July 17, 2018
The full version string for this update release is 10.0.2+13 (where "+" means "build"). The version number is 10.0.2.JDK 10.0.2 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 10.0.2 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
10 | 10.0.2+13 |
9 | 9.0.99 |
8 | 1.8.0_181-b13 |
7 | 1.7.0_191-b08 |
6 | 1.6.0_201-b07 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 10.0.2) will expire with the release of the next critical patch update scheduled for October 16, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 10.0.2) on November 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
filterArguments runs multiple filters in the wrong order
The specification of the method java.lang.invoke.MethodHandles.filterArguments
was clarified to state more clearly that filter arguments are invoked in left to right order. The implementation of this method was also fixed to ensure it conformed to the specification. Prior to the fix the implementation incorrectly invoked filters in right to left order. For the majority of usages it is expected such a change in behavior will not be observable. Only in the minority of cases where two or more filters have side-effects that affect their results will such behavior be observable.
See JDK-8194554
Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification
.
Define this system property (or set it to true
) to disable endpoint identification algorithms.
JDK-8200666 (not public)
Better stack walking
New access checks have been added during the object creation phase of deserialization. This should not affect ordinary uses of deserialization. However, reflective frameworks that make use of JDK-internal APIs may be impacted. The new checks can be disabled if necessary by setting the system property jdk.disableSerialConstructorChecks
to the value "true". This must be done by adding the argument -Djdk.disableSerialConstructorChecks=true
to the Java command line.
JDK-8197925 (not public)
The following are some of the notable bug fixes included in this release:
JVM Crash during G1 GC
A klass that has been considered unreachable by the concurrent marking of G1, can be looked up in the ClassLoaderData/SystemDictionary, and its _java_mirror or _class_loader fields can be stored in a root or any other reachable object making it alive again. Whenever a klass is resurrected in this manner, the SATB part of G1 needs to be notified about this, otherwise, the concurrent marking remark phase will erroneously unload that klass.
In this particular crash, while G1 was doing concurrent marking and had prepared its list of unreachable classes, JVMTI on a Java thread could traverse classes in the CLD and store thread-local JNIHandles for the java_mirror of the loaded classes. G1 did not have knowledge of these thread-local JNIHandles, and in the remark phase, it unloaded the classes per its prior knowledge of unreachable classes. When these JNIHandles were later scanned, it lead to a crash.
This fix for JDK-8187577 informs G1's SATB that a klass has been resurrected and it should not be unloaded.
See JDK-8187577
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 10.0.2 Bug Fixes page.
April 17, 2018
The full version string for this update release is 10.0.1+10 (where "+" means "build"). The version number is 10.0.1.
For the April CPU, two different JDK10 bundles have been released:
This page provides release notes for both bundles. Content that only applies to a specific bundle is presented in sections that contain either OpenJDK or Oracle JDK in their titles. Sections that do not contain OpenJDK or Oracle JDK in their titles apply to both bundles.
JDK 10.0.1 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 10.0.1 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
10 | 10.0.1+10 |
9 | 9.0.99 |
8 | 1.8.0_171-b11 |
7 | 1.7.0_181-b09 |
6 | 1.6.0_191-b09 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 10.0.1) will expire with the release of the next critical patch update scheduled for July 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 10.0.1) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
security-libs/javax.crypto
The specification of javax.crypto.CipherOutputStream
has been clarified to indicate that this class catches BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client is not informed that integrity checks have failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (for example, GCM) if the application requires explicit notification when authentication fails. These applications can use the Cipher API directly as an alternative to using this class.
JDK-8182362 (not public)
security-libs/javax.crypto
A new security property named jceks.key.serialFilter
has been introduced. If this filter is configured, the JCEKS KeyStore uses it during the deserialization of the encrypted Key object stored inside a SecretKeyEntry. If it is not configured or if the filter result is UNDECIDED (for example, none of the patterns match), then the filter configured by jdk.serialFilter
is consulted.
If the system property jceks.key.serialFilter
is also supplied, it supersedes the security property value defined here.
The filter pattern uses the same format as jdk.serialFilter
. The default pattern allows java.lang.Enum
, java.security.KeyRep
, java.security.KeyRep$Type
, and javax.crypto.spec.SecretKeySpec
but rejects all the others.
Customers storing a SecretKey that does not serialize to the above types must modify the filter to make the key extractable.
JDK-8189997 (not public)
security-libs/javax.xml.crypto
The secure validation mode of the XML Signature implementation has been enhanced to restrict EC keys less than 224 bits by default. The secure validation mode is enabled either by setting the property org.jcp.xml.dsig.secureValidation
to true with the javax.xml.crypto.XMLCryptoContext.setProperty()
method, or by running the code with a SecurityManager.
JDK-8186032 (not public)
security-libs/javax.net.ssl
To improve the strength of SSL/TLS connections, 3DES cipher suites have been disabled in SSL/TLS connections in the JDK via the jdk.tls.disabledAlgorithms
Security Property.
JDK-8175075 (not public)
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 10.0.1 Bug Fixes page.
The following sections are included in these Release Notes:
The following notes describe important changes and information about this release. In some cases, the descriptions provide links to additional detailed information about an issue or a change. This page does not duplicate the descriptions provided by the Java SE 10 (18.3) ( JSR 383) specification, which provides informative background for all specification changes and might also include the identification of removed or deprecated APIs and features not described here. The Java SE 10 (18.3) (JSR 383) specification provides links to:
Annex 1: The complete Java SE 10 API Specification.
Annex 2: An annotated API specification showing the exact differences relative to Java SE 9. Informative background for these changes may be found in the list of approved Change Specification Requests for this release.
Annex 3: Java SE 10 Editions of The Java Language Specification and The Java Virtual Machine Specification. The Java SE 10 Editions contain all corrections and clarifications made since the Java SE 9 Editions, as well as additions for new features.
The descriptions on this Release Note page might also identify potential compatibility issues that you could encounter when migrating to JDK 10. The Kinds of Compatibility page on the OpenJDK wiki identifies three types of potential compatibility issues for Java programs used in these descriptions:
Source: Source compatibility concerns translating Java source code into class files.
Binary: Binary compatibility is defined in The Java Language Specification as preserving the ability to link without error.
Behavioral: Behavioral compatibility includes the semantics of the code that is executed at runtime.
See the Compatibility & Specification Review (CSR) page on the OpenJDK wiki for information about compatibility as it relates to JDK 10.
The following notes describe some of the enhancements in Java SE 10 and JDK 10. The descriptions might include links to additional documentation that describes the enhancement in greater detail. Another source of information about important enhancements and new features in Java SE 10 and JDK 10 is the Java SE 10 (18.3) ( JSR 383) specification, which documents the changes to the specification made between Java SE 9 and Java SE 10. This document includes descriptions of those new features and enhancements that are also changes to the specification. The descriptions below might also identify potential compatibility issues that you could encounter when migrating to JDK 10. See the Compatibility & Specification Review (CSR) page on the OpenJDK wiki for information about compatibility as it relates to JDK 10.
A new method orElseThrow
has been added to the Optional
class. It is synonymous with and is now the preferred alternative to the existing get
method.
See JDK-8140281
Several new APIs have been added that facilitate the creation of unmodifiable collections. The List.copyOf
, Set.copyOf
, and Map.copyOf
methods create new collection instances from existing instances. New methods toUnmodifiableList
, toUnmodifiableSet
, and toUnmodifiableMap
have been added to the Collectors
class in the Stream package. These allow the elements of a Stream to be collected into an unmodifiable collection.
See JDK-8177290
A new system property jdk.disableLastUsageTracking
has been introduced to disable JRE last usage tracking for a running VM. This property can be set in the command line by using either -Djdk.disableLastUsageTracking=true
or -Djdk.disableLastUsageTracking
. With this system property set, JRE last usage tracking will be disabled regardless of the com.oracle.usagetracker.track.last.usage
property value set in usagetracker.properties
.
JDK-8192039 (not public)
The clear passwords present in the jmxremote.password
file are now being over-written with their SHA3-512 hash by the JMX agent. Each line for the role follows the format:
role_name W hashedPassword
Where:
The hashed password follows the format:
hashedPassword = base64_encoded_64_byte_salt W base64_encoded_hash W hash_algorithm
Where:
https://docs.oracle.com/javase/10/docs/specs/security/standard-names.html#messagedigest-algorithms
. This is an optional field. If not specified, SHA3-512 is assumed to be the algorithm string.If passwords are in the clear, they are overwritten by their hash if all of the following criteria are met:
com.sun.management.jmxremote.password.toHashes
property is set to true in the management.properties
file.In order to change the password for a role, replace the hashed password entry with a new clear-text password or a new hashed password. If the new password is in the clear, it will be replaced with its hash when a new login attempt is made.
A given role should have at least one entry in this file. If a role has no entry, it has no access. If multiple entries are found for the same role name, then the last one is used.
A user generated hashed password file can also be used instead of a clear-text password file. If generated by the user, hashed passwords must follow the format specified above.
This file must be made accessible by ONLY the owner, otherwise the program will exit with an error.
In order to prevent inadvertent edits to the password file in a production environment, it is recommended that a read-only hashed password file be deployed. The hashed entries for clear passwords can be generated in advance by running the JMX agent.
It is recommended that the password file not be edited while the agent is running. Edits could be lost if a client connection triggers the hashing of the password file at the same time that the file is externally modified. The integrity of the file is guaranteed, but any external edits made to the file during the short period between the time that the agent reads the file and the time that it writes it back might be lost.
See JDK-5016517
Applications that either explicitly or implicitly call org.omg.CORBA.ORB.string_to_object
, and wish to ensure the integrity of the IDL stub type involved in the ORB::string_to_object
call flow, should specify additional IDL stub type checking. This is an "opt in" feature and is not enabled by default.
To take advantage of the additional type checking, the list of valid IDL interface class names of IDL stub classes is configured by one of the following:
Specifying the security property com.sun.CORBA.ORBIorTypeCheckRegistryFilter
located in the file conf/security/java.security
in Java SE 9 or in jre/lib/security/java.security
in Java SE 8 and earlier.
Specifying the system property com.sun.CORBA.ORBIorTypeCheckRegistryFilter
with the list of classes. If the system property is set, its value overrides the corresponding property defined in the java.security
configuration.
If the com.sun.CORBA.ORBIorTypeCheckRegistryFilter
property is not set, the type checking is only performed against a set of class names of the IDL interface types corresponding to the built-in IDL stub classes.
Improves G1 worst-case latencies by making the full GC parallel. The G1 garbage collector is designed to avoid full collections, but when the concurrent collections can't reclaim memory fast enough a fall back full GC will occur. The old implementation of the full GC for G1 used a single threaded mark-sweep-compact algorithm. With JEP 307 the full GC has been parallelized and now use the same amount of parallel worker threads as the young and mixed collections.
See JDK-8172890
Provides a default set of root Certification Authority (CA) certificates in the JDK.
The cacerts
keystore of the OpenJDK 9 binary for Linux x64 has been populated by JEP 319: Root Certificates [1] with a set of root certificates issued by the CAs of Oracle's Java SE Root CA Program. This addresses the problem of the empty cacerts
keystore in the OpenJDK 9 binary for Linux x64. The empty cacerts
keystore had prevented TLS connections from being established because Trusted Root Certificate Authorities were not installed. As a workaround for OpenJDK 9 binaries, users had to set the javax.net.ssl.trustStore
System Property to use a different keystore.
[1] https://bugs.java.com/view_bug.do?bug_id=JDK-8191486
See JDK-8189131
security-libs/javax.net.ssl
Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS
The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups
TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups
, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHEExtension
to false
.
See JDK-8140436
Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, a server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Property jdk.tls.useExtendedMasterSecret
to false
in the JDK. By setting the System Property jdk.tls.allowLegacyResumption
to false
, an application can reject abbreviated handshaking when the session hash and extended master secret extension are not negotiated. By setting the System Property jdk.tls.allowLegacyMasterSecret
to false
, an application can reject connections that do not support the session hash and extended master secret extension.
See JDK-8148421
Bytecode generation has been improved for enhanced for loops, providing an improvement in the translation approach for them. For example:
List<String> data = new ArrayList<>(); for (String b : data);
The following is the code generated after the enhancement:
{ /*synthetic*/ Iterator i$ = data.iterator(); for (; i$.hasNext(); ) { String b = (String)i$.next(); } b = null; i$ = null; }
Declaring the iterator variable outside of the for loop allows a null to be assigned to it as soon as it is no longer used. This makes it accessible to the GC, which can then get rid of the unused memory. Something similar is done for the case when the expression in the enhanced for loop is an array.
See JDK-8175883
A new javadoc command-line option, --add-stylesheet
, has been added to the javadoc tool. The new --add-stylesheet
option provides support for the use of multiple stylesheets in the generated documentation. The existing -stylesheetfile
option now has an alias, --main-stylesheet
, to help distinguish the main stylesheet from any additional stylesheets. For more details, see the javadoc section in the Tools Reference document.
See JDK-8185371
A new option --overridden-methods=
value, has been added to the javadoc tool. Many classes override inherited methods without changing the specification. The --overridden-methods=
value option can be used to group these methods with other inherited methods, instead of documenting them in detail with the other methods declared in the class. For more details, see the javadoc section in the Tools Reference document.
See JDK-8157000
A new inline tag, {@summary ...}
, has been added to explicitly specify the text used as the summary of the API description. By default, the summary of an API description is inferred from the first sentence. This is determined by using either a simple algorithm or java.text.BreakIterator
. However, the heuristics for this are not always correct and can lead to an incorrect determination of the end of the first sentence. The new tag enables the API summary text to be explicitly set instead of inferred. Please refer to Documentation Comment Specification for the Standard Doclet.
See JDK-8173425
This section describes the APIs, features, and options that were removed in Java SE 10 and JDK 10. Another source of information about features and options removed in Java SE 10 and JDK 10 is the Java SE 10 (18.3) ( JSR 383) specification, which documents changes to the specification made between Java SE 9 and Java SE 10. This document includes the identification of removed APIs and features not described here. The descriptions below might also identify potential compatibility issues that you could encounter when migrating to JDK 10. See the Compatibility & Specification Review (CSR) page on the OpenJDK wiki for information about compatibility as it relates to JDK 10.
It is no longer possible for applications to use old or unsupported LookAndFeels. Some applications (such as, Nimbus and Aqua) used old class names to instantiate JDK internal Swing LookAndFeels. For example:
javax.swing.UIManager.setLookAndFeel
("com.sun.java.swing.plaf.nimbus.NimbusLookAndFeel");
javax.swing.UIManager.setLookAndFeel("apple.laf.AquaLookAndFeel");
These classes were internal to the JDK and applications should have always treated them as such. Applications that use these class names to instantiate JDK internal Swing LookAndFeels must migrate now to the following APIs:
UIManager.setLookAndFeel("javax.swing.plaf.nimbus.NimbusLookAndFeel");
UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());
See JDK-8185683
The methods Runtime.getLocalizedInputStream
and Runtime.getLocalizedOutputStream
have been removed. They were part of an obsolete internationalization mechanism and have no known uses.
See JDK-8177681
The RMI Multiplex protocol was disabled in JDK 9 and has been removed. For the background and history see JDK-8087189.
See JDK-8087189
The com.sun.java.browser.plugin2.DOM
, and sun.plugin.dom.DOMObject
APIs have been removed. Applications can use netscape.javascript.JSObject
to manipulate the DOM.
JDK-8133601 (not public)
The FlatProfiler, deprecated in JDK 9, has been made obsolete by removing the implementation code. The FlatProfiler was enabled by setting the -Xprof
VM argument. The -Xprof
flag remains recognized in this release; however, setting it will print out a warning message.
See JDK-8173715
The obsolete HotSpot VM options (-Xoss
, -Xsqnopause
, -Xoptimize
, -Xboundthreads
, and -Xusealtsigs
) have been removed.
See JDK-8179018
The HostServices::getWebContext
method, which was deprecated for removal in JDK 9, has been removed. There is no replacement for this functionality. Applications will no longer be able to communicate with the enclosing web page of a JavaFX Applet. Note that the Java Plug-in, on which this functionality depends, is deprecated for removal as well.
See JDK-8187149
The T2K rasterizer and ICU layout engine have been removed from JavaFX.
See JDK-8187147
Support for VP6 video encoding format and FXM/FLV container has been removed in JavaFX Media. Users are encouraged to use H.264/AVC1 in the MP4 container or HTTP Live Streaming instead.
See JDK-8187637
The following pre-1.2 deprecated java.lang.SecurityManager
methods and fields that were marked forRemoval=true
have been removed:
inCheck
fieldgetInCheck
methodclassDepth
methodclassLoaderDepth
methodcurrentClassLoader
methodcurrentLoadedClass
methodinClass
methodinClassLoader
methodIn addition, the deprecated checkMemberAccess
method has been changed to throw a SecurityException
if the caller has not been granted AllPermission
. This method is error-prone and users should instead invoke the checkPermission
method directly.
See JDK-8186535
The policytool
security tool has been removed from the JDK.
See JDK-8148371
The following deprecated classes that were marked for removal in JDK 9 have been removed:
com.sun.security.auth.PolicyFile
com.sun.security.auth.SolarisNumericGroupPrincipal
com.sun.security.auth.SolarisNumericUserPrincipal
com.sun.security.auth.SolarisPrincipal
com.sun.security.auth.X500Principal
com.sun.security.auth.module.SolarisLoginModule
com.sun.security.auth.module.SolarisSystem
See JDK-8159544
The old (JDK 6, JDK 7 and JDK 8 era) standard doclet, which outputs HTML content, and which has been superseded by a replacement, has been removed in this release. The underlying javadoc API (see com.sun.javadoc
in the API documentation) has been deprecated, but is still available for the time being, for use by user-provided doclets.
See JDK-8177511
As previously announced, the native-header tool, javah
, has been removed.
Native headers can now be generated by using the Java compiler, javac
, with the -h
option.
See JDK-8182758
The java
launcher's data model selection options (-d32, -d64, -J-d32 and -J-d64) have been removed. They are obsolete and were previously deprecated. To prevent the launcher from failing, users must remove usages of these options when invoking the java
launcher or tools such as javac
and javah
.
See JDK-8180286
This section describes the deprecated APIs, features, and options that have been identified as deprecated in this release and are subject to removal from future versions of Java SE and the JDK. They should be used with that possibility in mind.
Other sources of information about the APIs, features, and options deprecated in Java SE 10 and JDK 10 include:
You should be aware of the contents in those documents as well as the items described in this release notes page.
The descriptions of deprecated APIs might include references to the deprecation warnings of forRemoval=true
and forRemoval=false
. The forRemoval=true
text indicates that a deprecated API might be removed from the next major release. The forRemoval=false
text indicates that a deprecated API is not expected to be removed from the next major release but might be removed in some later release.
Note: JEP 277: Enhanced Deprecation provides a detailed description of the updated deprecation policy. You should be aware of the policy described in this document.
The descriptions below also identify potential compatibility issues that you might encounter when migrating to JDK 10. See the JDK 10 Migration Guide for descriptions of specific compatibility issues. See the Compatibility & Specification Review (CSR) page on the OpenJDK wiki for information about compatibility as it relates to JDK 10.
The jdk.snmp
module that provides the SNMP monitoring and management support for the Java virtual machine has been deprecated and is planned to be removed in a future release.
A warning message for deprecation is emitted when JVM SNMP monitoring is enabled (via the com.sun.management.snmp.port
property configured in the management.properties
configuration file).
JDK-8194051 (not public)
The deprecated java.security.{Certificate, Identity, IdentityScope, Signer}
classes have been marked forRemoval=true
and are subject to removal in a future version of Java SE.
See JDK-8175091
The deprecated java.security.acl
APIs have been marked forRemoval=true
and are subject to removal in a future version of Java SE.
See JDK-8175094
The deprecated javax.security.auth.Policy
class has been marked forRemoval=true
and will be removed in a future release. The javax.security.auth.Policy
class has been deprecated since JDK 1.4 and superseded or replaced by java.security.Policy
.
See JDK-8159535
The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.
The class file version has been changed from 53 (or 44 + 9) to 54 (44 +10), even though JDK 10 did not introduce other changes to the class file format.
The OpenJDK community has adopted a new time-based release model, in which major releases of the Java platform occur every 6 months. As a consequence, it is anticipated that class file changes will also occur more rapidly. To ensure predictability for the tooling that processes class file bytes, the class file version will be incremented every major release even if there are no other changes to the class file format. In effect, the class file version will be 44 + $FEATURE, where $FEATURE is the feature-release counter (previously referred to as the major number) of the Java SE Platform and the JDK version string.
See JDK-8191510
This release adds support for automatically showing the touch keyboard for Swing/AWT text components on Microsoft Windows 8 or later. A user can display the touch keyboard either by using a touch screen to tap the text component area or by using a mouse to click in the area, when a keyboard is not attached to a computer.
The system property awt.touchKeyboardAutoShowIsEnabled
controls whether this functionality is enabled in the JDK. This functionality is enabled by default. However, if the functionality is not needed, the user can switch it off from the command line by setting the system property to false
:
-Dawt.touchKeyboardAutoShowIsEnabled=false
See JDK-8166772
On macOS, the java.awt.TrayIcon.displayMessage()
method has been re-implemented to use the NSUserNotification
api to show messages to users. New messages on macOS are now shown by using the standard notification center instead of a custom window.
See JDK-8187639
The specifications of FileInputStream
and FileOutputStream
are changed to require calling the close
method when "there are no more references to the stream" only in the case where it would affect a subclass that has overridden the close
method. The stream's finalize
method does not call close
directly in this case. In other cases, the release of resources is implementation specific. Refer to the FileInputStream
and FileOutputStream
documentation for recommendations.
See JDK-8080225
The bootstrap class loader has been changed to skip an empty element specified in -Xbootclasspath/a
when locating resources. This change might impact existing code that relies on an empty element in the boot class path to find resources in the current working directory. Those applications will now need to use the -Xbootclasspath/a
option to properly set the directory that the bootstrap class loader searches when locating resources.
See JDK-8185540
The RMI Registry built-in serial filter has been modified to check only the array size and not the component type. The maximum array size has been increased to 1,000,000. The override filter can be used to decrease the limit. Array sizes greater than the maxarray limit will be rejected. Sizes less than the maxarray limit will be allowed.
The java.security
file contains more information about the sun.rmi.registry.registryFilter
property and the conf/security/java.security
configuration file has been updated to better describe the default behavior and how to override it.
See JDK-8185346
A new validation for the impact
parameter of javax.management.MBeanOperationInfo.MBeanOperationInfo
constructor has been introduced. MBeanOperationInfo
now throws a new IllegalArgumentException
if the impact
provided is not one of INFO, ACTION, ACTION_INFO, or UNKNOWN.
See JDK-8024352
New public attributes, RMIConnectorServer.CREDENTIALS_FILTER_PATTERN
and RMIConnectorServer.SERIAL_FILTER_PATTERN
have been added to RMIConnectorServer.java
. With these new attributes, users can specify the deserialization filter pattern strings to be used while making a RMIServer.newClient()
remote call and while sending deserializing parameters over RMI to server respectively.
The user can also provide a filter pattern string to the default agent via management.properties. As a result, a new attribute is added to management.properties.
Existing attribute RMIConnectorServer.CREDENTIAL_TYPES
is superseded by RMIConnectorServer.CREDENTIALS_FILTER_PATTERN
and has been removed.
JDK-8159377 (not public)
A deprecation warning dialog has been added that is shown the first time an application is launched via Java Web Start.
JDK-8191920 (not public)
The two flags, TraceYoungGenTime
and TraceOldGenTime
, have been removed. The same information is now available by using Unified Logging and enabling the tag-set gc+heap+exit
at the debug level.
See JDK-8184286
The default value for BiasedLockingStartupDelay
has been changed to 0. The flag BiasedLockingStartupDelay
previously had the default value 4000 which delayed the use of biased locking with 4 s (4000 ms). The reason for this delay was performance but recent performance runs show no difference between the 4000 ms delay and no delay. Since having the delay will cause other parts of the VM to do extra work, having the default set to 0 makes more sense.
See JDK-8180421
The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:
The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux-based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:
-XX:-UseContainerSupport
In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:
-XX:ActiveProcessorCount=count
This count overrides any other automatic CPU detection logic in the JVM.
Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:
-XX:InitialRAMPercentage
-XX:MaxRAMPercentage
-XX:MinRAMPercentage
These options replace the deprecated Fraction forms (-XX:InitialRAMFraction
, -XX:MaxRAMFraction
, and -XX:MinRAMFraction
).
/proc/pid/root
and namespace awareThis bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.
See JDK-8146115
If krb5.conf
contains the "includedir DIRNAME" directive and a file in this directory has a name ending with .conf
, its content will be included in krb5.conf
. Before this change, only those files whose names consisted solely of alphanumeric characters, dashes, or underscores were included.
See JDK-8177085
New Class AST nodes with an enclosing instance that incorrectly return a null have been fixed. In some cases, the getEnclosingExpression()
method of the NewClassTree AST node was returning null for code like:
<enclosing>.new <Class>(...) { ... }
This has been fixed, and getEnclosingExpression()
now returns the enclosing expression.
See JDK-8044853
An enhancement has been made to improve the error message produced by javac
when a java.lang.IllegalAccessError
is thrown because external tools have loaded javac
classes with multiple class loaders.
See JDK-8167638
The javadoc tool has been changed to treat failure to access a URL as an error instead of a warning. If javadoc cannot access the contents of a URL provided with the -link
or -linkoffline
options, the tool will now report an error. Previously, the tool continued with a warning and produced incorrect documentation output.
See JDK-8180019
The standard doclet has been updated to copy HTML files in the doc-files subdirectories for the packages being documented to the document output directory. The content of these files are wrapped with the standard header, footer, and navigation bars. In addition, any appropriate comment tags within these files are processed.
Note: Some files may not be wrapped. This is a known bug.
See JDK-8185985
The time needed to start JShell has been significantly reduced, especially in cases where a start file with many snippets is used.
See JDK-8186694
The @Deprecated
annotation has been removed from the newFactory()
method in javax.xml.stream.XMLInputFactory
. In Java SE 9, an @Deprecated
annotation was incorrectly added to the newFactory()
method in javax.xml.stream.XMLInputFactory
. The method should not have been deprecated. Applications using the newInstance()
method are not affected.
See JDK-8183519
Java SE 9 changes the JDK's Transform
, Validation
and XPath
implementations to use the JDK's system-default parser even when a third party parser is on the classpath. In order to override the JDK system-default parser, applications need to explicitly set the new System property jdk.xml.overrideDefaultParser
.
The overrideDefaultParser
property is supported by the following APIs:
The overrideDefaultParser
property can be set through the System.setProperty.
The overrideDefaultParser
property can be set in the JAXP configuration file jaxp.properties
.
The overrideDefaultParser
property follows the same rule as other JDK JAXP properties in that a setting of a narrower scope takes preference over that of a wider scope. A setting through the API overrides the System property which in turn overrides that in the jaxp.properties
file.
JDK-8186080 (not public)
A number of java.xml
APIs containing method declarations with raw types have been updated to add a type parameter. The updated methods are:
javax.xml.namespace.NamespaceContext
Iterator<String> getPrefixes(String namespaceURI);
javax.xml.xpath.XPathFunction
public Object evaluate(List<?> args)
org.xml.sax.helpers.NamespaceSupport
public Enumeration<String> getPrefixes ()
public Enumeration<String> getPrefixes (String uri)
public Enumeration<String> getDeclaredPrefixes ()
See JDK-8181149