changeset 43256:6ae453d6bc05

Merge
author duke
date Wed, 05 Jul 2017 22:44:27 +0200
parents c910b570468e 909b0dad8817
children f18ab4800cc7
files jdk/make/copy/Copy-jdk.crypto.token.gmk jdk/make/lib/Lib-jdk.crypto.token.gmk jdk/src/java.base/share/classes/sun/security/util/AuthResourcesProvider.java jdk/src/java.base/share/classes/sun/security/util/AuthResourcesProviderImpl.java jdk/src/jdk.crypto.token/share/classes/module-info.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Config.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/KeyCache.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Cipher.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11DHKeyFactory.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11DSAKeyFactory.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Digest.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11ECDHKeyAgreement.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11ECKeyFactory.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Key.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyAgreement.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyFactory.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyGenerator.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11KeyStore.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Mac.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11RSACipher.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11SecureRandom.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Signature.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsMasterSecretGenerator.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsPrfGenerator.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11TlsRsaPremasterSecretGenerator.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/P11Util.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Secmod.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Session.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/SessionManager.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/SunPKCS11.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/TemplateManager.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/Token.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_ATTRIBUTE.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_CREATEMUTEX.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_C_INITIALIZE_ARGS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_DATE.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_DESTROYMUTEX.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_ECDH1_DERIVE_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_ECDH2_DERIVE_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_INFO.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_LOCKMUTEX.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM_INFO.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_NOTIFY.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_OAEP_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_RSA_PKCS_PSS_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SESSION_INFO.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SLOT_INFO.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_TOKEN_INFO.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_UNLOCKMUTEX.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_VERSION.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH1_DERIVE_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/CK_X9_42_DH2_DERIVE_PARAMS.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/Constants.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/Functions.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11/wrapper/PKCS11RuntimeException.java jdk/src/jdk.crypto.token/share/legal/pkcs11cryptotoken.md jdk/src/jdk.crypto.token/share/legal/pkcs11wrapper.md jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.h jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_convert.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_crypt.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_digest.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_dual.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_general.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_keymgmt.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_mutex.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_objmgmt.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sessmgmt.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sign.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_util.c jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs-11v2-20a3.h jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11.h jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11f.h jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11t.h jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11wrapper.h jdk/src/jdk.crypto.token/solaris/conf/security/sunpkcs11-solaris.cfg jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.c jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.h jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.c jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.h jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/j2secmod_md.c jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/j2secmod_md.h jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/p11_md.c jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/p11_md.h jdk/src/linux/doc/man/ja/jvisualvm.1 jdk/src/linux/doc/man/jvisualvm.1 jdk/src/solaris/doc/sun/man/man1/ja/jvisualvm.1 jdk/src/solaris/doc/sun/man/man1/jvisualvm.1 jdk/test/java/lang/SecurityManager/RestrictedPackages.java
diffstat 549 files changed, 47483 insertions(+), 44720 deletions(-) [+]
line wrap: on
line diff
--- a/common/bin/unshuffle_list.txt	Fri Jan 20 19:09:53 2017 +0000
+++ b/common/bin/unshuffle_list.txt	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -1266,33 +1266,33 @@
 jdk/src/jdk.crypto.ec/share/native/libsunec/impl : jdk/src/share/native/sun/security/ec/impl
 jdk/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi : jdk/src/windows/classes/sun/security/mscapi
 jdk/src/jdk.crypto.mscapi/windows/native/libsunmscapi : jdk/src/windows/native/sun/security/mscapi
-jdk/src/jdk.crypto.token/share/classes/sun/security/pkcs11 : jdk/src/share/classes/sun/security/pkcs11
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.c : jdk/src/share/native/sun/security/pkcs11/j2secmod.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.h : jdk/src/share/native/sun/security/pkcs11/j2secmod.h
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_convert.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_crypt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_digest.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_dual.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_general.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_keymgmt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_mutex.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_objmgmt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sessmgmt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sign.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_util.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11f.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11f.h
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11.h
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11t.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs-11v2-20a3.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h
-jdk/src/jdk.crypto.token/share/native/libj2pkcs11/pkcs11wrapper.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h
-jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.c : jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.c
-jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.h : jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
-jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.c : jdk/src/solaris/native/sun/security/pkcs11/wrapper/p11_md.c
-jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.h : jdk/src/solaris/native/sun/security/pkcs11/wrapper/p11_md.h
-jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/j2secmod_md.c : jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.c
-jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/j2secmod_md.h : jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.h
-jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/p11_md.c : jdk/src/windows/native/sun/security/pkcs11/wrapper/p11_md.c
-jdk/src/jdk.crypto.token/windows/native/libj2pkcs11/p11_md.h : jdk/src/windows/native/sun/security/pkcs11/wrapper/p11_md.h
+jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11 : jdk/src/share/classes/sun/security/pkcs11
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.c : jdk/src/share/native/sun/security/pkcs11/j2secmod.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.h : jdk/src/share/native/sun/security/pkcs11/j2secmod.h
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_dual.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sessmgmt.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c : jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11f.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11f.h
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11.h
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11t.h
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs-11v2-20a3.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h
+jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11wrapper.h : jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h
+jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.c : jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.c
+jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.h : jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h
+jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.c : jdk/src/solaris/native/sun/security/pkcs11/wrapper/p11_md.c
+jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.h : jdk/src/solaris/native/sun/security/pkcs11/wrapper/p11_md.h
+jdk/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/j2secmod_md.c : jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.c
+jdk/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/j2secmod_md.h : jdk/src/windows/native/sun/security/pkcs11/j2secmod_md.h
+jdk/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/p11_md.c : jdk/src/windows/native/sun/security/pkcs11/wrapper/p11_md.c
+jdk/src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/p11_md.h : jdk/src/windows/native/sun/security/pkcs11/wrapper/p11_md.h
 jdk/src/java.desktop/macosx/native/libosx/CFileManager.m : jdk/src/macosx/native/com/apple/eio/CFileManager.m
 jdk/src/java.base/macosx/native/libosxsecurity/KeystoreImpl.m : jdk/src/macosx/native/apple/security/KeystoreImpl.m
 jdk/src/jdk.hprof.agent/share/classes/com/sun/demo/jvmti/hprof : jdk/src/share/classes/com/sun/demo/jvmti/hprof
--- a/common/nb_native/nbproject/configurations.xml	Fri Jan 20 19:09:53 2017 +0000
+++ b/common/nb_native/nbproject/configurations.xml	Wed Jul 05 22:44:27 2017 +0200
@@ -2166,7 +2166,7 @@
               </df>
             </df>
           </df>
-          <df name="jdk.crypto.token">
+          <df name="jdk.crypto.cryptoki">
             <df name="share">
               <df name="native">
                 <df name="libj2pkcs11">
@@ -29422,35 +29422,35 @@
         <cTool flags="5">
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_convert.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_crypt.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_digest.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_dual.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_dual.c"
             ex="false"
             tool="0"
             flavor2="2">
@@ -29460,63 +29460,63 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_general.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_keymgmt.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_mutex.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_objmgmt.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sessmgmt.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sign.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_util.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.c"
-            ex="false"
-            tool="0"
-            flavor2="3">
-        <cTool flags="5">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sessmgmt.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.c"
+            ex="false"
+            tool="0"
+            flavor2="3">
+        <cTool flags="5">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.c"
             ex="false"
             tool="0"
             flavor2="3">
@@ -31752,18 +31752,18 @@
           </preprocessorList>
         </ccTool>
       </folder>
-      <folder path="0/jdk/src/jdk.crypto.token">
-        <cTool>
-          <incDir>
-            <pElem>../../jdk/src/java.base/share/native/include</pElem>
-            <pElem>../../jdk/src/java.base/macosx/native/include</pElem>
-            <pElem>../../jdk/src/java.base/unix/native/include</pElem>
-            <pElem>../../jdk/src/java.base/share/native/libjava</pElem>
-            <pElem>../../jdk/src/java.base/unix/native/libjava</pElem>
-            <pElem>../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11</pElem>
-            <pElem>../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11</pElem>
-            <pElem>../../jdk/src/java.base/macosx/native/libjava</pElem>
-            <pElem>../../build/support/headers/jdk.crypto.token</pElem>
+      <folder path="0/jdk/src/jdk.crypto.cryptoki">
+        <cTool>
+          <incDir>
+            <pElem>../../jdk/src/java.base/share/native/include</pElem>
+            <pElem>../../jdk/src/java.base/macosx/native/include</pElem>
+            <pElem>../../jdk/src/java.base/unix/native/include</pElem>
+            <pElem>../../jdk/src/java.base/share/native/libjava</pElem>
+            <pElem>../../jdk/src/java.base/unix/native/libjava</pElem>
+            <pElem>../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11</pElem>
+            <pElem>../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11</pElem>
+            <pElem>../../jdk/src/java.base/macosx/native/libjava</pElem>
+            <pElem>../../build/support/headers/jdk.crypto.cryptoki</pElem>
             <pElem>../../make</pElem>
           </incDir>
           <preprocessorList>
@@ -31772,7 +31772,7 @@
           </preprocessorList>
         </cTool>
       </folder>
-      <folder path="0/jdk/src/jdk.crypto.token/unix">
+      <folder path="0/jdk/src/jdk.crypto.cryptoki/unix">
         <cTool>
           <preprocessorList>
             <Elem>THIS_FILE="j2secmod_md.c"</Elem>
@@ -44741,14 +44741,14 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.c"
-            ex="false"
-            tool="0"
-            flavor2="0">
-        <cTool flags="4">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_convert.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.c"
+            ex="false"
+            tool="0"
+            flavor2="0">
+        <cTool flags="4">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44758,7 +44758,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_crypt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44768,7 +44768,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_digest.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44778,7 +44778,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_dual.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_dual.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44788,7 +44788,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_general.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44798,7 +44798,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_keymgmt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44808,7 +44808,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_mutex.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44818,7 +44818,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_objmgmt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44828,7 +44828,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sessmgmt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sessmgmt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44838,7 +44838,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sign.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44848,7 +44848,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_util.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -44858,14 +44858,14 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.c"
-            ex="false"
-            tool="0"
-            flavor2="0">
-        <cTool flags="4">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.c"
+            ex="false"
+            tool="0"
+            flavor2="0">
+        <cTool flags="4">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -47795,18 +47795,18 @@
           </preprocessorList>
         </ccTool>
       </folder>
-      <folder path="0/jdk/src/jdk.crypto.token">
-        <cTool>
-          <incDir>
-            <pElem>../../jdk/src/java.base/share/native/include</pElem>
-            <pElem>../../jdk/src/java.base/linux/native/include</pElem>
-            <pElem>../../jdk/src/java.base/unix/native/include</pElem>
-            <pElem>../../jdk/src/java.base/share/native/libjava</pElem>
-            <pElem>../../jdk/src/java.base/unix/native/libjava</pElem>
-            <pElem>../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11</pElem>
-            <pElem>../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11</pElem>
-            <pElem>../../jdk/src/java.base/linux/native/libjava</pElem>
-            <pElem>../../build/support/headers/jdk.crypto.token</pElem>
+      <folder path="0/jdk/src/jdk.crypto.cryptoki">
+        <cTool>
+          <incDir>
+            <pElem>../../jdk/src/java.base/share/native/include</pElem>
+            <pElem>../../jdk/src/java.base/linux/native/include</pElem>
+            <pElem>../../jdk/src/java.base/unix/native/include</pElem>
+            <pElem>../../jdk/src/java.base/share/native/libjava</pElem>
+            <pElem>../../jdk/src/java.base/unix/native/libjava</pElem>
+            <pElem>../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11</pElem>
+            <pElem>../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11</pElem>
+            <pElem>../../jdk/src/java.base/linux/native/libjava</pElem>
+            <pElem>../../build/support/headers/jdk.crypto.cryptoki</pElem>
             <pElem>../../make</pElem>
           </incDir>
           <preprocessorList>
@@ -47815,7 +47815,7 @@
           </preprocessorList>
         </cTool>
       </folder>
-      <folder path="0/jdk/src/jdk.crypto.token/unix">
+      <folder path="0/jdk/src/jdk.crypto.cryptoki/unix">
         <cTool>
           <preprocessorList>
             <Elem>THIS_FILE="j2secmod_md.c"</Elem>
@@ -62728,14 +62728,14 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/j2secmod.c"
-            ex="false"
-            tool="0"
-            flavor2="0">
-        <cTool flags="2">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_convert.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/j2secmod.c"
+            ex="false"
+            tool="0"
+            flavor2="0">
+        <cTool flags="2">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62745,7 +62745,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_crypt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_crypt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62755,7 +62755,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_digest.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_digest.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62765,7 +62765,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_dual.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_dual.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62775,7 +62775,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_general.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_general.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62785,7 +62785,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_keymgmt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_keymgmt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62795,7 +62795,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_mutex.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_mutex.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62805,7 +62805,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_objmgmt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62815,7 +62815,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sessmgmt.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sessmgmt.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62825,7 +62825,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_sign.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_sign.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62835,7 +62835,7 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11/p11_util.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -62845,14 +62845,14 @@
           </preprocessorList>
         </cTool>
       </item>
-      <item path="../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/j2secmod_md.c"
-            ex="false"
-            tool="0"
-            flavor2="0">
-        <cTool flags="2">
-        </cTool>
-      </item>
-      <item path="../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11/p11_md.c"
+      <item path="../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/j2secmod_md.c"
+            ex="false"
+            tool="0"
+            flavor2="0">
+        <cTool flags="2">
+        </cTool>
+      </item>
+      <item path="../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11/p11_md.c"
             ex="false"
             tool="0"
             flavor2="0">
@@ -66281,18 +66281,18 @@
           </preprocessorList>
         </ccTool>
       </folder>
-      <folder path="0/jdk/src/jdk.crypto.token">
-        <cTool>
-          <incDir>
-            <pElem>../../jdk/src/java.base/share/native/include</pElem>
-            <pElem>../../jdk/src/java.base/solaris/native/include</pElem>
-            <pElem>../../jdk/src/java.base/unix/native/include</pElem>
-            <pElem>../../jdk/src/java.base/share/native/libjava</pElem>
-            <pElem>../../jdk/src/java.base/unix/native/libjava</pElem>
-            <pElem>../../jdk/src/jdk.crypto.token/share/native/libj2pkcs11</pElem>
-            <pElem>../../jdk/src/jdk.crypto.token/unix/native/libj2pkcs11</pElem>
-            <pElem>../../jdk/src/java.base/solaris/native/libjava</pElem>
-            <pElem>../../build/support/headers/jdk.crypto.token</pElem>
+      <folder path="0/jdk/src/jdk.crypto.cryptoki">
+        <cTool>
+          <incDir>
+            <pElem>../../jdk/src/java.base/share/native/include</pElem>
+            <pElem>../../jdk/src/java.base/solaris/native/include</pElem>
+            <pElem>../../jdk/src/java.base/unix/native/include</pElem>
+            <pElem>../../jdk/src/java.base/share/native/libjava</pElem>
+            <pElem>../../jdk/src/java.base/unix/native/libjava</pElem>
+            <pElem>../../jdk/src/jdk.crypto.cryptoki/share/native/libj2pkcs11</pElem>
+            <pElem>../../jdk/src/jdk.crypto.cryptoki/unix/native/libj2pkcs11</pElem>
+            <pElem>../../jdk/src/java.base/solaris/native/libjava</pElem>
+            <pElem>../../build/support/headers/jdk.crypto.cryptoki</pElem>
             <pElem>../../make</pElem>
           </incDir>
           <preprocessorList>
@@ -66301,7 +66301,7 @@
           </preprocessorList>
         </cTool>
       </folder>
-      <folder path="0/jdk/src/jdk.crypto.token/unix">
+      <folder path="0/jdk/src/jdk.crypto.cryptoki/unix">
         <cTool>
           <preprocessorList>
             <Elem>THIS_FILE="j2secmod_md.c"</Elem>
--- a/corba/src/java.corba/share/classes/com/sun/jndi/cosnaming/CNBindingEnumeration.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/corba/src/java.corba/share/classes/com/sun/jndi/cosnaming/CNBindingEnumeration.java	Wed Jul 05 22:44:27 2017 +0200
@@ -33,6 +33,8 @@
 
 import org.omg.CosNaming.*;
 
+import com.sun.jndi.toolkit.corba.CorbaUtils;
+
 /**
   * Implements the JNDI NamingEnumeration interface for COS
   * Naming. Gets hold of a list of bindings from the COS Naming Server
@@ -212,7 +214,10 @@
         Name cname = CNNameParser.cosNameToName(bndg.binding_name);
 
         try {
-            obj = NamingManager.getObjectInstance(obj, cname, _ctx, _env);
+            // Check whether object factory codebase is trusted
+            if (CorbaUtils.isObjectFactoryTrusted(obj)) {
+                obj = NamingManager.getObjectInstance(obj, cname, _ctx, _env);
+            }
         } catch (NamingException e) {
             throw e;
         } catch (Exception e) {
--- a/corba/src/java.corba/share/classes/com/sun/jndi/cosnaming/CNCtx.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/corba/src/java.corba/share/classes/com/sun/jndi/cosnaming/CNCtx.java	Wed Jul 05 22:44:27 2017 +0200
@@ -36,6 +36,8 @@
 import java.io.InputStreamReader;
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import org.omg.CosNaming.*;
 import org.omg.CosNaming.NamingContextPackage.*;
@@ -82,6 +84,19 @@
     private static final String FED_PROP = "com.sun.jndi.cosnaming.federation";
     boolean federation = false;
 
+    /**
+     * Determines whether classes may be loaded from an arbitrary URL code base.
+     */
+    public static final boolean trustURLCodebase;
+    static {
+        // System property to control whether classes may be loaded from an
+        // arbitrary URL code base
+        PrivilegedAction<String> act = () -> System.getProperty(
+            "com.sun.jndi.cosnaming.object.trustURLCodebase", "false");
+        String trust = AccessController.doPrivileged(act);
+        trustURLCodebase = "true".equalsIgnoreCase(trust);
+    }
+
     // Reference counter for tracking _orb references
     OrbReuseTracker orbTracker = null;
     int enumCount;
@@ -534,12 +549,16 @@
             if (name.size() == 0 )
                 return this; // %%% should clone() so that env can be changed
             NameComponent[] path = CNNameParser.nameToCosName(name);
+            java.lang.Object answer = null;
 
             try {
-                java.lang.Object answer = callResolve(path);
-
+                answer = callResolve(path);
                 try {
-                    return NamingManager.getObjectInstance(answer, name, this, _env);
+                    // Check whether object factory codebase is trusted
+                    if (CorbaUtils.isObjectFactoryTrusted(answer)) {
+                        answer = NamingManager.getObjectInstance(
+                            answer, name, this, _env);
+                    }
                 } catch (NamingException e) {
                     throw e;
                 } catch (Exception e) {
@@ -552,6 +571,7 @@
                 javax.naming.Context cctx = getContinuationContext(cpe);
                 return cctx.lookup(cpe.getRemainingName());
             }
+            return answer;
     }
 
     /**
--- a/corba/src/java.corba/share/classes/com/sun/jndi/cosnaming/ExceptionMapper.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/corba/src/java.corba/share/classes/com/sun/jndi/cosnaming/ExceptionMapper.java	Wed Jul 05 22:44:27 2017 +0200
@@ -33,6 +33,8 @@
 import org.omg.CosNaming.NamingContextPackage.*;
 import org.omg.CORBA.*;
 
+import com.sun.jndi.toolkit.corba.CorbaUtils;
+
 /**
   * A convenience class to map the COS Naming exceptions to the JNDI exceptions.
   * @author Raj Krishnamurthy
@@ -202,10 +204,13 @@
             // Not a context, use object factory to transform object.
 
             Name cname = CNNameParser.cosNameToName(resolvedName);
-            java.lang.Object resolvedObj2;
+            java.lang.Object resolvedObj2 = null;
             try {
-                resolvedObj2 = NamingManager.getObjectInstance(resolvedObj,
-                    cname, ctx, ctx._env);
+                // Check whether object factory codebase is trusted
+                if (CorbaUtils.isObjectFactoryTrusted(resolvedObj)) {
+                    resolvedObj2 = NamingManager.getObjectInstance(resolvedObj,
+                        cname, ctx, ctx._env);
+                }
             } catch (NamingException ge) {
                 throw ge;
             } catch (Exception ge) {
--- a/corba/src/java.corba/share/classes/com/sun/jndi/toolkit/corba/CorbaUtils.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/corba/src/java.corba/share/classes/com/sun/jndi/toolkit/corba/CorbaUtils.java	Wed Jul 05 22:44:27 2017 +0200
@@ -36,11 +36,12 @@
 
 import org.omg.CORBA.ORB;
 
-import javax.naming.Context;
-import javax.naming.ConfigurationException;
+import javax.naming.*;
 import javax.rmi.CORBA.Stub;
 import javax.rmi.PortableRemoteObject;
 
+import com.sun.jndi.cosnaming.CNCtx;
+
 import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 import java.net.URLDecoder;
@@ -183,6 +184,32 @@
     }
 
     /**
+     * Check whether object factory code base is trusted.
+     * Classes may only be loaded from an arbitrary URL code base when
+     * the system property com.sun.jndi.rmi.object.trustURLCodebase
+     * has been set to "true".
+     */
+    public static boolean isObjectFactoryTrusted(Object obj)
+        throws NamingException {
+
+        // Extract Reference, if possible
+        Reference ref = null;
+        if (obj instanceof Reference) {
+            ref = (Reference) obj;
+        } else if (obj instanceof Referenceable) {
+            ref = ((Referenceable)(obj)).getReference();
+        }
+
+        if (ref != null && ref.getFactoryClassLocation() != null &&
+                !CNCtx.trustURLCodebase) {
+            throw new ConfigurationException(
+                "The object factory is untrusted. Set the system property" +
+                " 'com.sun.jndi.cosnaming.object.trustURLCodebase' to 'true'.");
+        }
+        return true;
+    }
+
+    /**
      * Decode a URI string (according to RFC 2396).
      */
     public static final String decode(String s) throws MalformedURLException {
--- a/hotspot/src/share/vm/classfile/classFileParser.cpp	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/src/share/vm/classfile/classFileParser.cpp	Wed Jul 05 22:44:27 2017 +0200
@@ -1025,16 +1025,20 @@
 
 static int skip_annotation_value(const u1*, int, int); // fwd decl
 
+// Safely increment index by val if does not pass limit
+#define SAFE_ADD(index, limit, val) \
+if (index >= limit - val) return limit; \
+index += val;
+
 // Skip an annotation.  Return >=limit if there is any problem.
 static int skip_annotation(const u1* buffer, int limit, int index) {
   assert(buffer != NULL, "invariant");
   // annotation := atype:u2 do(nmem:u2) {member:u2 value}
   // value := switch (tag:u1) { ... }
-  index += 2;  // skip atype
-  if ((index += 2) >= limit)  return limit;  // read nmem
+  SAFE_ADD(index, limit, 4); // skip atype and read nmem
   int nmem = Bytes::get_Java_u2((address)buffer + index - 2);
   while (--nmem >= 0 && index < limit) {
-    index += 2; // skip member
+    SAFE_ADD(index, limit, 2); // skip member
     index = skip_annotation_value(buffer, limit, index);
   }
   return index;
@@ -1052,7 +1056,7 @@
   //   case @: annotation;
   //   case s: s_con:u2;
   // }
-  if ((index += 1) >= limit)  return limit;  // read tag
+  SAFE_ADD(index, limit, 1); // read tag
   const u1 tag = buffer[index - 1];
   switch (tag) {
     case 'B':
@@ -1065,14 +1069,14 @@
     case 'J':
     case 'c':
     case 's':
-      index += 2;  // skip con or s_con
+      SAFE_ADD(index, limit, 2);  // skip con or s_con
       break;
     case 'e':
-      index += 4;  // skip e_class, e_name
+      SAFE_ADD(index, limit, 4);  // skip e_class, e_name
       break;
     case '[':
     {
-      if ((index += 2) >= limit)  return limit;  // read nval
+      SAFE_ADD(index, limit, 2); // read nval
       int nval = Bytes::get_Java_u2((address)buffer + index - 2);
       while (--nval >= 0 && index < limit) {
         index = skip_annotation_value(buffer, limit, index);
@@ -1101,8 +1105,8 @@
   assert(loader_data != NULL, "invariant");
 
   // annotations := do(nann:u2) {annotation}
-  int index = 0;
-  if ((index += 2) >= limit)  return;  // read nann
+  int index = 2; // read nann
+  if (index >= limit)  return;
   int nann = Bytes::get_Java_u2((address)buffer + index - 2);
   enum {  // initial annotation layout
     atype_off = 0,      // utf8 such as 'Ljava/lang/annotation/Retention;'
@@ -1121,7 +1125,8 @@
     s_size = 9,
     min_size = 6        // smallest possible size (zero members)
   };
-  while ((--nann) >= 0 && (index - 2 + min_size <= limit)) {
+  // Cannot add min_size to index in case of overflow MAX_INT
+  while ((--nann) >= 0 && (index - 2 <= limit - min_size)) {
     int index0 = index;
     index = skip_annotation(buffer, limit, index);
     const u1* const abase = buffer + index0;
@@ -1253,13 +1258,14 @@
         runtime_visible_annotations_length = attribute_length;
         runtime_visible_annotations = cfs->get_u1_buffer();
         assert(runtime_visible_annotations != NULL, "null visible annotations");
+        cfs->guarantee_more(runtime_visible_annotations_length, CHECK);
         parse_annotations(cp,
                           runtime_visible_annotations,
                           runtime_visible_annotations_length,
                           parsed_annotations,
                           _loader_data,
                           CHECK);
-        cfs->skip_u1(runtime_visible_annotations_length, CHECK);
+        cfs->skip_u1_fast(runtime_visible_annotations_length);
       } else if (attribute_name == vmSymbols::tag_runtime_invisible_annotations()) {
         if (runtime_invisible_annotations_exists) {
           classfile_parse_error(
@@ -2574,13 +2580,14 @@
         runtime_visible_annotations_length = method_attribute_length;
         runtime_visible_annotations = cfs->get_u1_buffer();
         assert(runtime_visible_annotations != NULL, "null visible annotations");
+        cfs->guarantee_more(runtime_visible_annotations_length, CHECK_NULL);
         parse_annotations(cp,
                           runtime_visible_annotations,
                           runtime_visible_annotations_length,
                           &parsed_annotations,
                           _loader_data,
                           CHECK_NULL);
-        cfs->skip_u1(runtime_visible_annotations_length, CHECK_NULL);
+        cfs->skip_u1_fast(runtime_visible_annotations_length);
       } else if (method_attribute_name == vmSymbols::tag_runtime_invisible_annotations()) {
         if (runtime_invisible_annotations_exists) {
           classfile_parse_error(
@@ -3285,13 +3292,14 @@
         runtime_visible_annotations_length = attribute_length;
         runtime_visible_annotations = cfs->get_u1_buffer();
         assert(runtime_visible_annotations != NULL, "null visible annotations");
+        cfs->guarantee_more(runtime_visible_annotations_length, CHECK);
         parse_annotations(cp,
                           runtime_visible_annotations,
                           runtime_visible_annotations_length,
                           parsed_annotations,
                           _loader_data,
                           CHECK);
-        cfs->skip_u1(runtime_visible_annotations_length, CHECK);
+        cfs->skip_u1_fast(runtime_visible_annotations_length);
       } else if (tag == vmSymbols::tag_runtime_invisible_annotations()) {
         if (runtime_invisible_annotations_exists) {
           classfile_parse_error(
--- a/hotspot/src/share/vm/classfile/stackMapFrame.cpp	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/src/share/vm/classfile/stackMapFrame.cpp	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -155,47 +155,8 @@
   return i;
 }
 
-bool StackMapFrame::has_flag_match_exception(
-    const StackMapFrame* target) const {
-  // We allow flags of {UninitThis} to assign to {} if-and-only-if the
-  // target frame does not depend upon the current type.
-  // This is slightly too strict, as we need only enforce that the
-  // slots that were initialized by the <init> (the things that were
-  // UninitializedThis before initialize_object() converted them) are unused.
-  // However we didn't save that information so we'll enforce this upon
-  // anything that might have been initialized.  This is a rare situation
-  // and javac never generates code that would end up here, but some profilers
-  // (such as NetBeans) might, when adding exception handlers in <init>
-  // methods to cover the invokespecial instruction.  See 7020118.
-
-  assert(max_locals() == target->max_locals() &&
-         stack_size() == target->stack_size(), "StackMap sizes must match");
-
-  VerificationType top = VerificationType::top_type();
-  VerificationType this_type = verifier()->current_type();
-
-  if (!flag_this_uninit() || target->flags() != 0) {
-    return false;
-  }
-
-  for (int i = 0; i < target->locals_size(); ++i) {
-    if (locals()[i] == this_type && target->locals()[i] != top) {
-      return false;
-    }
-  }
-
-  for (int i = 0; i < target->stack_size(); ++i) {
-    if (stack()[i] == this_type && target->stack()[i] != top) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
 bool StackMapFrame::is_assignable_to(
-    const StackMapFrame* target, bool is_exception_handler,
-    ErrorContext* ctx, TRAPS) const {
+    const StackMapFrame* target, ErrorContext* ctx, TRAPS) const {
   if (_max_locals != target->max_locals()) {
     *ctx = ErrorContext::locals_size_mismatch(
         _offset, (StackMapFrame*)this, (StackMapFrame*)target);
@@ -226,8 +187,7 @@
     return false;
   }
 
-  bool match_flags = (_flags | target->flags()) == target->flags();
-  if (match_flags || is_exception_handler && has_flag_match_exception(target)) {
+  if ((_flags | target->flags()) == target->flags()) {
     return true;
   } else {
     *ctx = ErrorContext::bad_flags(target->offset(),
--- a/hotspot/src/share/vm/classfile/stackMapFrame.hpp	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/src/share/vm/classfile/stackMapFrame.hpp	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -167,8 +167,7 @@
 
   // Return true if this stack map frame is assignable to target.
   bool is_assignable_to(
-      const StackMapFrame* target, bool is_exception_handler,
-      ErrorContext* ctx, TRAPS) const;
+      const StackMapFrame* target, ErrorContext* ctx, TRAPS) const;
 
   inline void set_mark() {
 #ifdef ASSERT
@@ -290,8 +289,6 @@
   int is_assignable_to(
     VerificationType* src, VerificationType* target, int32_t len, TRAPS) const;
 
-  bool has_flag_match_exception(const StackMapFrame* target) const;
-
   TypeOrigin stack_top_ctx();
 
   void print_on(outputStream* str) const;
--- a/hotspot/src/share/vm/classfile/stackMapTable.cpp	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/src/share/vm/classfile/stackMapTable.cpp	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,26 +70,25 @@
 
 bool StackMapTable::match_stackmap(
     StackMapFrame* frame, int32_t target,
-    bool match, bool update, bool handler, ErrorContext* ctx, TRAPS) const {
+    bool match, bool update, ErrorContext* ctx, TRAPS) const {
   int index = get_index_from_offset(target);
-  return match_stackmap(frame, target, index, match, update, handler, ctx, THREAD);
+  return match_stackmap(frame, target, index, match, update, ctx, THREAD);
 }
 
 // Match and/or update current_frame to the frame in stackmap table with
 // specified offset and frame index. Return true if the two frames match.
-// handler is true if the frame in stackmap_table is for an exception handler.
 //
-// The values of match and update are:                  _match__update__handler
+// The values of match and update are:                  _match__update
 //
-// checking a branch target:                             true   false   false
-// checking an exception handler:                        true   false   true
+// checking a branch target:                             true   false
+// checking an exception handler:                        true   false
 // linear bytecode verification following an
-// unconditional branch:                                 false  true    false
+// unconditional branch:                                 false  true
 // linear bytecode verification not following an
-// unconditional branch:                                 true   true    false
+// unconditional branch:                                 true   true
 bool StackMapTable::match_stackmap(
     StackMapFrame* frame, int32_t target, int32_t frame_index,
-    bool match, bool update, bool handler, ErrorContext* ctx, TRAPS) const {
+    bool match, bool update, ErrorContext* ctx, TRAPS) const {
   if (frame_index < 0 || frame_index >= _frame_count) {
     *ctx = ErrorContext::missing_stackmap(frame->offset());
     frame->verifier()->verify_error(
@@ -102,7 +101,7 @@
   if (match) {
     // Has direct control flow from last instruction, need to match the two
     // frames.
-    result = frame->is_assignable_to(stackmap_frame, handler,
+    result = frame->is_assignable_to(stackmap_frame,
         ctx, CHECK_VERIFY_(frame->verifier(), result));
   }
   if (update) {
@@ -126,7 +125,7 @@
     StackMapFrame* frame, int32_t target, TRAPS) const {
   ErrorContext ctx;
   bool match = match_stackmap(
-    frame, target, true, false, false, &ctx, CHECK_VERIFY(frame->verifier()));
+    frame, target, true, false, &ctx, CHECK_VERIFY(frame->verifier()));
   if (!match || (target < 0 || target >= _code_length)) {
     frame->verifier()->verify_error(ctx,
         "Inconsistent stackmap frames at branch target %d", target);
--- a/hotspot/src/share/vm/classfile/stackMapTable.hpp	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/src/share/vm/classfile/stackMapTable.hpp	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -60,12 +60,12 @@
   // specified offset. Return true if the two frames match.
   bool match_stackmap(
     StackMapFrame* current_frame, int32_t offset,
-    bool match, bool update, bool handler, ErrorContext* ctx, TRAPS) const;
+    bool match, bool update, ErrorContext* ctx, TRAPS) const;
   // Match and/or update current_frame to the frame in stackmap table with
   // specified offset and frame index. Return true if the two frames match.
   bool match_stackmap(
     StackMapFrame* current_frame, int32_t offset, int32_t frame_index,
-    bool match, bool update, bool handler, ErrorContext* ctx, TRAPS) const;
+    bool match, bool update, ErrorContext* ctx, TRAPS) const;
 
   // Check jump instructions. Make sure there are no uninitialized
   // instances on backward branch.
--- a/hotspot/src/share/vm/classfile/verifier.cpp	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/src/share/vm/classfile/verifier.cpp	Wed Jul 05 22:44:27 2017 +0200
@@ -541,19 +541,13 @@
     stack_map_frame* sm_frame = sm_table->entries();
     streamIndentor si2(ss);
     int current_offset = -1;
-    // Subtract two from StackMapAttribute length because the length includes
-    // two bytes for number of table entries.
-    size_t sm_table_space = method->stackmap_data()->length() - 2;
+    address end_of_sm_table = (address)sm_table + method->stackmap_data()->length();
     for (u2 i = 0; i < sm_table->number_of_entries(); ++i) {
       ss->indent();
-      size_t sm_frame_size = sm_frame->size();
-      // If the size of the next stackmap exceeds the length of the entire
-      // stackmap table then print a truncated message and return.
-      if (sm_frame_size > sm_table_space) {
+      if (!sm_frame->verify((address)sm_frame, end_of_sm_table)) {
         sm_frame->print_truncated(ss, current_offset);
         return;
       }
-      sm_table_space -= sm_frame_size;
       sm_frame->print_on(ss, current_offset);
       ss->cr();
       current_offset += sm_frame->offset_delta();
@@ -1863,7 +1857,7 @@
       // If matched, current_frame will be updated by this method.
       bool matches = stackmap_table->match_stackmap(
         current_frame, this_offset, stackmap_index,
-        !no_control_flow, true, false, &ctx, CHECK_VERIFY_(this, 0));
+        !no_control_flow, true, &ctx, CHECK_VERIFY_(this, 0));
       if (!matches) {
         // report type error
         verify_error(ctx, "Instruction type does not match stack map");
@@ -1913,7 +1907,7 @@
       }
       ErrorContext ctx;
       bool matches = stackmap_table->match_stackmap(
-        new_frame, handler_pc, true, false, true, &ctx, CHECK_VERIFY(this));
+        new_frame, handler_pc, true, false, &ctx, CHECK_VERIFY(this));
       if (!matches) {
         verify_error(ctx, "Stack map does not match the one at "
             "exception handler %d", handler_pc);
--- a/hotspot/test/runtime/handlerInTry/LoadHandlerInTry.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/hotspot/test/runtime/handlerInTry/LoadHandlerInTry.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
 /*
  * @test
  * @bug 8075118
- * @summary Allow a ctor to call super() from a switch bytecode.
+ * @summary JVM stuck in infinite loop during verification
  * @compile HandlerInTry.jasm
  * @compile IsolatedHandlerInTry.jasm
  * @run main/othervm -Xverify:all LoadHandlerInTry
@@ -70,9 +70,10 @@
         System.out.println("Regression test for bug 8075118");
         try {
             Class newClass = Class.forName("HandlerInTry");
-        } catch (Exception e) {
-            System.out.println("Failed: Exception was thrown: " + e.toString());
-            throw e;
+            throw new RuntimeException(
+                 "Failed to throw VerifyError for HandlerInTry");
+        } catch (java.lang.VerifyError e) {
+            System.out.println("Passed: VerifyError exception was thrown");
         }
 
         try {
--- a/jdk/make/CompileModuleTools.gmk	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/make/CompileModuleTools.gmk	Wed Jul 05 22:44:27 2017 +0200
@@ -37,6 +37,5 @@
                 build/tools/jigsaw, \
     BIN := $(TOOLS_CLASSES_DIR), \
     ADD_JAVAC_FLAGS := \
-        --add-exports jdk.jdeps/com.sun.tools.classfile=ALL-UNNAMED \
         --add-exports java.base/jdk.internal.module=ALL-UNNAMED \
 ))
--- a/jdk/make/ModuleTools.gmk	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/make/ModuleTools.gmk	Wed Jul 05 22:44:27 2017 +0200
@@ -39,7 +39,6 @@
     build.tools.jigsaw.GenGraphs
 
 TOOL_MODULESUMMARY := $(BUILD_JAVA) -esa -ea -cp $(TOOLS_CLASSES_DIR) \
-    --add-exports jdk.jdeps/com.sun.tools.classfile=ALL-UNNAMED \
     build.tools.jigsaw.ModuleSummary
 
 TOOL_ADD_PACKAGES_ATTRIBUTE := $(BUILD_JAVA) $(JAVA_FLAGS_SMALL) \
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/make/copy/Copy-jdk.crypto.cryptoki.gmk	Wed Jul 05 22:44:27 2017 +0200
@@ -0,0 +1,45 @@
+#
+# Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+include CopyCommon.gmk
+
+################################################################################
+
+ifeq ($(OPENJDK_TARGET_OS), solaris)
+
+  SUNPKCS11_CFG_SRC := \
+      $(JDK_TOPDIR)/src/jdk.crypto.cryptoki/solaris/conf/security/sunpkcs11-solaris.cfg
+  SUNPKCS11_CFG_DST := $(CONF_DST_DIR)/security/sunpkcs11-solaris.cfg
+
+  $(SUNPKCS11_CFG_DST): $(SUNPKCS11_CFG_SRC)
+	$(call install-file)
+
+  SECURITY_PKCS11_CONF_FILES += $(SUNPKCS11_CFG_DST)
+
+  TARGETS := $(SUNPKCS11_CFG_DST)
+
+endif
+
+################################################################################
--- a/jdk/make/copy/Copy-jdk.crypto.token.gmk	Fri Jan 20 19:09:53 2017 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,45 +0,0 @@
-#
-# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.  Oracle designates this
-# particular file as subject to the "Classpath" exception as provided
-# by Oracle in the LICENSE file that accompanied this code.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-include CopyCommon.gmk
-
-################################################################################
-
-ifeq ($(OPENJDK_TARGET_OS), solaris)
-
-  SUNPKCS11_CFG_SRC := \
-      $(JDK_TOPDIR)/src/jdk.crypto.token/solaris/conf/security/sunpkcs11-solaris.cfg
-  SUNPKCS11_CFG_DST := $(CONF_DST_DIR)/security/sunpkcs11-solaris.cfg
-
-  $(SUNPKCS11_CFG_DST): $(SUNPKCS11_CFG_SRC)
-	$(call install-file)
-
-  SECURITY_PKCS11_CONF_FILES += $(SUNPKCS11_CFG_DST)
-
-  TARGETS := $(SUNPKCS11_CFG_DST)
-
-endif
-
-################################################################################
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/make/lib/Lib-jdk.crypto.cryptoki.gmk	Wed Jul 05 22:44:27 2017 +0200
@@ -0,0 +1,56 @@
+#
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+include LibCommon.gmk
+
+################################################################################
+
+LIBJ2PKCS11_SRC := $(JDK_TOPDIR)/src/jdk.crypto.cryptoki/share/native/libj2pkcs11 \
+    $(JDK_TOPDIR)/src/jdk.crypto.cryptoki/$(OPENJDK_TARGET_OS_TYPE)/native/libj2pkcs11
+
+$(eval $(call SetupNativeCompilation,BUILD_LIBJ2PKCS11, \
+    LIBRARY := j2pkcs11, \
+    OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
+    SRC := $(LIBJ2PKCS11_SRC), \
+    OPTIMIZATION := LOW, \
+    CFLAGS := $(CFLAGS_JDKLIB) $(addprefix -I, $(LIBJ2PKCS11_SRC)) \
+        $(LIBJAVA_HEADER_FLAGS) \
+        -I$(SUPPORT_OUTPUTDIR)/headers/jdk.crypto.cryptoki, \
+    MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libj2pkcs11/mapfile-vers, \
+    LDFLAGS := $(LDFLAGS_JDKLIB) \
+        $(call SET_SHARED_LIBRARY_ORIGIN), \
+    LIBS_unix := $(LIBDL), \
+    LIBS_solaris := -lc, \
+    VERSIONINFO_RESOURCE := $(GLOBAL_VERSION_INFO_RESOURCE), \
+    RC_FLAGS := $(RC_FLAGS) \
+        -D "JDK_FNAME=j2pkcs11.dll" \
+        -D "JDK_INTERNAL_NAME=j2pkcs11" \
+        -D "JDK_FTYPE=0x2L", \
+    OBJECT_DIR := $(SUPPORT_OUTPUTDIR)/native/$(MODULE)/libj2pkcs11, \
+))
+
+TARGETS += $(BUILD_LIBJ2PKCS11)
+
+################################################################################
--- a/jdk/make/lib/Lib-jdk.crypto.token.gmk	Fri Jan 20 19:09:53 2017 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,56 +0,0 @@
-#
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.  Oracle designates this
-# particular file as subject to the "Classpath" exception as provided
-# by Oracle in the LICENSE file that accompanied this code.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-include LibCommon.gmk
-
-################################################################################
-
-LIBJ2PKCS11_SRC := $(JDK_TOPDIR)/src/jdk.crypto.token/share/native/libj2pkcs11 \
-    $(JDK_TOPDIR)/src/jdk.crypto.token/$(OPENJDK_TARGET_OS_TYPE)/native/libj2pkcs11
-
-$(eval $(call SetupNativeCompilation,BUILD_LIBJ2PKCS11, \
-    LIBRARY := j2pkcs11, \
-    OUTPUT_DIR := $(INSTALL_LIBRARIES_HERE), \
-    SRC := $(LIBJ2PKCS11_SRC), \
-    OPTIMIZATION := LOW, \
-    CFLAGS := $(CFLAGS_JDKLIB) $(addprefix -I, $(LIBJ2PKCS11_SRC)) \
-        $(LIBJAVA_HEADER_FLAGS) \
-        -I$(SUPPORT_OUTPUTDIR)/headers/jdk.crypto.token, \
-    MAPFILE := $(JDK_TOPDIR)/make/mapfiles/libj2pkcs11/mapfile-vers, \
-    LDFLAGS := $(LDFLAGS_JDKLIB) \
-        $(call SET_SHARED_LIBRARY_ORIGIN), \
-    LIBS_unix := $(LIBDL), \
-    LIBS_solaris := -lc, \
-    VERSIONINFO_RESOURCE := $(GLOBAL_VERSION_INFO_RESOURCE), \
-    RC_FLAGS := $(RC_FLAGS) \
-        -D "JDK_FNAME=j2pkcs11.dll" \
-        -D "JDK_INTERNAL_NAME=j2pkcs11" \
-        -D "JDK_FTYPE=0x2L", \
-    OBJECT_DIR := $(SUPPORT_OUTPUTDIR)/native/$(MODULE)/libj2pkcs11, \
-))
-
-TARGETS += $(BUILD_LIBJ2PKCS11)
-
-################################################################################
--- a/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java	Wed Jul 05 22:44:27 2017 +0200
@@ -69,6 +69,10 @@
     /**
      * Returns the server's X.509 certificate chain, or null if
      * the server did not authenticate.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
+     *
      * @return the server certificate chain
      */
     public abstract Certificate[] getServerCertificates()
--- a/jdk/src/java.base/share/classes/java/lang/Class.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/lang/Class.java	Wed Jul 05 22:44:27 2017 +0200
@@ -508,8 +508,9 @@
     public T newInstance()
         throws InstantiationException, IllegalAccessException
     {
-        if (System.getSecurityManager() != null) {
-            checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), false);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), false);
         }
 
         // NOTE: the following code may not be strictly correct under
@@ -1223,38 +1224,27 @@
 
             // Perform access check
             final Class<?> enclosingCandidate = enclosingInfo.getEnclosingClass();
-            enclosingCandidate.checkMemberAccess(Member.DECLARED,
-                                                 Reflection.getCallerClass(), true);
-            // Client is ok to access declared methods but j.l.Class might not be.
-            Method[] candidates = AccessController.doPrivileged(
-                    new PrivilegedAction<>() {
-                        @Override
-                        public Method[] run() {
-                            return enclosingCandidate.getDeclaredMethods();
-                        }
-                    });
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                enclosingCandidate.checkMemberAccess(sm, Member.DECLARED,
+                                                     Reflection.getCallerClass(), true);
+            }
+            Method[] candidates = enclosingCandidate.privateGetDeclaredMethods(false);
+
             /*
              * Loop over all declared methods; match method name,
              * number of and type of parameters, *and* return
              * type.  Matching return type is also necessary
              * because of covariant returns, etc.
              */
-            for(Method m: candidates) {
-                if (m.getName().equals(enclosingInfo.getName()) ) {
-                    Class<?>[] candidateParamClasses = m.getParameterTypes();
-                    if (candidateParamClasses.length == parameterClasses.length) {
-                        boolean matches = true;
-                        for(int i = 0; i < candidateParamClasses.length; i++) {
-                            if (!candidateParamClasses[i].equals(parameterClasses[i])) {
-                                matches = false;
-                                break;
-                            }
-                        }
-
-                        if (matches) { // finally, check return type
-                            if (m.getReturnType().equals(returnType) )
-                                return m;
-                        }
+            ReflectionFactory fact = getReflectionFactory();
+            for (Method m : candidates) {
+                if (m.getName().equals(enclosingInfo.getName()) &&
+                    arrayContentsEq(parameterClasses,
+                                    fact.getExecutableSharedParameterTypes(m))) {
+                    // finally, check return type
+                    if (m.getReturnType().equals(returnType)) {
+                        return fact.copyMethod(m);
                     }
                 }
             }
@@ -1390,33 +1380,23 @@
 
             // Perform access check
             final Class<?> enclosingCandidate = enclosingInfo.getEnclosingClass();
-            enclosingCandidate.checkMemberAccess(Member.DECLARED,
-                                                 Reflection.getCallerClass(), true);
-            // Client is ok to access declared methods but j.l.Class might not be.
-            Constructor<?>[] candidates = AccessController.doPrivileged(
-                    new PrivilegedAction<>() {
-                        @Override
-                        public Constructor<?>[] run() {
-                            return enclosingCandidate.getDeclaredConstructors();
-                        }
-                    });
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                enclosingCandidate.checkMemberAccess(sm, Member.DECLARED,
+                                                     Reflection.getCallerClass(), true);
+            }
+
+            Constructor<?>[] candidates = enclosingCandidate
+                    .privateGetDeclaredConstructors(false);
             /*
              * Loop over all declared constructors; match number
              * of and type of parameters.
              */
-            for(Constructor<?> c: candidates) {
-                Class<?>[] candidateParamClasses = c.getParameterTypes();
-                if (candidateParamClasses.length == parameterClasses.length) {
-                    boolean matches = true;
-                    for(int i = 0; i < candidateParamClasses.length; i++) {
-                        if (!candidateParamClasses[i].equals(parameterClasses[i])) {
-                            matches = false;
-                            break;
-                        }
-                    }
-
-                    if (matches)
-                        return c;
+            ReflectionFactory fact = getReflectionFactory();
+            for (Constructor<?> c : candidates) {
+                if (arrayContentsEq(parameterClasses,
+                                    fact.getExecutableSharedParameterTypes(c))) {
+                    return fact.copyConstructor(c);
                 }
             }
 
@@ -1446,9 +1426,13 @@
     public Class<?> getDeclaringClass() throws SecurityException {
         final Class<?> candidate = getDeclaringClass0();
 
-        if (candidate != null)
-            candidate.checkPackageAccess(
+        if (candidate != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                candidate.checkPackageAccess(sm,
                     ClassLoader.getClassLoader(Reflection.getCallerClass()), true);
+            }
+        }
         return candidate;
     }
 
@@ -1496,9 +1480,13 @@
                 enclosingCandidate = enclosingClass;
         }
 
-        if (enclosingCandidate != null)
-            enclosingCandidate.checkPackageAccess(
+        if (enclosingCandidate != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                enclosingCandidate.checkPackageAccess(sm,
                     ClassLoader.getClassLoader(Reflection.getCallerClass()), true);
+            }
+        }
         return enclosingCandidate;
     }
 
@@ -1688,7 +1676,10 @@
      */
     @CallerSensitive
     public Class<?>[] getClasses() {
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), false);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), false);
+        }
 
         // Privileged so this implementation can look at DECLARED classes,
         // something the caller might not have privilege to do.  The code here
@@ -1754,7 +1745,10 @@
      */
     @CallerSensitive
     public Field[] getFields() throws SecurityException {
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), true);
+        }
         return copyFields(privateGetPublicFields(null));
     }
 
@@ -1841,7 +1835,10 @@
      */
     @CallerSensitive
     public Method[] getMethods() throws SecurityException {
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), true);
+        }
         return copyMethods(privateGetPublicMethods());
     }
 
@@ -1877,7 +1874,10 @@
      */
     @CallerSensitive
     public Constructor<?>[] getConstructors() throws SecurityException {
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), true);
+        }
         return copyConstructors(privateGetDeclaredConstructors(true));
     }
 
@@ -1928,7 +1928,10 @@
     public Field getField(String name)
         throws NoSuchFieldException, SecurityException {
         Objects.requireNonNull(name);
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), true);
+        }
         Field field = getField0(name);
         if (field == null) {
             throw new NoSuchFieldException(name);
@@ -2034,10 +2037,13 @@
     public Method getMethod(String name, Class<?>... parameterTypes)
         throws NoSuchMethodException, SecurityException {
         Objects.requireNonNull(name);
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), true);
+        }
         Method method = getMethod0(name, parameterTypes);
         if (method == null) {
-            throw new NoSuchMethodException(getName() + "." + name + argumentTypesToString(parameterTypes));
+            throw new NoSuchMethodException(methodToString(name, parameterTypes));
         }
         return getReflectionFactory().copyMethod(method);
     }
@@ -2092,8 +2098,12 @@
      */
     @CallerSensitive
     public Constructor<T> getConstructor(Class<?>... parameterTypes)
-        throws NoSuchMethodException, SecurityException {
-        checkMemberAccess(Member.PUBLIC, Reflection.getCallerClass(), true);
+        throws NoSuchMethodException, SecurityException
+    {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.PUBLIC, Reflection.getCallerClass(), true);
+        }
         return getReflectionFactory().copyConstructor(
             getConstructor0(parameterTypes, Member.PUBLIC));
     }
@@ -2136,7 +2146,10 @@
      */
     @CallerSensitive
     public Class<?>[] getDeclaredClasses() throws SecurityException {
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), false);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), false);
+        }
         return getDeclaredClasses0();
     }
 
@@ -2185,7 +2198,10 @@
      */
     @CallerSensitive
     public Field[] getDeclaredFields() throws SecurityException {
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
+        }
         return copyFields(privateGetDeclaredFields(false));
     }
 
@@ -2244,7 +2260,10 @@
      */
     @CallerSensitive
     public Method[] getDeclaredMethods() throws SecurityException {
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
+        }
         return copyMethods(privateGetDeclaredMethods(false));
     }
 
@@ -2289,7 +2308,10 @@
      */
     @CallerSensitive
     public Constructor<?>[] getDeclaredConstructors() throws SecurityException {
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
+        }
         return copyConstructors(privateGetDeclaredConstructors(false));
     }
 
@@ -2338,7 +2360,10 @@
     public Field getDeclaredField(String name)
         throws NoSuchFieldException, SecurityException {
         Objects.requireNonNull(name);
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
+        }
         Field field = searchFields(privateGetDeclaredFields(false), name);
         if (field == null) {
             throw new NoSuchFieldException(name);
@@ -2399,10 +2424,13 @@
     public Method getDeclaredMethod(String name, Class<?>... parameterTypes)
         throws NoSuchMethodException, SecurityException {
         Objects.requireNonNull(name);
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), true);
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
+        }
         Method method = searchMethods(privateGetDeclaredMethods(false), name, parameterTypes);
         if (method == null) {
-            throw new NoSuchMethodException(getName() + "." + name + argumentTypesToString(parameterTypes));
+            throw new NoSuchMethodException(methodToString(name, parameterTypes));
         }
         return getReflectionFactory().copyMethod(method);
     }
@@ -2448,8 +2476,13 @@
      */
     @CallerSensitive
     public Constructor<T> getDeclaredConstructor(Class<?>... parameterTypes)
-        throws NoSuchMethodException, SecurityException {
-        checkMemberAccess(Member.DECLARED, Reflection.getCallerClass(), true);
+        throws NoSuchMethodException, SecurityException
+    {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            checkMemberAccess(sm, Member.DECLARED, Reflection.getCallerClass(), true);
+        }
+
         return getReflectionFactory().copyConstructor(
             getConstructor0(parameterTypes, Member.DECLARED));
     }
@@ -2697,51 +2730,49 @@
      *
      * <p> Default policy: allow all clients access with normal Java access
      * control.
+     *
+     * <p> NOTE: should only be called if a SecurityManager is installed
      */
-    private void checkMemberAccess(int which, Class<?> caller, boolean checkProxyInterfaces) {
-        final SecurityManager s = System.getSecurityManager();
-        if (s != null) {
-            /* Default policy allows access to all {@link Member#PUBLIC} members,
-             * as well as access to classes that have the same class loader as the caller.
-             * In all other cases, it requires RuntimePermission("accessDeclaredMembers")
-             * permission.
-             */
-            final ClassLoader ccl = ClassLoader.getClassLoader(caller);
+    private void checkMemberAccess(SecurityManager sm, int which,
+                                   Class<?> caller, boolean checkProxyInterfaces) {
+        /* Default policy allows access to all {@link Member#PUBLIC} members,
+         * as well as access to classes that have the same class loader as the caller.
+         * In all other cases, it requires RuntimePermission("accessDeclaredMembers")
+         * permission.
+         */
+        final ClassLoader ccl = caller.getClassLoader0();
+        if (which != Member.PUBLIC) {
             final ClassLoader cl = getClassLoader0();
-            if (which != Member.PUBLIC) {
-                if (ccl != cl) {
-                    s.checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION);
-                }
+            if (ccl != cl) {
+                sm.checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION);
             }
-            this.checkPackageAccess(ccl, checkProxyInterfaces);
         }
+        this.checkPackageAccess(sm, ccl, checkProxyInterfaces);
     }
 
     /*
      * Checks if a client loaded in ClassLoader ccl is allowed to access this
      * class under the current package access policy. If access is denied,
      * throw a SecurityException.
+     *
+     * NOTE: this method should only be called if a SecurityManager is active
      */
-    private void checkPackageAccess(final ClassLoader ccl, boolean checkProxyInterfaces) {
-        final SecurityManager s = System.getSecurityManager();
-        if (s != null) {
-            final ClassLoader cl = getClassLoader0();
-
-            if (ReflectUtil.needsPackageAccessCheck(ccl, cl)) {
-                String name = this.getName();
-                int i = name.lastIndexOf('.');
-                if (i != -1) {
-                    // skip the package access check on a proxy class in default proxy package
-                    String pkg = name.substring(0, i);
-                    if (!Proxy.isProxyClass(this) || ReflectUtil.isNonPublicProxyClass(this)) {
-                        s.checkPackageAccess(pkg);
-                    }
+    private void checkPackageAccess(SecurityManager sm, final ClassLoader ccl,
+                                    boolean checkProxyInterfaces) {
+        final ClassLoader cl = getClassLoader0();
+
+        if (ReflectUtil.needsPackageAccessCheck(ccl, cl)) {
+            String pkg = this.getPackageName();
+            if (pkg != null && !pkg.isEmpty()) {
+                // skip the package access check on a proxy class in default proxy package
+                if (!Proxy.isProxyClass(this) || ReflectUtil.isNonPublicProxyClass(this)) {
+                    sm.checkPackageAccess(pkg);
                 }
             }
-            // check package access on the proxy interfaces
-            if (checkProxyInterfaces && Proxy.isProxyClass(this)) {
-                ReflectUtil.checkProxyPackageAccess(ccl, this.getInterfaces());
-            }
+        }
+        // check package access on the proxy interfaces
+        if (checkProxyInterfaces && Proxy.isProxyClass(this)) {
+            ReflectUtil.checkProxyPackageAccess(ccl, this.getInterfaces());
         }
     }
 
@@ -2755,11 +2786,9 @@
             while (c.isArray()) {
                 c = c.getComponentType();
             }
-            String baseName = c.getName();
-            int index = baseName.lastIndexOf('.');
-            if (index != -1) {
-                name = baseName.substring(0, index).replace('.', '/')
-                    +"/"+name;
+            String baseName = c.getPackageName();
+            if (baseName != null && !baseName.isEmpty()) {
+                name = baseName.replace('.', '/') + "/" + name;
             }
         } else {
             name = name.substring(1);
@@ -3233,7 +3262,7 @@
                 return constructor;
             }
         }
-        throw new NoSuchMethodException(getName() + ".<init>" + argumentTypesToString(parameterTypes));
+        throw new NoSuchMethodException(methodToString("<init>", parameterTypes));
     }
 
     //
@@ -3294,8 +3323,11 @@
     private native Constructor<T>[] getDeclaredConstructors0(boolean publicOnly);
     private native Class<?>[]   getDeclaredClasses0();
 
-    private static String        argumentTypesToString(Class<?>[] argTypes) {
-        StringJoiner sj = new StringJoiner(", ", "(", ")");
+    /**
+     * Helper method to get the method name from arguments.
+     */
+    private String methodToString(String name, Class<?>[] argTypes) {
+        StringJoiner sj = new StringJoiner(", ", getName() + "." + name + "(", ")");
         if (argTypes != null) {
             for (int i = 0; i < argTypes.length; i++) {
                 Class<?> c = argTypes[i];
--- a/jdk/src/java.base/share/classes/java/lang/SecurityManager.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/lang/SecurityManager.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,18 +25,30 @@
 
 package java.lang;
 
-import java.security.*;
+import java.lang.RuntimePermission;
+import java.lang.module.ModuleDescriptor;
+import java.lang.module.ModuleDescriptor.Exports;
+import java.lang.module.ModuleDescriptor.Opens;
+import java.lang.reflect.Layer;
+import java.lang.reflect.Member;
+import java.lang.reflect.Module;
 import java.io.FileDescriptor;
 import java.io.File;
 import java.io.FilePermission;
+import java.net.InetAddress;
+import java.net.SocketPermission;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.security.SecurityPermission;
+import java.util.HashSet;
+import java.util.Objects;
 import java.util.PropertyPermission;
-import java.lang.RuntimePermission;
-import java.net.SocketPermission;
-import java.net.NetPermission;
-import java.util.Hashtable;
-import java.net.InetAddress;
-import java.lang.reflect.*;
-import java.net.URL;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import jdk.internal.reflect.CallerSensitive;
 import sun.security.util.SecurityConstants;
@@ -1415,46 +1427,108 @@
             }
         }
 
-        if (packages == null)
+        if (packages == null) {
             packages = new String[0];
+        }
         return packages;
     }
 
+    // The non-exported packages of the modules in the boot layer that are
+    // loaded by the platform class loader or its ancestors. A non-exported
+    // package is a package that either is not exported at all by its containing
+    // module or is exported in a qualified fashion by its containing module.
+    private static final Set<String> nonExportedPkgs;
+
+    static {
+        // Get the modules in the boot layer
+        Stream<Module> bootLayerModules = Layer.boot().modules().stream();
+
+        // Filter out the modules loaded by the boot or platform loader
+        PrivilegedAction<Set<Module>> pa = () ->
+            bootLayerModules.filter(SecurityManager::isBootOrPlatformModule)
+                            .collect(Collectors.toSet());
+        Set<Module> modules = AccessController.doPrivileged(pa);
+
+        // Filter out the non-exported packages
+        nonExportedPkgs = modules.stream()
+                                 .map(Module::getDescriptor)
+                                 .map(SecurityManager::nonExportedPkgs)
+                                 .flatMap(Set::stream)
+                                 .collect(Collectors.toSet());
+    }
+
     /**
-     * Throws a <code>SecurityException</code> if the
-     * calling thread is not allowed to access the package specified by
-     * the argument.
+     * Returns true if the module's loader is the boot or platform loader.
+     */
+    private static boolean isBootOrPlatformModule(Module m) {
+        return m.getClassLoader() == null ||
+               m.getClassLoader() == ClassLoader.getPlatformClassLoader();
+    }
+
+    /**
+     * Returns the non-exported packages of the specified module.
+     */
+    private static Set<String> nonExportedPkgs(ModuleDescriptor md) {
+        // start with all packages in the module
+        Set<String> pkgs = new HashSet<>(md.packages());
+
+        // remove the non-qualified exported packages
+        md.exports().stream()
+                    .filter(p -> !p.isQualified())
+                    .map(Exports::source)
+                    .forEach(pkgs::remove);
+
+        // remove the non-qualified open packages
+        md.opens().stream()
+                  .filter(p -> !p.isQualified())
+                  .map(Opens::source)
+                  .forEach(pkgs::remove);
+
+        return pkgs;
+    }
+
+    /**
+     * Throws a {@code SecurityException} if the calling thread is not allowed
+     * to access the specified package.
      * <p>
-     * This method is used by the <code>loadClass</code> method of class
-     * loaders.
+     * This method is called by the {@code loadClass} method of class loaders.
      * <p>
-     * This method first gets a list of
-     * restricted packages by obtaining a comma-separated list from
-     * a call to
-     * <code>java.security.Security.getProperty("package.access")</code>,
-     * and checks to see if <code>pkg</code> starts with or equals
-     * any of the restricted packages. If it does, then
-     * <code>checkPermission</code> gets called with the
-     * <code>RuntimePermission("accessClassInPackage."+pkg)</code>
-     * permission.
+     * This method checks if the specified package starts with or equals
+     * any of the packages in the {@code package.access} Security Property.
+     * An implementation may also check the package against an additional
+     * list of restricted packages as noted below. If the package is restricted,
+     * {@link #checkPermission(Permission)} is called with a
+     * {@code RuntimePermission("accessClassInPackage."+pkg)} permission.
      * <p>
-     * If this method is overridden, then
-     * <code>super.checkPackageAccess</code> should be called
-     * as the first line in the overridden method.
+     * If this method is overridden, then {@code super.checkPackageAccess}
+     * should be called as the first line in the overridden method.
+     *
+     * @implNote
+     * This implementation also restricts all non-exported packages of modules
+     * loaded by {@linkplain ClassLoader#getPlatformClassLoader
+     * the platform class loader} or its ancestors. A "non-exported package"
+     * refers to a package that is not exported to all modules. Specifically,
+     * it refers to a package that either is not exported at all by its
+     * containing module or is exported in a qualified fashion by its
+     * containing module.
      *
      * @param      pkg   the package name.
-     * @exception  SecurityException  if the calling thread does not have
+     * @throws     SecurityException  if the calling thread does not have
      *             permission to access the specified package.
-     * @exception  NullPointerException if the package name argument is
-     *             <code>null</code>.
-     * @see        java.lang.ClassLoader#loadClass(java.lang.String, boolean)
-     *  loadClass
+     * @throws     NullPointerException if the package name argument is
+     *             {@code null}.
+     * @see        java.lang.ClassLoader#loadClass(String, boolean) loadClass
      * @see        java.security.Security#getProperty getProperty
-     * @see        #checkPermission(java.security.Permission) checkPermission
+     * @see        #checkPermission(Permission) checkPermission
      */
     public void checkPackageAccess(String pkg) {
-        if (pkg == null) {
-            throw new NullPointerException("package name can't be null");
+        Objects.requireNonNull(pkg, "package name can't be null");
+
+        // check if pkg is not exported to all modules
+        if (nonExportedPkgs.contains(pkg)) {
+            checkPermission(
+                new RuntimePermission("accessClassInPackage." + pkg));
+            return;
         }
 
         String[] restrictedPkgs;
@@ -1512,36 +1586,48 @@
     }
 
     /**
-     * Throws a <code>SecurityException</code> if the
-     * calling thread is not allowed to define classes in the package
-     * specified by the argument.
+     * Throws a {@code SecurityException} if the calling thread is not
+     * allowed to define classes in the specified package.
      * <p>
-     * This method is used by the <code>loadClass</code> method of some
+     * This method is called by the {@code loadClass} method of some
      * class loaders.
      * <p>
-     * This method first gets a list of restricted packages by
-     * obtaining a comma-separated list from a call to
-     * <code>java.security.Security.getProperty("package.definition")</code>,
-     * and checks to see if <code>pkg</code> starts with or equals
-     * any of the restricted packages. If it does, then
-     * <code>checkPermission</code> gets called with the
-     * <code>RuntimePermission("defineClassInPackage."+pkg)</code>
-     * permission.
+     * This method checks if the specified package starts with or equals
+     * any of the packages in the {@code package.definition} Security
+     * Property. An implementation may also check the package against an
+     * additional list of restricted packages as noted below. If the package
+     * is restricted, {@link #checkPermission(Permission)} is called with a
+     * {@code RuntimePermission("defineClassInPackage."+pkg)} permission.
      * <p>
-     * If this method is overridden, then
-     * <code>super.checkPackageDefinition</code> should be called
-     * as the first line in the overridden method.
+     * If this method is overridden, then {@code super.checkPackageDefinition}
+     * should be called as the first line in the overridden method.
+     *
+     * @implNote
+     * This implementation also restricts all non-exported packages of modules
+     * loaded by {@linkplain ClassLoader#getPlatformClassLoader
+     * the platform class loader} or its ancestors. A "non-exported package"
+     * refers to a package that is not exported to all modules. Specifically,
+     * it refers to a package that either is not exported at all by its
+     * containing module or is exported in a qualified fashion by its
+     * containing module.
      *
      * @param      pkg   the package name.
-     * @exception  SecurityException  if the calling thread does not have
+     * @throws     SecurityException  if the calling thread does not have
      *             permission to define classes in the specified package.
-     * @see        java.lang.ClassLoader#loadClass(java.lang.String, boolean)
+     * @throws     NullPointerException if the package name argument is
+     *             {@code null}.
+     * @see        java.lang.ClassLoader#loadClass(String, boolean)
      * @see        java.security.Security#getProperty getProperty
-     * @see        #checkPermission(java.security.Permission) checkPermission
+     * @see        #checkPermission(Permission) checkPermission
      */
     public void checkPackageDefinition(String pkg) {
-        if (pkg == null) {
-            throw new NullPointerException("package name can't be null");
+        Objects.requireNonNull(pkg, "package name can't be null");
+
+        // check if pkg is not exported to all modules
+        if (nonExportedPkgs.contains(pkg)) {
+            checkPermission(
+                new RuntimePermission("defineClassInPackage." + pkg));
+            return;
         }
 
         String[] pkgs;
--- a/jdk/src/java.base/share/classes/java/lang/System.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/lang/System.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -310,12 +310,13 @@
      * @see SecurityManager#checkPermission
      * @see java.lang.RuntimePermission
      */
-    public static
-    void setSecurityManager(final SecurityManager s) {
-        try {
-            s.checkPackageAccess("java.lang");
-        } catch (Exception e) {
-            // no-op
+    public static void setSecurityManager(final SecurityManager s) {
+        if (s != null) {
+            try {
+                s.checkPackageAccess("java.lang");
+            } catch (Exception e) {
+                // no-op
+            }
         }
         setSecurityManager0(s);
     }
--- a/jdk/src/java.base/share/classes/java/lang/invoke/CallSite.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/lang/invoke/CallSite.java	Wed Jul 05 22:44:27 2017 +0200
@@ -28,6 +28,8 @@
 import static java.lang.invoke.MethodHandleStatics.*;
 import static java.lang.invoke.MethodHandles.Lookup.IMPL_LOOKUP;
 
+import jdk.internal.vm.annotation.Stable;
+
 /**
  * A {@code CallSite} is a holder for a variable {@link MethodHandle},
  * which is called its {@code target}.
@@ -215,19 +217,36 @@
     public abstract MethodHandle dynamicInvoker();
 
     /*non-public*/ MethodHandle makeDynamicInvoker() {
-        MethodHandle getTarget = GET_TARGET.bindArgumentL(0, this);
+        MethodHandle getTarget = getTargetHandle().bindArgumentL(0, this);
         MethodHandle invoker = MethodHandles.exactInvoker(this.type());
         return MethodHandles.foldArguments(invoker, getTarget);
     }
 
-    private static final MethodHandle GET_TARGET;
-    private static final MethodHandle THROW_UCS;
-    static {
+    private static @Stable MethodHandle GET_TARGET;
+    private static MethodHandle getTargetHandle() {
+        MethodHandle handle = GET_TARGET;
+        if (handle != null) {
+            return handle;
+        }
         try {
-            GET_TARGET = IMPL_LOOKUP.
-                findVirtual(CallSite.class, "getTarget", MethodType.methodType(MethodHandle.class));
-            THROW_UCS = IMPL_LOOKUP.
-                findStatic(CallSite.class, "uninitializedCallSite", MethodType.methodType(Object.class, Object[].class));
+            return GET_TARGET = IMPL_LOOKUP.
+                    findVirtual(CallSite.class, "getTarget",
+                                MethodType.methodType(MethodHandle.class));
+        } catch (ReflectiveOperationException e) {
+            throw newInternalError(e);
+        }
+    }
+
+    private static @Stable MethodHandle THROW_UCS;
+    private static MethodHandle uninitializedCallSiteHandle() {
+        MethodHandle handle = THROW_UCS;
+        if (handle != null) {
+            return handle;
+        }
+        try {
+            return THROW_UCS = IMPL_LOOKUP.
+                findStatic(CallSite.class, "uninitializedCallSite",
+                           MethodType.methodType(Object.class, Object[].class));
         } catch (ReflectiveOperationException e) {
             throw newInternalError(e);
         }
@@ -242,7 +261,7 @@
         MethodType basicType = targetType.basicType();
         MethodHandle invoker = basicType.form().cachedMethodHandle(MethodTypeForm.MH_UNINIT_CS);
         if (invoker == null) {
-            invoker = THROW_UCS.asType(basicType);
+            invoker = uninitializedCallSiteHandle().asType(basicType);
             invoker = basicType.form().setCachedMethodHandle(MethodTypeForm.MH_UNINIT_CS, invoker);
         }
         // unchecked view is OK since no values will be received or returned
@@ -250,12 +269,16 @@
     }
 
     // unsafe stuff:
-    private static final long  TARGET_OFFSET;
-    private static final long CONTEXT_OFFSET;
-    static {
+    private static @Stable long TARGET_OFFSET;
+    private static long getTargetOffset() {
+        long offset = TARGET_OFFSET;
+        if (offset > 0) {
+            return offset;
+        }
         try {
-            TARGET_OFFSET  = UNSAFE.objectFieldOffset(CallSite.class.getDeclaredField("target"));
-            CONTEXT_OFFSET = UNSAFE.objectFieldOffset(CallSite.class.getDeclaredField("context"));
+            offset = TARGET_OFFSET = UNSAFE.objectFieldOffset(CallSite.class.getDeclaredField("target"));
+            assert(offset > 0);
+            return offset;
         } catch (Exception ex) { throw newInternalError(ex); }
     }
 
@@ -265,7 +288,7 @@
     }
     /*package-private*/
     MethodHandle getTargetVolatile() {
-        return (MethodHandle) UNSAFE.getObjectVolatile(this, TARGET_OFFSET);
+        return (MethodHandle) UNSAFE.getObjectVolatile(this, getTargetOffset());
     }
     /*package-private*/
     void setTargetVolatile(MethodHandle newTarget) {
@@ -324,7 +347,7 @@
                         final int NON_SPREAD_ARG_COUNT = 3;  // (caller, name, type)
                         if (NON_SPREAD_ARG_COUNT + argv.length > MethodType.MAX_MH_ARITY)
                             throw new BootstrapMethodError("too many bootstrap method arguments");
-                        MethodType bsmType = bootstrapMethod.type();
+
                         MethodType invocationType = MethodType.genericMethodType(NON_SPREAD_ARG_COUNT + argv.length);
                         MethodHandle typedBSM = bootstrapMethod.asType(invocationType);
                         MethodHandle spreader = invocationType.invokers().spreadInvoker(NON_SPREAD_ARG_COUNT);
--- a/jdk/src/java.base/share/classes/java/lang/invoke/MethodHandles.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/lang/invoke/MethodHandles.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -846,8 +846,11 @@
             // that does not bluntly restrict classes under packages within
             // java.base from looking up MethodHandles or VarHandles.
             if (allowedModes == ALL_MODES && lookupClass.getClassLoader() == null) {
-                if ((name.startsWith("java.") && !name.startsWith("java.util.concurrent.")) ||
-                        (name.startsWith("sun.") && !name.startsWith("sun.invoke."))) {
+                if ((name.startsWith("java.") &&
+                     !name.equals("java.lang.Thread") &&
+                     !name.startsWith("java.util.concurrent.")) ||
+                    (name.startsWith("sun.") &&
+                     !name.startsWith("sun.invoke."))) {
                     throw newIllegalArgumentException("illegal lookupClass: " + lookupClass);
                 }
             }
--- a/jdk/src/java.base/share/classes/java/lang/invoke/MethodType.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/lang/invoke/MethodType.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1128,7 +1128,7 @@
     public String toMethodDescriptorString() {
         String desc = methodDescriptor;
         if (desc == null) {
-            desc = BytecodeDescriptor.unparse(this);
+            desc = BytecodeDescriptor.unparseMethod(this.rtype, this.ptypes);
             methodDescriptor = desc;
         }
         return desc;
@@ -1256,7 +1256,7 @@
         private final ReferenceQueue<T> stale;
 
         public ConcurrentWeakInternSet() {
-            this.map = new ConcurrentHashMap<>();
+            this.map = new ConcurrentHashMap<>(512);
             this.stale = new ReferenceQueue<>();
         }
 
--- a/jdk/src/java.base/share/classes/java/net/SocketInputStream.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/net/SocketInputStream.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -155,11 +155,12 @@
         }
 
         // bounds check
-        if (length <= 0 || off < 0 || off + length > b.length) {
+        if (length <= 0 || off < 0 || length > b.length - off) {
             if (length == 0) {
                 return 0;
             }
-            throw new ArrayIndexOutOfBoundsException();
+            throw new ArrayIndexOutOfBoundsException("length == " + length
+                    + " off == " + off + " buffer length == " + b.length);
         }
 
         boolean gotReset = false;
--- a/jdk/src/java.base/share/classes/java/net/SocketOutputStream.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/net/SocketOutputStream.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -97,11 +97,13 @@
      */
     private void socketWrite(byte b[], int off, int len) throws IOException {
 
-        if (len <= 0 || off < 0 || off + len > b.length) {
+
+        if (len <= 0 || off < 0 || len > b.length - off) {
             if (len == 0) {
                 return;
             }
-            throw new ArrayIndexOutOfBoundsException();
+            throw new ArrayIndexOutOfBoundsException("len == " + len
+                    + " off == " + off + " buffer length == " + b.length);
         }
 
         FileDescriptor fd = impl.acquireFD();
--- a/jdk/src/java.base/share/classes/java/net/URL.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/net/URL.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1556,9 +1556,6 @@
                 path = file;
         }
 
-        if (port == -1) {
-            port = 0;
-        }
         // Set the object fields.
         this.protocol = protocol;
         this.host = host;
--- a/jdk/src/java.base/share/classes/java/net/URLClassLoader.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/net/URLClassLoader.java	Wed Jul 05 22:44:27 2017 +0200
@@ -115,8 +115,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls);
         this.acc = AccessController.getContext();
+        this.ucp = new URLClassPath(urls, acc);
     }
 
     URLClassLoader(String name, URL[] urls, ClassLoader parent,
@@ -127,8 +127,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls);
         this.acc = acc;
+        this.ucp = new URLClassPath(urls, acc);
     }
 
     /**
@@ -159,8 +159,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls);
         this.acc = AccessController.getContext();
+        this.ucp = new URLClassPath(urls, acc);
     }
 
     URLClassLoader(URL[] urls, AccessControlContext acc) {
@@ -170,8 +170,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls);
         this.acc = acc;
+        this.ucp = new URLClassPath(urls, acc);
     }
 
     /**
@@ -203,8 +203,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls, factory);
         this.acc = AccessController.getContext();
+        this.ucp = new URLClassPath(urls, factory, acc);
     }
 
 
@@ -238,8 +238,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls);
         this.acc = AccessController.getContext();
+        this.ucp = new URLClassPath(urls, acc);
     }
 
     /**
@@ -271,8 +271,8 @@
         if (security != null) {
             security.checkCreateClassLoader();
         }
-        this.ucp = new URLClassPath(urls, factory);
         this.acc = AccessController.getContext();
+        this.ucp = new URLClassPath(urls, factory, acc);
     }
 
     /* A map (used as a set) to keep track of closeable local resources
--- a/jdk/src/java.base/share/classes/java/net/URLStreamHandler.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/net/URLStreamHandler.java	Wed Jul 05 22:44:27 2017 +0200
@@ -161,9 +161,9 @@
             (spec.charAt(start + 1) == '/')) {
             start += 2;
             i = spec.indexOf('/', start);
-            if (i < 0) {
+            if (i < 0 || i > limit) {
                 i = spec.indexOf('?', start);
-                if (i < 0)
+                if (i < 0 || i > limit)
                     i = limit;
             }
 
@@ -171,8 +171,14 @@
 
             int ind = authority.indexOf('@');
             if (ind != -1) {
-                userInfo = authority.substring(0, ind);
-                host = authority.substring(ind+1);
+                if (ind != authority.lastIndexOf('@')) {
+                    // more than one '@' in authority. This is not server based
+                    userInfo = null;
+                    host = null;
+                } else {
+                    userInfo = authority.substring(0, ind);
+                    host = authority.substring(ind+1);
+                }
             } else {
                 userInfo = null;
             }
--- a/jdk/src/java.base/share/classes/java/util/ResourceBundle.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/ResourceBundle.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,6 +43,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
+import java.lang.ref.Reference;
 import java.lang.ref.ReferenceQueue;
 import java.lang.ref.SoftReference;
 import java.lang.ref.WeakReference;
@@ -365,7 +366,7 @@
                 @Override
                 public ResourceBundle getBundle(String baseName, Locale locale, Module module) {
                     // use the given module as the caller to bypass the access check
-                    return getBundleImpl(module, module, getLoader(module),
+                    return getBundleImpl(module, module,
                                          baseName, locale, Control.INSTANCE);
                 }
 
@@ -537,63 +538,19 @@
         return locale;
     }
 
-    /*
-     * Automatic determination of the ClassLoader to be used to load
-     * resources on behalf of the client.
-     */
-    private static ClassLoader getLoader(Class<?> caller) {
-        ClassLoader cl = caller == null ? null : caller.getClassLoader();
-        if (cl == null) {
-            // When the caller's loader is the boot class loader, cl is null
-            // here. In that case, ClassLoader.getSystemClassLoader() may
-            // return the same class loader that the application is
-            // using. We therefore use a wrapper ClassLoader to create a
-            // separate scope for bundles loaded on behalf of the Java
-            // runtime so that these bundles cannot be returned from the
-            // cache to the application (5048280).
-            cl = RBClassLoader.INSTANCE;
-        }
-        return cl;
-    }
-
     private static ClassLoader getLoader(Module module) {
         PrivilegedAction<ClassLoader> pa = module::getClassLoader;
         return AccessController.doPrivileged(pa);
     }
 
     /**
-     * A wrapper of ClassLoader.getSystemClassLoader().
+     * @param module a non-null-screened module form the {@link CacheKey#getModule()}.
+     * @return the ClassLoader to use in {@link Control#needsReload}
+     *         and {@link Control#newBundle}
      */
-    private static class RBClassLoader extends ClassLoader {
-        private static final RBClassLoader INSTANCE = AccessController.doPrivileged(
-                    new PrivilegedAction<RBClassLoader>() {
-                        public RBClassLoader run() {
-                            return new RBClassLoader();
-                        }
-                    });
-        private RBClassLoader() {
-        }
-        public Class<?> loadClass(String name) throws ClassNotFoundException {
-            ClassLoader loader = ClassLoader.getSystemClassLoader();
-            if (loader != null) {
-                return loader.loadClass(name);
-            }
-            return Class.forName(name);
-        }
-        public URL getResource(String name) {
-            ClassLoader loader = ClassLoader.getSystemClassLoader();
-            if (loader != null) {
-                return loader.getResource(name);
-            }
-            return ClassLoader.getSystemResource(name);
-        }
-        public InputStream getResourceAsStream(String name) {
-            ClassLoader loader = ClassLoader.getSystemClassLoader();
-            if (loader != null) {
-                return loader.getResourceAsStream(name);
-            }
-            return ClassLoader.getSystemResourceAsStream(name);
-        }
+    private static ClassLoader getLoaderForControl(Module module) {
+        ClassLoader loader = getLoader(module);
+        return loader == null ? ClassLoader.getSystemClassLoader() : loader;
     }
 
     /**
@@ -610,23 +567,23 @@
 
     /**
      * Key used for cached resource bundles.  The key checks the base
-     * name, the locale, the class loader, and the caller module
+     * name, the locale, the bundle module, and the caller module
      * to determine if the resource is a match to the requested one.
-     * The loader may be null, but the base name, the locale and
-     * module must have a non-null value.
+     * The base name, the locale and both modules must have a non-null value.
      */
-    private static class CacheKey implements Cloneable {
+    private static final class CacheKey {
         // These four are the actual keys for lookup in Map.
-        private String name;
-        private Locale locale;
-        private KeyElementReference<ClassLoader> loaderRef;
-        private KeyElementReference<Module> moduleRef;
-        private KeyElementReference<Module> callerRef;
-
+        private final String name;
+        private volatile Locale locale;
+        private final KeyElementReference<Module> moduleRef;
+        private final KeyElementReference<Module> callerRef;
+        // this is the part of hashCode that pertains to module and callerModule
+        // which can be GCed..
+        private final int modulesHash;
 
         // bundle format which is necessary for calling
         // Control.needsReload().
-        private String format;
+        private volatile String format;
 
         // These time values are in CacheKey so that NONEXISTENT_BUNDLE
         // doesn't need to be cloned for caching.
@@ -639,63 +596,55 @@
         private volatile long expirationTime;
 
         // Placeholder for an error report by a Throwable
-        private Throwable cause;
-
-        // Hash code value cache to avoid recalculating the hash code
-        // of this instance.
-        private int hashCodeCache;
+        private volatile Throwable cause;
 
         // ResourceBundleProviders for loading ResourceBundles
-        private ServiceLoader<ResourceBundleProvider> providers;
-        private boolean providersChecked;
+        private volatile ServiceLoader<ResourceBundleProvider> providers;
+        private volatile boolean providersChecked;
 
         // Boolean.TRUE if the factory method caller provides a ResourceBundleProvier.
-        private Boolean callerHasProvider;
+        private volatile Boolean callerHasProvider;
 
-        CacheKey(String baseName, Locale locale, ClassLoader loader, Module module, Module caller) {
+        CacheKey(String baseName, Locale locale, Module module, Module caller) {
             Objects.requireNonNull(module);
+            Objects.requireNonNull(caller);
 
             this.name = baseName;
             this.locale = locale;
-            if (loader == null) {
-                this.loaderRef = null;
-            } else {
-                this.loaderRef = new KeyElementReference<>(loader, referenceQueue, this);
-            }
             this.moduleRef = new KeyElementReference<>(module, referenceQueue, this);
             this.callerRef = new KeyElementReference<>(caller, referenceQueue, this);
+            this.modulesHash = module.hashCode() ^ caller.hashCode();
+        }
 
-            calculateHashCode();
+        CacheKey(CacheKey src) {
+            // Create References to src's modules
+            this.moduleRef = new KeyElementReference<>(
+                Objects.requireNonNull(src.getModule()), referenceQueue, this);
+            this.callerRef = new KeyElementReference<>(
+                Objects.requireNonNull(src.getCallerModule()), referenceQueue, this);
+            // Copy fields from src. ResourceBundleProviders related fields
+            // and "cause" should not be copied.
+            this.name = src.name;
+            this.locale = src.locale;
+            this.modulesHash = src.modulesHash;
+            this.format = src.format;
+            this.loadTime = src.loadTime;
+            this.expirationTime = src.expirationTime;
         }
 
         String getName() {
             return name;
         }
 
-        CacheKey setName(String baseName) {
-            if (!this.name.equals(baseName)) {
-                this.name = baseName;
-                calculateHashCode();
-            }
-            return this;
-        }
-
         Locale getLocale() {
             return locale;
         }
 
         CacheKey setLocale(Locale locale) {
-            if (!this.locale.equals(locale)) {
-                this.locale = locale;
-                calculateHashCode();
-            }
+            this.locale = locale;
             return this;
         }
 
-        ClassLoader getLoader() {
-            return (loaderRef != null) ? loaderRef.get() : null;
-        }
-
         Module getModule() {
             return moduleRef.get();
         }
@@ -728,7 +677,7 @@
             try {
                 final CacheKey otherEntry = (CacheKey)other;
                 //quick check to see if they are not equal
-                if (hashCodeCache != otherEntry.hashCodeCache) {
+                if (modulesHash != otherEntry.modulesHash) {
                     return false;
                 }
                 //are the names the same?
@@ -739,24 +688,11 @@
                 if (!locale.equals(otherEntry.locale)) {
                     return false;
                 }
-                //are refs (both non-null) or (both null)?
-                if (loaderRef == null) {
-                    return otherEntry.loaderRef == null;
-                }
-                ClassLoader loader = getLoader();
+                // are modules and callerModules the same and non-null?
                 Module module = getModule();
                 Module caller = getCallerModule();
-
-                return (otherEntry.loaderRef != null)
-                        // with a null reference we can no longer find
-                        // out which class loader or module was referenced; so
-                        // treat it as unequal
-                        && (loader != null)
-                        && (loader == otherEntry.getLoader())
-                        && (module != null)
-                        && (module.equals(otherEntry.getModule()))
-                        && (caller != null)
-                        && (caller.equals(otherEntry.getCallerModule()));
+                return ((module != null) && (module.equals(otherEntry.getModule())) &&
+                        (caller != null) && (caller.equals(otherEntry.getCallerModule())));
             } catch (NullPointerException | ClassCastException e) {
             }
             return false;
@@ -764,51 +700,7 @@
 
         @Override
         public int hashCode() {
-            return hashCodeCache;
-        }
-
-        private void calculateHashCode() {
-            hashCodeCache = name.hashCode() << 3;
-            hashCodeCache ^= locale.hashCode();
-            ClassLoader loader = getLoader();
-            if (loader != null) {
-                hashCodeCache ^= loader.hashCode();
-            }
-            Module module = getModule();
-            if (module != null) {
-                hashCodeCache ^= module.hashCode();
-            }
-            Module caller = getCallerModule();
-            if (caller != null) {
-                hashCodeCache ^= caller.hashCode();
-            }
-        }
-
-        @Override
-        public Object clone() {
-            try {
-                CacheKey clone = (CacheKey) super.clone();
-                if (loaderRef != null) {
-                    clone.loaderRef = new KeyElementReference<>(getLoader(),
-                                                                referenceQueue, clone);
-                }
-                clone.moduleRef = new KeyElementReference<>(getModule(),
-                                                            referenceQueue, clone);
-                clone.callerRef = new KeyElementReference<>(getCallerModule(),
-                                                            referenceQueue, clone);
-
-                // Clear the reference to ResourceBundleProviders and the flag
-                clone.providers = null;
-                clone.providersChecked = false;
-                // Clear the reference to a Throwable
-                clone.cause = null;
-                // Clear callerHasProvider
-                clone.callerHasProvider = null;
-                return clone;
-            } catch (CloneNotSupportedException e) {
-                //this should never happen
-                throw new InternalError(e);
-            }
+            return (name.hashCode() << 3) ^ locale.hashCode() ^ modulesHash;
         }
 
         String getFormat() {
@@ -845,8 +737,12 @@
                     l = "\"\"";
                 }
             }
-            return "CacheKey[" + name + ", lc=" + l + ", ldr=" + getLoader()
-                + "(format=" + format + ")]";
+            return "CacheKey[" + name +
+                   ", locale=" + l +
+                   ", module=" + getModule() +
+                   ", callerModule=" + getCallerModule() +
+                   ", format=" + format +
+                   "]";
         }
     }
 
@@ -1568,7 +1464,7 @@
                                                 Locale locale,
                                                 Class<?> caller,
                                                 Control control) {
-        return getBundleImpl(baseName, locale, caller, getLoader(caller), control);
+        return getBundleImpl(baseName, locale, caller, caller.getClassLoader(), control);
     }
 
     /**
@@ -1587,26 +1483,25 @@
                                                 Class<?> caller,
                                                 ClassLoader loader,
                                                 Control control) {
-        if (caller != null && caller.getModule().isNamed()) {
-            Module module = caller.getModule();
-            ClassLoader ml = getLoader(module);
-            // get resource bundles for a named module only
-            // if loader is the module's class loader
-            if (loader == ml || (ml == null && loader == RBClassLoader.INSTANCE)) {
-                return getBundleImpl(module, module, loader, baseName, locale, control);
-            }
-        }
-        // find resource bundles from unnamed module
-        Module unnamedModule = loader != null
-            ? loader.getUnnamedModule()
-            : ClassLoader.getSystemClassLoader().getUnnamedModule();
-
         if (caller == null) {
             throw new InternalError("null caller");
         }
+        Module callerModule = caller.getModule();
 
-        Module callerModule = caller.getModule();
-        return getBundleImpl(callerModule, unnamedModule, loader, baseName, locale, control);
+        // get resource bundles for a named module only if loader is the module's class loader
+        if (callerModule.isNamed() && loader == getLoader(callerModule)) {
+            return getBundleImpl(callerModule, callerModule, baseName, locale, control);
+        }
+
+        // find resource bundles from unnamed module of given class loader
+        // Java agent can add to the bootclasspath e.g. via
+        // java.lang.instrument.Instrumentation and load classes in unnamed module.
+        // It may call RB::getBundle that will end up here with loader == null.
+        Module unnamedModule = loader != null
+            ? loader.getUnnamedModule()
+            : BootLoader.getUnnamedModule();
+
+        return getBundleImpl(callerModule, unnamedModule, baseName, locale, control);
     }
 
     private static ResourceBundle getBundleFromModule(Class<?> caller,
@@ -1622,12 +1517,11 @@
                 sm.checkPermission(GET_CLASSLOADER_PERMISSION);
             }
         }
-        return getBundleImpl(callerModule, module, getLoader(module), baseName, locale, control);
+        return getBundleImpl(callerModule, module, baseName, locale, control);
     }
 
     private static ResourceBundle getBundleImpl(Module callerModule,
                                                 Module module,
-                                                ClassLoader loader,
                                                 String baseName,
                                                 Locale locale,
                                                 Control control) {
@@ -1636,10 +1530,10 @@
         }
 
         // We create a CacheKey here for use by this call. The base name
-        // loader, and module will never change during the bundle loading
+        // and modules will never change during the bundle loading
         // process. We have to make sure that the locale is set before
         // using it as a cache key.
-        CacheKey cacheKey = new CacheKey(baseName, locale, loader, module, callerModule);
+        CacheKey cacheKey = new CacheKey(baseName, locale, module, callerModule);
         ResourceBundle bundle = null;
 
         // Quick lookup of the cache.
@@ -1708,6 +1602,11 @@
             bundle = baseBundle;
         }
 
+        // keep callerModule and module reachable for as long as we are operating
+        // with WeakReference(s) to them (in CacheKey)...
+        Reference.reachabilityFence(callerModule);
+        Reference.reachabilityFence(module);
+
         return bundle;
     }
 
@@ -1745,7 +1644,7 @@
         }
 
         // Before we do the real loading work, see whether we need to
-        // do some housekeeping: If references to class loaders or
+        // do some housekeeping: If references to modules or
         // resource bundles have been nulled out, remove all related
         // information from the cache.
         Object ref;
@@ -1781,31 +1680,24 @@
         }
 
         if (bundle != NONEXISTENT_BUNDLE) {
-            CacheKey constKey = (CacheKey) cacheKey.clone();
             trace("findBundle: %d %s %s formats: %s%n", index, candidateLocales, cacheKey, formats);
-            try {
-                if (module.isNamed()) {
-                    bundle = loadBundle(cacheKey, formats, control, module, callerModule);
-                } else {
-                    bundle = loadBundle(cacheKey, formats, control, expiredBundle);
+            if (module.isNamed()) {
+                bundle = loadBundle(cacheKey, formats, control, module, callerModule);
+            } else {
+                bundle = loadBundle(cacheKey, formats, control, expiredBundle);
+            }
+            if (bundle != null) {
+                if (bundle.parent == null) {
+                    bundle.setParent(parent);
                 }
-                if (bundle != null) {
-                    if (bundle.parent == null) {
-                        bundle.setParent(parent);
-                    }
-                    bundle.locale = targetLocale;
-                    bundle = putBundleInCache(cacheKey, bundle, control);
-                    return bundle;
-                }
+                bundle.locale = targetLocale;
+                bundle = putBundleInCache(cacheKey, bundle, control);
+                return bundle;
+            }
 
-                // Put NONEXISTENT_BUNDLE in the cache as a mark that there's no bundle
-                // instance for the locale.
-                putBundleInCache(cacheKey, NONEXISTENT_BUNDLE, control);
-            } finally {
-                if (constKey.getCause() instanceof InterruptedException) {
-                    Thread.currentThread().interrupt();
-                }
-            }
+            // Put NONEXISTENT_BUNDLE in the cache as a mark that there's no bundle
+            // instance for the locale.
+            putBundleInCache(cacheKey, NONEXISTENT_BUNDLE, control);
         }
         return parent;
     }
@@ -1991,12 +1883,20 @@
         // specified by the getFormats() value.
         Locale targetLocale = cacheKey.getLocale();
 
+        Module module = cacheKey.getModule();
+        if (module == null) {
+            // should not happen
+            throw new InternalError(
+                "Module for cache key: " + cacheKey + " has been GCed.");
+        }
+        ClassLoader loader = getLoaderForControl(module);
+
         ResourceBundle bundle = null;
         for (String format : formats) {
             try {
                 // ResourceBundle.Control.newBundle may be overridden
                 bundle = control.newBundle(cacheKey.getName(), targetLocale, format,
-                                           cacheKey.getLoader(), reload);
+                                           loader, reload);
             } catch (LinkageError | Exception error) {
                 // We need to handle the LinkageError case due to
                 // inconsistent case-sensitivity in ClassLoader.
@@ -2138,12 +2038,15 @@
                         if (!bundle.expired && expirationTime >= 0 &&
                             expirationTime <= System.currentTimeMillis()) {
                             try {
-                                bundle.expired = control.needsReload(key.getName(),
-                                                                     key.getLocale(),
-                                                                     key.getFormat(),
-                                                                     key.getLoader(),
-                                                                     bundle,
-                                                                     key.loadTime);
+                                Module module = cacheKey.getModule();
+                                bundle.expired =
+                                    module == null || // already GCed
+                                    control.needsReload(key.getName(),
+                                                        key.getLocale(),
+                                                        key.getFormat(),
+                                                        getLoaderForControl(module),
+                                                        bundle,
+                                                        key.loadTime);
                             } catch (Exception e) {
                                 cacheKey.setCause(e);
                             }
@@ -2185,7 +2088,7 @@
                                                    Control control) {
         setExpirationTime(cacheKey, control);
         if (cacheKey.expirationTime != Control.TTL_DONT_CACHE) {
-            CacheKey key = (CacheKey) cacheKey.clone();
+            CacheKey key = new CacheKey(cacheKey);
             BundleReference bundleRef = new BundleReference(bundle, referenceQueue, key);
             bundle.cacheKey = key;
 
@@ -2231,7 +2134,7 @@
 
     /**
      * Removes all resource bundles from the cache that have been loaded
-     * by the caller's module using the caller's class loader.
+     * by the caller's module.
      *
      * @since 1.6
      * @see ResourceBundle.Control#getTimeToLive(String,Locale)
@@ -2239,47 +2142,29 @@
     @CallerSensitive
     public static final void clearCache() {
         Class<?> caller = Reflection.getCallerClass();
-        clearCache(getLoader(caller), caller.getModule());
+        cacheList.keySet().removeIf(
+            key -> key.getCallerModule() == caller.getModule()
+        );
     }
 
     /**
      * Removes all resource bundles from the cache that have been loaded
-     * by the caller's module using the given class loader.
+     * by the given class loader.
      *
      * @param loader the class loader
      * @exception NullPointerException if <code>loader</code> is null
      * @since 1.6
      * @see ResourceBundle.Control#getTimeToLive(String,Locale)
      */
-    @CallerSensitive
     public static final void clearCache(ClassLoader loader) {
         Objects.requireNonNull(loader);
-        clearCache(loader, Reflection.getCallerClass().getModule());
-    }
-
-    /**
-     * Removes all resource bundles from the cache that have been loaded by the
-     * given {@code module}.
-     *
-     * @param module the module
-     * @throws NullPointerException
-     *         if {@code module} is {@code null}
-     * @throws SecurityException
-     *         if the caller doesn't have the permission to
-     *         {@linkplain Module#getClassLoader() get the class loader}
-     *         of the given {@code module}
-     * @since 9
-     * @see ResourceBundle.Control#getTimeToLive(String,Locale)
-     */
-    public static final void clearCache(Module module) {
-        clearCache(module.getClassLoader(), module);
-    }
-
-    private static void clearCache(ClassLoader loader, Module module) {
-        Set<CacheKey> set = cacheList.keySet();
-        set.stream()
-           .filter((key) -> (key.getLoader() == loader && key.getModule() == module))
-           .forEach(set::remove);
+        cacheList.keySet().removeIf(
+            key -> {
+                Module m;
+                return (m = key.getModule()) != null &&
+                       getLoader(m) == loader;
+            }
+        );
     }
 
     /**
--- a/jdk/src/java.base/share/classes/java/util/concurrent/ForkJoinWorkerThread.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/ForkJoinWorkerThread.java	Wed Jul 05 22:44:27 2017 +0200
@@ -185,7 +185,14 @@
     static final class InnocuousForkJoinWorkerThread extends ForkJoinWorkerThread {
         /** The ThreadGroup for all InnocuousForkJoinWorkerThreads */
         private static final ThreadGroup innocuousThreadGroup =
-            ThreadLocalRandom.createThreadGroup("InnocuousForkJoinWorkerThreadGroup");
+                java.security.AccessController.doPrivileged(
+                    new java.security.PrivilegedAction<>() {
+                        public ThreadGroup run() {
+                            ThreadGroup group = Thread.currentThread().getThreadGroup();
+                            for (ThreadGroup p; (p = group.getParent()) != null; )
+                                group = p;
+                            return new ThreadGroup(group, "InnocuousForkJoinWorkerThreadGroup");
+                        }});
 
         /** An AccessControlContext supporting no privileges */
         private static final AccessControlContext INNOCUOUS_ACC =
@@ -215,6 +222,5 @@
         public void setContextClassLoader(ClassLoader cl) {
             throw new SecurityException("setContextClassLoader");
         }
-
     }
 }
--- a/jdk/src/java.base/share/classes/java/util/concurrent/ThreadLocalRandom.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/ThreadLocalRandom.java	Wed Jul 05 22:44:27 2017 +0200
@@ -985,34 +985,6 @@
         U.putObjectRelease(thread, INHERITEDACCESSCONTROLCONTEXT, acc);
     }
 
-    /**
-     * Returns a new group with the system ThreadGroup (the
-     * topmost, parent-less group) as parent.  Uses Unsafe to
-     * traverse Thread.group and ThreadGroup.parent fields.
-     */
-    static final ThreadGroup createThreadGroup(String name) {
-        if (name == null)
-            throw new NullPointerException();
-        try {
-            long tg = U.objectFieldOffset
-                (Thread.class.getDeclaredField("group"));
-            long gp = U.objectFieldOffset
-                (ThreadGroup.class.getDeclaredField("parent"));
-            ThreadGroup group = (ThreadGroup)
-                U.getObject(Thread.currentThread(), tg);
-            while (group != null) {
-                ThreadGroup parent = (ThreadGroup)U.getObject(group, gp);
-                if (parent == null)
-                    return new ThreadGroup(group, name);
-                group = parent;
-            }
-        } catch (ReflectiveOperationException e) {
-            throw new Error(e);
-        }
-        // fall through if null as cannot-happen safeguard
-        throw new Error("Cannot create ThreadGroup");
-    }
-
     // Serialization support
 
     private static final long serialVersionUID = -5851777807851030925L;
@@ -1087,17 +1059,17 @@
     static {
         try {
             SEED = U.objectFieldOffset
-                (Thread.class.getDeclaredField("threadLocalRandomSeed"));
+                    (Thread.class.getDeclaredField("threadLocalRandomSeed"));
             PROBE = U.objectFieldOffset
-                (Thread.class.getDeclaredField("threadLocalRandomProbe"));
+                    (Thread.class.getDeclaredField("threadLocalRandomProbe"));
             SECONDARY = U.objectFieldOffset
-                (Thread.class.getDeclaredField("threadLocalRandomSecondarySeed"));
+                    (Thread.class.getDeclaredField("threadLocalRandomSecondarySeed"));
             THREADLOCALS = U.objectFieldOffset
-                (Thread.class.getDeclaredField("threadLocals"));
+                    (Thread.class.getDeclaredField("threadLocals"));
             INHERITABLETHREADLOCALS = U.objectFieldOffset
-                (Thread.class.getDeclaredField("inheritableThreadLocals"));
+                    (Thread.class.getDeclaredField("inheritableThreadLocals"));
             INHERITEDACCESSCONTROLCONTEXT = U.objectFieldOffset
-                (Thread.class.getDeclaredField("inheritedAccessControlContext"));
+                    (Thread.class.getDeclaredField("inheritedAccessControlContext"));
         } catch (ReflectiveOperationException e) {
             throw new Error(e);
         }
@@ -1123,7 +1095,7 @@
     // at end of <clinit> to survive static initialization circularity
     static {
         if (java.security.AccessController.doPrivileged(
-            new java.security.PrivilegedAction<Boolean>() {
+            new java.security.PrivilegedAction<>() {
                 public Boolean run() {
                     return Boolean.getBoolean("java.util.secureRandomSeed");
                 }})) {
--- a/jdk/src/java.base/share/classes/java/util/concurrent/atomic/AtomicIntegerFieldUpdater.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/atomic/AtomicIntegerFieldUpdater.java	Wed Jul 05 22:44:27 2017 +0200
@@ -40,6 +40,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
 import java.util.function.IntBinaryOperator;
 import java.util.function.IntUnaryOperator;
 import jdk.internal.misc.Unsafe;
@@ -411,7 +412,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.offset = U.objectFieldOffset(field);
         }
@@ -433,6 +444,15 @@
         }
 
         /**
+         * Returns true if the two classes have the same class loader and
+         * package qualifier
+         */
+        private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
+            return class1.getClassLoader() == class2.getClassLoader()
+                   && Objects.equals(class1.getPackageName(), class2.getPackageName());
+        }
+
+        /**
          * Checks that target argument is instance of cclass.  On
          * failure, throws cause.
          */
--- a/jdk/src/java.base/share/classes/java/util/concurrent/atomic/AtomicLongFieldUpdater.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/atomic/AtomicLongFieldUpdater.java	Wed Jul 05 22:44:27 2017 +0200
@@ -40,6 +40,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
 import java.util.function.LongBinaryOperator;
 import java.util.function.LongUnaryOperator;
 import jdk.internal.misc.Unsafe;
@@ -409,7 +410,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.offset = U.objectFieldOffset(field);
         }
@@ -540,7 +551,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.offset = U.objectFieldOffset(field);
         }
@@ -621,4 +642,13 @@
         } while (acl != null);
         return false;
     }
+
+    /**
+     * Returns true if the two classes have the same class loader and
+     * package qualifier
+     */
+    static boolean isSamePackage(Class<?> class1, Class<?> class2) {
+        return class1.getClassLoader() == class2.getClassLoader()
+               && Objects.equals(class1.getPackageName(), class2.getPackageName());
+    }
 }
--- a/jdk/src/java.base/share/classes/java/util/concurrent/atomic/AtomicReferenceFieldUpdater.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/atomic/AtomicReferenceFieldUpdater.java	Wed Jul 05 22:44:27 2017 +0200
@@ -40,6 +40,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
 import java.util.function.BinaryOperator;
 import java.util.function.UnaryOperator;
 import jdk.internal.misc.Unsafe;
@@ -351,7 +352,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.vclass = vclass;
             this.offset = U.objectFieldOffset(field);
@@ -374,6 +385,15 @@
         }
 
         /**
+         * Returns true if the two classes have the same class loader and
+         * package qualifier
+         */
+        private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
+            return class1.getClassLoader() == class2.getClassLoader()
+                   && Objects.equals(class1.getPackageName(), class2.getPackageName());
+        }
+
+        /**
          * Checks that target argument is instance of cclass.  On
          * failure, throws cause.
          */
--- a/jdk/src/java.base/share/classes/java/util/concurrent/atomic/Striped64.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/atomic/Striped64.java	Wed Jul 05 22:44:27 2017 +0200
@@ -41,7 +41,6 @@
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.function.DoubleBinaryOperator;
 import java.util.function.LongBinaryOperator;
-import jdk.internal.misc.Unsafe;
 
 /**
  * A package-local class holding common representation and mechanics
@@ -191,7 +190,7 @@
      * Duplicated from ThreadLocalRandom because of packaging restrictions.
      */
     static final int getProbe() {
-        return U.getInt(Thread.currentThread(), PROBE);
+        return (int) THREAD_PROBE.get(Thread.currentThread());
     }
 
     /**
@@ -203,7 +202,7 @@
         probe ^= probe << 13;   // xorshift
         probe ^= probe >>> 17;
         probe ^= probe << 5;
-        U.putInt(Thread.currentThread(), PROBE, probe);
+        THREAD_PROBE.set(Thread.currentThread(), probe);
         return probe;
     }
 
@@ -373,18 +372,28 @@
         }
     }
 
-    // Unsafe and VarHandle mechanics
-    private static final Unsafe U = Unsafe.getUnsafe();
+    // VarHandle mechanics
     private static final VarHandle BASE;
     private static final VarHandle CELLSBUSY;
-    private static final long PROBE;
+    private static final VarHandle THREAD_PROBE;
     static {
         try {
             MethodHandles.Lookup l = MethodHandles.lookup();
-            BASE = l.findVarHandle(Striped64.class, "base", long.class);
-            CELLSBUSY = l.findVarHandle(Striped64.class, "cellsBusy", int.class);
-            PROBE = U.objectFieldOffset
-                (Thread.class.getDeclaredField("threadLocalRandomProbe"));
+            BASE = l.findVarHandle(Striped64.class,
+                    "base", long.class);
+            CELLSBUSY = l.findVarHandle(Striped64.class,
+                    "cellsBusy", int.class);
+            l = java.security.AccessController.doPrivileged(
+                    new java.security.PrivilegedAction<>() {
+                        public MethodHandles.Lookup run() {
+                            try {
+                                return MethodHandles.privateLookupIn(Thread.class, MethodHandles.lookup());
+                            } catch (ReflectiveOperationException e) {
+                                throw new Error(e);
+                            }
+                        }});
+            THREAD_PROBE = l.findVarHandle(Thread.class,
+                    "threadLocalRandomProbe", int.class);
         } catch (ReflectiveOperationException e) {
             throw new Error(e);
         }
--- a/jdk/src/java.base/share/classes/java/util/concurrent/locks/LockSupport.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/util/concurrent/locks/LockSupport.java	Wed Jul 05 22:44:27 2017 +0200
@@ -425,11 +425,11 @@
     static {
         try {
             PARKBLOCKER = U.objectFieldOffset
-                (Thread.class.getDeclaredField("parkBlocker"));
+                    (Thread.class.getDeclaredField("parkBlocker"));
             SECONDARY = U.objectFieldOffset
-                (Thread.class.getDeclaredField("threadLocalRandomSecondarySeed"));
+                    (Thread.class.getDeclaredField("threadLocalRandomSecondarySeed"));
             TID = U.objectFieldOffset
-                (Thread.class.getDeclaredField("tid"));
+                    (Thread.class.getDeclaredField("tid"));
 
         } catch (ReflectiveOperationException e) {
             throw new Error(e);
--- a/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -120,6 +120,9 @@
      * Note: This method can be used only when using certificate-based
      * cipher suites; using it with non-certificate-based cipher suites,
      * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
      *
      * @return an ordered array of the peer certificates,
      *          with the peer's own certificate first followed by
@@ -140,6 +143,9 @@
      * Note: This method can be used only when using certificate-based
      * cipher suites; using it with non-certificate-based cipher suites,
      * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
      *
      * <p><em>Note: this method exists for compatibility with previous
      * releases. New applications should use
--- a/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -104,6 +104,9 @@
      * Note: This method can be used only when using certificate-based
      * cipher suites; using it with non-certificate-based cipher suites,
      * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
      *
      * @return an ordered array of server certificates,
      *          with the peer's own certificate first followed by
--- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -219,6 +219,9 @@
      * Note: This method can be used only when using certificate-based
      * cipher suites; using it with non-certificate-based cipher suites,
      * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
      *
      * @return an ordered array of peer certificates,
      *          with the peer's own certificate first followed by any
@@ -259,6 +262,9 @@
      * Note: This method can be used only when using certificate-based
      * cipher suites; using it with non-certificate-based cipher suites,
      * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
      *
      * <p><em>Note: this method exists for compatibility with previous
      * releases. New applications should use
--- a/jdk/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/jdk/internal/loader/URLClassPath.java	Wed Jul 05 22:44:27 2017 +0200
@@ -38,6 +38,7 @@
 import java.net.URLConnection;
 import java.net.URLStreamHandler;
 import java.net.URLStreamHandlerFactory;
+import java.security.AccessControlContext;
 import java.security.AccessControlException;
 import java.security.AccessController;
 import java.security.CodeSigner;
@@ -83,6 +84,7 @@
     private static final String JAVA_VERSION;
     private static final boolean DEBUG;
     private static final boolean DISABLE_JAR_CHECKING;
+    private static final boolean DISABLE_ACC_CHECKING;
 
     static {
         Properties props = GetPropertyAction.privilegedGetProperties();
@@ -90,6 +92,9 @@
         DEBUG = (props.getProperty("sun.misc.URLClassPath.debug") != null);
         String p = props.getProperty("sun.misc.URLClassPath.disableJarChecking");
         DISABLE_JAR_CHECKING = p != null ? p.equals("true") || p.equals("") : false;
+
+        p = props.getProperty("jdk.net.URLClassPath.disableRestrictedPermissions");
+        DISABLE_ACC_CHECKING = p != null ? p.equals("true") || p.equals("") : false;
     }
 
     /* The original search path of URLs. */
@@ -110,6 +115,11 @@
     /* Whether this URLClassLoader has been closed yet */
     private boolean closed = false;
 
+    /* The context to be used when loading classes and resources.  If non-null
+     * this is the context that was captured during the creation of the
+     * URLClassLoader. null implies no additional security restrictions. */
+    private final AccessControlContext acc;
+
     /**
      * Creates a new URLClassPath for the given URLs. The URLs will be
      * searched in the order specified for classes and resources. A URL
@@ -119,8 +129,12 @@
      * @param urls the directory and JAR file URLs to search for classes
      *        and resources
      * @param factory the URLStreamHandlerFactory to use when creating new URLs
+     * @param acc the context to be used when loading classes and resources, may
+     *            be null
      */
-    public URLClassPath(URL[] urls, URLStreamHandlerFactory factory) {
+    public URLClassPath(URL[] urls,
+                        URLStreamHandlerFactory factory,
+                        AccessControlContext acc) {
         for (int i = 0; i < urls.length; i++) {
             path.add(urls[i]);
         }
@@ -128,10 +142,22 @@
         if (factory != null) {
             jarHandler = factory.createURLStreamHandler("jar");
         }
+        if (DISABLE_ACC_CHECKING)
+            this.acc = null;
+        else
+            this.acc = acc;
     }
 
+    /**
+     * Constructs a URLClassPath with no additional security restrictions.
+     * Used by code that implements the class path.
+     */
     public URLClassPath(URL[] urls) {
-        this(urls, null);
+        this(urls, null, null);
+    }
+
+    public URLClassPath(URL[] urls, AccessControlContext acc) {
+        this(urls, null, acc);
     }
 
     public synchronized List<IOException> closeLoaders() {
@@ -356,6 +382,14 @@
             } catch (IOException e) {
                 // Silently ignore for now...
                 continue;
+            } catch (SecurityException se) {
+                // Always silently ignore. The context, if there is one, that
+                // this URLClassPath was given during construction will never
+                // have permission to access the URL.
+                if (DEBUG) {
+                    System.err.println("Failed to access " + url + ", " + se );
+                }
+                continue;
             }
             // Finally, add the Loader to the search path.
             loaders.add(loader);
@@ -378,7 +412,7 @@
                             && file != null && (file.indexOf("!/") == file.length() - 2)) {
                         // extract the nested URL
                         URL nestedUrl = new URL(file.substring(0, file.length() - 2));
-                        return new JarLoader(nestedUrl, jarHandler, lmap);
+                        return new JarLoader(nestedUrl, jarHandler, lmap, acc);
                     } else if (file != null && file.endsWith("/")) {
                         if ("file".equals(protocol)) {
                             return new FileLoader(url);
@@ -386,10 +420,10 @@
                             return new Loader(url);
                         }
                     } else {
-                        return new JarLoader(url, jarHandler, lmap);
+                        return new JarLoader(url, jarHandler, lmap, acc);
                     }
                 }
-            });
+            }, acc);
         } catch (java.security.PrivilegedActionException pae) {
             throw (IOException)pae.getException();
         }
@@ -585,10 +619,11 @@
      */
     static class JarLoader extends Loader {
         private JarFile jar;
-        private URL csu;
+        private final URL csu;
         private JarIndex index;
         private URLStreamHandler handler;
-        private HashMap<String, Loader> lmap;
+        private final HashMap<String, Loader> lmap;
+        private final AccessControlContext acc;
         private boolean closed = false;
         private static final JavaUtilZipFileAccess zipAccess =
                 SharedSecrets.getJavaUtilZipFileAccess();
@@ -598,13 +633,15 @@
          * a JAR file.
          */
         JarLoader(URL url, URLStreamHandler jarHandler,
-                  HashMap<String, Loader> loaderMap)
+                  HashMap<String, Loader> loaderMap,
+                  AccessControlContext acc)
             throws IOException
         {
             super(new URL("jar", "", -1, url + "!/", jarHandler));
             csu = url;
             handler = jarHandler;
             lmap = loaderMap;
+            this.acc = acc;
 
             ensureOpen();
         }
@@ -663,8 +700,7 @@
                                 }
                                 return null;
                             }
-                        }
-                    );
+                        }, acc);
                 } catch (java.security.PrivilegedActionException pae) {
                     throw (IOException)pae.getException();
                 }
@@ -859,9 +895,9 @@
                                 new PrivilegedExceptionAction<>() {
                                     public JarLoader run() throws IOException {
                                         return new JarLoader(url, handler,
-                                            lmap);
+                                            lmap, acc);
                                     }
-                                });
+                                }, acc);
 
                             /* this newly opened jar file has its own index,
                              * merge it into the parent's index, taking into
--- a/jdk/src/java.base/share/classes/jdk/internal/util/jar/JarIndex.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/jdk/internal/util/jar/JarIndex.java	Wed Jul 05 22:44:27 2017 +0200
@@ -29,6 +29,7 @@
 import java.util.*;
 import java.util.jar.*;
 import java.util.zip.*;
+import static sun.security.action.GetPropertyAction.privilegedGetProperty;
 
 /**
  * This class is used to maintain mappings from packages, classes
@@ -72,7 +73,7 @@
      * be added to the index. Otherwise, just the directory names are added.
      */
     private static final boolean metaInfFilenames =
-        "true".equals(System.getProperty("sun.misc.JarIndex.metaInfFilenames"));
+        "true".equals(privilegedGetProperty("sun.misc.JarIndex.metaInfFilenames"));
 
     /**
      * Constructs a new, empty jar index.
--- a/jdk/src/java.base/share/classes/module-info.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/module-info.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -219,7 +219,7 @@
         java.security.jgss;
     exports sun.nio.ch to
         java.management,
-        jdk.crypto.token,
+        jdk.crypto.cryptoki,
         jdk.sctp,
         jdk.unsupported;
     exports sun.nio.cs to
@@ -244,14 +244,13 @@
         java.desktop,
         java.security.jgss;
     exports sun.security.internal.interfaces to
-        jdk.crypto.token;
+        jdk.crypto.cryptoki;
     exports sun.security.internal.spec to
-        jdk.crypto.token;
+        jdk.crypto.cryptoki;
     exports sun.security.jca to
         java.smartcardio,
-        java.xml.crypto,
         jdk.crypto.ec,
-        jdk.crypto.token,
+        jdk.crypto.cryptoki,
         jdk.naming.dns;
     exports sun.security.pkcs to
         jdk.crypto.ec,
@@ -259,13 +258,13 @@
     exports sun.security.provider to
         java.rmi,
         java.security.jgss,
-        jdk.crypto.token,
+        jdk.crypto.cryptoki,
         jdk.policytool,
         jdk.security.auth;
     exports sun.security.provider.certpath to
         java.naming;
     exports sun.security.rsa to
-        jdk.crypto.token;
+        jdk.crypto.cryptoki;
     exports sun.security.ssl to
         java.security.jgss;
     exports sun.security.timestamp to
@@ -279,17 +278,20 @@
         java.security.jgss,
         java.security.sasl,
         java.smartcardio,
+        java.xml.crypto,
         jdk.crypto.ec,
-        jdk.crypto.token,
+        jdk.crypto.cryptoki,
         jdk.jartool,
         jdk.policytool,
         jdk.security.auth,
         jdk.security.jgss;
     exports sun.security.x509 to
         jdk.crypto.ec,
-        jdk.crypto.token,
+        jdk.crypto.cryptoki,
         jdk.jartool,
         jdk.security.auth;
+    exports sun.security.validator to
+        jdk.jartool;
     exports sun.text.resources to
         jdk.localedata;
     exports sun.util.cldr to
@@ -308,7 +310,6 @@
     // JDK-internal service types
     uses jdk.internal.logger.DefaultLoggerFinder;
     uses sun.security.ssl.ClientKeyExchangeService;
-    uses sun.security.util.AuthResourcesProvider;
     uses sun.text.spi.JavaTimeDateTimePatternProvider;
     uses sun.util.spi.CalendarProvider;
     uses sun.util.locale.provider.LocaleDataMetaInfo;
@@ -320,6 +321,4 @@
 
     provides java.nio.file.spi.FileSystemProvider with
         jdk.internal.jrtfs.JrtFileSystemProvider;
-    provides sun.security.util.AuthResourcesProvider with
-        sun.security.util.AuthResourcesProviderImpl;
 }
--- a/jdk/src/java.base/share/classes/sun/reflect/misc/ReflectUtil.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/reflect/misc/ReflectUtil.java	Wed Jul 05 22:44:27 2017 +0200
@@ -96,7 +96,7 @@
 
         final Class<?> declaringClass = m.getDeclaringClass();
 
-        checkPackageAccess(declaringClass);
+        privateCheckPackageAccess(sm, declaringClass);
 
         if (Modifier.isPublic(m.getModifiers()) &&
                 Modifier.isPublic(declaringClass.getModifiers()))
@@ -114,9 +114,27 @@
      * also check the package access on the proxy interfaces.
      */
     public static void checkPackageAccess(Class<?> clazz) {
-        checkPackageAccess(clazz.getName());
+        SecurityManager s = System.getSecurityManager();
+        if (s != null) {
+            privateCheckPackageAccess(s, clazz);
+        }
+    }
+
+    /**
+     * NOTE: should only be called if a SecurityManager is installed
+     */
+    private static void privateCheckPackageAccess(SecurityManager s, Class<?> clazz) {
+        while (clazz.isArray()) {
+            clazz = clazz.getComponentType();
+        }
+
+        String pkg = clazz.getPackageName();
+        if (pkg != null && !pkg.isEmpty()) {
+            s.checkPackageAccess(pkg);
+        }
+
         if (isNonPublicProxyClass(clazz)) {
-            checkProxyPackageAccess(clazz);
+            privateCheckProxyPackageAccess(s, clazz);
         }
     }
 
@@ -195,15 +213,21 @@
     public static void checkProxyPackageAccess(Class<?> clazz) {
         SecurityManager s = System.getSecurityManager();
         if (s != null) {
-            // check proxy interfaces if the given class is a proxy class
-            if (Proxy.isProxyClass(clazz)) {
-                for (Class<?> intf : clazz.getInterfaces()) {
-                    checkPackageAccess(intf);
-                }
+            privateCheckProxyPackageAccess(s, clazz);
+        }
+    }
+
+    /**
+     * NOTE: should only be called if a SecurityManager is installed
+     */
+    private static void privateCheckProxyPackageAccess(SecurityManager s, Class<?> clazz) {
+        // check proxy interfaces if the given class is a proxy class
+        if (Proxy.isProxyClass(clazz)) {
+            for (Class<?> intf : clazz.getInterfaces()) {
+                privateCheckPackageAccess(s, intf);
             }
         }
     }
-
     /**
      * Access check on the interfaces that a proxy class implements and throw
      * {@code SecurityException} if it accesses a restricted package from
@@ -220,7 +244,7 @@
             for (Class<?> intf : interfaces) {
                 ClassLoader cl = intf.getClassLoader();
                 if (needsPackageAccessCheck(ccl, cl)) {
-                    checkPackageAccess(intf);
+                    privateCheckPackageAccess(sm, intf);
                 }
             }
         }
@@ -236,10 +260,11 @@
      * package that bypasses checkPackageAccess.
      */
     public static boolean isNonPublicProxyClass(Class<?> cls) {
-        String name = cls.getName();
-        int i = name.lastIndexOf('.');
-        String pkg = (i != -1) ? name.substring(0, i) : "";
-        return Proxy.isProxyClass(cls) && !pkg.startsWith(PROXY_PACKAGE);
+        if (!Proxy.isProxyClass(cls)) {
+            return false;
+        }
+        String pkg = cls.getPackageName();
+        return pkg == null || !pkg.startsWith(PROXY_PACKAGE);
     }
 
     /**
@@ -255,7 +280,7 @@
         // check if it is a valid proxy instance
         if (proxy == null || !Proxy.isProxyClass(proxy.getClass())) {
             throw new IllegalArgumentException("Not a Proxy instance");
-}
+        }
         if (Modifier.isStatic(method.getModifiers())) {
             throw new IllegalArgumentException("Can't handle static method");
         }
--- a/jdk/src/java.base/share/classes/sun/security/provider/ConfigFile.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/ConfigFile.java	Wed Jul 05 22:44:27 2017 +0200
@@ -331,9 +331,8 @@
                 if (debugConfig != null) {
                     debugConfig.println(fnfe.toString());
                 }
-                throw new IOException(ResourcesMgr.getString
-                    ("Configuration.Error.No.such.file.or.directory",
-                    "sun.security.util.AuthResources"));
+                throw new IOException(ResourcesMgr.getAuthResourceString
+                    ("Configuration.Error.No.such.file.or.directory"));
             }
         }
 
@@ -661,8 +660,8 @@
         }
 
         private IOException ioException(String resourceKey, Object... args) {
-            MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                (resourceKey, "sun.security.util.AuthResources"));
+            MessageFormat form = new MessageFormat(
+                ResourcesMgr.getAuthResourceString(resourceKey));
             return new IOException(form.format(args));
         }
     }
--- a/jdk/src/java.base/share/classes/sun/security/provider/DSA.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/DSA.java	Wed Jul 05 22:44:27 2017 +0200
@@ -322,19 +322,20 @@
         } else {
             // first decode the signature.
             try {
-                DerInputStream in = new DerInputStream(signature, offset,
-                                                       length);
+                // Enforce strict DER checking for signatures
+                DerInputStream in =
+                    new DerInputStream(signature, offset, length, false);
                 DerValue[] values = in.getSequence(2);
 
+                // check number of components in the read sequence
+                // and trailing data
+                if ((values.length != 2) || (in.available() != 0)) {
+                    throw new IOException("Invalid encoding for signature");
+                }
                 r = values[0].getBigInteger();
                 s = values[1].getBigInteger();
-
-                // Check for trailing signature data
-                if (in.available() != 0) {
-                    throw new IOException("Incorrect signature length");
-                }
             } catch (IOException e) {
-                throw new SignatureException("invalid encoding for signature");
+                throw new SignatureException("Invalid encoding for signature", e);
             }
         }
 
@@ -427,13 +428,49 @@
         return t5.mod(q);
     }
 
-    // NOTE: This following impl is defined in FIPS 186-4 AppendixB.2.1.
     protected BigInteger generateK(BigInteger q) {
+        // Implementation defined in FIPS 186-4 AppendixB.2.1.
         SecureRandom random = getSigningRandom();
         byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
 
         random.nextBytes(kValue);
-        return new BigInteger(1, kValue).mod(q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
+        BigInteger k = new BigInteger(1, kValue).mod(
+                q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
+
+        // Using an equivalent exponent of fixed length (same as q or 1 bit
+        // less than q) to keep the kG timing relatively constant.
+        //
+        // Note that this is an extra step on top of the approach defined in
+        // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
+        k = k.add(q).divide(BigInteger.TWO);
+
+        // An alternative implementation based on FIPS 186-4 AppendixB2.2
+        // with fixed-length K.
+        //
+        // Please keep it here as we may need to switch to it in the future.
+        //
+        // SecureRandom random = getSigningRandom();
+        // byte[] kValue = new byte[(q.bitLength() + 7)/8];
+        // BigInteger d = q.subtract(BigInteger.TWO);
+        // BigInteger k;
+        // do {
+        //     random.nextBytes(kValue);
+        //     BigInteger c = new BigInteger(1, kValue);
+        //     if (c.compareTo(d) <= 0) {
+        //         k = c.add(BigInteger.ONE);
+        //         // Using an equivalent exponent of fixed length to keep
+        //         // the g^k timing relatively constant.
+        //         //
+        //         // Note that this is an extra step on top of the approach
+        //         // defined in FIPS 186-4 AppendixB.2.2 so as to make a
+        //         // fixed length K.
+        //         if (k.bitLength() >= q.bitLength()) {
+        //             break;
+        //         }
+        //     }
+        // } while (true);
+
+        return k;
     }
 
     // Use the application-specified SecureRandom Object if provided.
--- a/jdk/src/java.base/share/classes/sun/security/provider/SubjectCodeSource.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/provider/SubjectCodeSource.java	Wed Jul 05 22:44:27 2017 +0200
@@ -34,6 +34,7 @@
 
 import javax.security.auth.Subject;
 import sun.security.provider.PolicyParser.PrincipalEntry;
+import sun.security.util.ResourcesMgr;
 
 /**
  * <p> This <code>SubjectCodeSource</code> class contains
@@ -47,15 +48,6 @@
 
     private static final long serialVersionUID = 6039418085604715275L;
 
-    private static final java.util.ResourceBundle rb =
-        java.security.AccessController.doPrivileged
-        (new java.security.PrivilegedAction<java.util.ResourceBundle>() {
-            public java.util.ResourceBundle run() {
-                return (java.util.ResourceBundle.getBundle
-                        ("sun.security.util.AuthResources"));
-            }
-        });
-
     private Subject subject;
     private LinkedList<PrincipalEntry> principals;
     private static final Class<?>[] PARAMS = { String.class };
@@ -391,7 +383,7 @@
             ListIterator<PrincipalEntry> li = principals.listIterator();
             while (li.hasNext()) {
                 PrincipalEntry pppe = li.next();
-                returnMe = returnMe + rb.getString("NEWLINE") +
+                returnMe = returnMe + ResourcesMgr.getAuthResourceString("NEWLINE") +
                         pppe.getPrincipalClass() + " " +
                         pppe.getPrincipalName();
             }
--- a/jdk/src/java.base/share/classes/sun/security/rsa/RSASignature.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/rsa/RSASignature.java	Wed Jul 05 22:44:27 2017 +0200
@@ -226,9 +226,10 @@
      * Decode the signature data. Verify that the object identifier matches
      * and return the message digest.
      */
-    public static byte[] decodeSignature(ObjectIdentifier oid, byte[] signature)
+    public static byte[] decodeSignature(ObjectIdentifier oid, byte[] sig)
             throws IOException {
-        DerInputStream in = new DerInputStream(signature);
+        // Enforce strict DER checking for signatures
+        DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
         DerValue[] values = in.getSequence(2);
         if ((values.length != 2) || (in.available() != 0)) {
             throw new IOException("SEQUENCE length error");
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	Wed Jul 05 22:44:27 2017 +0200
@@ -673,8 +673,11 @@
             } else {
                 // we wanted to resume, but the server refused
                 //
-                // Invalidate the session in case of reusing next time.
-                session.invalidate();
+                // Invalidate the session for initial handshake in case
+                // of reusing next time.
+                if (isInitialHandshake) {
+                    session.invalidate();
+                }
                 session = null;
                 if (!enableNewSession) {
                     throw new SSLException("New session creation is disabled");
--- a/jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -818,6 +818,11 @@
             checker.init(false);
         } catch (CertPathValidatorException cpve) {
             // unlikely to happen
+            if (useDebug) {
+                debug.println(
+                    "Cannot initialize algorithm constraints checker: " + cpve);
+            }
+
             return false;
         }
 
@@ -828,6 +833,11 @@
                 // We don't care about the unresolved critical extensions.
                 checker.check(cert, Collections.<String>emptySet());
             } catch (CertPathValidatorException cpve) {
+                if (useDebug) {
+                    debug.println("Certificate (" + cert +
+                        ") does not conform to algorithm constraints: " + cpve);
+                }
+
                 return false;
             }
         }
--- a/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -3522,7 +3522,8 @@
             System.err.flush();
             reply = (new BufferedReader(new InputStreamReader
                                         (System.in))).readLine();
-            if (collator.compare(reply, "") == 0 ||
+            if (reply == null ||
+                collator.compare(reply, "") == 0 ||
                 collator.compare(reply, rb.getString("n")) == 0 ||
                 collator.compare(reply, rb.getString("no")) == 0) {
                 reply = "NO";
--- a/jdk/src/java.base/share/classes/sun/security/util/AuthResourcesProvider.java	Fri Jan 20 19:09:53 2017 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.util;
-
-public interface AuthResourcesProvider extends java.util.spi.ResourceBundleProvider {
-}
--- a/jdk/src/java.base/share/classes/sun/security/util/AuthResourcesProviderImpl.java	Fri Jan 20 19:09:53 2017 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.util;
-
-import java.util.spi.AbstractResourceBundleProvider;
-
-public final class AuthResourcesProviderImpl extends AbstractResourceBundleProvider
-       implements AuthResourcesProvider {
-    public AuthResourcesProviderImpl() {
-        super("java.class");
-    }
-}
\ No newline at end of file
--- a/jdk/src/java.base/share/classes/sun/security/util/DerInputBuffer.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/DerInputBuffer.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -147,6 +147,11 @@
         System.arraycopy(buf, pos, bytes, 0, len);
         skip(len);
 
+        // check to make sure no extra leading 0s for DER
+        if (len >= 2 && (bytes[0] == 0) && (bytes[1] >= 0)) {
+            throw new IOException("Invalid encoding: redundant leading 0s");
+        }
+
         if (makePositive) {
             return new BigInteger(1, bytes);
         } else {
--- a/jdk/src/java.base/share/classes/sun/security/util/DerInputStream.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/DerInputStream.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -77,7 +77,7 @@
      * @param data the buffer from which to create the string (CONSUMED)
      */
     public DerInputStream(byte[] data) throws IOException {
-        init(data, 0, data.length);
+        init(data, 0, data.length, true);
     }
 
     /**
@@ -92,23 +92,48 @@
      *          starting at "offset"
      */
     public DerInputStream(byte[] data, int offset, int len) throws IOException {
-        init(data, offset, len);
+        init(data, offset, len, true);
+    }
+
+    /**
+     * Create a DER input stream from part of a data buffer with
+     * additional arg to indicate whether to allow constructed
+     * indefinite-length encoding.
+     * The buffer is not copied, it is shared.  Accordingly, the
+     * buffer should be treated as read-only.
+     *
+     * @param data the buffer from which to create the string (CONSUMED)
+     * @param offset the first index of <em>data</em> which will
+     *          be read as DER input in the new stream
+     * @param len how long a chunk of the buffer to use,
+     *          starting at "offset"
+     * @param allowIndefiniteLength whether to allow constructed
+     *          indefinite-length encoding
+     */
+    public DerInputStream(byte[] data, int offset, int len,
+        boolean allowIndefiniteLength) throws IOException {
+        init(data, offset, len, allowIndefiniteLength);
     }
 
     /*
      * private helper routine
      */
-    private void init(byte[] data, int offset, int len) throws IOException {
+    private void init(byte[] data, int offset, int len,
+        boolean allowIndefiniteLength) throws IOException {
         if ((offset+2 > data.length) || (offset+len > data.length)) {
             throw new IOException("Encoding bytes too short");
         }
         // check for indefinite length encoding
         if (DerIndefLenConverter.isIndefinite(data[offset+1])) {
-            byte[] inData = new byte[len];
-            System.arraycopy(data, offset, inData, 0, len);
+            if (!allowIndefiniteLength) {
+                throw new IOException("Indefinite length BER encoding found");
+            } else {
+                byte[] inData = new byte[len];
+                System.arraycopy(data, offset, inData, 0, len);
 
-            DerIndefLenConverter derIn = new DerIndefLenConverter();
-            buffer = new DerInputBuffer(derIn.convert(inData));
+                DerIndefLenConverter derIn = new DerIndefLenConverter();
+                buffer = new DerInputBuffer(derIn.convert(inData));
+            }
         } else
             buffer = new DerInputBuffer(data, offset, len);
         buffer.mark(Integer.MAX_VALUE);
@@ -239,15 +264,19 @@
          * representation.
          */
         length--;
-        int validBits = length*8 - buffer.read();
+        int excessBits = buffer.read();
+        if (excessBits < 0) {
+            throw new IOException("Unused bits of bit string invalid");
+        }
+        int validBits = length*8 - excessBits;
         if (validBits < 0) {
-            throw new IOException("valid bits of bit string invalid");
+            throw new IOException("Valid bits of bit string invalid");
         }
 
         byte[] repn = new byte[length];
 
         if ((length != 0) && (buffer.read(repn) != length)) {
-            throw new IOException("short read of DER bit string");
+            throw new IOException("Short read of DER bit string");
         }
 
         return new BitArray(validBits, repn);
@@ -263,7 +292,7 @@
         int length = getDefiniteLength(buffer);
         byte[] retval = new byte[length];
         if ((length != 0) && (buffer.read(retval) != length))
-            throw new IOException("short read of DER octet string");
+            throw new IOException("Short read of DER octet string");
 
         return retval;
     }
@@ -273,7 +302,7 @@
      */
     public void getBytes(byte[] val) throws IOException {
         if ((val.length != 0) && (buffer.read(val) != val.length)) {
-            throw new IOException("short read of DER octet string");
+            throw new IOException("Short read of DER octet string");
         }
     }
 
@@ -357,7 +386,7 @@
         DerInputStream  newstr;
 
         byte lenByte = (byte)buffer.read();
-        int len = getLength((lenByte & 0xff), buffer);
+        int len = getLength(lenByte, buffer);
 
         if (len == -1) {
            // indefinite length encoding found
@@ -403,7 +432,7 @@
         } while (newstr.available() > 0);
 
         if (newstr.available() != 0)
-            throw new IOException("extra data at end of vector");
+            throw new IOException("Extra data at end of vector");
 
         /*
          * Now stick them into the array we're returning.
@@ -494,7 +523,7 @@
         int length = getDefiniteLength(buffer);
         byte[] retval = new byte[length];
         if ((length != 0) && (buffer.read(retval) != length))
-            throw new IOException("short read of DER " +
+            throw new IOException("Short read of DER " +
                                   stringName + " string");
 
         return new String(retval, enc);
@@ -555,7 +584,11 @@
      */
     static int getLength(int lenByte, InputStream in) throws IOException {
         int value, tmp;
+        if (lenByte == -1) {
+            throw new IOException("Short read of DER length");
+        }
 
+        String mdName = "DerInputStream.getLength(): ";
         tmp = lenByte;
         if ((tmp & 0x080) == 0x00) { // short form, 1 byte datum
             value = tmp;
@@ -569,17 +602,23 @@
             if (tmp == 0)
                 return -1;
             if (tmp < 0 || tmp > 4)
-                throw new IOException("DerInputStream.getLength(): lengthTag="
-                    + tmp + ", "
+                throw new IOException(mdName + "lengthTag=" + tmp + ", "
                     + ((tmp < 0) ? "incorrect DER encoding." : "too big."));
 
-            for (value = 0; tmp > 0; tmp --) {
+            value = 0x0ff & in.read();
+            tmp--;
+            if (value == 0) {
+                // DER requires length value be encoded in minimum number of bytes
+                throw new IOException(mdName + "Redundant length bytes found");
+            }
+            while (tmp-- > 0) {
                 value <<= 8;
                 value += 0x0ff & in.read();
             }
             if (value < 0) {
-                throw new IOException("DerInputStream.getLength(): "
-                        + "Invalid length bytes");
+                throw new IOException(mdName + "Invalid length bytes");
+            } else if (value <= 127) {
+                throw new IOException(mdName + "Should use short form for length");
             }
         }
         return value;
--- a/jdk/src/java.base/share/classes/sun/security/util/DerValue.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/DerValue.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -248,7 +248,7 @@
 
         tag = (byte)in.read();
         byte lenByte = (byte)in.read();
-        length = DerInputStream.getLength((lenByte & 0xff), in);
+        length = DerInputStream.getLength(lenByte, in);
         if (length == -1) {  // indefinite length encoding found
             DerInputBuffer inbuf = in.dup();
             int readLen = inbuf.available();
@@ -361,7 +361,7 @@
 
         tag = (byte)in.read();
         byte lenByte = (byte)in.read();
-        length = DerInputStream.getLength((lenByte & 0xff), in);
+        length = DerInputStream.getLength(lenByte, in);
         if (length == -1) { // indefinite length encoding found
             int readLen = in.available();
             int offset = 2;     // for tag and length bytes
--- a/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/ObjectIdentifier.java	Wed Jul 05 22:44:27 2017 +0200
@@ -255,7 +255,13 @@
                 + " (tag = " +  type_id + ")"
                 );
 
-        encoding = new byte[in.getDefiniteLength()];
+        int len = in.getDefiniteLength();
+        if (len > in.available()) {
+            throw new IOException("ObjectIdentifier() -- length exceeds" +
+                    "data available.  Length: " + len + ", Available: " +
+                    in.available());
+        }
+        encoding = new byte[len];
         in.getBytes(encoding);
         check(encoding);
     }
--- a/jdk/src/java.base/share/classes/sun/security/util/ResourcesMgr.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/util/ResourcesMgr.java	Wed Jul 05 22:44:27 2017 +0200
@@ -25,18 +25,22 @@
 
 package sun.security.util;
 
+import java.util.Map;
+import java.util.ResourceBundle;
+import java.util.concurrent.ConcurrentHashMap;
+import jdk.internal.misc.VM;
+
 /**
  */
 public class ResourcesMgr {
+    // intended for java.security, javax.security and sun.security resources
+    private final static String RESOURCES = "sun.security.util.Resources";
+    private final static String AUTH_RESOURCES = "sun.security.util.AuthResources";
 
-    // intended for java.security, javax.security and sun.security resources
-    private static java.util.ResourceBundle bundle;
-
-    // intended for com.sun.security resources
-    private static java.util.ResourceBundle altBundle;
+    private final static Map<String, ResourceBundle> bundles = new ConcurrentHashMap<>();
 
     public static String getString(String s) {
-
+        ResourceBundle bundle = bundles.get(RESOURCES);
         if (bundle == null) {
 
             // only load if/when needed
@@ -52,19 +56,15 @@
         return bundle.getString(s);
     }
 
-    public static String getString(String s, final String altBundleName) {
-
-        if (altBundle == null) {
-
-            // only load if/when needed
-            altBundle = java.security.AccessController.doPrivileged(
-                new java.security.PrivilegedAction<java.util.ResourceBundle>() {
-                public java.util.ResourceBundle run() {
-                    return (java.util.ResourceBundle.getBundle(altBundleName));
-                }
-            });
+    public static String getAuthResourceString(String s) {
+        if (VM.initLevel() == 3) {
+            // cannot trigger loading of any resource bundle as
+            // it depends on the system class loader fully initialized.
+            throw new InternalError("system class loader is being initialized");
         }
 
-        return altBundle.getString(s);
+        return bundles.computeIfAbsent(AUTH_RESOURCES, ResourceBundle::getBundle)
+                      .getString(s);
     }
+
 }
--- a/jdk/src/java.base/share/conf/security/java.security	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/conf/security/java.security	Wed Jul 05 22:44:27 2017 +0200
@@ -298,111 +298,24 @@
 
 #
 # List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,\
-               com.sun.xml.internal.,\
-               com.sun.imageio.,\
-               com.sun.istack.internal.,\
-               com.sun.jmx.,\
-               com.sun.media.sound.,\
-               com.sun.naming.internal.,\
-               com.sun.proxy.,\
-               com.sun.corba.se.,\
-               com.sun.org.apache.bcel.internal.,\
-               com.sun.org.apache.regexp.internal.,\
-               com.sun.org.apache.xerces.internal.,\
-               com.sun.org.apache.xpath.internal.,\
-               com.sun.org.apache.xalan.internal.extensions.,\
-               com.sun.org.apache.xalan.internal.lib.,\
-               com.sun.org.apache.xalan.internal.res.,\
-               com.sun.org.apache.xalan.internal.templates.,\
-               com.sun.org.apache.xalan.internal.utils.,\
-               com.sun.org.apache.xalan.internal.xslt.,\
-               com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
-               com.sun.org.apache.xalan.internal.xsltc.compiler.,\
-               com.sun.org.apache.xalan.internal.xsltc.trax.,\
-               com.sun.org.apache.xalan.internal.xsltc.util.,\
-               com.sun.org.apache.xml.internal.res.,\
-               com.sun.org.apache.xml.internal.security.,\
-               com.sun.org.apache.xml.internal.serializer.dom3.,\
-               com.sun.org.apache.xml.internal.serializer.utils.,\
-               com.sun.org.apache.xml.internal.utils.,\
-               com.sun.org.glassfish.,\
-               com.sun.tools.script.,\
-               com.oracle.xmlns.internal.,\
-               com.oracle.webservices.internal.,\
-               org.jcp.xml.dsig.internal.,\
-               jdk.internal.,\
-               jdk.nashorn.internal.,\
-               jdk.nashorn.tools.,\
-               jdk.tools.jimage.,\
-               com.sun.activation.registries.,\
-               com.sun.java.accessibility.util.internal.,\
-#ifdef windows
-               com.sun.java.accessibility.internal.,\
-#endif
-#ifdef macosx
-               apple.,\
-#endif
+# will cause a security exception to be thrown when passed to the
+# SecurityManager::checkPackageAccess method unless the corresponding
+# RuntimePermission("accessClassInPackage."+package) has been granted.
+#
+package.access=sun.misc.,\
+               sun.reflect.,\
 
 #
 # List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageDefinition unless the
-# corresponding RuntimePermission ("defineClassInPackage."+package) has
-# been granted.
+# will cause a security exception to be thrown when passed to the
+# SecurityManager::checkPackageDefinition method unless the corresponding
+# RuntimePermission("defineClassInPackage."+package) has been granted.
 #
-# by default, none of the class loaders supplied with the JDK call
+# By default, none of the class loaders supplied with the JDK call
 # checkPackageDefinition.
 #
-package.definition=sun.,\
-                   com.sun.xml.internal.,\
-                   com.sun.imageio.,\
-                   com.sun.istack.internal.,\
-                   com.sun.jmx.,\
-                   com.sun.media.sound.,\
-                   com.sun.naming.internal.,\
-                   com.sun.proxy.,\
-                   com.sun.corba.se.,\
-                   com.sun.org.apache.bcel.internal.,\
-                   com.sun.org.apache.regexp.internal.,\
-                   com.sun.org.apache.xerces.internal.,\
-                   com.sun.org.apache.xpath.internal.,\
-                   com.sun.org.apache.xalan.internal.extensions.,\
-                   com.sun.org.apache.xalan.internal.lib.,\
-                   com.sun.org.apache.xalan.internal.res.,\
-                   com.sun.org.apache.xalan.internal.templates.,\
-                   com.sun.org.apache.xalan.internal.utils.,\
-                   com.sun.org.apache.xalan.internal.xslt.,\
-                   com.sun.org.apache.xalan.internal.xsltc.cmdline.,\
-                   com.sun.org.apache.xalan.internal.xsltc.compiler.,\
-                   com.sun.org.apache.xalan.internal.xsltc.trax.,\
-                   com.sun.org.apache.xalan.internal.xsltc.util.,\
-                   com.sun.org.apache.xml.internal.res.,\
-                   com.sun.org.apache.xml.internal.security.,\
-                   com.sun.org.apache.xml.internal.serializer.dom3.,\
-                   com.sun.org.apache.xml.internal.serializer.utils.,\
-                   com.sun.org.apache.xml.internal.utils.,\
-                   com.sun.org.glassfish.,\
-                   com.sun.tools.script.,\
-                   com.oracle.xmlns.internal.,\
-                   com.oracle.webservices.internal.,\
-                   org.jcp.xml.dsig.internal.,\
-                   jdk.internal.,\
-                   jdk.nashorn.internal.,\
-                   jdk.nashorn.tools.,\
-                   jdk.tools.jimage.,\
-                   com.sun.activation.registries.,\
-                   com.sun.java.accessibility.util.internal.,\
-#ifdef windows
-                   com.sun.java.accessibility.internal.,\
-#endif
-#ifdef macosx
-                   apple.,\
-#endif
+package.definition=sun.misc.,\
+                   sun.reflect.,\
 
 #
 # Determines whether this properties file can be appended to
@@ -658,6 +571,36 @@
 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \
     RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
 
+#
+# RMI Registry Serial Filter
+#
+# The filter pattern uses the same format as jdk.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI Registry.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+#sun.rmi.registry.registryFilter=pattern;pattern
+#
+# RMI Distributed Garbage Collector (DGC) Serial Filter
+#
+# The filter pattern uses the same format as jdk.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI DGC.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# The builtin DGC filter can approximately be represented as the filter pattern:
+#
+#sun.rmi.transport.dgcFilter=\
+#    java.rmi.server.ObjID;\
+#    java.rmi.server.UID;\
+#    java.rmi.dgc.VMID;\
+#    java.rmi.dgc.Lease;\
+#    maxdepth=5;maxarray=10000
+
 # Algorithm restrictions for signed JAR files
 #
 # In some environments, certain algorithms or key lengths may be undesirable
@@ -720,7 +663,7 @@
 # Note: The algorithm restrictions do not apply to trust anchors or
 # self-signed certificates.
 #
-# Note: This property is currently used by Oracle's JSSE implementation.
+# Note: This property is currently used by the JDK Reference implementation.
 # It is not guaranteed to be examined and used by other implementations.
 #
 # Example:
@@ -740,7 +683,7 @@
 # During SSL/TLS security parameters negotiation, legacy algorithms will
 # not be negotiated unless there are no other candidates.
 #
-# The syntax of the disabled algorithm string is described as this Java
+# The syntax of the legacy algorithms string is described as this Java
 # BNF-style:
 #   LegacyAlgorithms:
 #       " LegacyAlgorithm { , LegacyAlgorithm } "
@@ -776,7 +719,7 @@
 # javax.net.ssl.SSLParameters.setAlgorithmConstraints()),
 # then the algorithm is completely disabled and will not be negotiated.
 #
-# Note: This property is currently used by Oracle's JSSE implementation.
+# Note: This property is currently used by the JDK Reference implementation.
 # It is not guaranteed to be examined and used by other implementations.
 # There is no guarantee the property will continue to exist or be of the
 # same syntax in future releases.
@@ -789,7 +732,8 @@
         DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
         DH_RSA_EXPORT, RSA_EXPORT, \
         DH_anon, ECDH_anon, \
-        RC4_128, RC4_40, DES_CBC, DES40_CBC
+        RC4_128, RC4_40, DES_CBC, DES40_CBC, \
+        3DES_EDE_CBC
 
 # The pre-defined default finite field Diffie-Hellman ephemeral (DHE)
 # parameters for Transport Layer Security (SSL/TLS/DTLS) processing.
@@ -912,7 +856,7 @@
 #       Constraint {"," Constraint }
 #   Constraint:
 #       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
-#       ReferenceUriSchemeConstraint | OtherConstraint
+#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
 #   AlgConstraint
 #       "disallowAlg" Uri
 #   MaxTransformsConstraint:
@@ -921,12 +865,16 @@
 #       "maxReferences" Integer
 #   ReferenceUriSchemeConstraint:
 #       "disallowReferenceUriSchemes" String { String }
+#   KeySizeConstraint:
+#       "minKeySize" KeyAlg Integer
 #   OtherConstraint:
 #       "noDuplicateIds" | "noRetrievalMethodLoops"
 #
 # For AlgConstraint, Uri is the algorithm URI String that is not allowed.
 # See the XML Signature Recommendation for more information on algorithm
-# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
 # specified more than once, only the last entry is enforced.
 #
 # Note: This property is currently used by the JDK Reference implementation. It
@@ -940,6 +888,8 @@
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
     noDuplicateIds,\
     noRetrievalMethodLoops
 
--- a/jdk/src/java.base/share/lib/security/default.policy	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/share/lib/security/default.policy	Wed Jul 05 22:44:27 2017 +0200
@@ -81,6 +81,8 @@
 };
 
 grant codeBase "jrt:/java.xml.crypto" {
+    permission java.lang.RuntimePermission
+                   "accessClassInPackage.sun.security.util";
     permission java.util.PropertyPermission "*", "read";
     permission java.security.SecurityPermission "putProviderProperty.XMLDSig";
     permission java.security.SecurityPermission
@@ -91,10 +93,20 @@
                    "com.sun.org.apache.xml.internal.security.register";
     permission java.security.SecurityPermission
                    "getProperty.jdk.xml.dsig.secureValidationPolicy";
+    permission java.lang.RuntimePermission
+                   "accessClassInPackage.com.sun.org.apache.xml.internal.*";
+    permission java.lang.RuntimePermission
+                   "accessClassInPackage.com.sun.org.apache.xpath.internal";
+    permission java.lang.RuntimePermission
+                   "accessClassInPackage.com.sun.org.apache.xpath.internal.*";
 };
 
 grant codeBase "jrt:/java.xml.ws" {
     permission java.lang.RuntimePermission
+                   "accessClassInPackage.com.sun.org.apache.xml.internal.resolver";
+    permission java.lang.RuntimePermission
+                   "accessClassInPackage.com.sun.org.apache.xml.internal.resolver.tools";
+    permission java.lang.RuntimePermission
                    "accessClassInPackage.com.sun.xml.internal.*";
     permission java.lang.RuntimePermission
                    "accessClassInPackage.com.sun.istack.internal";
@@ -125,7 +137,7 @@
     permission java.security.SecurityPermission "removeProviderProperty.SunEC";
 };
 
-grant codeBase "jrt:/jdk.crypto.token" {
+grant codeBase "jrt:/jdk.crypto.cryptoki" {
     permission java.lang.RuntimePermission
                    "accessClassInPackage.sun.security.*";
     permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
@@ -186,3 +198,18 @@
     permission java.util.PropertyPermission "os.name", "read";
 };
 
+grant codeBase "jrt:/jdk.accessibility" {
+    permission java.lang.RuntimePermission "accessClassInPackage.sun.awt";
+};
+
+grant codeBase "jrt:/jdk.desktop" {
+    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.awt";
+};
+
+// permissions needed by applications using java.desktop module
+grant {
+    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.beans";
+    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.beans.*";
+    permission java.lang.RuntimePermission "accessClassInPackage.com.sun.java.swing.plaf.*";
+    permission java.lang.RuntimePermission "accessClassInPackage.com.apple.*";
+};
--- a/jdk/src/java.base/unix/native/libnet/SocketOutputStream.c	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/unix/native/libnet/SocketOutputStream.c	Wed Jul 05 22:44:27 2017 +0200
@@ -98,27 +98,31 @@
         int llen = chunkLen;
         (*env)->GetByteArrayRegion(env, data, off, chunkLen, (jbyte *)bufP);
 
-        while(llen > 0) {
-            int n = NET_Send(fd, bufP + loff, llen, 0);
-            if (n > 0) {
-                llen -= n;
-                loff += n;
-                continue;
+        if ((*env)->ExceptionCheck(env)) {
+            break;
+        } else {
+            while(llen > 0) {
+                int n = NET_Send(fd, bufP + loff, llen, 0);
+                if (n > 0) {
+                    llen -= n;
+                    loff += n;
+                    continue;
+                }
+                if (errno == ECONNRESET) {
+                    JNU_ThrowByName(env, "sun/net/ConnectionResetException",
+                        "Connection reset");
+                } else {
+                    JNU_ThrowByNameWithMessageAndLastError
+                        (env, "java/net/SocketException", "Write failed");
+                }
+                if (bufP != BUF) {
+                    free(bufP);
+                }
+                return;
             }
-            if (errno == ECONNRESET) {
-                JNU_ThrowByName(env, "sun/net/ConnectionResetException",
-                    "Connection reset");
-            } else {
-                JNU_ThrowByNameWithMessageAndLastError
-                    (env, "java/net/SocketException", "Write failed");
-            }
-            if (bufP != BUF) {
-                free(bufP);
-            }
-            return;
+            len -= chunkLen;
+            off += chunkLen;
         }
-        len -= chunkLen;
-        off += chunkLen;
     }
 
     if (bufP != BUF) {
--- a/jdk/src/java.base/windows/native/libnet/SocketOutputStream.c	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/windows/native/libnet/SocketOutputStream.c	Wed Jul 05 22:44:27 2017 +0200
@@ -92,66 +92,69 @@
         int retry = 0;
 
         (*env)->GetByteArrayRegion(env, data, off, chunkLen, (jbyte *)bufP);
-
-        while(llen > 0) {
-            int n = send(fd, bufP + loff, llen, 0);
-            if (n > 0) {
-                llen -= n;
-                loff += n;
-                continue;
-            }
-
-            /*
-             * Due to a bug in Windows Sockets (observed on NT and Windows
-             * 2000) it may be necessary to retry the send. The issue is that
-             * on blocking sockets send/WSASend is supposed to block if there
-             * is insufficient buffer space available. If there are a large
-             * number of threads blocked on write due to congestion then it's
-             * possile to hit the NT/2000 bug whereby send returns WSAENOBUFS.
-             * The workaround we use is to retry the send. If we have a
-             * large buffer to send (>2k) then we retry with a maximum of
-             * 2k buffer. If we hit the issue with <=2k buffer then we backoff
-             * for 1 second and retry again. We repeat this up to a reasonable
-             * limit before bailing out and throwing an exception. In load
-             * conditions we've observed that the send will succeed after 2-3
-             * attempts but this depends on network buffers associated with
-             * other sockets draining.
-             */
-            if (WSAGetLastError() == WSAENOBUFS) {
-                if (llen > MAX_BUFFER_LEN) {
-                    buflen = MAX_BUFFER_LEN;
-                    chunkLen = MAX_BUFFER_LEN;
-                    llen = MAX_BUFFER_LEN;
+        if ((*env)->ExceptionCheck(env)) {
+            break;
+        } else {
+            while(llen > 0) {
+                int n = send(fd, bufP + loff, llen, 0);
+                if (n > 0) {
+                    llen -= n;
+                    loff += n;
                     continue;
                 }
-                if (retry >= 30) {
-                    JNU_ThrowByName(env, JNU_JAVANETPKG "SocketException",
-                        "No buffer space available - exhausted attempts to queue buffer");
-                    if (bufP != BUF) {
-                        free(bufP);
+
+                /*
+                 * Due to a bug in Windows Sockets (observed on NT and Windows
+                 * 2000) it may be necessary to retry the send. The issue is that
+                 * on blocking sockets send/WSASend is supposed to block if there
+                 * is insufficient buffer space available. If there are a large
+                 * number of threads blocked on write due to congestion then it's
+                 * possile to hit the NT/2000 bug whereby send returns WSAENOBUFS.
+                 * The workaround we use is to retry the send. If we have a
+                 * large buffer to send (>2k) then we retry with a maximum of
+                 * 2k buffer. If we hit the issue with <=2k buffer then we backoff
+                 * for 1 second and retry again. We repeat this up to a reasonable
+                 * limit before bailing out and throwing an exception. In load
+                 * conditions we've observed that the send will succeed after 2-3
+                 * attempts but this depends on network buffers associated with
+                 * other sockets draining.
+                 */
+                if (WSAGetLastError() == WSAENOBUFS) {
+                    if (llen > MAX_BUFFER_LEN) {
+                        buflen = MAX_BUFFER_LEN;
+                        chunkLen = MAX_BUFFER_LEN;
+                        llen = MAX_BUFFER_LEN;
+                        continue;
                     }
-                    return;
+                    if (retry >= 30) {
+                        JNU_ThrowByName(env, JNU_JAVANETPKG "SocketException",
+                            "No buffer space available - exhausted attempts to queue buffer");
+                        if (bufP != BUF) {
+                            free(bufP);
+                        }
+                        return;
+                    }
+                    Sleep(1000);
+                    retry++;
+                    continue;
                 }
-                Sleep(1000);
-                retry++;
-                continue;
+
+                /*
+                 * Send failed - can be caused by close or write error.
+                 */
+                if (WSAGetLastError() == WSAENOTSOCK) {
+                    JNU_ThrowByName(env, JNU_JAVANETPKG "SocketException", "Socket closed");
+                } else {
+                    NET_ThrowCurrent(env, "socket write error");
+                }
+                if (bufP != BUF) {
+                    free(bufP);
+                }
+                return;
             }
-
-            /*
-             * Send failed - can be caused by close or write error.
-             */
-            if (WSAGetLastError() == WSAENOTSOCK) {
-                JNU_ThrowByName(env, JNU_JAVANETPKG "SocketException", "Socket closed");
-            } else {
-                NET_ThrowCurrent(env, "socket write error");
-            }
-            if (bufP != BUF) {
-                free(bufP);
-            }
-            return;
+            len -= chunkLen;
+            off += chunkLen;
         }
-        len -= chunkLen;
-        off += chunkLen;
     }
 
     if (bufP != BUF) {
--- a/jdk/src/java.base/windows/native/libnio/ch/WindowsSelectorImpl.c	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.base/windows/native/libnio/ch/WindowsSelectorImpl.c	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
 
 #define FD_SETSIZE 1024
 
+#include <limits.h>
 #include <stdlib.h>
 #include <winsock2.h>
 
@@ -74,9 +75,19 @@
     } else if (timeout < 0) {
         tv = NULL;
     } else {
+        jlong sec = timeout / 1000;
         tv = &timevalue;
-        tv->tv_sec =  (long)(timeout / 1000);
-        tv->tv_usec = (long)((timeout % 1000) * 1000);
+        //
+        // struct timeval members are signed 32-bit integers so the
+        // signed 64-bit jlong needs to be clamped
+        //
+        if (sec > INT_MAX) {
+            tv->tv_sec  = INT_MAX;
+            tv->tv_usec = 0;
+        } else {
+            tv->tv_sec  = (long)sec;
+            tv->tv_usec = (long)((timeout % 1000) * 1000);
+        }
     }
 
     /* Set FD_SET structures required for select */
--- a/jdk/src/java.desktop/macosx/classes/com/apple/eawt/_AppMenuBarHandler.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/com/apple/eawt/_AppMenuBarHandler.java	Wed Jul 05 22:44:27 2017 +0200
@@ -123,7 +123,7 @@
         }
 
         // grab the pointer to the CMenuBar, and retain it in native
-        nativeSetDefaultMenuBar(((CMenuBar)peer).getModel());
+        ((CMenuBar) peer).execute(_AppMenuBarHandler::nativeSetDefaultMenuBar);
     }
 
     void setAboutMenuItemVisible(final boolean present) {
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CCheckboxMenuItem.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CCheckboxMenuItem.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,29 +26,28 @@
 package sun.lwawt.macosx;
 
 import java.awt.CheckboxMenuItem;
-import java.awt.EventQueue;
 import java.awt.event.ItemEvent;
 import java.awt.peer.CheckboxMenuItemPeer;
 
 import sun.awt.SunToolkit;
 
 public class CCheckboxMenuItem extends CMenuItem implements CheckboxMenuItemPeer {
-    boolean fAutoToggle = true;
-    boolean fIsIndeterminate = false;
+    volatile boolean fAutoToggle = true;
+    volatile boolean fIsIndeterminate = false;
 
     private native void nativeSetState(long modelPtr, boolean state);
     private native void nativeSetIsCheckbox(long modelPtr);
 
-    CCheckboxMenuItem(CheckboxMenuItem target) {
+    CCheckboxMenuItem(final CheckboxMenuItem target) {
         super(target);
-        nativeSetIsCheckbox(getModel());
+        execute(this::nativeSetIsCheckbox);
         setState(target.getState());
     }
 
     // MenuItemPeer implementation
     @Override
-    public void setState(boolean state) {
-        nativeSetState(getModel(), state);
+    public void setState(final boolean state) {
+        execute(ptr -> nativeSetState(ptr, state));
     }
 
     public void handleAction(final boolean state) {
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CFRetainedResource.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CFRetainedResource.java	Wed Jul 05 22:44:27 2017 +0200
@@ -23,7 +23,6 @@
  * questions.
  */
 
-
 package sun.lwawt.macosx;
 
 /**
@@ -34,6 +33,7 @@
     private static native void nativeCFRelease(final long ptr, final boolean disposeOnAppKitThread);
 
     private final boolean disposeOnAppKitThread;
+    // TODO this pointer should be private and accessed via CFNativeAction class
     protected volatile long ptr;
 
     /**
@@ -70,8 +70,72 @@
         nativeCFRelease(oldPtr, disposeOnAppKitThread); // perform outside of the synchronized block
     }
 
+    /**
+     * The interface which allows to execute some native operations with
+     * assumption that the native pointer will be valid till the end.
+     */
+    public interface CFNativeAction {
+
+        /**
+         * The native operation should be called from this method.
+         *
+         * @param  ptr the pointer to the native data
+         */
+        void run(long ptr);
+    }
+
+    /**
+     * The interface which allows to execute some native operations and get a
+     * result with assumption that the native pointer will be valid till the
+     * end.
+     */
+    interface CFNativeActionGet {
+
+        /**
+         * The native operation should be called from this method.
+         *
+         * @param  ptr the pointer to the native data
+         * @return result of the native operation
+         */
+        long run(long ptr);
+    }
+
+    /**
+     * This is utility method which should be used instead of the direct access
+     * to the {@link #ptr}, because this method guaranteed that the pointer will
+     * not be zero and will be valid till the end of the operation.It is highly
+     * recomended to not use any external lock in action. If the current
+     * {@link #ptr} is {@code 0} then action will be ignored.
+     *
+     * @param  action The native operation
+     */
+    public final synchronized void execute(final CFNativeAction action) {
+        if (ptr != 0) {
+            action.run(ptr);
+        }
+    }
+
+    /**
+     * This is utility method which should be used instead of the direct access
+     * to the {@link #ptr}, because this method guaranteed that the pointer will
+     * not be zero and will be valid till the end of the operation. It is highly
+     * recomended to not use any external lock in action. If the current
+     * {@link #ptr} is {@code 0} then action will be ignored and {@code} is
+     * returned.
+     *
+     * @param  action the native operation
+     * @return result of the native operation, usually the native pointer to
+     *         some other data
+     */
+    final synchronized long executeGet(final CFNativeActionGet action) {
+        if (ptr != 0) {
+            return action.run(ptr);
+        }
+        return 0;
+    }
+
     @Override
-    protected void finalize() throws Throwable {
+    protected final void finalize() throws Throwable {
         dispose();
     }
 }
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenu.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenu.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,7 +25,9 @@
 
 package sun.lwawt.macosx;
 
-import java.awt.*;
+import java.awt.Menu;
+import java.awt.MenuBar;
+import java.awt.MenuItem;
 import java.awt.peer.MenuItemPeer;
 import java.awt.peer.MenuPeer;
 
@@ -37,7 +39,7 @@
 
     // This way we avoiding invocation of the setters twice
     @Override
-    protected void initialize(MenuItem target) {
+    protected final void initialize(MenuItem target) {
         setLabel(target.getLabel());
         setEnabled(target.isEnabled());
     }
@@ -57,52 +59,50 @@
     }
 
     @Override
-    protected long createModel() {
+    long createModel() {
         CMenuComponent parent = (CMenuComponent)
             LWCToolkit.targetToPeer(getTarget().getParent());
 
-        if (parent instanceof CMenu ||
-            parent instanceof CPopupMenu)
-        {
-            return nativeCreateSubMenu(parent.getModel());
-        } else if (parent instanceof CMenuBar) {
+        if (parent instanceof CMenu) {
+            return parent.executeGet(this::nativeCreateSubMenu);
+        }
+        if (parent instanceof CMenuBar) {
             MenuBar parentContainer = (MenuBar)getTarget().getParent();
             boolean isHelpMenu = parentContainer.getHelpMenu() == getTarget();
             int insertionLocation = ((CMenuBar)parent).getNextInsertionIndex();
-            return nativeCreateMenu(parent.getModel(),
-                                    isHelpMenu, insertionLocation);
-        } else {
-            throw new InternalError("Parent must be CMenu or CMenuBar");
+            return parent.executeGet(ptr -> nativeCreateMenu(ptr, isHelpMenu,
+                                                             insertionLocation));
         }
+        throw new InternalError("Parent must be CMenu or CMenuBar");
     }
 
     @Override
-    public void addItem(MenuItem item) {
+    public final void addItem(MenuItem item) {
         // Nothing to do here -- we added it when we created the
         // menu item's peer.
     }
 
     @Override
-    public void delItem(int index) {
-        nativeDeleteItem(getModel(), index);
+    public final void delItem(final int index) {
+        execute(ptr -> nativeDeleteItem(ptr, index));
     }
 
     @Override
-    public void setLabel(String label) {
-        nativeSetMenuTitle(getModel(), label);
+    public final void setLabel(final String label) {
+        execute(ptr->nativeSetMenuTitle(ptr, label));
         super.setLabel(label);
     }
 
     // Note that addSeparator is never called directly from java.awt.Menu,
     // though it is required in the MenuPeer interface.
     @Override
-    public void addSeparator() {
-        nativeAddSeparator(getModel());
+    public final void addSeparator() {
+        execute(this::nativeAddSeparator);
     }
 
     // Used by ScreenMenuBar to get to the native menu for event handling.
-    public long getNativeMenu() {
-        return nativeGetNSMenu(getModel());
+    public final long getNativeMenu() {
+        return executeGet(this::nativeGetNSMenu);
     }
 
     private native long nativeCreateMenu(long parentMenuPtr,
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenuBar.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenuBar.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,7 +31,7 @@
 
 import sun.awt.AWTAccessor;
 
-public class CMenuBar extends CMenuComponent implements MenuBarPeer {
+public final class CMenuBar extends CMenuComponent implements MenuBarPeer {
 
     private int nextInsertionIndex = -1;
 
@@ -40,14 +40,15 @@
     }
 
     @Override
-    protected long createModel() {
+    long createModel() {
         return nativeCreateMenuBar();
     }
 
     @Override
-    public void addHelpMenu(Menu m) {
-        CMenu cMenu = AWTAccessor.getMenuComponentAccessor().getPeer(m);
-        nativeSetHelpMenu(getModel(), cMenu.getModel());
+    public void addHelpMenu(final Menu m) {
+        final CMenu cMenu = AWTAccessor.getMenuComponentAccessor().getPeer(m);
+        execute(parentPtr -> cMenu.execute(
+                menuPtr -> nativeSetHelpMenu(parentPtr, menuPtr)));
     }
 
     public int getNextInsertionIndex() {
@@ -65,8 +66,8 @@
     }
 
     @Override
-    public void delMenu(int index) {
-        nativeDelMenu(getModel(), index);
+    public void delMenu(final int index) {
+        execute(ptr -> nativeDelMenu(ptr, index));
     }
 
     private native long nativeCreateMenuBar();
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenuComponent.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenuComponent.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,36 +29,32 @@
 import java.awt.MenuComponent;
 import java.awt.peer.MenuComponentPeer;
 
-public abstract class CMenuComponent implements MenuComponentPeer {
+abstract class CMenuComponent extends CFRetainedResource
+        implements MenuComponentPeer {
 
-    private MenuComponent target;
-    private long modelPtr;
+    private final MenuComponent target;
 
-    CMenuComponent(MenuComponent target) {
+    CMenuComponent(final MenuComponent target) {
+        super(0, true);
         this.target = target;
-        this.modelPtr = createModel();
+        setPtr(createModel());
     }
 
-    MenuComponent getTarget() {
+    final MenuComponent getTarget() {
         return target;
     }
 
-    public long getModel() {
-        return modelPtr;
+    abstract long createModel();
+
+    @Override
+    public final void dispose() {
+        super.dispose();
+        LWCToolkit.targetDisposedPeer(target, this);
     }
 
-    protected abstract long createModel();
-
-    public void dispose() {
-        LWCToolkit.targetDisposedPeer(target, this);
-        nativeDispose(modelPtr);
-        target = null;
-    }
-
-    private native void nativeDispose(long modelPtr);
-
     // 1.5 peer method
-    public void setFont(Font f) {
+    @Override
+    public final void setFont(final Font f) {
         // no-op, as we don't currently support menu fonts
         // c.f. radar 4032912
     }
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenuItem.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CMenuItem.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,16 +25,17 @@
 
 package sun.lwawt.macosx;
 
+import java.awt.MenuItem;
+import java.awt.MenuShortcut;
+import java.awt.event.ActionEvent;
+import java.awt.event.InputEvent;
+import java.awt.event.KeyEvent;
+import java.awt.peer.MenuItemPeer;
+import java.util.concurrent.atomic.AtomicBoolean;
+
 import sun.awt.SunToolkit;
 import sun.lwawt.LWToolkit;
 
-import java.awt.MenuContainer;
-import java.awt.MenuItem;
-import java.awt.MenuShortcut;
-import java.awt.event.*;
-import java.awt.peer.MenuItemPeer;
-import java.util.concurrent.atomic.AtomicBoolean;
-
 public class CMenuItem extends CMenuComponent implements MenuItemPeer {
 
     private final AtomicBoolean enabled = new AtomicBoolean(true);
@@ -58,9 +59,9 @@
     }
 
     @Override
-    protected long createModel() {
+    long createModel() {
         CMenuComponent parent = (CMenuComponent)LWToolkit.targetToPeer(getTarget().getParent());
-        return nativeCreate(parent.getModel(), isSeparator());
+        return parent.executeGet(ptr->nativeCreate(ptr, isSeparator()));
     }
 
     public void setLabel(String label, char keyChar, int keyCode, int modifiers) {
@@ -90,7 +91,12 @@
             keyChar = 0;
         }
 
-        nativeSetLabel(getModel(), label, keyChar, keyCode, keyMask);
+        final String finalLabel = label;
+        final char finalKeyChar = keyChar;
+        final int finalKeyCode = keyCode;
+        final int finalKeyMask = keyMask;
+        execute(ptr -> nativeSetLabel(ptr, finalLabel, finalKeyChar,
+                                      finalKeyCode, finalKeyMask));
     }
 
     @Override
@@ -105,16 +111,16 @@
      * There isn't a need to expose this except in a instanceof because
      * it isn't defined in the peer api.
      */
-    public void setImage(java.awt.Image img) {
+    public final void setImage(final java.awt.Image img) {
         CImage cimg = CImage.getCreator().createFromImage(img);
-        nativeSetImage(getModel(), cimg == null ? 0L : cimg.ptr);
+        execute(ptr -> nativeSetImage(ptr, cimg == null ? 0L : cimg.ptr));
     }
 
     /**
      * New API for tooltips
      */
-    public void setToolTipText(String text) {
-        nativeSetTooltip(getModel(), text);
+    public final void setToolTipText(final String text) {
+        execute(ptr -> nativeSetTooltip(ptr, text));
     }
 
 //    @Override
@@ -138,7 +144,8 @@
             b &= ((CMenuItem) parent).isEnabled();
         }
         if (enabled.compareAndSet(!b, b)) {
-            nativeSetEnabled(getModel(), b);
+            final boolean finalB = b;
+            execute(ptr->nativeSetEnabled(ptr, finalB));
         }
     }
 
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java	Wed Jul 05 22:44:27 2017 +0200
@@ -449,7 +449,7 @@
         final long nsWindowPtr = getNSWindowPtr();
         CMenuBar mbPeer = (CMenuBar)LWToolkit.targetToPeer(mb);
         if (mbPeer != null) {
-            nativeSetNSWindowMenuBar(nsWindowPtr, mbPeer.getModel());
+            mbPeer.execute(ptr -> nativeSetNSWindowMenuBar(nsWindowPtr, ptr));
         } else {
             nativeSetNSWindowMenuBar(nsWindowPtr, 0);
         }
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CPopupMenu.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CPopupMenu.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,18 +25,20 @@
 
 package sun.lwawt.macosx;
 
-import java.awt.*;
+import java.awt.Component;
+import java.awt.Event;
+import java.awt.Point;
+import java.awt.PopupMenu;
 import java.awt.peer.PopupMenuPeer;
 
-import sun.lwawt.LWWindowPeer;
+final class CPopupMenu extends CMenu implements PopupMenuPeer {
 
-public class CPopupMenu extends CMenu implements PopupMenuPeer {
     CPopupMenu(PopupMenu target) {
         super(target);
     }
 
     @Override
-    protected long createModel() {
+    long createModel() {
         return nativeCreatePopupMenu();
     }
 
@@ -50,7 +52,7 @@
             Point loc = origin.getLocationOnScreen();
             e.x += loc.x;
             e.y += loc.y;
-            nativeShowPopupMenu(getModel(), e.x, e.y);
+            execute(ptr -> nativeShowPopupMenu(ptr, e.x, e.y));
         }
     }
 }
--- a/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CTrayIcon.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/classes/sun/lwawt/macosx/CTrayIcon.java	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -118,7 +118,10 @@
             }
         }
 
-        return checkAndCreatePopupPeer().getModel();
+        // This method is executed on Appkit, so if ptr is not zero means that,
+        // it is still not deallocated(even if we call NSApp postRunnableEvent)
+        // and sent CFRelease to the native queue
+        return checkAndCreatePopupPeer().ptr;
     }
 
     /**
--- a/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenu.m	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenu.m	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,7 @@
 - (id)initWithPeer:(jobject)peer {
 AWT_ASSERT_APPKIT_THREAD;
     // Create the new NSMenu
-    self = [super initWithPeer:peer asSeparator:[NSNumber numberWithBool:NO]];
+    self = [super initWithPeer:peer asSeparator:NO];
     if (self) {
         fMenu = [NSMenu javaMenuWithTitle:@""];
         [fMenu retain];
@@ -133,14 +133,13 @@
 
 CMenu * createCMenu (jobject cPeerObjGlobal) {
 
-    CMenu *aCMenu = nil;
+    __block CMenu *aCMenu = nil;
 
-    // We use an array here only to be able to get a return value
-    NSMutableArray *args = [[NSMutableArray alloc] initWithObjects:[NSValue valueWithBytes:&cPeerObjGlobal objCType:@encode(jobject)], nil];
+    [ThreadUtilities performOnMainThreadWaiting:YES block:^(){
 
-    [ThreadUtilities performOnMainThread:@selector(_create_OnAppKitThread:) on:[CMenu alloc] withObject:args waitUntilDone:YES];
-
-    aCMenu = (CMenu *)[args objectAtIndex: 0];
+        aCMenu = [[CMenu alloc] initWithPeer:cPeerObjGlobal];
+        // the aCMenu is released in CMenuComponent.dispose()
+    }];
 
     if (aCMenu == nil) {
         return 0L;
--- a/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuBar.m	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuBar.m	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -383,27 +383,20 @@
 Java_sun_lwawt_macosx_CMenuBar_nativeCreateMenuBar
     (JNIEnv *env, jobject peer)
 {
-    CMenuBar *aCMenuBar = nil;
+    __block CMenuBar *aCMenuBar = nil;
     JNF_COCOA_ENTER(env);
 
     jobject cPeerObjGlobal = (*env)->NewGlobalRef(env, peer);
 
-    // We use an array here only to be able to get a return value
-    NSMutableArray *args = [[NSMutableArray alloc] initWithObjects:[NSValue valueWithBytes:&cPeerObjGlobal objCType:@encode(jobject)], nil];
+    [ThreadUtilities performOnMainThreadWaiting:YES block:^(){
 
-    [ThreadUtilities performOnMainThread:@selector(_create_OnAppKitThread:) on:[CMenuBar alloc] withObject:args waitUntilDone:YES];
-
-    aCMenuBar = (CMenuBar *)[args objectAtIndex: 0];
-
+        aCMenuBar = [[CMenuBar alloc] initWithPeer:cPeerObjGlobal];
+        // the aCMenuBar is released in CMenuComponent.dispose()
+    }];
     if (aCMenuBar == nil) {
         return 0L;
     }
 
-    // [args release];
-
-    // A strange memory managment after that.
-
-
     JNF_COCOA_EXIT(env);
     return ptr_to_jlong(aCMenuBar);
 }
--- a/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuComponent.m	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuComponent.m	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,45 +41,11 @@
     return self;
 }
 
--(void) cleanup {
-    // Used by subclasses
-}
-
--(void) disposer {
+- (void)dealloc {
     JNIEnv *env = [ThreadUtilities getJNIEnvUncached];
     JNFDeleteGlobalRef(env, fPeer);
     fPeer = NULL;
 
-    [self cleanup];
-    [self release];
+    [super dealloc];
 }
-
-// The method is used by all subclasses, since the process of the creation
-// is the same. The only exception is the CMenuItem class.
-- (void) _create_OnAppKitThread: (NSMutableArray *)argValue {
-    jobject cPeerObjGlobal = (jobject)[[argValue objectAtIndex: 0] pointerValue];
-    CMenuItem *aCMenuItem = [self initWithPeer:cPeerObjGlobal];
-    [argValue removeAllObjects];
-    [argValue addObject: aCMenuItem];
-}
-
 @end
-
-/*
- * Class:     sun_lwawt_macosx_CMenuComponent
- * Method:    nativeDispose
- * Signature: (J)V
- */
-JNIEXPORT void JNICALL
-Java_sun_lwawt_macosx_CMenuComponent_nativeDispose
-(JNIEnv *env, jobject peer, jlong menuItemObj)
-{
-JNF_COCOA_ENTER(env);
-
-    [ThreadUtilities performOnMainThread:@selector(disposer)
-                                      on:((id)jlong_to_ptr(menuItemObj))
-                              withObject:nil
-                           waitUntilDone:NO];
-
-JNF_COCOA_EXIT(env);
-}
--- a/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuItem.h	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuItem.h	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,7 @@
 }
 
 // Setup
-- (id) initWithPeer:(jobject)peer asSeparator: (NSNumber *) asSeparator;
+- (id) initWithPeer:(jobject)peer asSeparator: (BOOL) asSeparator;
 - (void) setIsCheckbox;
 
 // Events
--- a/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuItem.m	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/macosx/native/libawt_lwawt/awt/CMenuItem.m	Wed Jul 05 22:44:27 2017 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,11 +39,11 @@
 
 @implementation CMenuItem
 
-- (id) initWithPeer:(jobject)peer asSeparator: (NSNumber *) asSeparator{
+- (id) initWithPeer:(jobject)peer asSeparator: (BOOL) asSeparator{
     AWT_ASSERT_APPKIT_THREAD;
     self = [super initWithPeer:peer];
     if (self) {
-        if ([asSeparator boolValue]) {
+        if (asSeparator) {
             fMenuItem = (NSMenuItem*)[NSMenuItem separatorItem];
             [fMenuItem retain];
         } else {
@@ -204,12 +204,9 @@
     }];
 }
 
-- (void)cleanup {
+- (void)dealloc {
     [fMenuItem setAction:NULL];
     [fMenuItem setTarget:nil];
-}
-
-- (void)dealloc {
     [fMenuItem release];
     fMenuItem = nil;
     
@@ -228,14 +225,6 @@
     fIsCheckbox = YES;
 }
 
-- (void) _createMenuItem_OnAppKitThread: (NSMutableArray *)argValue {
-    jobject cPeerObjGlobal = (jobject)[[argValue objectAtIndex: 0] pointerValue];
-    NSNumber * asSeparator = (NSNumber *)[argValue objectAtIndex: 1];
-    CMenuItem *aCMenuItem = [self initWithPeer: cPeerObjGlobal asSeparator: asSeparator];
-    [argValue removeAllObjects];
-    [argValue addObject: aCMenuItem];
-}
-
 - (NSString *)description {
     return [NSString stringWithFormat:@"CMenuItem[ %@ ]", fMenuItem];
 }
@@ -397,24 +386,18 @@
 (JNIEnv *env, jobject peer, jlong parentCMenuObj, jboolean isSeparator)
 {
     
-    CMenuItem *aCMenuItem = nil;
+    __block CMenuItem *aCMenuItem = nil;
+    BOOL asSeparator = (isSeparator == JNI_TRUE) ? YES: NO;
     CMenu *parentCMenu = (CMenu *)jlong_to_ptr(parentCMenuObj);
     JNF_COCOA_ENTER(env);
     
     jobject cPeerObjGlobal = (*env)->NewGlobalRef(env, peer);
-    
-    NSMutableArray *args = nil;
-    
-    // Create a new item....
-    if (isSeparator == JNI_TRUE) {
-        args = [[NSMutableArray alloc] initWithObjects:[NSValue valueWithBytes:&cPeerObjGlobal objCType:@encode(jobject)], [NSNumber numberWithBool:YES],  nil];
-    } else {
-        args = [[NSMutableArray alloc] initWithObjects:[NSValue valueWithBytes:&cPeerObjGlobal objCType:@encode(jobject)], [NSNumber numberWithBool:NO],  nil];
-    }
-    
-    [ThreadUtilities performOnMainThread:@selector(_createMenuItem_OnAppKitThread:) on:[CMenuItem alloc] withObject:args waitUntilDone:YES];
-    
-    aCMenuItem = (CMenuItem *)[args objectAtIndex: 0];
+
+    [ThreadUtilities performOnMainThreadWaiting:YES block:^(){
+        aCMenuItem = [[CMenuItem alloc] initWithPeer: cPeerObjGlobal
+                                         asSeparator: asSeparator];
+        // the CMenuItem is released in CMenuComponent.dispose()
+    }];
     
     if (aCMenuItem == nil) {
         return 0L;
--- a/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	Wed Jul 05 22:44:27 2017 +0200
@@ -735,7 +735,11 @@
                     parse_iCCP_chunk(chunkLength);
                     break;
                 case iTXt_TYPE:
-                    parse_iTXt_chunk(chunkLength);
+                    if (ignoreMetadata) {
+                        stream.skipBytes(chunkLength);
+                    } else {
+                        parse_iTXt_chunk(chunkLength);
+                    }
                     break;
                 case pHYs_TYPE:
                     parse_pHYs_chunk();
@@ -759,7 +763,11 @@
                     parse_tRNS_chunk(chunkLength);
                     break;
                 case zTXt_TYPE:
-                    parse_zTXt_chunk(chunkLength);
+                    if (ignoreMetadata) {
+                        stream.skipBytes(chunkLength);
+                    } else {
+                        parse_zTXt_chunk(chunkLength);
+                    }
                     break;
                 default:
                     // Read an unknown chunk
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-blob.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-blob.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -247,7 +247,7 @@
  * @destroy: callback to call when @data is not needed anymore.
  * @replace: whether to replace an existing data with the same key.
  *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -266,9 +266,9 @@
  * @blob: a blob.
  * @key: key for data to get.
  *
+ * 
  *
- *
- * Return value: (transfer none):
+ * Return value: (transfer none): 
  *
  * Since: 0.9.2
  **/
@@ -284,7 +284,7 @@
  * hb_blob_make_immutable:
  * @blob: a blob.
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -301,7 +301,7 @@
  * hb_blob_is_immutable:
  * @blob: a blob.
  *
- *
+ * 
  *
  * Return value: TODO
  *
@@ -318,7 +318,7 @@
  * hb_blob_get_length:
  * @blob: a blob.
  *
- *
+ * 
  *
  * Return value: the length of blob data in bytes.
  *
@@ -335,9 +335,9 @@
  * @blob: a blob.
  * @length: (out):
  *
+ * 
  *
- *
- * Returns: (transfer none) (array length=length):
+ * Returns: (transfer none) (array length=length): 
  *
  * Since: 0.9.2
  **/
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-deserialize-json.hh	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-deserialize-json.hh	Wed Jul 05 22:44:27 2017 +0200
@@ -34,397 +34,397 @@
 
 #line 36 "hb-buffer-deserialize-json.hh"
 static const unsigned char _deserialize_json_trans_keys[] = {
-        0u, 0u, 9u, 123u, 9u, 34u, 97u, 103u, 120u, 121u, 34u, 34u, 9u, 58u, 9u, 57u,
-        48u, 57u, 9u, 125u, 9u, 125u, 9u, 125u, 34u, 34u, 9u, 58u, 9u, 57u, 48u, 57u,
-        9u, 125u, 9u, 125u, 108u, 108u, 34u, 34u, 9u, 58u, 9u, 57u, 9u, 125u, 9u, 125u,
-        120u, 121u, 34u, 34u, 9u, 58u, 9u, 57u, 48u, 57u, 9u, 125u, 9u, 125u, 34u, 34u,
-        9u, 58u, 9u, 57u, 48u, 57u, 9u, 125u, 9u, 125u, 34u, 34u, 9u, 58u, 9u, 57u,
+        0u, 0u, 9u, 123u, 9u, 34u, 97u, 103u, 120u, 121u, 34u, 34u, 9u, 58u, 9u, 57u, 
+        48u, 57u, 9u, 125u, 9u, 125u, 9u, 125u, 34u, 34u, 9u, 58u, 9u, 57u, 48u, 57u, 
+        9u, 125u, 9u, 125u, 108u, 108u, 34u, 34u, 9u, 58u, 9u, 57u, 9u, 125u, 9u, 125u, 
+        120u, 121u, 34u, 34u, 9u, 58u, 9u, 57u, 48u, 57u, 9u, 125u, 9u, 125u, 34u, 34u, 
+        9u, 58u, 9u, 57u, 48u, 57u, 9u, 125u, 9u, 125u, 34u, 34u, 9u, 58u, 9u, 57u, 
         65u, 122u, 34u, 122u, 9u, 125u, 9u, 125u, 9u, 93u, 9u, 123u, 0u, 0u, 0
 };
 
 static const char _deserialize_json_key_spans[] = {
-        0, 115, 26, 7, 2, 1, 50, 49,
-        10, 117, 117, 117, 1, 50, 49, 10,
-        117, 117, 1, 1, 50, 49, 117, 117,
-        2, 1, 50, 49, 10, 117, 117, 1,
-        50, 49, 10, 117, 117, 1, 50, 49,
+        0, 115, 26, 7, 2, 1, 50, 49, 
+        10, 117, 117, 117, 1, 50, 49, 10, 
+        117, 117, 1, 1, 50, 49, 117, 117, 
+        2, 1, 50, 49, 10, 117, 117, 1, 
+        50, 49, 10, 117, 117, 1, 50, 49, 
         58, 89, 117, 117, 85, 115, 0
 };
 
 static const short _deserialize_json_index_offsets[] = {
-        0, 0, 116, 143, 151, 154, 156, 207,
-        257, 268, 386, 504, 622, 624, 675, 725,
-        736, 854, 972, 974, 976, 1027, 1077, 1195,
-        1313, 1316, 1318, 1369, 1419, 1430, 1548, 1666,
-        1668, 1719, 1769, 1780, 1898, 2016, 2018, 2069,
+        0, 0, 116, 143, 151, 154, 156, 207, 
+        257, 268, 386, 504, 622, 624, 675, 725, 
+        736, 854, 972, 974, 976, 1027, 1077, 1195, 
+        1313, 1316, 1318, 1369, 1419, 1430, 1548, 1666, 
+        1668, 1719, 1769, 1780, 1898, 2016, 2018, 2069, 
         2119, 2178, 2268, 2386, 2504, 2590, 2706
 };
 
 static const char _deserialize_json_indicies[] = {
-        0, 0, 0, 0, 0, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        0, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 2, 1, 3, 3, 3,
-        3, 3, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 3, 1, 4, 1,
-        5, 1, 6, 7, 1, 1, 8, 1,
-        9, 10, 1, 11, 1, 11, 11, 11,
-        11, 11, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 11, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 12, 1,
-        12, 12, 12, 12, 12, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 12,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 13, 1, 1, 14,
-        15, 15, 15, 15, 15, 15, 15, 15,
-        15, 1, 16, 17, 17, 17, 17, 17,
-        17, 17, 17, 17, 1, 18, 18, 18,
-        18, 18, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 18, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        19, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 20, 1, 21, 21, 21, 21, 21,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 21, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 3, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 22,
-        1, 18, 18, 18, 18, 18, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        18, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 19, 1, 1, 1,
-        17, 17, 17, 17, 17, 17, 17, 17,
-        17, 17, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 20, 1, 23,
-        1, 23, 23, 23, 23, 23, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        23, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 24, 1, 24, 24, 24, 24,
-        24, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 24, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        25, 1, 1, 26, 27, 27, 27, 27,
-        27, 27, 27, 27, 27, 1, 28, 29,
-        29, 29, 29, 29, 29, 29, 29, 29,
-        1, 30, 30, 30, 30, 30, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        30, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 31, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 32, 1, 30,
-        30, 30, 30, 30, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 30, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 31, 1, 1, 1, 29, 29,
-        29, 29, 29, 29, 29, 29, 29, 29,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 32, 1, 33, 1, 34,
-        1, 34, 34, 34, 34, 34, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        34, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 35, 1, 35, 35, 35, 35,
-        35, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 35, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 36, 37, 37, 37, 37,
-        37, 37, 37, 37, 37, 1, 38, 38,
-        38, 38, 38, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 38, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 39, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 40, 1, 38, 38, 38, 38,
-        38, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 38, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 39,
-        1, 1, 1, 41, 41, 41, 41, 41,
-        41, 41, 41, 41, 41, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        40, 1, 42, 43, 1, 44, 1, 44,
-        44, 44, 44, 44, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 44, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        45, 1, 45, 45, 45, 45, 45, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 45, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 46, 1,
-        1, 47, 48, 48, 48, 48, 48, 48,
-        48, 48, 48, 1, 49, 50, 50, 50,
-        50, 50, 50, 50, 50, 50, 1, 51,
-        51, 51, 51, 51, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 51, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 52, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 53, 1, 51, 51, 51,
-        51, 51, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 51, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        52, 1, 1, 1, 50, 50, 50, 50,
-        50, 50, 50, 50, 50, 50, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 53, 1, 54, 1, 54, 54, 54,
-        54, 54, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 54, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 55, 1,
-        55, 55, 55, 55, 55, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 55,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 56, 1, 1, 57,
-        58, 58, 58, 58, 58, 58, 58, 58,
-        58, 1, 59, 60, 60, 60, 60, 60,
-        60, 60, 60, 60, 1, 61, 61, 61,
-        61, 61, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 61, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        62, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 63, 1, 61, 61, 61, 61, 61,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 61, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 62, 1,
-        1, 1, 60, 60, 60, 60, 60, 60,
-        60, 60, 60, 60, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 63,
-        1, 64, 1, 64, 64, 64, 64, 64,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 64, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 65, 1, 65, 65,
-        65, 65, 65, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 65, 1, 66,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 67, 68, 68,
-        68, 68, 68, 68, 68, 68, 68, 1,
-        69, 69, 69, 69, 69, 69, 69, 69,
-        69, 69, 69, 69, 69, 69, 69, 69,
-        69, 69, 69, 69, 69, 69, 69, 69,
-        69, 69, 1, 1, 1, 1, 1, 1,
-        69, 69, 69, 69, 69, 69, 69, 69,
-        69, 69, 69, 69, 69, 69, 69, 69,
-        69, 69, 69, 69, 69, 69, 69, 69,
-        69, 69, 1, 70, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 71, 71,
-        1, 71, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 1, 1, 1, 1, 1,
-        1, 1, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 71, 1, 1, 1, 1,
-        71, 1, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 71, 71, 71, 71, 71,
-        71, 71, 71, 71, 1, 72, 72, 72,
-        72, 72, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 72, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        73, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 74, 1, 72, 72, 72, 72, 72,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 72, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 73, 1,
-        1, 1, 75, 75, 75, 75, 75, 75,
-        75, 75, 75, 75, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 74,
-        1, 76, 76, 76, 76, 76, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        76, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 77, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 78, 1, 0,
-        0, 0, 0, 0, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 0, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
+        0, 0, 0, 0, 0, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        0, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 2, 1, 3, 3, 3, 
+        3, 3, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 3, 1, 4, 1, 
+        5, 1, 6, 7, 1, 1, 8, 1, 
+        9, 10, 1, 11, 1, 11, 11, 11, 
+        11, 11, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 11, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 12, 1, 
+        12, 12, 12, 12, 12, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 12, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 13, 1, 1, 14, 
+        15, 15, 15, 15, 15, 15, 15, 15, 
+        15, 1, 16, 17, 17, 17, 17, 17, 
+        17, 17, 17, 17, 1, 18, 18, 18, 
+        18, 18, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 18, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        19, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 20, 1, 21, 21, 21, 21, 21, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 21, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 3, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 22, 
+        1, 18, 18, 18, 18, 18, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        18, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 19, 1, 1, 1, 
+        17, 17, 17, 17, 17, 17, 17, 17, 
+        17, 17, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 20, 1, 23, 
+        1, 23, 23, 23, 23, 23, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        23, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 24, 1, 24, 24, 24, 24, 
+        24, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 24, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        25, 1, 1, 26, 27, 27, 27, 27, 
+        27, 27, 27, 27, 27, 1, 28, 29, 
+        29, 29, 29, 29, 29, 29, 29, 29, 
+        1, 30, 30, 30, 30, 30, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        30, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 31, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 32, 1, 30, 
+        30, 30, 30, 30, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 30, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 31, 1, 1, 1, 29, 29, 
+        29, 29, 29, 29, 29, 29, 29, 29, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 32, 1, 33, 1, 34, 
+        1, 34, 34, 34, 34, 34, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        34, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 35, 1, 35, 35, 35, 35, 
+        35, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 35, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 36, 37, 37, 37, 37, 
+        37, 37, 37, 37, 37, 1, 38, 38, 
+        38, 38, 38, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 38, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 39, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 40, 1, 38, 38, 38, 38, 
+        38, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 38, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 39, 
+        1, 1, 1, 41, 41, 41, 41, 41, 
+        41, 41, 41, 41, 41, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        40, 1, 42, 43, 1, 44, 1, 44, 
+        44, 44, 44, 44, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 44, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        45, 1, 45, 45, 45, 45, 45, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 45, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 46, 1, 
+        1, 47, 48, 48, 48, 48, 48, 48, 
+        48, 48, 48, 1, 49, 50, 50, 50, 
+        50, 50, 50, 50, 50, 50, 1, 51, 
+        51, 51, 51, 51, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 51, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 52, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 53, 1, 51, 51, 51, 
+        51, 51, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 51, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        52, 1, 1, 1, 50, 50, 50, 50, 
+        50, 50, 50, 50, 50, 50, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 53, 1, 54, 1, 54, 54, 54, 
+        54, 54, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 54, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 55, 1, 
+        55, 55, 55, 55, 55, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 55, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 56, 1, 1, 57, 
+        58, 58, 58, 58, 58, 58, 58, 58, 
+        58, 1, 59, 60, 60, 60, 60, 60, 
+        60, 60, 60, 60, 1, 61, 61, 61, 
+        61, 61, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 61, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        62, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 63, 1, 61, 61, 61, 61, 61, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 61, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 62, 1, 
+        1, 1, 60, 60, 60, 60, 60, 60, 
+        60, 60, 60, 60, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 63, 
+        1, 64, 1, 64, 64, 64, 64, 64, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 64, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 65, 1, 65, 65, 
+        65, 65, 65, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 65, 1, 66, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 67, 68, 68, 
+        68, 68, 68, 68, 68, 68, 68, 1, 
+        69, 69, 69, 69, 69, 69, 69, 69, 
+        69, 69, 69, 69, 69, 69, 69, 69, 
+        69, 69, 69, 69, 69, 69, 69, 69, 
+        69, 69, 1, 1, 1, 1, 1, 1, 
+        69, 69, 69, 69, 69, 69, 69, 69, 
+        69, 69, 69, 69, 69, 69, 69, 69, 
+        69, 69, 69, 69, 69, 69, 69, 69, 
+        69, 69, 1, 70, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 71, 71, 
+        1, 71, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 1, 1, 1, 1, 1, 
+        1, 1, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 71, 1, 1, 1, 1, 
+        71, 1, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 71, 71, 71, 71, 71, 
+        71, 71, 71, 71, 1, 72, 72, 72, 
+        72, 72, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 72, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        73, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 74, 1, 72, 72, 72, 72, 72, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 72, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 73, 1, 
+        1, 1, 75, 75, 75, 75, 75, 75, 
+        75, 75, 75, 75, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 74, 
+        1, 76, 76, 76, 76, 76, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        76, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 77, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 78, 1, 0, 
+        0, 0, 0, 0, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 0, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
         1, 2, 1, 1, 0
 };
 
 static const char _deserialize_json_trans_targs[] = {
-        1, 0, 2, 2, 3, 4, 18, 24,
-        37, 5, 12, 6, 7, 8, 9, 11,
-        9, 11, 10, 2, 44, 10, 44, 13,
-        14, 15, 16, 17, 16, 17, 10, 2,
-        44, 19, 20, 21, 22, 23, 10, 2,
-        44, 23, 25, 31, 26, 27, 28, 29,
-        30, 29, 30, 10, 2, 44, 32, 33,
-        34, 35, 36, 35, 36, 10, 2, 44,
-        38, 39, 40, 42, 43, 41, 10, 41,
+        1, 0, 2, 2, 3, 4, 18, 24, 
+        37, 5, 12, 6, 7, 8, 9, 11, 
+        9, 11, 10, 2, 44, 10, 44, 13, 
+        14, 15, 16, 17, 16, 17, 10, 2, 
+        44, 19, 20, 21, 22, 23, 10, 2, 
+        44, 23, 25, 31, 26, 27, 28, 29, 
+        30, 29, 30, 10, 2, 44, 32, 33, 
+        34, 35, 36, 35, 36, 10, 2, 44, 
+        38, 39, 40, 42, 43, 41, 10, 41, 
         10, 2, 44, 43, 44, 45, 46
 };
 
 static const char _deserialize_json_trans_actions[] = {
-        0, 0, 1, 0, 0, 0, 0, 0,
-        0, 0, 0, 0, 0, 2, 2, 2,
-        0, 0, 3, 3, 4, 0, 5, 0,
-        0, 2, 2, 2, 0, 0, 6, 6,
-        7, 0, 0, 0, 2, 2, 8, 8,
-        9, 0, 0, 0, 0, 0, 2, 2,
-        2, 0, 0, 10, 10, 11, 0, 0,
-        2, 2, 2, 0, 0, 12, 12, 13,
-        0, 0, 0, 2, 2, 2, 14, 0,
+        0, 0, 1, 0, 0, 0, 0, 0, 
+        0, 0, 0, 0, 0, 2, 2, 2, 
+        0, 0, 3, 3, 4, 0, 5, 0, 
+        0, 2, 2, 2, 0, 0, 6, 6, 
+        7, 0, 0, 0, 2, 2, 8, 8, 
+        9, 0, 0, 0, 0, 0, 2, 2, 
+        2, 0, 0, 10, 10, 11, 0, 0, 
+        2, 2, 2, 0, 0, 12, 12, 13, 
+        0, 0, 0, 2, 2, 2, 14, 0, 
         15, 15, 16, 0, 0, 0, 0
 };
 
@@ -461,7 +461,7 @@
   int cs;
   hb_glyph_info_t info = {0};
   hb_glyph_position_t pos = {0};
-
+  
 #line 466 "hb-buffer-deserialize-json.hh"
         {
         cs = deserialize_json_start;
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-deserialize-text.hh	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-deserialize-text.hh	Wed Jul 05 22:44:27 2017 +0200
@@ -34,274 +34,274 @@
 
 #line 36 "hb-buffer-deserialize-text.hh"
 static const unsigned char _deserialize_text_trans_keys[] = {
-        0u, 0u, 9u, 122u, 45u, 57u, 48u, 57u, 45u, 57u, 48u, 57u, 48u, 57u, 45u, 57u,
-        48u, 57u, 44u, 44u, 45u, 57u, 48u, 57u, 44u, 57u, 9u, 124u, 9u, 124u, 0u, 0u,
-        9u, 122u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u,
+        0u, 0u, 9u, 122u, 45u, 57u, 48u, 57u, 45u, 57u, 48u, 57u, 48u, 57u, 45u, 57u, 
+        48u, 57u, 44u, 44u, 45u, 57u, 48u, 57u, 44u, 57u, 9u, 124u, 9u, 124u, 0u, 0u, 
+        9u, 122u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 9u, 124u, 
         9u, 124u, 9u, 124u, 9u, 124u, 0
 };
 
 static const char _deserialize_text_key_spans[] = {
-        0, 114, 13, 10, 13, 10, 10, 13,
-        10, 1, 13, 10, 14, 116, 116, 0,
-        114, 116, 116, 116, 116, 116, 116, 116,
+        0, 114, 13, 10, 13, 10, 10, 13, 
+        10, 1, 13, 10, 14, 116, 116, 0, 
+        114, 116, 116, 116, 116, 116, 116, 116, 
         116, 116, 116
 };
 
 static const short _deserialize_text_index_offsets[] = {
-        0, 0, 115, 129, 140, 154, 165, 176,
-        190, 201, 203, 217, 228, 243, 360, 477,
-        478, 593, 710, 827, 944, 1061, 1178, 1295,
+        0, 0, 115, 129, 140, 154, 165, 176, 
+        190, 201, 203, 217, 228, 243, 360, 477, 
+        478, 593, 710, 827, 944, 1061, 1178, 1295, 
         1412, 1529, 1646
 };
 
 static const char _deserialize_text_indicies[] = {
-        0, 0, 0, 0, 0, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        0, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        2, 3, 3, 3, 3, 3, 3, 3,
-        3, 3, 1, 1, 1, 1, 1, 1,
-        1, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 1, 1, 1, 1, 1,
-        1, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 1, 5, 1, 1, 6,
-        7, 7, 7, 7, 7, 7, 7, 7,
-        7, 1, 8, 9, 9, 9, 9, 9,
-        9, 9, 9, 9, 1, 10, 1, 1,
-        11, 12, 12, 12, 12, 12, 12, 12,
-        12, 12, 1, 13, 14, 14, 14, 14,
-        14, 14, 14, 14, 14, 1, 15, 16,
-        16, 16, 16, 16, 16, 16, 16, 16,
-        1, 17, 1, 1, 18, 19, 19, 19,
-        19, 19, 19, 19, 19, 19, 1, 20,
-        21, 21, 21, 21, 21, 21, 21, 21,
-        21, 1, 22, 1, 23, 1, 1, 24,
-        25, 25, 25, 25, 25, 25, 25, 25,
-        25, 1, 26, 27, 27, 27, 27, 27,
-        27, 27, 27, 27, 1, 22, 1, 1,
-        1, 21, 21, 21, 21, 21, 21, 21,
-        21, 21, 21, 1, 28, 28, 28, 28,
-        28, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 28, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 29, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        30, 1, 1, 31, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        32, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 33,
-        1, 34, 34, 34, 34, 34, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        34, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 35, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 36, 1, 1, 0,
-        0, 0, 0, 0, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 0, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 2, 3,
-        3, 3, 3, 3, 3, 3, 3, 3,
-        1, 1, 1, 1, 1, 1, 1, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 1, 1, 1, 1, 1, 1, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 4, 4, 4, 4, 4, 4, 4,
-        4, 1, 28, 28, 28, 28, 28, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 28, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 29, 1, 1, 1,
-        1, 37, 37, 37, 37, 37, 37, 37,
-        37, 37, 37, 1, 1, 1, 30, 1,
-        1, 31, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 32, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 33, 1, 38,
-        38, 38, 38, 38, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 38, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 39, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 40, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 41, 1, 42, 42, 42, 42,
-        42, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 42, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        43, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 44,
-        1, 42, 42, 42, 42, 42, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        42, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        14, 14, 14, 14, 14, 14, 14, 14,
-        14, 14, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 43, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 44, 1, 38, 38,
-        38, 38, 38, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 38, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 39, 1, 1, 1, 9, 9, 9,
-        9, 9, 9, 9, 9, 9, 9, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 40, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 41, 1, 45, 45, 45, 45, 45,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 45, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 46, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 47, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 48,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 49, 1,
-        50, 50, 50, 50, 50, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 50,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 51, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 52, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 53, 1, 50, 50, 50,
-        50, 50, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 50, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 51,
-        1, 1, 1, 1, 27, 27, 27, 27,
-        27, 27, 27, 27, 27, 27, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 52, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        53, 1, 45, 45, 45, 45, 45, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 45, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 46, 1, 1, 1,
-        1, 54, 54, 54, 54, 54, 54, 54,
-        54, 54, 54, 1, 1, 1, 1, 1,
-        1, 47, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 48, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 49, 1, 28,
-        28, 28, 28, 28, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 1, 1, 1, 1, 1, 28, 1,
-        1, 1, 1, 1, 1, 1, 1, 1,
-        1, 29, 1, 55, 55, 1, 55, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
-        1, 1, 1, 30, 1, 1, 31, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
-        55, 1, 1, 32, 1, 55, 1, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
-        55, 55, 55, 55, 55, 55, 55, 55,
+        0, 0, 0, 0, 0, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        0, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        2, 3, 3, 3, 3, 3, 3, 3, 
+        3, 3, 1, 1, 1, 1, 1, 1, 
+        1, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 1, 1, 1, 1, 1, 
+        1, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 1, 5, 1, 1, 6, 
+        7, 7, 7, 7, 7, 7, 7, 7, 
+        7, 1, 8, 9, 9, 9, 9, 9, 
+        9, 9, 9, 9, 1, 10, 1, 1, 
+        11, 12, 12, 12, 12, 12, 12, 12, 
+        12, 12, 1, 13, 14, 14, 14, 14, 
+        14, 14, 14, 14, 14, 1, 15, 16, 
+        16, 16, 16, 16, 16, 16, 16, 16, 
+        1, 17, 1, 1, 18, 19, 19, 19, 
+        19, 19, 19, 19, 19, 19, 1, 20, 
+        21, 21, 21, 21, 21, 21, 21, 21, 
+        21, 1, 22, 1, 23, 1, 1, 24, 
+        25, 25, 25, 25, 25, 25, 25, 25, 
+        25, 1, 26, 27, 27, 27, 27, 27, 
+        27, 27, 27, 27, 1, 22, 1, 1, 
+        1, 21, 21, 21, 21, 21, 21, 21, 
+        21, 21, 21, 1, 28, 28, 28, 28, 
+        28, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 28, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 29, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        30, 1, 1, 31, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        32, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 33, 
+        1, 34, 34, 34, 34, 34, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        34, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 35, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 36, 1, 1, 0, 
+        0, 0, 0, 0, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 0, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 2, 3, 
+        3, 3, 3, 3, 3, 3, 3, 3, 
+        1, 1, 1, 1, 1, 1, 1, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 1, 1, 1, 1, 1, 1, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 4, 4, 4, 4, 4, 4, 4, 
+        4, 1, 28, 28, 28, 28, 28, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 28, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 29, 1, 1, 1, 
+        1, 37, 37, 37, 37, 37, 37, 37, 
+        37, 37, 37, 1, 1, 1, 30, 1, 
+        1, 31, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 32, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 33, 1, 38, 
+        38, 38, 38, 38, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 38, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 39, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 40, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 41, 1, 42, 42, 42, 42, 
+        42, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 42, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        43, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 44, 
+        1, 42, 42, 42, 42, 42, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        42, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        14, 14, 14, 14, 14, 14, 14, 14, 
+        14, 14, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 43, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 44, 1, 38, 38, 
+        38, 38, 38, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 38, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 39, 1, 1, 1, 9, 9, 9, 
+        9, 9, 9, 9, 9, 9, 9, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 40, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 41, 1, 45, 45, 45, 45, 45, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 45, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 46, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 47, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 48, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 49, 1, 
+        50, 50, 50, 50, 50, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 50, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 51, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 52, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 53, 1, 50, 50, 50, 
+        50, 50, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 50, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 51, 
+        1, 1, 1, 1, 27, 27, 27, 27, 
+        27, 27, 27, 27, 27, 27, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 52, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        53, 1, 45, 45, 45, 45, 45, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 45, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 46, 1, 1, 1, 
+        1, 54, 54, 54, 54, 54, 54, 54, 
+        54, 54, 54, 1, 1, 1, 1, 1, 
+        1, 47, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 48, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 49, 1, 28, 
+        28, 28, 28, 28, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 1, 1, 1, 1, 1, 28, 1, 
+        1, 1, 1, 1, 1, 1, 1, 1, 
+        1, 29, 1, 55, 55, 1, 55, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
+        1, 1, 1, 30, 1, 1, 31, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
+        55, 1, 1, 32, 1, 55, 1, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
+        55, 55, 55, 55, 55, 55, 55, 55, 
         55, 1, 33, 1, 0
 };
 
 static const char _deserialize_text_trans_targs[] = {
-        1, 0, 13, 17, 26, 3, 18, 21,
-        18, 21, 5, 19, 20, 19, 20, 22,
-        25, 8, 9, 12, 9, 12, 10, 11,
-        23, 24, 23, 24, 14, 2, 6, 7,
-        15, 16, 14, 15, 16, 17, 14, 4,
-        15, 16, 14, 15, 16, 14, 2, 7,
+        1, 0, 13, 17, 26, 3, 18, 21, 
+        18, 21, 5, 19, 20, 19, 20, 22, 
+        25, 8, 9, 12, 9, 12, 10, 11, 
+        23, 24, 23, 24, 14, 2, 6, 7, 
+        15, 16, 14, 15, 16, 17, 14, 4, 
+        15, 16, 14, 15, 16, 14, 2, 7, 
         15, 16, 14, 2, 15, 16, 25, 26
 };
 
 static const char _deserialize_text_trans_actions[] = {
-        0, 0, 1, 1, 1, 2, 2, 2,
-        0, 0, 2, 2, 2, 0, 0, 2,
-        2, 2, 2, 2, 0, 0, 3, 2,
-        2, 2, 0, 0, 4, 5, 5, 5,
-        4, 4, 0, 0, 0, 0, 6, 7,
-        6, 6, 8, 8, 8, 9, 10, 10,
+        0, 0, 1, 1, 1, 2, 2, 2, 
+        0, 0, 2, 2, 2, 0, 0, 2, 
+        2, 2, 2, 2, 0, 0, 3, 2, 
+        2, 2, 0, 0, 4, 5, 5, 5, 
+        4, 4, 0, 0, 0, 0, 6, 7, 
+        6, 6, 8, 8, 8, 9, 10, 10, 
         9, 9, 11, 12, 11, 11, 0, 0
 };
 
 static const char _deserialize_text_eof_actions[] = {
-        0, 0, 0, 0, 0, 0, 0, 0,
-        0, 0, 0, 0, 0, 4, 0, 0,
-        0, 4, 6, 8, 8, 6, 9, 11,
+        0, 0, 0, 0, 0, 0, 0, 0, 
+        0, 0, 0, 0, 0, 4, 0, 0, 
+        0, 4, 6, 8, 8, 6, 9, 11, 
         11, 9, 4
 };
 
@@ -338,7 +338,7 @@
   int cs;
   hb_glyph_info_t info = {0};
   hb_glyph_position_t pos = {0};
-
+  
 #line 343 "hb-buffer-deserialize-text.hh"
         {
         cs = deserialize_text_start;
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-private.hh	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-private.hh	Wed Jul 05 22:44:27 2017 +0200
@@ -134,7 +134,7 @@
 #ifndef HB_NDEBUG
     unsigned int end = start + count;
     assert (end <= 8);
-    unsigned int bits = (1<<end) - (1<<start);
+    unsigned int bits = (1u<<end) - (1u<<start);
     assert (0 == (allocated_var_bits & bits));
     allocated_var_bits |= bits;
 #endif
@@ -144,7 +144,7 @@
 #ifndef HB_NDEBUG
     unsigned int end = start + count;
     assert (end <= 8);
-    unsigned int bits = (1<<end) - (1<<start);
+    unsigned int bits = (1u<<end) - (1u<<start);
     assert (bits == (allocated_var_bits & bits));
     allocated_var_bits &= ~bits;
 #endif
@@ -154,7 +154,7 @@
 #ifndef HB_NDEBUG
     unsigned int end = start + count;
     assert (end <= 8);
-    unsigned int bits = (1<<end) - (1<<start);
+    unsigned int bits = (1u<<end) - (1u<<start);
     assert (bits == (allocated_var_bits & bits));
 #endif
   }
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-serialize.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer-serialize.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -58,7 +58,7 @@
  * @str is a valid buffer serialization format, use
  * hb_buffer_serialize_list_formats() to get the list of supported formats.
  *
- * Return value:
+ * Return value: 
  * The parsed #hb_buffer_serialize_format_t.
  *
  * Since: 0.9.7
@@ -289,7 +289,7 @@
  * ## json
  * TODO.
  *
- * Return value:
+ * Return value: 
  * The number of serialized items.
  *
  * Since: 0.9.7
@@ -393,14 +393,14 @@
  * hb_buffer_deserialize_glyphs:
  * @buffer: an #hb_buffer_t buffer.
  * @buf: (array length=buf_len):
- * @buf_len:
+ * @buf_len: 
  * @end_ptr: (out):
- * @font:
- * @format:
+ * @font: 
+ * @format: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.7
  **/
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-buffer.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -703,7 +703,7 @@
 /**
  * hb_buffer_get_empty:
  *
- *
+ * 
  *
  * Return value: (transfer full):
  *
@@ -780,14 +780,14 @@
 /**
  * hb_buffer_set_user_data: (skip)
  * @buffer: an #hb_buffer_t.
- * @key:
- * @data:
- * @destroy:
- * @replace:
+ * @key: 
+ * @data: 
+ * @destroy: 
+ * @replace: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -804,11 +804,11 @@
 /**
  * hb_buffer_get_user_data: (skip)
  * @buffer: an #hb_buffer_t.
- * @key:
+ * @key: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -858,9 +858,9 @@
 /**
  * hb_buffer_set_unicode_funcs:
  * @buffer: an #hb_buffer_t.
- * @unicode_funcs:
+ * @unicode_funcs: 
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -884,9 +884,9 @@
  * hb_buffer_get_unicode_funcs:
  * @buffer: an #hb_buffer_t.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -1090,7 +1090,7 @@
  *
  * See hb_buffer_set_flags().
  *
- * Return value:
+ * Return value: 
  * The @buffer flags.
  *
  * Since: 0.9.7
@@ -1104,9 +1104,9 @@
 /**
  * hb_buffer_set_cluster_level:
  * @buffer: an #hb_buffer_t.
- * @cluster_level:
+ * @cluster_level: 
  *
- *
+ * 
  *
  * Since: 0.9.42
  **/
@@ -1124,9 +1124,9 @@
  * hb_buffer_get_cluster_level:
  * @buffer: an #hb_buffer_t.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.42
  **/
@@ -1165,7 +1165,7 @@
  *
  * See hb_buffer_set_replacement_codepoint().
  *
- * Return value:
+ * Return value: 
  * The @buffer replacement #hb_codepoint_t.
  *
  * Since: 0.9.31
@@ -1276,7 +1276,7 @@
  * Similar to hb_buffer_pre_allocate(), but clears any new items added at the
  * end.
  *
- * Return value:
+ * Return value: 
  * %true if @buffer memory allocation succeeded, %false otherwise.
  *
  * Since: 0.9.2
@@ -1786,7 +1786,7 @@
  * @user_data:
  * @destroy:
  *
- *
+ * 
  *
  * Since: 1.1.3
  **/
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-cache-private.hh	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-cache-private.hh	Wed Jul 05 22:44:27 2017 +0200
@@ -45,11 +45,11 @@
 
   inline bool get (unsigned int key, unsigned int *value)
   {
-    unsigned int k = key & ((1<<cache_bits)-1);
+    unsigned int k = key & ((1u<<cache_bits)-1);
     unsigned int v = values[k];
     if ((v >> value_bits) != (key >> cache_bits))
       return false;
-    *value = v & ((1<<value_bits)-1);
+    *value = v & ((1u<<value_bits)-1);
     return true;
   }
 
@@ -57,14 +57,14 @@
   {
     if (unlikely ((key >> key_bits) || (value >> value_bits)))
       return false; /* Overflows */
-    unsigned int k = key & ((1<<cache_bits)-1);
+    unsigned int k = key & ((1u<<cache_bits)-1);
     unsigned int v = ((key>>cache_bits)<<value_bits) | value;
     values[k] = v;
     return true;
   }
 
   private:
-  unsigned int values[1<<cache_bits];
+  unsigned int values[1u<<cache_bits];
 };
 
 typedef hb_cache_t<21, 16, 8> hb_cmap_cache_t;
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-common.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-common.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -57,12 +57,12 @@
 
 /**
  * hb_tag_from_string:
- * @str: (array length=len) (element-type uint8_t):
- * @len:
+ * @str: (array length=len) (element-type uint8_t): 
+ * @len: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -87,10 +87,10 @@
 
 /**
  * hb_tag_to_string:
- * @tag:
- * @buf: (out caller-allocates) (array fixed-size=4) (element-type uint8_t):
+ * @tag: 
+ * @buf: (out caller-allocates) (array fixed-size=4) (element-type uint8_t): 
  *
- *
+ * 
  *
  * Since: 0.9.5
  **/
@@ -115,12 +115,12 @@
 
 /**
  * hb_direction_from_string:
- * @str: (array length=len) (element-type uint8_t):
- * @len:
+ * @str: (array length=len) (element-type uint8_t): 
+ * @len: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -143,11 +143,11 @@
 
 /**
  * hb_direction_to_string:
- * @direction:
+ * @direction: 
  *
+ * 
  *
- *
- * Return value: (transfer none):
+ * Return value: (transfer none): 
  *
  * Since: 0.9.2
  **/
@@ -337,7 +337,7 @@
 /**
  * hb_language_get_default:
  *
- *
+ * 
  *
  * Return value: (transfer none):
  *
@@ -366,7 +366,7 @@
  *
  * Converts an ISO 15924 script tag to a corresponding #hb_script_t.
  *
- * Return value:
+ * Return value: 
  * An #hb_script_t corresponding to the ISO 15924 tag.
  *
  * Since: 0.9.2
@@ -415,7 +415,7 @@
  * corresponding #hb_script_t. Shorthand for hb_tag_from_string() then
  * hb_script_from_iso15924_tag().
  *
- * Return value:
+ * Return value: 
  * An #hb_script_t corresponding to the ISO 15924 tag.
  *
  * Since: 0.9.2
@@ -445,11 +445,11 @@
 
 /**
  * hb_script_get_horizontal_direction:
- * @script:
+ * @script: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -588,13 +588,13 @@
 
 /**
  * hb_version_atleast:
- * @major:
- * @minor:
- * @micro:
+ * @major: 
+ * @minor: 
+ * @micro: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.30
  **/
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-coretext.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-coretext.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -145,6 +145,22 @@
     DEBUG_MSG (CORETEXT, cg_font, "Font CTFontCreateWithGraphicsFont() failed");
     return NULL;
   }
+
+  /* crbug.com/576941 and crbug.com/625902 and the investigation in the latter
+   * bug indicate that the cascade list reconfiguration occasionally causes
+   * crashes in CoreText on OS X 10.9, thus let's skip this step on older
+   * operating system versions. Except for the emoji font, where _not_
+   * reconfiguring the cascade list causes CoreText crashes. For details, see
+   * crbug.com/549610 */
+  // 0x00070000 stands for "kCTVersionNumber10_10", see CoreText.h
+  if (&CTGetCoreTextVersion != NULL && CTGetCoreTextVersion() < 0x00070000) {
+    CFStringRef fontName = CTFontCopyPostScriptName (ct_font);
+    bool isEmojiFont = CFStringCompare (fontName, CFSTR("AppleColorEmoji"), 0) == kCFCompareEqualTo;
+    CFRelease (fontName);
+    if (!isEmojiFont)
+      return ct_font;
+  }
+
   CFURLRef original_url = (CFURLRef)CTFontCopyAttribute(ct_font, kCTFontURLAttribute);
 
   /* Create font copy with cascade list that has LastResort first; this speeds up CoreText
@@ -272,7 +288,9 @@
 hb_coretext_shaper_shape_plan_data_t *
 _hb_coretext_shaper_shape_plan_data_create (hb_shape_plan_t    *shape_plan HB_UNUSED,
                                              const hb_feature_t *user_features HB_UNUSED,
-                                             unsigned int        num_user_features HB_UNUSED)
+                                             unsigned int        num_user_features HB_UNUSED,
+                                             const int          *coords HB_UNUSED,
+                                             unsigned int        num_coords HB_UNUSED)
 {
   return (hb_coretext_shaper_shape_plan_data_t *) HB_SHAPER_DATA_SUCCEEDED;
 }
@@ -717,7 +735,7 @@
       pchars[chars_len++] = 0xFFFDu;
     else {
       pchars[chars_len++] = 0xD800u + ((c - 0x10000u) >> 10);
-      pchars[chars_len++] = 0xDC00u + ((c - 0x10000u) & ((1 << 10) - 1));
+      pchars[chars_len++] = 0xDC00u + ((c - 0x10000u) & ((1u << 10) - 1));
     }
   }
 
@@ -1264,7 +1282,9 @@
 hb_coretext_aat_shaper_shape_plan_data_t *
 _hb_coretext_aat_shaper_shape_plan_data_create (hb_shape_plan_t    *shape_plan HB_UNUSED,
                                              const hb_feature_t *user_features HB_UNUSED,
-                                             unsigned int        num_user_features HB_UNUSED)
+                                             unsigned int        num_user_features HB_UNUSED,
+                                             const int          *coords HB_UNUSED,
+                                             unsigned int        num_coords HB_UNUSED)
 {
   return (hb_coretext_aat_shaper_shape_plan_data_t *) HB_SHAPER_DATA_SUCCEEDED;
 }
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-face.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-face.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -35,8 +35,6 @@
 #include "hb-ot-head-table.hh"
 #include "hb-ot-maxp-table.hh"
 
-#include "hb-cache-private.hh"
-
 #include <string.h>
 
 
@@ -70,10 +68,10 @@
 /**
  * hb_face_create_for_tables:
  * @reference_table_func: (closure user_data) (destroy destroy) (scope notified):
- * @user_data:
- * @destroy:
+ * @user_data: 
+ * @destroy: 
  *
- *
+ * 
  *
  * Return value: (transfer full)
  *
@@ -150,10 +148,10 @@
 
 /**
  * hb_face_create: (Xconstructor)
- * @blob:
- * @index:
+ * @blob: 
+ * @index: 
  *
- *
+ * 
  *
  * Return value: (transfer full):
  *
@@ -185,7 +183,7 @@
 /**
  * hb_face_get_empty:
  *
- *
+ * 
  *
  * Return value: (transfer full)
  *
@@ -202,9 +200,9 @@
  * hb_face_reference: (skip)
  * @face: a face.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -218,7 +216,7 @@
  * hb_face_destroy: (skip)
  * @face: a face.
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -248,14 +246,14 @@
 /**
  * hb_face_set_user_data: (skip)
  * @face: a face.
- * @key:
- * @data:
- * @destroy:
- * @replace:
+ * @key: 
+ * @data: 
+ * @destroy: 
+ * @replace: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -272,9 +270,9 @@
 /**
  * hb_face_get_user_data: (skip)
  * @face: a face.
- * @key:
+ * @key: 
  *
- *
+ * 
  *
  * Return value: (transfer none):
  *
@@ -291,7 +289,7 @@
  * hb_face_make_immutable:
  * @face: a face.
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -308,9 +306,9 @@
  * hb_face_is_immutable:
  * @face: a face.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -324,9 +322,9 @@
 /**
  * hb_face_reference_table:
  * @face: a face.
- * @tag:
+ * @tag: 
  *
- *
+ * 
  *
  * Return value: (transfer full):
  *
@@ -343,7 +341,7 @@
  * hb_face_reference_blob:
  * @face: a face.
  *
- *
+ * 
  *
  * Return value: (transfer full):
  *
@@ -358,9 +356,9 @@
 /**
  * hb_face_set_index:
  * @face: a face.
- * @index:
+ * @index: 
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -378,9 +376,9 @@
  * hb_face_get_index:
  * @face: a face.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -393,9 +391,9 @@
 /**
  * hb_face_set_upem:
  * @face: a face.
- * @upem:
+ * @upem: 
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -413,9 +411,9 @@
  * hb_face_get_upem:
  * @face: a face.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -437,9 +435,9 @@
 /**
  * hb_face_set_glyph_count:
  * @face: a face.
- * @glyph_count:
+ * @glyph_count: 
  *
- *
+ * 
  *
  * Since: 0.9.7
  **/
@@ -457,9 +455,9 @@
  * hb_face_get_glyph_count:
  * @face: a face.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.7
  **/
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-fallback-shape.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-fallback-shape.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -73,7 +73,9 @@
 hb_fallback_shaper_shape_plan_data_t *
 _hb_fallback_shaper_shape_plan_data_create (hb_shape_plan_t    *shape_plan HB_UNUSED,
                                             const hb_feature_t *user_features HB_UNUSED,
-                                            unsigned int        num_user_features HB_UNUSED)
+                                            unsigned int        num_user_features HB_UNUSED,
+                                            const int          *coords HB_UNUSED,
+                                            unsigned int        num_coords HB_UNUSED)
 {
   return (hb_fallback_shaper_shape_plan_data_t *) HB_SHAPER_DATA_SUCCEEDED;
 }
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-font-private.hh	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-font-private.hh	Wed Jul 05 22:44:27 2017 +0200
@@ -108,6 +108,10 @@
   unsigned int x_ppem;
   unsigned int y_ppem;
 
+  /* Font variation coordinates. */
+  unsigned int num_coords;
+  int *coords;
+
   hb_font_funcs_t   *klass;
   void              *user_data;
   hb_destroy_func_t  destroy;
@@ -116,8 +120,14 @@
 
 
   /* Convert from font-space to user-space */
-  inline hb_position_t em_scale_x (int16_t v) { return em_scale (v, this->x_scale); }
-  inline hb_position_t em_scale_y (int16_t v) { return em_scale (v, this->y_scale); }
+  inline int dir_scale (hb_direction_t direction)
+  { return HB_DIRECTION_IS_VERTICAL(direction) ? y_scale : x_scale; }
+  inline hb_position_t em_scale_x (int16_t v) { return em_scale (v, x_scale); }
+  inline hb_position_t em_scale_y (int16_t v) { return em_scale (v, y_scale); }
+  inline hb_position_t em_scalef_x (float v) { return em_scalef (v, this->x_scale); }
+  inline hb_position_t em_scalef_y (float v) { return em_scalef (v, this->y_scale); }
+  inline hb_position_t em_scale_dir (int16_t v, hb_direction_t direction)
+  { return em_scale (v, dir_scale (direction)); }
 
   /* Convert from parent-font user-space to our user-space */
   inline hb_position_t parent_scale_x_distance (hb_position_t v) {
@@ -292,24 +302,32 @@
 
   /* A bit higher-level, and with fallback */
 
+  inline void get_h_extents_with_fallback (hb_font_extents_t *extents)
+  {
+    if (!get_font_h_extents (extents))
+    {
+      extents->ascender = y_scale * .8;
+      extents->descender = extents->ascender - y_scale;
+      extents->line_gap = 0;
+    }
+  }
+  inline void get_v_extents_with_fallback (hb_font_extents_t *extents)
+  {
+    if (!get_font_v_extents (extents))
+    {
+      extents->ascender = x_scale / 2;
+      extents->descender = extents->ascender - x_scale;
+      extents->line_gap = 0;
+    }
+  }
+
   inline void get_extents_for_direction (hb_direction_t direction,
                                          hb_font_extents_t *extents)
   {
-    if (likely (HB_DIRECTION_IS_HORIZONTAL (direction))) {
-      if (!get_font_h_extents (extents))
-      {
-        extents->ascender = y_scale * .8;
-        extents->descender = y_scale - extents->ascender;
-        extents->line_gap = 0;
-      }
-    } else {
-      if (!get_font_v_extents (extents))
-      {
-        extents->ascender = x_scale / 2;
-        extents->descender = x_scale - extents->ascender;
-        extents->line_gap = 0;
-      }
-    }
+    if (likely (HB_DIRECTION_IS_HORIZONTAL (direction)))
+      get_h_extents_with_fallback (extents);
+    else
+      get_v_extents_with_fallback (extents);
   }
 
   inline void get_glyph_advance_for_direction (hb_codepoint_t glyph,
@@ -325,14 +343,38 @@
     }
   }
 
-  /* Internal only */
   inline void guess_v_origin_minus_h_origin (hb_codepoint_t glyph,
                                              hb_position_t *x, hb_position_t *y)
   {
     *x = get_glyph_h_advance (glyph) / 2;
 
-    /* TODO use font_extents.ascender */
-    *y = y_scale;
+    /* TODO cache this somehow?! */
+    hb_font_extents_t extents;
+    get_h_extents_with_fallback (&extents);
+    *y = extents.ascender;
+  }
+
+  inline void get_glyph_h_origin_with_fallback (hb_codepoint_t glyph,
+                                                hb_position_t *x, hb_position_t *y)
+  {
+    if (!get_glyph_h_origin (glyph, x, y) &&
+         get_glyph_v_origin (glyph, x, y))
+    {
+      hb_position_t dx, dy;
+      guess_v_origin_minus_h_origin (glyph, &dx, &dy);
+      *x -= dx; *y -= dy;
+    }
+  }
+  inline void get_glyph_v_origin_with_fallback (hb_codepoint_t glyph,
+                                                hb_position_t *x, hb_position_t *y)
+  {
+    if (!get_glyph_v_origin (glyph, x, y) &&
+         get_glyph_h_origin (glyph, x, y))
+    {
+      hb_position_t dx, dy;
+      guess_v_origin_minus_h_origin (glyph, &dx, &dy);
+      *x += dx; *y += dy;
+    }
   }
 
   inline void get_glyph_origin_for_direction (hb_codepoint_t glyph,
@@ -340,25 +382,9 @@
                                               hb_position_t *x, hb_position_t *y)
   {
     if (likely (HB_DIRECTION_IS_HORIZONTAL (direction)))
-    {
-      if (!get_glyph_h_origin (glyph, x, y) &&
-           get_glyph_v_origin (glyph, x, y))
-      {
-        hb_position_t dx, dy;
-        guess_v_origin_minus_h_origin (glyph, &dx, &dy);
-        *x -= dx; *y -= dy;
-      }
-    }
+      get_glyph_h_origin_with_fallback (glyph, x, y);
     else
-    {
-      if (!get_glyph_v_origin (glyph, x, y) &&
-           get_glyph_h_origin (glyph, x, y))
-      {
-        hb_position_t dx, dy;
-        guess_v_origin_minus_h_origin (glyph, &dx, &dy);
-        *x += dx; *y += dy;
-      }
-    }
+      get_glyph_v_origin_with_fallback (glyph, x, y);
   }
 
   inline void add_glyph_h_origin (hb_codepoint_t glyph,
@@ -366,7 +392,7 @@
   {
     hb_position_t origin_x, origin_y;
 
-    get_glyph_h_origin (glyph, &origin_x, &origin_y);
+    get_glyph_h_origin_with_fallback (glyph, &origin_x, &origin_y);
 
     *x += origin_x;
     *y += origin_y;
@@ -376,7 +402,7 @@
   {
     hb_position_t origin_x, origin_y;
 
-    get_glyph_v_origin (glyph, &origin_x, &origin_y);
+    get_glyph_v_origin_with_fallback (glyph, &origin_x, &origin_y);
 
     *x += origin_x;
     *y += origin_y;
@@ -398,7 +424,7 @@
   {
     hb_position_t origin_x, origin_y;
 
-    get_glyph_h_origin (glyph, &origin_x, &origin_y);
+    get_glyph_h_origin_with_fallback (glyph, &origin_x, &origin_y);
 
     *x -= origin_x;
     *y -= origin_y;
@@ -408,7 +434,7 @@
   {
     hb_position_t origin_x, origin_y;
 
-    get_glyph_v_origin (glyph, &origin_x, &origin_y);
+    get_glyph_v_origin_with_fallback (glyph, &origin_x, &origin_y);
 
     *x -= origin_x;
     *y -= origin_y;
@@ -504,7 +530,6 @@
     return false;
   }
 
-  private:
   inline hb_position_t em_scale (int16_t v, int scale)
   {
     int upem = face->get_upem ();
@@ -512,6 +537,10 @@
     scaled += scaled >= 0 ? upem/2 : -upem/2; /* Round. */
     return (hb_position_t) (scaled / upem);
   }
+  inline hb_position_t em_scalef (float v, int scale)
+  {
+    return (hb_position_t) (v * scale / face->get_upem ());
+  }
 };
 
 #define HB_SHAPER_DATA_CREATE_FUNC_EXTRA_ARGS
--- a/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-font.cc	Fri Jan 20 19:09:53 2017 +0000
+++ b/jdk/src/java.desktop/share/native/libfontmanager/harfbuzz/hb-font.cc	Wed Jul 05 22:44:27 2017 +0200
@@ -35,8 +35,6 @@
 #include "hb-ot-head-table.hh"
 #include "hb-ot-maxp-table.hh"
 
-#include "hb-cache-private.hh"
-
 #include <string.h>
 
 
@@ -401,9 +399,9 @@
 /**
  * hb_font_funcs_create: (Xconstructor)
  *
+ * 
  *
- *
- * Return value: (transfer full):
+ * Return value: (transfer full): 
  *
  * Since: 0.9.2
  **/
@@ -423,9 +421,9 @@
 /**
  * hb_font_funcs_get_empty:
  *
+ * 
  *
- *
- * Return value: (transfer full):
+ * Return value: (transfer full): 
  *
  * Since: 0.9.2
  **/
@@ -439,9 +437,9 @@
  * hb_font_funcs_reference: (skip)
  * @ffuncs: font functions.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -455,7 +453,7 @@
  * hb_font_funcs_destroy: (skip)
  * @ffuncs: font functions.
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -475,14 +473,14 @@
 /**
  * hb_font_funcs_set_user_data: (skip)
  * @ffuncs: font functions.
- * @key:
- * @data:
- * @destroy:
- * @replace:
+ * @key: 
+ * @data: 
+ * @destroy: 
+ * @replace: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -499,11 +497,11 @@
 /**
  * hb_font_funcs_get_user_data: (skip)
  * @ffuncs: font functions.
- * @key:
+ * @key: 
  *
+ * 
  *
- *
- * Return value: (transfer none):
+ * Return value: (transfer none): 
  *
  * Since: 0.9.2
  **/
@@ -519,7 +517,7 @@
  * hb_font_funcs_make_immutable:
  * @ffuncs: font functions.
  *
- *
+ * 
  *
  * Since: 0.9.2
  **/
@@ -536,9 +534,9 @@
  * hb_font_funcs_is_immutable:
  * @ffuncs: font functions.
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -629,13 +627,13 @@
 /**
  * hb_font_get_glyph:
  * @font: a font.
- * @unicode:
- * @variation_selector:
- * @glyph: (out):
+ * @unicode: 
+ * @variation_selector: 
+ * @glyph: (out): 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -652,12 +650,12 @@
 /**
  * hb_font_get_nominal_glyph:
  * @font: a font.
- * @unicode:
- * @glyph: (out):
+ * @unicode: 
+ * @glyph: (out): 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 1.2.3
  **/
@@ -672,13 +670,13 @@
 /**
  * hb_font_get_variation_glyph:
  * @font: a font.
- * @unicode:
- * @variation_selector:
- * @glyph: (out):
+ * @unicode: 
+ * @variation_selector: 
+ * @glyph: (out): 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 1.2.3
  **/
@@ -693,11 +691,11 @@
 /**
  * hb_font_get_glyph_h_advance:
  * @font: a font.
- * @glyph:
+ * @glyph: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -711,11 +709,11 @@
 /**
  * hb_font_get_glyph_v_advance:
  * @font: a font.
- * @glyph:
+ * @glyph: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -729,13 +727,13 @@
 /**
  * hb_font_get_glyph_h_origin:
  * @font: a font.
- * @glyph:
- * @x: (out):
- * @y: (out):
+ * @glyph: 
+ * @x: (out): 
+ * @y: (out): 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -750,13 +748,13 @@
 /**
  * hb_font_get_glyph_v_origin:
  * @font: a font.
- * @glyph:
- * @x: (out):
- * @y: (out):
+ * @glyph: 
+ * @x: (out): 
+ * @y: (out): 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -771,12 +769,12 @@
 /**
  * hb_font_get_glyph_h_kerning:
  * @font: a font.
- * @left_glyph:
- * @right_glyph:
+ * @left_glyph: 
+ * @right_glyph: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -790,12 +788,12 @@
 /**
  * hb_font_get_glyph_v_kerning:
  * @font: a font.
- * @top_glyph:
- * @bottom_glyph:
+ * @top_glyph: 
+ * @bottom_glyph: 
  *
+ * 
  *
- *
- * Return value:
+ * Return value: 
  *
  * Since: 0.9.2
  **/
@@ -809,12 +807,12 @@