppc64le}
 %global archinstall ppc64le
 %global stapinstall powerpc
 %endif
 %ifarch %{ix86}
 %global archinstall i686
 %global stapinstall i386
 %endif
 %ifarch ia64
 %global archinstall ia64
 %global stapinstall ia64
 %endif
 %ifarch s390
 %global archinstall s390
 %global stapinstall s390
 %endif
 %ifarch s390x
 %global archinstall s390x
 %global stapinstall s390
 %endif
 %ifarch %{arm}
 %global archinstall arm
 %global stapinstall arm
 %endif
 %ifarch %{aarch64}
 %global archinstall aarch64
 %global stapinstall arm64
 %endif
 # 32 bit sparc, optimized for v9
 %ifarch sparcv9
 %global archinstall sparc
 %global stapinstall %{_target_cpu}
 %endif
 # 64 bit sparc
 %ifarch sparc64
 %global archinstall sparcv9
 %global stapinstall %{_target_cpu}
 %endif
-%ifnarch %{jit_arches}
+# Need to support noarch for srpm build
-%global archinstall %{_arch}
+%ifarch noarch
 %global archinstall %{nil}
 %global stapinstall %{nil}
 %endif
 %ifarch %{systemtap_arches}
 %global with_systemtap 1
 %else
@ -284,7 +305,7 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 2
+%global updatever 3
 %global patchver 0
 # If you bump featurever, you must also bump vendor_version_string
 # Used via new version scheme. JDK 17 was
@ -312,8 +333,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{origin}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        8
+%global buildver        7
-%global rpmrelease      2
+%global rpmrelease      1
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
 # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -332,6 +353,9 @@
 # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
 %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
 # The tag used to create the OpenJDK tarball
 %global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
 # Define milestone (EA for pre-releases, GA for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -434,10 +458,10 @@
 # and 32 bit architectures we place the tapsets under the arch
 # specific dir (note that systemtap will only pickup the tapset
 # for the primary arch for now). Systemtap uses the machine name
-# aka build_cpu as architecture specific directory name.
+# aka target_cpu as architecture specific directory name.
 %global tapsetroot /usr/share/systemtap
 %global tapsetdirttapset %{tapsetroot}/tapset/
-%global tapsetdir %{tapsetdirttapset}/%{_build_cpu}
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
 %endif
 # not-duplicated scriptlets for normal/debug packages
@ -595,7 +619,9 @@ alternatives \\
  --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
  --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
  --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
 %endif
 %endif
  --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
  --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
@ -808,8 +834,10 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
 # Some architectures don't have the serviceability agent
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
 %endif
 %endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
 %ifarch %{svml_arches}
@ -901,9 +929,11 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
 # Some architectures don't have the serviceability agent
 %ifarch %{sa_arches}
 %ifnarch %{zero_arches}
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
 %{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
 %endif
 %endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
@ -1077,6 +1107,8 @@ OrderWithRequires: copy-jdk-configs
 %endif
 # for printing support
 Requires: cups-libs
 # for FIPS PKCS11 provider
 Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # Postun requires alternatives to uninstall tool alternatives
@ -1220,9 +1252,8 @@ License:  ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv
 URL:      http://openjdk.java.net/
-# to regenerate source0 (jdk) run update_package.sh
+# The source tarball, generated using generate_source_tarball.sh
-# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
 Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
@ -1299,13 +1330,20 @@ Patch1013: rh1991003-enable_fips_keys_import.patch
 # RH2021263: Resolve outstanding FIPS issues
 Patch1014: rh2021263-fips_ensure_security_initialised.patch
 Patch1015: rh2021263-fips_missing_native_returns.patch
 # RH2052819: Fix FIPS reliance on crypto policies
 Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
 # RH2052829: Detect NSS at Runtime for FIPS detection
 Patch1017: rh2052829-fips_runtime_nss_detection.patch
 # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
 Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
 #############################################
 #
 # OpenJDK patches in need of upstreaming
 #
 #############################################
 # JDK-8282004: x86_32.ad rules that call SharedRuntime helpers should have CALL effects
 Patch7: jdk8282004-x86_32-missing_call_effects.patch
 BuildRequires: autoconf
 BuildRequires: automake
@ -1332,15 +1370,15 @@ BuildRequires: libXrandr-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
+# Requirement for setting up nss.cfg and nss.fips.cfg
-BuildRequires: nss-devel >= 3.53
+BuildRequires: nss-devel
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
 BuildRequires: javapackages-filesystem
 BuildRequires: java-%{buildjdkver}-openjdk-devel
 # Zero-assembler build requirement
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
 BuildRequires: tzdata-java >= 2015d
@ -1660,6 +1698,14 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
 %endif
 %prep
 # Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
 %if 0%{?stapinstall:1}
  echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
 %else
  %{error:Unrecognised architecture %{_target_cpu}}
 %endif
 if [ %{include_normal_build} -eq 0 -o  %{include_normal_build} -eq 1 ] ; then
  echo "include_normal_build is %{include_normal_build}"
 else
@ -1702,6 +1748,7 @@ pushd %{top_level_dir_name}
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 popd # openjdk
 %patch1000
@ -1719,6 +1766,8 @@ popd # openjdk
 %patch1014
 %patch1015
 %patch1016
 %patch1017
 %patch1018
 # Extract systemtap tapsets
 %if %{with_systemtap}
@ -1798,7 +1847,12 @@ EXTRA_CPP_FLAGS="%ourcppflags"
 # fix rpmlint warnings
 EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
 %endif
-export EXTRA_CFLAGS
+%ifarch %{ix86}
 # Align stack boundary on x86_32
 EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
 EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
 %endif
 export EXTRA_CFLAGS EXTRA_CPP_FLAGS
 function buildjdk() {
    local outputdir=${1}
@ -1840,7 +1894,7 @@ function buildjdk() {
    pushd ${outputdir}
    bash ${top_dir_abs_src_path}/configure \
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
    --with-jvm-variants=zero \
 %endif
 %ifarch %{ppc64le}
@ -1857,7 +1911,7 @@ function buildjdk() {
    --with-boot-jdk=${buildjdk} \
    --with-debug-level=${debuglevel} \
    --with-native-debug-symbols="%{debug_symbols}" \
-    --enable-sysconf-nss \
+    --disable-sysconf-nss \
    --enable-unlimited-crypto \
    --with-zlib=system \
    --with-libjpeg=${link_opt} \
@ -1891,34 +1945,46 @@ function buildjdk() {
 function installjdk() {
    local imagepath=${1}
-    # the build (erroneously) removes read permissions from some jars
+    if [ -d ${imagepath} ] ; then
-    # this is a regression in OpenJDK 7 (our compiler):
+	# the build (erroneously) removes read permissions from some jars
-    # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+	# this is a regression in OpenJDK 7 (our compiler):
-    find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+	# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
 	find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
-    # Build screws up permissions on binaries
+	# Build screws up permissions on binaries
-    # https://bugs.openjdk.java.net/browse/JDK-8173610
+	# https://bugs.openjdk.java.net/browse/JDK-8173610
-    find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+	find ${imagepath} -iname '*.so' -exec chmod +x {} \;
-    find ${imagepath}/bin/ -exec chmod +x {} \;
+	find ${imagepath}/bin/ -exec chmod +x {} \;
-    # Install nss.cfg right away as we will be using the JRE above
+	# Install nss.cfg right away as we will be using the JRE above
-    install -m 644 nss.cfg ${imagepath}/conf/security/
+	install -m 644 nss.cfg ${imagepath}/conf/security/
-    # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+	# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
-    install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+	install -m 644 nss.fips.cfg ${imagepath}/conf/security/
-    # Use system-wide tzdata
+	# Use system-wide tzdata
-    rm ${imagepath}/lib/tzdb.dat
+	rm ${imagepath}/lib/tzdb.dat
-    ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+	ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
-    # Create fake alt-java as a placeholder for future alt-java
+	# Create fake alt-java as a placeholder for future alt-java
-    pushd ${imagepath}
+	pushd ${imagepath}
-    # add alt-java man page
+	# add alt-java man page
-    echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+	echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
-    cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+	cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
-    popd
+	popd
    fi
 }
 %if %{build_hotspot_first}
  # Build a fresh libjvm.so first and use it to bootstrap
  cp -LR --preserve=mode,timestamps %{bootjdk} newboot
  systemjdk=$(pwd)/newboot
  buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
  mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
 %else
  systemjdk=%{bootjdk}
 %endif
 for suffix in %{build_loop} ; do
  if [ "x$suffix" = "x" ] ; then
@ -1928,7 +1994,6 @@ for suffix in %{build_loop} ; do
      debugbuild=`echo $suffix  | sed "s/-//g"`
  fi
  systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
  for loop in %{main_suffix} %{staticlibs_loop} ; do
@ -2474,9 +2539,54 @@ cjc.mainProgram(args)
 %endif
 %changelog
-* Wed Mar 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
+* Sun Apr 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
 - April 2022 security update to jdk 17.0.3+7
 - Update release notes to 17.0.3.0+7
 - Update README.md and generate_source_tarball.sh to match CentOS
 - Switch to GA mode for release
 - JDK-8283911 patch no longer needed now we're GA...
 * Wed Apr 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
 - Update to jdk-17.0.3.0+5
 - Update release notes to 17.0.3.0+5
 * Fri Apr 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.1-0.1.ea
 - Update to jdk-17.0.3.0+1
 - Update release notes to 17.0.3.0+1
 - Switch to EA mode for 17.0.3 pre-release builds.
 - Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
 * Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-9
 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
 * Wed Mar 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8
 - java-17-openjdk should depend on itself to build, not java-latest-openjdk which is now OpenJDK 18
 * Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-8
 - Detect NSS at runtime for FIPS detection
 - Turn off build-time NSS linking and go back to an explicit Requires on NSS
 * Tue Feb 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-7
 - Reinstate JIT builds on x86_32.
 - Add JDK-8282004 to fix missing CALL effects on x86_32.
 * Mon Feb 07 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:17.0.2.0.8-6
 - Re-enable gdb backtrace check.
 * Mon Feb 07 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-5
 - Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
 - Need to support noarch for creating source RPMs for non-scratch builds.
 * Fri Feb 04 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.2.0.8-4
 - moved to become system jdk
 * Fri Feb 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-2
 - Temporarily move x86 to use Zero in order to get a working build
 - Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
 - Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
 - Explicitly list JIT architectures rather than relying on those with slowdebug builds
 - Disable the serviceability agent on Zero architectures even when the architecture itself is supported
 * Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.2.0.8-1.rolling
 - January 2022 security update to jdk 17.0.2+8
 - Extend LTS check to exclude EPEL.
--- a/jdk8282004-x86_32-missing_call_effects.patch
+++ b/jdk8282004-x86_32-missing_call_effects.patch
@ -0,0 +1,28 @@
 diff --git a/src/hotspot/cpu/x86/x86_32.ad b/src/hotspot/cpu/x86/x86_32.ad
 index a31a38a384f..6138ca5281f 100644
 --- a/src/hotspot/cpu/x86/x86_32.ad
 +++ b/src/hotspot/cpu/x86/x86_32.ad
@@ -7825,9 +7825,9 @@ instruct divI_eReg(eAXRegI rax, eDXRegI rdx, eCXRegI div, eFlagsReg cr) %{
 %}
 // Divide Register Long
 -instruct divL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
 +instruct divL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
   match(Set dst (DivL src1 src2));
 -  effect( KILL cr, KILL cx, KILL bx );
 +  effect(CALL);
   ins_cost(10000);
   format %{ "PUSH   $src1.hi\n\t"
             "PUSH   $src1.lo\n\t"
@@ -7873,9 +7873,9 @@ instruct modI_eReg(eDXRegI rdx, eAXRegI rax, eCXRegI div, eFlagsReg cr) %{
 %}
 // Remainder Register Long
 -instruct modL_eReg( eADXRegL dst, eRegL src1, eRegL src2, eFlagsReg cr, eCXRegI cx, eBXRegI bx ) %{
 +instruct modL_eReg(eADXRegL dst, eRegL src1, eRegL src2) %{
   match(Set dst (ModL src1 src2));
 -  effect( KILL cr, KILL cx, KILL bx );
 +  effect(CALL);
   ins_cost(10000);
   format %{ "PUSH   $src1.hi\n\t"
             "PUSH   $src1.lo\n\t"
--- a/rh2052070-enable_algorithmparameters_in_fips_mode.patch
+++ b/rh2052070-enable_algorithmparameters_in_fips_mode.patch
--- a/rh2052829-fips_runtime_nss_detection.patch
+++ b/rh2052829-fips_runtime_nss_detection.patch
@ -0,0 +1,213 @@
 commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
 Author: Andrew Hughes <gnu.andrew@redhat.com>
 Date:   Mon Feb 7 15:33:27 2022 +0000
    RH2051605: Detect NSS at Runtime for FIPS detection
 diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
 index caf678a7dd6..8dcb7d9073f 100644
 --- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
 +++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,26 +23,37 @@
  * questions.
  */
 -#include <dlfcn.h>
 #include <jni.h>
 #include <jni_util.h>
 +#include "jvm_md.h"
 #include <stdio.h>
 #ifdef SYSCONF_NSS
 #include <nss3/pk11pub.h>
 +#else
 +#include <dlfcn.h>
 #endif //SYSCONF_NSS
 #include "java_security_SystemConfigurator.h"
 -#define MSG_MAX_SIZE 96
 +#define MSG_MAX_SIZE 256
 +#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
 +
 +typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
 +static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
 static jmethodID debugPrintlnMethodID = NULL;
 static jobject debugObj = NULL;
 -// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
 -#ifndef SYSCONF_NSS
 -
 -#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
 +static void dbgPrint(JNIEnv *env, const char* msg)
 +{
 +    jstring jMsg;
 +    if (debugObj != NULL) {
 +        jMsg = (*env)->NewStringUTF(env, msg);
 +        CHECK_NULL(jMsg);
 +        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
 +    }
 +}
 static void throwIOException(JNIEnv *env, const char *msg)
 {
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
         (*env)->ThrowNew(env, cls, msg);
 }
 -#endif
 +static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
 +{
 +  if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
 +    dbgPrint(env, msg);
 +  } else {
 +    dbgPrint(env, "systemconf: cannot render message");
 +  }
 +}
 -static void dbgPrint(JNIEnv *env, const char* msg)
 +// Only used when NSS is not linked at build time
 +#ifndef SYSCONF_NSS
 +
 +static void *nss_handle;
 +
 +static jboolean loadNSS(JNIEnv *env)
 {
 -    jstring jMsg;
 -    if (debugObj != NULL) {
 -        jMsg = (*env)->NewStringUTF(env, msg);
 -        CHECK_NULL(jMsg);
 -        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
 -    }
 +  char msg[MSG_MAX_SIZE];
 +  int msg_bytes;
 +  const char* errmsg;
 +
 +  nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
 +  if (nss_handle == NULL) {
 +    errmsg = dlerror();
 +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
 +                         errmsg);
 +    handle_msg(env, msg, msg_bytes);
 +    return JNI_FALSE;
 +  }
 +  dlerror(); /* Clear errors */
 +  getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
 +  if ((errmsg = dlerror()) != NULL) {
 +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
 +                         errmsg);
 +    handle_msg(env, msg, msg_bytes);
 +    return JNI_FALSE;
 +  }
 +  return JNI_TRUE;
 +}
 +
 +static void closeNSS(JNIEnv *env)
 +{
 +  char msg[MSG_MAX_SIZE];
 +  int msg_bytes;
 +  const char* errmsg;
 +
 +  if (dlclose(nss_handle) != 0) {
 +    errmsg = dlerror();
 +    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
 +                         errmsg);
 +    handle_msg(env, msg, msg_bytes);
 +  }
 }
 +#endif
 +
 /*
  * Class:     java_security_SystemConfigurator
  * Method:    JNI_OnLoad
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
         debugObj = (*env)->NewGlobalRef(env, debugObj);
     }
 +#ifdef SYSCONF_NSS
 +    getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
 +#else
 +    if (loadNSS(env) == JNI_FALSE) {
 +      dbgPrint(env, "libsystemconf: Failed to load NSS library.");
 +    }
 +#endif
 +
     return (*env)->GetVersion(env);
 }
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
         if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
             return; /* Should not happen */
         }
 +#ifndef SYSCONF_NSS
 +        closeNSS(env);
 +#endif
         (*env)->DeleteGlobalRef(env, debugObj);
     }
 }
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
     char msg[MSG_MAX_SIZE];
     int msg_bytes;
 -#ifdef SYSCONF_NSS
 -
 -    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
 -    fips_enabled = SECMOD_GetSystemFIPSEnabled();
 -    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
 -            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
 -    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
 -        dbgPrint(env, msg);
 +    if (getSystemFIPSEnabled != NULL) {
 +      dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
 +      fips_enabled = (*getSystemFIPSEnabled)();
 +      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
 +                           " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
 +      handle_msg(env, msg, msg_bytes);
 +      return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
     } else {
 -        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
 -                " SECMOD_GetSystemFIPSEnabled return value");
 -    }
 -    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
 +      FILE *fe;
 -#else // SYSCONF_NSS
 -
 -    FILE *fe;
 -
 -    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
 -    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
 +      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
 +      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
         return JNI_FALSE;
 -    }
 -    fips_enabled = fgetc(fe);
 -    fclose(fe);
 -    if (fips_enabled == EOF) {
 +      }
 +      fips_enabled = fgetc(fe);
 +      fclose(fe);
 +      if (fips_enabled == EOF) {
         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
         return JNI_FALSE;
 +      }
 +      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
 +                           " read character is '%c'", fips_enabled);
 +      handle_msg(env, msg, msg_bytes);
 +      return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
     }
 -    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
 -            " read character is '%c'", fips_enabled);
 -    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
 -        dbgPrint(env, msg);
 -    } else {
 -        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
 -                " read character");
 -    }
 -    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
 -
 -#endif // SYSCONF_NSS
 }
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-jdk17u-jdk-17.0.2+8.tar.xz) = 03371771574c19c38f9091eaad7c46d1638c95e5a3ab16e5ce540bf0f9dcbf8f60fd3848f75fd6fb5eb5fa35a91ca8a6a7b582ce4cf5c7cd2efe6c0957c98719
+SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567
`@ -1,2 +1,2 @@`
	`SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30`	`SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30`
	`SHA512 (openjdk-jdk17u-jdk-17.0.2+8.tar.xz) = 03371771574c19c38f9091eaad7c46d1638c95e5a3ab16e5ce540bf0f9dcbf8f60fd3848f75fd6fb5eb5fa35a91ca8a6a7b582ce4cf5c7cd2efe6c0957c98719`	`SHA512 (openjdk-jdk17u-jdk-17.0.3+7.tar.xz) = 9f6aa266ff26bee08a6c6e9060f616d0acd0613567526463386ee7a8b7ad367a1347b9d6db6e05d73f20bf08d02e8650e33ccd83c8e62587710d885191d1b567`