[jdk11u-dev] Impact of JDK-8279219 and potential patch update 11.0.16.1

Gil Tene gil at azul.com
Thu Aug 11 16:42:57 UTC 2022



> On Aug 11, 2022, at 5:12 AM, Andrew Haley <aph-open at littlepinkcloud.com> wrote:
> 
> On 8/11/22 05:01, Alvarez, David wrote:
>> We have been seeing the same crashes mentioned in a previous email [1]
>> to this list. For one of our customers this crash is affecting
>> approximately 1% of all java invocations.
>> We have been able to confirm that crashes do go away after backing out
>> JDK-8279219 [4][5].
>> We are advocating for a patch release (11.0.16.1) to address this issue.
>> We don't believe it is appropriate to roll back given there was a high
>> severity CVE addressed in 11.0.16.

I'd like to voice support for David's position above. We too have had multiple crash
reports from the field related to this issue, rising to the point where people are stuck
between the demonstrated destabilization resulting from wide 11.0.16 rollout and
accepting continued exposure to a high severity CVE. That is not a good place
to be. Some are choosing to systemically roll back or otherwise delay the rollout
of 11.0.16.

We believe that this should raise the priority of JDK-8291665 to a P1, that
an 11.0.16.1 is warranted in this case, and that the need for a stable 11.0.16(.1)
is fairly urgent.

>> Regarding 17 and 18, we are working on a reproducer. We believe this
>> issue affects them as well.

Agreed. While we have not gotten specific reports of crashes in 17.0.4, we believe
a 17.0.4.1 may be warranted as well, for the same reasons.

Whether or not to push out an 18.0.2.1 may be a more debatable thing. 11 and 17
are positioned and used as LTS releases. 18 is not, and 18.0.2 was meant to be the
last update for 18. Whether or not that last update is fixed for stability with an
18.0.2.1 update is much less critical (IMO) than having the LTS updates containing
the latest security updates be stable.

> 
> But not JDK head, to which the fix was applied?

The urgency for fixing this in the JDK head is much lower than in the LTS
updates IMO. It may be a good idea to revert the fix for JDK-8279219 in
the head as well, until a reworked fix that does not destabilize in 11 is done.

> 
>> This is the error reported initially as JDK-8291665 [2] (and also as
>> JDK-8291919 [3] which was closed as duplicate).
> 
> OK, but (presumably) we'd still have to deal with the bug which was fixed
> by JDK-8279219. In that case we'd need to do another fix, to back-port
> JDK-8279219 properly. Or is it the case that the 8279219 is not important?

This would be most easily depicted by re-prioritizing JDK-8291665 to a P1…

> 
> Roland Westrelin will be back in a few days' time, and he will be able
> to analyse the problem.
> 

Given the urgency of getting a stable 11.0.16.1 out, I don't think we should
wait a few days with analysis.

------
[2] https://bugs.openjdk.org/browse/JDK-8291665
[4] https://bugs.openjdk.org/browse/JDK-8279219

