Movatterモバイル変換

JDK 10 Release Notes

SeeJDK-8140281

Several new APIs have been added that facilitate the creation of unmodifiable collections. TheList.copyOf,Set.copyOf, andMap.copyOf methods create new collection instances from existing instances. New methodstoUnmodifiableList,toUnmodifiableSet, andtoUnmodifiableMap have been added to theCollectors class in the Stream package. These allow the elements of a Stream to be collected into an unmodifiable collection.

SeeJDK-8177290

A new system propertyjdk.disableLastUsageTracking has been introduced to disable JRE last usage tracking for a running VM. This property can be set in the command line by using either-Djdk.disableLastUsageTracking=true or-Djdk.disableLastUsageTracking. With this system property set, JRE last usage tracking will be disabled regardless of thecom.oracle.usagetracker.track.last.usage property value set inusagetracker.properties.

JDK-8192039 (not public)

The clear passwords present in thejmxremote.password file are now being over-written with their SHA3-512 hash by the JMX agent. Each line for the role follows the format:

role_name W hashedPassword

Where:

• role_name is any string that does not itself contain spaces or tabs.
• W = spaces or tabs

The hashed password follows the format:

hashedPassword = base64_encoded_64_byte_salt W base64_encoded_hash W hash_algorithm

Where:

• base64_encoded_64_byte_salt = 64 byte random salt
• base64_encoded_hash = Hash_algorithm (password + salt)
• W = spaces or tabs
• hash_algorithm = Algorithm string specified using a format inhttps://docs.oracle.com/javase/10/docs/specs/security/standard-names.html#messagedigest-algorithms. This is an optional field. If not specified, SHA3-512 is assumed to be the algorithm string.

If passwords are in the clear, they are overwritten by their hash if all of the following criteria are met:

1. com.sun.management.jmxremote.password.toHashes property is set to true in themanagement.properties file.
2. The password file is writable.
3. The system security policy allows writing into the password file if a security manager is configured.

In order to change the password for a role, replace the hashed password entry with a new clear-text password or a new hashed password. If the new password is in the clear, it will be replaced with its hash when a new login attempt is made.

A given role should have at least one entry in this file. If a role has no entry, it has no access. If multiple entries are found for the same role name, then the last one is used.

A user generated hashed password file can also be used instead of a clear-text password file. If generated by the user, hashed passwords must follow the format specified above.

This file must be made accessible by ONLY the owner, otherwise the program will exit with an error.

In order to prevent inadvertent edits to the password file in a production environment, it is recommended that a read-only hashed password file be deployed. The hashed entries for clear passwords can be generated in advance by running the JMX agent.

It is recommended that the password file not be edited while the agent is running. Edits could be lost if a client connection triggers the hashing of the password file at the same time that the file is externally modified. The integrity of the file is guaranteed, but any external edits made to the file during the short period between the time that the agent reads the file and the time that it writes it back might be lost.

SeeJDK-5016517

Applications that either explicitly or implicitly callorg.omg.CORBA.ORB.string_to_object, and wish to ensure the integrity of the IDL stub type involved in theORB::string_to_object call flow, should specify additional IDL stub type checking. This is an "opt in" feature and is not enabled by default.

To take advantage of the additional type checking, the list of valid IDL interface class names of IDL stub classes is configured by one of the following:

• Specifying the security propertycom.sun.CORBA.ORBIorTypeCheckRegistryFilter located in the fileconf/security/java.security in Java SE 9 or injre/lib/security/java.security in Java SE 8 and earlier.

• Specifying the system propertycom.sun.CORBA.ORBIorTypeCheckRegistryFilter with the list of classes. If the system property is set, its value overrides the corresponding property defined in thejava.security configuration.

If thecom.sun.CORBA.ORBIorTypeCheckRegistryFilter property is not set, the type checking is only performed against a set of class names of the IDL interface types corresponding to the built-in IDL stub classes.

Improves G1 worst-case latencies by making the full GC parallel. The G1 garbage collector is designed to avoid full collections, but when the concurrent collections can't reclaim memory fast enough a fall back full GC will occur. The old implementation of the full GC for G1 used a single threaded mark-sweep-compact algorithm. With JEP 307 the full GC has been parallelized and now use the same amount of parallel worker threads as the young and mixed collections.

SeeJDK-8172890

Provides a default set of root Certification Authority (CA) certificates in the JDK.

Thecacerts keystore of the OpenJDK 9 binary for Linux x64 has been populated byJEP 319: Root Certificates [1] with a set of root certificates issued by the CAs of Oracle's Java SE Root CA Program. This addresses the problem of the emptycacerts keystore in the OpenJDK 9 binary for Linux x64. The emptycacerts keystore had prevented TLS connections from being established because Trusted Root Certificate Authorities were not installed. As a workaround for OpenJDK 9 binaries, users had to set thejavax.net.ssl.trustStore System Property to use a different keystore.

[1] https://bugs.java.com/view_bug.do?bug_id=JDK-8191486

SeeJDK-8189131

Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, a server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Propertyjdk.tls.useExtendedMasterSecret tofalse in the JDK. By setting the System Propertyjdk.tls.allowLegacyResumption tofalse, an application can reject abbreviated handshaking when the session hash and extended master secret extension are not negotiated. By setting the System Propertyjdk.tls.allowLegacyMasterSecret tofalse, an application can reject connections that do not support the session hash and extended master secret extension.

SeeJDK-8148421

Bytecode generation has been improved for enhanced for loops, providing an improvement in the translation approach for them. For example:

The following is the code generated after the enhancement:

Declaring the iterator variable outside of the for loop allows a null to be assigned to it as soon as it is no longer used. This makes it accessible to the GC, which can then get rid of the unused memory. Something similar is done for the case when the expression in the enhanced for loop is an array.

SeeJDK-8175883

A new javadoc command-line option,--add-stylesheet, has been added to the javadoc tool. The new--add-stylesheet option provides support for the use of multiple stylesheets in the generated documentation. The existing-stylesheetfile option now has an alias,--main-stylesheet, to help distinguish the main stylesheet from any additional stylesheets. For more details, see thejavadoc section in the Tools Reference document.

SeeJDK-8185371

A new option--overridden-methods=value, has been added to the javadoc tool. Many classes override inherited methods without changing the specification. The--overridden-methods=value option can be used to group these methods with other inherited methods, instead of documenting them in detail with the other methods declared in the class. For more details, see thejavadoc section in the Tools Reference document.

SeeJDK-8157000

A new inline tag,{@summary ...}, has been added to explicitly specify the text used as the summary of the API description. By default, the summary of an API description is inferred from the first sentence. This is determined by using either a simple algorithm orjava.text.BreakIterator. However, the heuristics for this are not always correct and can lead to an incorrect determination of the end of the first sentence. The new tag enables the API summary text to be explicitly set instead of inferred. Please refer toDocumentation Comment Specification for the Standard Doclet.

SeeJDK-8173425

It is no longer possible for applications to use old or unsupported LookAndFeels. Some applications (such as, Nimbus and Aqua) used old class names to instantiate JDK internal Swing LookAndFeels. For example:

• javax.swing.UIManager.setLookAndFeel

• javax.swing.UIManager.setLookAndFeel("apple.laf.AquaLookAndFeel");

These classes were internal to the JDK and applications should have always treated them as such. Applications that use these class names to instantiate JDK internal Swing LookAndFeels must migrate now to the following APIs:

• For Nimbus use:

UIManager.setLookAndFeel("javax.swing.plaf.nimbus.NimbusLookAndFeel");

• For Aqua use:

UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());

SeeJDK-8185683

The methodsRuntime.getLocalizedInputStream andRuntime.getLocalizedOutputStream have been removed. They were part of an obsolete internationalization mechanism and have no known uses.

SeeJDK-8177681

The RMI Multiplex protocol was disabled in JDK 9 and has been removed. For the background and history seeJDK-8087189.

SeeJDK-8087189

Thecom.sun.java.browser.plugin2.DOM, andsun.plugin.dom.DOMObject APIs have been removed. Applications can usenetscape.javascript.JSObject to manipulate the DOM.

Deprecated Features and Options

This section describes the deprecated APIs, features, and options that have been identified as deprecated in this release and are subject to removal from future versions of Java SE and the JDK. They should be used with that possibility in mind.

Other sources of information about the APIs, features, and options deprecated in Java SE 10 and JDK 10 include:

• Deprecated API page (API specification) - Identifies all deprecated APIs including those deprecated in Java SE 10.
• Java SE 10 (18.3) ( JSR 383) specification - Documents changes to the specification made between Java SE 9 and Java SE 10 that include the identification of deprecated APIs and features not described here.

You should be aware of the contents in those documents as well as the items described in this release notes page.

The descriptions of deprecated APIs might include references to the deprecation warnings offorRemoval=true andforRemoval=false. TheforRemoval=true text indicates that a deprecated API might be removed from the next major release. TheforRemoval=false text indicates that a deprecated API is not expected to be removed from the next major release but might be removed in some later release.

Note: JEP 277: Enhanced Deprecation provides a detailed description of the updated deprecation policy. You should be aware of the policy described in this document.

The descriptions below also identify potential compatibility issues that you might encounter when migrating to JDK 10. See the JDK 10 Migration Guide for descriptions of specific compatibility issues. See theCompatibility & Specification Review (CSR) page on the OpenJDK wiki for information about compatibility as it relates to JDK 10.

The deprecatedjava.security.{Certificate, Identity, IdentityScope, Signer} classes have been markedforRemoval=true and are subject to removal in a future version of Java SE.

SeeJDK-8175091

The deprecatedjava.security.acl APIs have been markedforRemoval=true and are subject to removal in a future version of Java SE.

SeeJDK-8175094

The deprecatedjavax.security.auth.Policy class has been markedforRemoval=true and will be removed in a future release. Thejavax.security.auth.Policy class has been deprecated since JDK 1.4 and superseded or replaced byjava.security.Policy.

SeeJDK-8159535

SeeJDK-8191510

This release adds support for automatically showing the touch keyboard for Swing/AWT text components on Microsoft Windows 8 or later. A user can display the touch keyboard either by using a touch screen to tap the text component area or by using a mouse to click in the area, when a keyboard is not attached to a computer.

The system propertyawt.touchKeyboardAutoShowIsEnabled controls whether this functionality is enabled in the JDK. This functionality is enabled by default. However, if the functionality is not needed, the user can switch it off from the command line by setting the system property tofalse:

-Dawt.touchKeyboardAutoShowIsEnabled=false

SeeJDK-8166772

On macOS, thejava.awt.TrayIcon.displayMessage() method has been re-implemented to use theNSUserNotification api to show messages to users. New messages on macOS are now shown by using the standard notification center instead of a custom window.

SeeJDK-8187639

The specifications ofFileInputStream andFileOutputStream are changed to require calling theclose method when "there are no more references to the stream" only in the case where it would affect a subclass that has overridden theclose method. The stream'sfinalize method does not callclose directly in this case. In other cases, the release of resources is implementation specific. Refer to theFileInputStream andFileOutputStream documentation for recommendations.

SeeJDK-8080225

The bootstrap class loader has been changed to skip an empty element specified in-Xbootclasspath/a when locating resources. This change might impact existing code that relies on an empty element in the boot class path to find resources in the current working directory. Those applications will now need to use the-Xbootclasspath/a option to properly set the directory that the bootstrap class loader searches when locating resources.

SeeJDK-8185540

The RMI Registry built-in serial filter has been modified to check only the array size and not the component type. The maximum array size has been increased to 1,000,000. The override filter can be used to decrease the limit. Array sizes greater than the maxarray limit will be rejected. Sizes less than the maxarray limit will be allowed.

Thejava.security file contains more information about thesun.rmi.registry.registryFilter property and theconf/security/java.security configuration file has been updated to better describe the default behavior and how to override it.

SeeJDK-8185346

A new validation for theimpact parameter ofjavax.management.MBeanOperationInfo.MBeanOperationInfo constructor has been introduced.MBeanOperationInfo now throws a newIllegalArgumentException if theimpact provided is not one of INFO, ACTION, ACTION_INFO, or UNKNOWN.

SeeJDK-8024352

New public attributes,RMIConnectorServer.CREDENTIALS_FILTER_PATTERN andRMIConnectorServer.SERIAL_FILTER_PATTERN have been added toRMIConnectorServer.java. With these new attributes, users can specify the deserialization filter pattern strings to be used while making aRMIServer.newClient() remote call and while sending deserializing parameters over RMI to server respectively.

The user can also provide a filter pattern string to the default agent via management.properties. As a result, a new attribute is added to management.properties.

Existing attributeRMIConnectorServer.CREDENTIAL_TYPES is superseded byRMIConnectorServer.CREDENTIALS_FILTER_PATTERN and has been removed.

JDK-8159377 (not public)

A deprecation warning dialog has been added that is shown the first time an application is launched via Java Web Start.

JDK-8191920 (not public)

The two flags,TraceYoungGenTime andTraceOldGenTime, have been removed. The same information is now available by using Unified Logging and enabling the tag-setgc+heap+exit at the debug level.

SeeJDK-8184286

The default value forBiasedLockingStartupDelay has been changed to 0. The flagBiasedLockingStartupDelay previously had the default value 4000 which delayed the use of biased locking with 4 s (4000 ms). The reason for this delay was performance but recent performance runs show no difference between the 4000 ms delay and no delay. Since having the delay will cause other parts of the VM to do extra work, having the default set to 0 makes more sense.

SeeJDK-8180421

The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:

• JDK-8146115 Improve docker container detection and resource configuration usage

The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux-based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:

-XX:-UseContainerSupport

In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:

-XX:ActiveProcessorCount=count

This count overrides any other automatic CPU detection logic in the JVM.

• JDK-8186248 Allow more flexibility in selecting Heap % of available RAM

Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:

-XX:InitialRAMPercentage
-XX:MaxRAMPercentage
-XX:MinRAMPercentage

These options replace the deprecated Fraction forms (-XX:InitialRAMFraction,-XX:MaxRAMFraction, and-XX:MinRAMFraction).

• JDK-8179498 attach in Linux should be relative to /proc/pid/root and namespace aware

This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.

SeeJDK-8146115

Ifkrb5.conf contains the "includedir DIRNAME" directive and a file in this directory has a name ending with.conf, its content will be included inkrb5.conf. Before this change, only those files whose names consisted solely of alphanumeric characters, dashes, or underscores were included.

SeeJDK-8177085

New Class AST nodes with an enclosing instance that incorrectly return a null have been fixed. In some cases, thegetEnclosingExpression() method of the NewClassTree AST node was returning null for code like:

This has been fixed, andgetEnclosingExpression() now returns the enclosing expression.

SeeJDK-8044853

An enhancement has been made to improve the error message produced byjavac when ajava.lang.IllegalAccessError is thrown because external tools have loadedjavac classes with multiple class loaders.

SeeJDK-8167638

The javadoc tool has been changed to treat failure to access a URL as an error instead of a warning. If javadoc cannot access the contents of a URL provided with the-link or-linkoffline options, the tool will now report an error. Previously, the tool continued with a warning and produced incorrect documentation output.

SeeJDK-8180019

The standard doclet has been updated to copy HTML files in the doc-files subdirectories for the packages being documented to the document output directory. The content of these files are wrapped with the standard header, footer, and navigation bars. In addition, any appropriate comment tags within these files are processed.

Note: Some files may not be wrapped. This is a known bug.

SeeJDK-8185985

The time needed to start JShell has been significantly reduced, especially in cases where a start file with many snippets is used.

SeeJDK-8186694

The@Deprecated annotation has been removed from thenewFactory() method injavax.xml.stream.XMLInputFactory. In Java SE 9, an@Deprecated annotation was incorrectly added to thenewFactory() method injavax.xml.stream.XMLInputFactory. The method should not have been deprecated. Applications using thenewInstance() method are not affected.

SeeJDK-8183519

Java SE 9 changes the JDK'sTransform,Validation andXPath implementations to use the JDK's system-default parser even when a third party parser is on the classpath. In order to override the JDK system-default parser, applications need to explicitly set the new System propertyjdk.xml.overrideDefaultParser.

1. Support through the API

   TheoverrideDefaultParser property is supported by the following APIs:

   1. TransformerFactory::setFeature
   2. SchemaFactory::setFeature
   3. Validator::setFeature
   4. XPathFactory::setFeature
2. Support as a System property

TheoverrideDefaultParser property can be set through the System.setProperty.

3. Support as a JAXP system property

TheoverrideDefaultParser property can be set in the JAXP configuration filejaxp.properties.

4. Scope and order

TheoverrideDefaultParser property follows the same rule as other JDK JAXP properties in that a setting of a narrower scope takes preference over that of a wider scope. A setting through the API overrides the System property which in turn overrides that in thejaxp.properties file.

A number ofjava.xml APIs containing method declarations with raw types have been updated to add a type parameter. The updated methods are:

• javax.xml.namespace.NamespaceContext

Iterator<String> getPrefixes(String namespaceURI);

• javax.xml.xpath.XPathFunction

public Object evaluate(List<?> args)

• org.xml.sax.helpers.NamespaceSupport

public Enumeration<String> getPrefixes ()public Enumeration<String> getPrefixes (String uri)public Enumeration<String> getDeclaredPrefixes ()

SeeJDK-8181149