changeset 53073:11033c4ada54 jdk-13+1

Merge
author jwilhelm
date Wed, 19 Dec 2018 20:53:30 +0100
parents b732de3068f4 82d3f0820d37
children 1e213c37befa
files .hgtags src/hotspot/cpu/aarch64/aarch64.ad test/hotspot/jtreg/serviceability/jvmti/HeapMonitor/MyPackage/HeapMonitorThreadTest.java test/jdk/java/net/MulticastSocket/PromiscuousIPv6.java test/jdk/java/nio/channels/DatagramChannel/PromiscuousIPv6.java
diffstat 111 files changed, 2697 insertions(+), 1215 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Wed Dec 19 11:44:57 2018 -0800
+++ b/.hgtags	Wed Dec 19 20:53:30 2018 +0100
@@ -527,3 +527,4 @@
 732bec44c89e8b93a38296bf690f97b7230c5b6d jdk-12+22
 eef755718cb24813031a842bbfc716a6cea18e9a jdk-12+23
 cc4098b3bc10d1c390384289025fea7b0d4b9e93 jdk-13+0
+7d4397b43fa305806160785a4c7210600d59581a jdk-12+24
--- a/src/hotspot/cpu/aarch64/aarch64.ad	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/cpu/aarch64/aarch64.ad	Wed Dec 19 20:53:30 2018 +0100
@@ -2133,7 +2133,12 @@
 }
 
 const uint Matcher::vector_shift_count_ideal_reg(int size) {
-  return Op_VecX;
+  switch(size) {
+    case  8: return Op_VecD;
+    case 16: return Op_VecX;
+  }
+  ShouldNotReachHere();
+  return 0;
 }
 
 // AES support not yet implemented
@@ -16581,32 +16586,32 @@
 %}
 
 // ------------------------------ Shift ---------------------------------------
-
-instruct vshiftcntL(vecX dst, iRegIorL2I cnt) %{
+instruct vshiftcnt8B(vecD dst, iRegIorL2I cnt) %{
+  predicate(n->as_Vector()->length_in_bytes() == 8);
   match(Set dst (LShiftCntV cnt));
-  format %{ "dup  $dst, $cnt\t# shift count (vecX)" %}
+  match(Set dst (RShiftCntV cnt));
+  format %{ "dup  $dst, $cnt\t# shift count vector (8B)" %}
+  ins_encode %{
+    __ dup(as_FloatRegister($dst$$reg), __ T8B, as_Register($cnt$$reg));
+  %}
+  ins_pipe(vdup_reg_reg64);
+%}
+
+instruct vshiftcnt16B(vecX dst, iRegIorL2I cnt) %{
+  predicate(n->as_Vector()->length_in_bytes() == 16);
+  match(Set dst (LShiftCntV cnt));
+  match(Set dst (RShiftCntV cnt));
+  format %{ "dup  $dst, $cnt\t# shift count vector (16B)" %}
   ins_encode %{
     __ dup(as_FloatRegister($dst$$reg), __ T16B, as_Register($cnt$$reg));
   %}
   ins_pipe(vdup_reg_reg128);
 %}
 
-// Right shifts on aarch64 SIMD are implemented as left shift by -ve amount
-instruct vshiftcntR(vecX dst, iRegIorL2I cnt) %{
-  match(Set dst (RShiftCntV cnt));
-  format %{ "dup  $dst, $cnt\t# shift count (vecX)\n\tneg  $dst, $dst\t T16B" %}
-  ins_encode %{
-    __ dup(as_FloatRegister($dst$$reg), __ T16B, as_Register($cnt$$reg));
-    __ negr(as_FloatRegister($dst$$reg), __ T16B, as_FloatRegister($dst$$reg));
-  %}
-  ins_pipe(vdup_reg_reg128);
-%}
-
-instruct vsll8B(vecD dst, vecD src, vecX shift) %{
+instruct vsll8B(vecD dst, vecD src, vecD shift) %{
   predicate(n->as_Vector()->length() == 4 ||
             n->as_Vector()->length() == 8);
   match(Set dst (LShiftVB src shift));
-  match(Set dst (RShiftVB src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (8B)" %}
   ins_encode %{
@@ -16620,7 +16625,6 @@
 instruct vsll16B(vecX dst, vecX src, vecX shift) %{
   predicate(n->as_Vector()->length() == 16);
   match(Set dst (LShiftVB src shift));
-  match(Set dst (RShiftVB src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (16B)" %}
   ins_encode %{
@@ -16631,29 +16635,93 @@
   ins_pipe(vshift128);
 %}
 
-instruct vsrl8B(vecD dst, vecD src, vecX shift) %{
+// Right shifts with vector shift count on aarch64 SIMD are implemented
+// as left shift by negative shift count.
+// There are two cases for vector shift count.
+//
+// Case 1: The vector shift count is from replication.
+//        |            |
+//    LoadVector  RShiftCntV
+//        |       /
+//     RShiftVI
+// Note: In inner loop, multiple neg instructions are used, which can be
+// moved to outer loop and merge into one neg instruction.
+//
+// Case 2: The vector shift count is from loading.
+// This case isn't supported by middle-end now. But it's supported by
+// panama/vectorIntrinsics(JEP 338: Vector API).
+//        |            |
+//    LoadVector  LoadVector
+//        |       /
+//     RShiftVI
+//
+
+instruct vsra8B(vecD dst, vecD src, vecD shift, vecD tmp) %{
+  predicate(n->as_Vector()->length() == 4 ||
+            n->as_Vector()->length() == 8);
+  match(Set dst (RShiftVB src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (8B)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T8B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T8B,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift64);
+%}
+
+instruct vsra16B(vecX dst, vecX src, vecX shift, vecX tmp) %{
+  predicate(n->as_Vector()->length() == 16);
+  match(Set dst (RShiftVB src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (16B)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T16B,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift128);
+%}
+
+instruct vsrl8B(vecD dst, vecD src, vecD shift, vecD tmp) %{
   predicate(n->as_Vector()->length() == 4 ||
             n->as_Vector()->length() == 8);
   match(Set dst (URShiftVB src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (8B)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (8B)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T8B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T8B,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift64);
 %}
 
-instruct vsrl16B(vecX dst, vecX src, vecX shift) %{
+instruct vsrl16B(vecX dst, vecX src, vecX shift, vecX tmp) %{
   predicate(n->as_Vector()->length() == 16);
   match(Set dst (URShiftVB src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (16B)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (16B)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T16B,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift128);
 %}
@@ -16765,11 +16833,10 @@
   ins_pipe(vshift128_imm);
 %}
 
-instruct vsll4S(vecD dst, vecD src, vecX shift) %{
+instruct vsll4S(vecD dst, vecD src, vecD shift) %{
   predicate(n->as_Vector()->length() == 2 ||
             n->as_Vector()->length() == 4);
   match(Set dst (LShiftVS src shift));
-  match(Set dst (RShiftVS src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (4H)" %}
   ins_encode %{
@@ -16783,7 +16850,6 @@
 instruct vsll8S(vecX dst, vecX src, vecX shift) %{
   predicate(n->as_Vector()->length() == 8);
   match(Set dst (LShiftVS src shift));
-  match(Set dst (RShiftVS src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (8H)" %}
   ins_encode %{
@@ -16794,29 +16860,72 @@
   ins_pipe(vshift128);
 %}
 
-instruct vsrl4S(vecD dst, vecD src, vecX shift) %{
+instruct vsra4S(vecD dst, vecD src, vecD shift, vecD tmp) %{
+  predicate(n->as_Vector()->length() == 2 ||
+            n->as_Vector()->length() == 4);
+  match(Set dst (RShiftVS src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (4H)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T8B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T4H,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift64);
+%}
+
+instruct vsra8S(vecX dst, vecX src, vecX shift, vecX tmp) %{
+  predicate(n->as_Vector()->length() == 8);
+  match(Set dst (RShiftVS src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (8H)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T8H,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift128);
+%}
+
+instruct vsrl4S(vecD dst, vecD src, vecD shift, vecD tmp) %{
   predicate(n->as_Vector()->length() == 2 ||
             n->as_Vector()->length() == 4);
   match(Set dst (URShiftVS src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (4H)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (4H)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T8B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T4H,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift64);
 %}
 
-instruct vsrl8S(vecX dst, vecX src, vecX shift) %{
+instruct vsrl8S(vecX dst, vecX src, vecX shift, vecX tmp) %{
   predicate(n->as_Vector()->length() == 8);
   match(Set dst (URShiftVS src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (8H)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (8H)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T8H,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift128);
 %}
@@ -16928,10 +17037,9 @@
   ins_pipe(vshift128_imm);
 %}
 
-instruct vsll2I(vecD dst, vecD src, vecX shift) %{
+instruct vsll2I(vecD dst, vecD src, vecD shift) %{
   predicate(n->as_Vector()->length() == 2);
   match(Set dst (LShiftVI src shift));
-  match(Set dst (RShiftVI src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (2S)" %}
   ins_encode %{
@@ -16945,7 +17053,6 @@
 instruct vsll4I(vecX dst, vecX src, vecX shift) %{
   predicate(n->as_Vector()->length() == 4);
   match(Set dst (LShiftVI src shift));
-  match(Set dst (RShiftVI src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (4S)" %}
   ins_encode %{
@@ -16956,28 +17063,70 @@
   ins_pipe(vshift128);
 %}
 
-instruct vsrl2I(vecD dst, vecD src, vecX shift) %{
+instruct vsra2I(vecD dst, vecD src, vecD shift, vecD tmp) %{
+  predicate(n->as_Vector()->length() == 2);
+  match(Set dst (RShiftVI src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (2S)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T8B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T2S,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift64);
+%}
+
+instruct vsra4I(vecX dst, vecX src, vecX shift, vecX tmp) %{
+  predicate(n->as_Vector()->length() == 4);
+  match(Set dst (RShiftVI src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (4S)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T4S,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift128);
+%}
+
+instruct vsrl2I(vecD dst, vecD src, vecD shift, vecD tmp) %{
   predicate(n->as_Vector()->length() == 2);
   match(Set dst (URShiftVI src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (2S)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (2S)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T8B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T2S,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift64);
 %}
 
-instruct vsrl4I(vecX dst, vecX src, vecX shift) %{
+instruct vsrl4I(vecX dst, vecX src, vecX shift, vecX tmp) %{
   predicate(n->as_Vector()->length() == 4);
   match(Set dst (URShiftVI src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (4S)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (4S)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T4S,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift128);
 %}
@@ -17063,7 +17212,6 @@
 instruct vsll2L(vecX dst, vecX src, vecX shift) %{
   predicate(n->as_Vector()->length() == 2);
   match(Set dst (LShiftVL src shift));
-  match(Set dst (RShiftVL src shift));
   ins_cost(INSN_COST);
   format %{ "sshl  $dst,$src,$shift\t# vector (2D)" %}
   ins_encode %{
@@ -17074,15 +17222,36 @@
   ins_pipe(vshift128);
 %}
 
-instruct vsrl2L(vecX dst, vecX src, vecX shift) %{
+instruct vsra2L(vecX dst, vecX src, vecX shift, vecX tmp) %{
+  predicate(n->as_Vector()->length() == 2);
+  match(Set dst (RShiftVL src shift));
+  ins_cost(INSN_COST);
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "sshl  $dst,$src,$tmp\t# vector (2D)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
+    __ sshl(as_FloatRegister($dst$$reg), __ T2D,
+            as_FloatRegister($src$$reg),
+            as_FloatRegister($tmp$$reg));
+  %}
+  ins_pipe(vshift128);
+%}
+
+instruct vsrl2L(vecX dst, vecX src, vecX shift, vecX tmp) %{
   predicate(n->as_Vector()->length() == 2);
   match(Set dst (URShiftVL src shift));
   ins_cost(INSN_COST);
-  format %{ "ushl  $dst,$src,$shift\t# vector (2D)" %}
-  ins_encode %{
+  effect(TEMP tmp);
+  format %{ "negr  $tmp,$shift\t"
+            "ushl  $dst,$src,$tmp\t# vector (2D)" %}
+  ins_encode %{
+    __ negr(as_FloatRegister($tmp$$reg), __ T16B,
+            as_FloatRegister($shift$$reg));
     __ ushl(as_FloatRegister($dst$$reg), __ T2D,
             as_FloatRegister($src$$reg),
-            as_FloatRegister($shift$$reg));
+            as_FloatRegister($tmp$$reg));
   %}
   ins_pipe(vshift128);
 %}
--- a/src/hotspot/cpu/arm/arm.ad	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/cpu/arm/arm.ad	Wed Dec 19 20:53:30 2018 +0100
@@ -8945,9 +8945,10 @@
 instruct cmpFastLock(flagsRegP pcc, iRegP object, iRegP box, iRegP scratch2, iRegP scratch )
 %{
   match(Set pcc (FastLock object box));
+  predicate(!(UseBiasedLocking && !UseOptoBiasInlining));
 
   effect(TEMP scratch, TEMP scratch2);
-  ins_cost(100);
+  ins_cost(DEFAULT_COST*3);
 
   format %{ "FASTLOCK  $object, $box; KILL $scratch, $scratch2" %}
   ins_encode %{
@@ -8956,6 +8957,21 @@
   ins_pipe(long_memory_op);
 %}
 
+instruct cmpFastLock_noBiasInline(flagsRegP pcc, iRegP object, iRegP box, iRegP scratch2,
+                                  iRegP scratch, iRegP scratch3) %{
+  match(Set pcc (FastLock object box));
+  predicate(UseBiasedLocking && !UseOptoBiasInlining);
+
+  effect(TEMP scratch, TEMP scratch2, TEMP scratch3);
+  ins_cost(DEFAULT_COST*5);
+
+  format %{ "FASTLOCK  $object, $box; KILL $scratch, $scratch2, $scratch3" %}
+  ins_encode %{
+    __ fast_lock($object$$Register, $box$$Register, $scratch$$Register, $scratch2$$Register, $scratch3$$Register);
+  %}
+  ins_pipe(long_memory_op);
+%}
+
 
 instruct cmpFastUnlock(flagsRegP pcc, iRegP object, iRegP box, iRegP scratch2, iRegP scratch ) %{
   match(Set pcc (FastUnlock object box));
--- a/src/hotspot/cpu/arm/macroAssembler_arm.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/cpu/arm/macroAssembler_arm.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -1971,7 +1971,7 @@
 
 
 #ifdef COMPILER2
-void MacroAssembler::fast_lock(Register Roop, Register Rbox, Register Rscratch, Register Rscratch2)
+void MacroAssembler::fast_lock(Register Roop, Register Rbox, Register Rscratch, Register Rscratch2, Register scratch3)
 {
   assert(VM_Version::supports_ldrex(), "unsupported, yet?");
 
@@ -1985,11 +1985,13 @@
   Label fast_lock, done;
 
   if (UseBiasedLocking && !UseOptoBiasInlining) {
-    Label failed;
-    biased_locking_enter(Roop, Rmark, Rscratch, false, noreg, done, failed);
-    bind(failed);
+    assert(scratch3 != noreg, "need extra temporary for -XX:-UseOptoBiasInlining");
+    biased_locking_enter(Roop, Rmark, Rscratch, false, scratch3, done, done);
+    // Fall through if lock not biased otherwise branch to done
   }
 
+  // Invariant: Rmark loaded below does not contain biased lock pattern
+
   ldr(Rmark, Address(Roop, oopDesc::mark_offset_in_bytes()));
   tst(Rmark, markOopDesc::unlocked_value);
   b(fast_lock, ne);
@@ -2016,6 +2018,9 @@
 
   bind(done);
 
+  // At this point flags are set as follows:
+  //  EQ -> Success
+  //  NE -> Failure, branch to slow path
 }
 
 void MacroAssembler::fast_unlock(Register Roop, Register Rbox, Register Rscratch, Register Rscratch2)
--- a/src/hotspot/cpu/arm/macroAssembler_arm.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/cpu/arm/macroAssembler_arm.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -371,10 +371,10 @@
   // lock_reg and obj_reg must be loaded up with the appropriate values.
   // swap_reg must be supplied.
   // tmp_reg must be supplied.
-  // Optional slow case is for implementations (interpreter and C1) which branch to
-  // slow case directly. If slow_case is NULL, then leaves condition
-  // codes set (for C2's Fast_Lock node) and jumps to done label.
-  // Falls through for the fast locking attempt.
+  // Done label is branched to with condition code EQ set if the lock is
+  // biased and we acquired it. Slow case label is branched to with
+  // condition code NE set if the lock is biased but we failed to acquire
+  // it. Otherwise fall through.
   // Returns offset of first potentially-faulting instruction for null
   // check info (currently consumed only by C1). If
   // swap_reg_contains_mark is true then returns -1 as it is assumed
@@ -1073,7 +1073,7 @@
   void restore_default_fp_mode();
 
 #ifdef COMPILER2
-  void fast_lock(Register obj, Register box, Register scratch, Register scratch2);
+  void fast_lock(Register obj, Register box, Register scratch, Register scratch2, Register scratch3 = noreg);
   void fast_unlock(Register obj, Register box, Register scratch, Register scratch2);
 #endif
 
--- a/src/hotspot/cpu/x86/x86_32.ad	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/cpu/x86/x86_32.ad	Wed Dec 19 20:53:30 2018 +0100
@@ -7760,9 +7760,9 @@
   match(Set dst (MulAddS2I (Binary dst src1) (Binary src2 src3)));
   effect(KILL cr, KILL src2);
 
-  expand %{ mulI_rReg(dst, src1, cr);
-           mulI_rReg(src2, src3, cr);
-           addI_rReg(dst, src2, cr); %}
+  expand %{ mulI_eReg(dst, src1, cr);
+           mulI_eReg(src2, src3, cr);
+           addI_eReg(dst, src2, cr); %}
 %}
 
 // Multiply Register Int to Long
--- a/src/hotspot/share/classfile/dictionary.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/classfile/dictionary.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -173,7 +173,7 @@
     for (ProtectionDomainEntry* current = pd_set(); // accessed at a safepoint
                                 current != NULL;
                                 current = current->_next) {
-      guarantee(oopDesc::is_oop(current->_pd_cache->object_no_keepalive()), "Invalid oop");
+      guarantee(oopDesc::is_oop_or_null(current->_pd_cache->object_no_keepalive()), "Invalid oop");
     }
   }
 
--- a/src/hotspot/share/code/scopeDesc.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/code/scopeDesc.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -51,9 +51,9 @@
 }
 
 
-ScopeDesc::ScopeDesc(const ScopeDesc* parent) {
+void ScopeDesc::initialize(const ScopeDesc* parent, int decode_offset) {
   _code          = parent->_code;
-  _decode_offset = parent->_sender_decode_offset;
+  _decode_offset = decode_offset;
   _objects       = parent->_objects;
   _reexecute     = false; //reexecute only applies to the first scope
   _rethrow_exception = false;
@@ -61,6 +61,14 @@
   decode_body();
 }
 
+ScopeDesc::ScopeDesc(const ScopeDesc* parent) {
+  initialize(parent, parent->_sender_decode_offset);
+}
+
+ScopeDesc::ScopeDesc(const ScopeDesc* parent, int decode_offset) {
+  initialize(parent, decode_offset);
+}
+
 
 void ScopeDesc::decode_body() {
   if (decode_offset() == DebugInformationRecorder::serialized_null) {
--- a/src/hotspot/share/code/scopeDesc.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/code/scopeDesc.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -67,6 +67,9 @@
   // avoid a .hpp-.hpp dependency.)
   ScopeDesc(const CompiledMethod* code, int decode_offset, bool reexecute, bool rethrow_exception, bool return_oop);
 
+  // Direct access to scope
+  ScopeDesc* at_offset(int decode_offset) { return new ScopeDesc(this, decode_offset); }
+
   // JVM state
   Method* method()      const { return _method; }
   int          bci()      const { return _bci;    }
@@ -85,12 +88,16 @@
   // Returns where the scope was decoded
   int decode_offset() const { return _decode_offset; }
 
+  int sender_decode_offset() const { return _sender_decode_offset; }
+
   // Tells whether sender() returns NULL
   bool is_top() const;
 
  private:
-  // Alternative constructor
+  void initialize(const ScopeDesc* parent, int decode_offset);
+  // Alternative constructors
   ScopeDesc(const ScopeDesc* parent);
+  ScopeDesc(const ScopeDesc* parent, int decode_offset);
 
   // JVM state
   Method*       _method;
--- a/src/hotspot/share/gc/z/zObjectAllocator.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/gc/z/zObjectAllocator.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -128,7 +128,8 @@
 }
 
 uintptr_t ZObjectAllocator::alloc_small_object_from_nonworker(size_t size, ZAllocationFlags flags) {
-  assert(ZThread::is_java() || ZThread::is_vm(), "Should be a Java or VM thread");
+  assert(ZThread::is_java() || ZThread::is_vm() || ZThread::is_runtime_worker(),
+         "Should be a Java, VM or Runtime worker thread");
 
   // Non-worker small page allocation can never use the reserve
   flags.set_no_reserve();
@@ -193,7 +194,8 @@
 }
 
 uintptr_t ZObjectAllocator::alloc_object_for_relocation(size_t size) {
-  assert(ZThread::is_java() || ZThread::is_worker() || ZThread::is_vm(), "Unknown thread");
+  assert(ZThread::is_java() || ZThread::is_vm() || ZThread::is_worker() || ZThread::is_runtime_worker(),
+         "Unknown thread");
 
   ZAllocationFlags flags;
   flags.set_relocation();
--- a/src/hotspot/share/gc/z/zRuntimeWorkers.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/gc/z/zRuntimeWorkers.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -22,7 +22,43 @@
  */
 
 #include "precompiled.hpp"
+#include "gc/shared/workgroup.hpp"
 #include "gc/z/zRuntimeWorkers.hpp"
+#include "gc/z/zThread.hpp"
+#include "runtime/mutexLocker.hpp"
+
+class ZRuntimeWorkersInitializeTask : public AbstractGangTask {
+private:
+  const uint _nworkers;
+  uint       _started;
+  Monitor    _monitor;
+
+public:
+  ZRuntimeWorkersInitializeTask(uint nworkers) :
+      AbstractGangTask("ZRuntimeWorkersInitializeTask"),
+      _nworkers(nworkers),
+      _started(0),
+      _monitor(Monitor::leaf,
+               "ZRuntimeWorkersInitialize",
+               false /* allow_vm_block */,
+               Monitor::_safepoint_check_never) {}
+
+  virtual void work(uint worker_id) {
+    // Register as runtime worker
+    ZThread::set_runtime_worker();
+
+    // Wait for all threads to start
+    MonitorLockerEx ml(&_monitor, Monitor::_no_safepoint_check_flag);
+    if (++_started == _nworkers) {
+      // All threads started
+      ml.notify_all();
+    } else {
+      while (_started != _nworkers) {
+        ml.wait(Monitor::_no_safepoint_check_flag);
+      }
+    }
+  }
+};
 
 ZRuntimeWorkers::ZRuntimeWorkers() :
     _workers("RuntimeWorker",
@@ -35,6 +71,15 @@
   // Initialize worker threads
   _workers.initialize_workers();
   _workers.update_active_workers(nworkers());
+  if (_workers.active_workers() != nworkers()) {
+    vm_exit_during_initialization("Failed to create ZRuntimeWorkers");
+  }
+
+  // Execute task to register threads as runtime workers. This also
+  // helps reduce latency in early safepoints, which otherwise would
+  // have to take on any warmup costs.
+  ZRuntimeWorkersInitializeTask task(nworkers());
+  _workers.run_task(&task);
 }
 
 uint ZRuntimeWorkers::nworkers() const {
--- a/src/hotspot/share/gc/z/zThread.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/gc/z/zThread.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -31,6 +31,7 @@
 __thread bool      ZThread::_is_vm;
 __thread bool      ZThread::_is_java;
 __thread bool      ZThread::_is_worker;
+__thread bool      ZThread::_is_runtime_worker;
 __thread uint      ZThread::_worker_id;
 
 void ZThread::initialize() {
@@ -40,7 +41,8 @@
   _id = (uintptr_t)thread;
   _is_vm = thread->is_VM_thread();
   _is_java = thread->is_Java_thread();
-  _is_worker = thread->is_Worker_thread();
+  _is_worker = false;
+  _is_runtime_worker = false;
   _worker_id = (uint)-1;
 }
 
@@ -56,6 +58,16 @@
   return "Unknown";
 }
 
+void ZThread::set_worker() {
+  ensure_initialized();
+  _is_worker = true;
+}
+
+void ZThread::set_runtime_worker() {
+  ensure_initialized();
+  _is_runtime_worker = true;
+}
+
 bool ZThread::has_worker_id() {
   return _initialized &&
          _is_worker &&
--- a/src/hotspot/share/gc/z/zThread.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/gc/z/zThread.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -29,6 +29,8 @@
 
 class ZThread : public AllStatic {
   friend class ZTask;
+  friend class ZWorkersInitializeTask;
+  friend class ZRuntimeWorkersInitializeTask;
 
 private:
   static __thread bool      _initialized;
@@ -36,6 +38,7 @@
   static __thread bool      _is_vm;
   static __thread bool      _is_java;
   static __thread bool      _is_worker;
+  static __thread bool      _is_runtime_worker;
   static __thread uint      _worker_id;
 
   static void initialize();
@@ -46,6 +49,9 @@
     }
   }
 
+  static void set_worker();
+  static void set_runtime_worker();
+
   static bool has_worker_id();
   static void set_worker_id(uint worker_id);
   static void clear_worker_id();
@@ -73,6 +79,11 @@
     return _is_worker;
   }
 
+  static bool is_runtime_worker() {
+    ensure_initialized();
+    return _is_runtime_worker;
+  }
+
   static uint worker_id() {
     assert(has_worker_id(), "Worker id not initialized");
     return _worker_id;
--- a/src/hotspot/share/gc/z/zWorkers.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/gc/z/zWorkers.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -24,6 +24,7 @@
 #include "precompiled.hpp"
 #include "gc/z/zGlobals.hpp"
 #include "gc/z/zTask.hpp"
+#include "gc/z/zThread.hpp"
 #include "gc/z/zWorkers.inline.hpp"
 #include "runtime/os.hpp"
 #include "runtime/mutexLocker.hpp"
@@ -64,20 +65,26 @@
   return calculate_nworkers(12.5);
 }
 
-class ZWorkersWarmupTask : public ZTask {
+class ZWorkersInitializeTask : public ZTask {
 private:
   const uint _nworkers;
   uint       _started;
   Monitor    _monitor;
 
 public:
-  ZWorkersWarmupTask(uint nworkers) :
-      ZTask("ZWorkersWarmupTask"),
+  ZWorkersInitializeTask(uint nworkers) :
+      ZTask("ZWorkersInitializeTask"),
       _nworkers(nworkers),
       _started(0),
-      _monitor(Monitor::leaf, "ZWorkersWarmup", false, Monitor::_safepoint_check_never) {}
+      _monitor(Monitor::leaf,
+               "ZWorkersInitialize",
+               false /* allow_vm_block */,
+               Monitor::_safepoint_check_never) {}
 
   virtual void work() {
+    // Register as worker
+    ZThread::set_worker();
+
     // Wait for all threads to start
     MonitorLockerEx ml(&_monitor, Monitor::_no_safepoint_check_flag);
     if (++_started == _nworkers) {
@@ -107,10 +114,10 @@
     vm_exit_during_initialization("Failed to create ZWorkers");
   }
 
-  // Warm up worker threads by having them execute a dummy task.
-  // This helps reduce latency in early GC pauses, which otherwise
-  // would have to take on any warmup costs.
-  ZWorkersWarmupTask task(nworkers());
+  // Execute task to register threads as workers. This also helps
+  // reduce latency in early GC pauses, which otherwise would have
+  // to take on any warmup costs.
+  ZWorkersInitializeTask task(nworkers());
   run(&task, nworkers());
 }
 
--- a/src/hotspot/share/include/jvm.h	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/include/jvm.h	Wed Dec 19 20:53:30 2018 +0100
@@ -625,6 +625,15 @@
 JNIEXPORT jobject JNICALL
 JVM_GetInheritedAccessControlContext(JNIEnv *env, jclass cls);
 
+/*
+ * Ensure that code doing a stackwalk and using javaVFrame::locals() to
+ * get the value will see a materialized value and not a scalar-replaced
+ * null value.
+ */
+#define JVM_EnsureMaterializedForStackWalk(env, value) \
+    do {} while(0) // Nothing to do.  The fact that the value escaped
+                   // through a native method is enough.
+
 JNIEXPORT jobject JNICALL
 JVM_GetStackAccessControlContext(JNIEnv *env, jclass cls);
 
--- a/src/hotspot/share/opto/compile.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/opto/compile.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -3469,8 +3469,7 @@
   }
   case Op_CmpUL: {
     if (!Matcher::has_match_rule(Op_CmpUL)) {
-      // We don't support unsigned long comparisons. Set 'max_idx_expr'
-      // to max_julong if < 0 to make the signed comparison fail.
+      // No support for unsigned long comparisons
       ConINode* sign_pos = new ConINode(TypeInt::make(BitsPerLong - 1));
       Node* sign_bit_mask = new RShiftLNode(n->in(1), sign_pos);
       Node* orl = new OrLNode(n->in(1), sign_bit_mask);
--- a/src/hotspot/share/opto/loopTransform.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/opto/loopTransform.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -2289,9 +2289,9 @@
   register_new_node(opaque_bol, predicate_proj);
   IfNode* new_iff = NULL;
   if (overflow) {
-    new_iff = new IfNode(predicate_proj, bol, PROB_MAX, COUNT_UNKNOWN);
+    new_iff = new IfNode(predicate_proj, opaque_bol, PROB_MAX, COUNT_UNKNOWN);
   } else {
-    new_iff = new RangeCheckNode(predicate_proj, bol, PROB_MAX, COUNT_UNKNOWN);
+    new_iff = new RangeCheckNode(predicate_proj, opaque_bol, PROB_MAX, COUNT_UNKNOWN);
   }
   register_control(new_iff, loop->_parent, predicate_proj);
   Node* iffalse = new IfFalseNode(new_iff);
--- a/src/hotspot/share/opto/loopnode.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/opto/loopnode.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -302,7 +302,7 @@
   void set_slp_max_unroll(int unroll_factor) { _slp_maximum_unroll_factor = unroll_factor; }
   int  slp_max_unroll() const                { return _slp_maximum_unroll_factor; }
 
-  virtual LoopNode* skip_strip_mined(int expect_opaq = 1);
+  virtual LoopNode* skip_strip_mined(int expect_skeleton = 1);
   OuterStripMinedLoopNode* outer_loop() const;
   virtual IfTrueNode* outer_loop_tail() const;
   virtual OuterStripMinedLoopEndNode* outer_loop_end() const;
--- a/src/hotspot/share/opto/node.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/opto/node.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -1367,7 +1367,7 @@
         igvn->C->remove_range_check_cast(cast);
       }
       if (dead->Opcode() == Op_Opaque4) {
-        igvn->C->remove_range_check_cast(dead);
+        igvn->C->remove_opaque4_node(dead);
       }
       BarrierSetC2* bs = BarrierSet::barrier_set()->barrier_set_c2();
       bs->unregister_potential_barrier_node(dead);
--- a/src/hotspot/share/prims/jni.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/prims/jni.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -823,9 +823,7 @@
 
   HOTSPOT_JNI_ISSAMEOBJECT_ENTRY(env, r1, r2);
 
-  oop a = JNIHandles::resolve(r1);
-  oop b = JNIHandles::resolve(r2);
-  jboolean ret = oopDesc::equals(a, b) ? JNI_TRUE : JNI_FALSE;
+  jboolean ret = JNIHandles::is_same_object(r1, r2) ? JNI_TRUE : JNI_FALSE;
 
   HOTSPOT_JNI_ISSAMEOBJECT_RETURN(ret);
   return ret;
--- a/src/hotspot/share/prims/jvm.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/prims/jvm.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -61,6 +61,7 @@
 #include "runtime/handles.inline.hpp"
 #include "runtime/init.hpp"
 #include "runtime/interfaceSupport.inline.hpp"
+#include "runtime/deoptimization.hpp"
 #include "runtime/java.hpp"
 #include "runtime/javaCalls.hpp"
 #include "runtime/jfieldIDWorkaround.hpp"
@@ -1230,11 +1231,10 @@
   oop protection_domain = NULL;
 
   // Iterate through Java frames
-  RegisterMap reg_map(thread);
-  javaVFrame *vf = thread->last_java_vframe(&reg_map);
-  for (; vf != NULL; vf = vf->java_sender()) {
+  vframeStream vfst(thread);
+  for(; !vfst.at_end(); vfst.next()) {
     // get method of frame
-    Method* method = vf->method();
+    Method* method = vfst.method();
 
     // stop at the first privileged frame
     if (method->method_holder() == SystemDictionary::AccessController_klass() &&
@@ -1243,13 +1243,15 @@
       // this frame is privileged
       is_privileged = true;
 
-      javaVFrame *priv = vf;                        // executePrivileged
-      javaVFrame *caller_fr = priv->java_sender();  // doPrivileged
-      caller_fr = caller_fr->java_sender();         // caller
+      javaVFrame *priv = vfst.asJavaVFrame();       // executePrivileged
 
       StackValueCollection* locals = priv->locals();
-      privileged_context = locals->obj_at(1);
-      Handle caller      = locals->obj_at(2);
+      StackValue* ctx_sv = locals->at(1); // AccessControlContext context
+      StackValue* clr_sv = locals->at(2); // Class<?> caller
+      assert(!ctx_sv->obj_is_scalar_replaced(), "found scalar-replaced object");
+      assert(!clr_sv->obj_is_scalar_replaced(), "found scalar-replaced object");
+      privileged_context    = ctx_sv->get_obj();
+      Handle caller         = clr_sv->get_obj();
 
       Klass *caller_klass = java_lang_Class::as_Klass(caller());
       protection_domain  = caller_klass->protection_domain();
--- a/src/hotspot/share/runtime/jniHandles.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/jniHandles.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -152,17 +152,11 @@
 oop JNIHandles::resolve_external_guard(jobject handle) {
   oop result = NULL;
   if (handle != NULL) {
-    result = resolve_impl<true /* external_guard */ >(handle);
+    result = resolve_impl<0 /* decorators */, true /* external_guard */>(handle);
   }
   return result;
 }
 
-oop JNIHandles::resolve_jweak(jweak handle) {
-  assert(handle != NULL, "precondition");
-  assert(is_jweak(handle), "precondition");
-  return NativeAccess<ON_PHANTOM_OOP_REF>::oop_load(jweak_ptr(handle));
-}
-
 bool JNIHandles::is_global_weak_cleared(jweak handle) {
   assert(handle != NULL, "precondition");
   assert(is_jweak(handle), "not a weak handle");
@@ -318,7 +312,7 @@
 class VerifyJNIHandles: public OopClosure {
 public:
   virtual void do_oop(oop* root) {
-    guarantee(oopDesc::is_oop(RawAccess<>::oop_load(root)), "Invalid oop");
+    guarantee(oopDesc::is_oop_or_null(RawAccess<>::oop_load(root)), "Invalid oop");
   }
   virtual void do_oop(narrowOop* root) { ShouldNotReachHere(); }
 };
--- a/src/hotspot/share/runtime/jniHandles.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/jniHandles.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -42,8 +42,10 @@
   inline static oop* jobject_ptr(jobject handle); // NOT jweak!
   inline static oop* jweak_ptr(jobject handle);
 
-  template<bool external_guard> inline static oop resolve_impl(jobject handle);
-  static oop resolve_jweak(jweak handle);
+  template <DecoratorSet decorators, bool external_guard> inline static oop resolve_impl(jobject handle);
+
+  // Resolve handle into oop, without keeping the object alive
+  inline static oop resolve_no_keepalive(jobject handle);
 
   // This method is not inlined in order to avoid circular includes between
   // this header file and thread.hpp.
@@ -70,6 +72,9 @@
   // Resolve externally provided handle into oop with some guards
   static oop resolve_external_guard(jobject handle);
 
+  // Check for equality without keeping objects alive
+  static bool is_same_object(jobject handle1, jobject handle2);
+
   // Local handles
   static jobject make_local(oop obj);
   static jobject make_local(JNIEnv* env, oop obj);    // Fast version when env is known
--- a/src/hotspot/share/runtime/jniHandles.inline.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/jniHandles.inline.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -49,15 +49,15 @@
 }
 
 // external_guard is true if called from resolve_external_guard.
-template<bool external_guard>
+template <DecoratorSet decorators, bool external_guard>
 inline oop JNIHandles::resolve_impl(jobject handle) {
   assert(handle != NULL, "precondition");
   assert(!current_thread_in_native(), "must not be in native");
   oop result;
   if (is_jweak(handle)) {       // Unlikely
-    result = resolve_jweak(handle);
+    result = NativeAccess<ON_PHANTOM_OOP_REF|decorators>::oop_load(jweak_ptr(handle));
   } else {
-    result = NativeAccess<>::oop_load(jobject_ptr(handle));
+    result = NativeAccess<decorators>::oop_load(jobject_ptr(handle));
     // Construction of jobjects canonicalize a null value into a null
     // jobject, so for non-jweak the pointee should never be null.
     assert(external_guard || result != NULL, "Invalid JNI handle");
@@ -68,14 +68,28 @@
 inline oop JNIHandles::resolve(jobject handle) {
   oop result = NULL;
   if (handle != NULL) {
-    result = resolve_impl<false /* external_guard */ >(handle);
+    result = resolve_impl<0 /* decorators */, false /* external_guard */>(handle);
   }
   return result;
 }
 
+inline oop JNIHandles::resolve_no_keepalive(jobject handle) {
+  oop result = NULL;
+  if (handle != NULL) {
+    result = resolve_impl<AS_NO_KEEPALIVE, false /* external_guard */>(handle);
+  }
+  return result;
+}
+
+inline bool JNIHandles::is_same_object(jobject handle1, jobject handle2) {
+  oop obj1 = resolve_no_keepalive(handle1);
+  oop obj2 = resolve_no_keepalive(handle2);
+  return oopDesc::equals(obj1, obj2);
+}
+
 inline oop JNIHandles::resolve_non_null(jobject handle) {
   assert(handle != NULL, "JNI handle should not be null");
-  oop result = resolve_impl<false /* external_guard */ >(handle);
+  oop result = resolve_impl<0 /* decorators */, false /* external_guard */>(handle);
   assert(result != NULL, "NULL read from jni handle");
   return result;
 }
--- a/src/hotspot/share/runtime/vframe.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/vframe.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -452,8 +452,10 @@
   _stop_at_java_call_stub = stop_at_java_call_stub;
 
   // skip top frame, as it may not be at safepoint
+  _prev_frame = top_frame;
   _frame  = top_frame.sender(&_reg_map);
   while (!fill_from_frame()) {
+    _prev_frame = _frame;
     _frame = _frame.sender(&_reg_map);
   }
 }
@@ -534,6 +536,37 @@
   }
 }
 
+javaVFrame* vframeStreamCommon::asJavaVFrame() {
+  javaVFrame* result = NULL;
+  if (_mode == compiled_mode) {
+    guarantee(_frame.is_compiled_frame(), "expected compiled Java frame");
+
+    // lazy update to register map
+    bool update_map = true;
+    RegisterMap map(_thread, update_map);
+    frame f = _prev_frame.sender(&map);
+
+    guarantee(f.is_compiled_frame(), "expected compiled Java frame");
+
+    compiledVFrame* cvf = compiledVFrame::cast(vframe::new_vframe(&f, &map, _thread));
+
+    guarantee(cvf->cb() == cb(), "wrong code blob");
+
+    // get the same scope as this stream
+    cvf = cvf->at_scope(_decode_offset, _vframe_id);
+
+    guarantee(cvf->scope()->decode_offset() == _decode_offset, "wrong scope");
+    guarantee(cvf->scope()->sender_decode_offset() == _sender_decode_offset, "wrong scope");
+    guarantee(cvf->vframe_id() == _vframe_id, "wrong vframe");
+
+    result = cvf;
+  } else {
+    result = javaVFrame::cast(vframe::new_vframe(&_frame, &_reg_map, _thread));
+  }
+  guarantee(result->method() == method(), "wrong method");
+  return result;
+}
+
 
 #ifndef PRODUCT
 void vframe::print() {
--- a/src/hotspot/share/runtime/vframe.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/vframe.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -278,12 +278,16 @@
 class vframeStreamCommon : StackObj {
  protected:
   // common
+  frame        _prev_frame;
   frame        _frame;
   JavaThread*  _thread;
   RegisterMap  _reg_map;
   enum { interpreted_mode, compiled_mode, at_end_mode } _mode;
 
+  // For compiled_mode
+  int _decode_offset;
   int _sender_decode_offset;
+  int _vframe_id;
 
   // Cached information
   Method* _method;
@@ -320,6 +324,8 @@
       return (CompiledMethod*) cb();
   }
 
+  javaVFrame* asJavaVFrame();
+
   // Frame type
   inline bool is_interpreted_frame() const;
   inline bool is_entry_frame() const;
--- a/src/hotspot/share/runtime/vframe.inline.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/vframe.inline.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -44,6 +44,7 @@
 
   // handle general case
   do {
+    _prev_frame = _frame;
     _frame = _frame.sender(&_reg_map);
   } while (!fill_from_frame());
 }
@@ -59,6 +60,7 @@
 
   _frame = _thread->last_frame();
   while (!fill_from_frame()) {
+    _prev_frame = _frame;
     _frame = _frame.sender(&_reg_map);
   }
 }
@@ -68,12 +70,14 @@
     return false;
   }
   fill_from_compiled_frame(_sender_decode_offset);
+  ++_vframe_id;
   return true;
 }
 
 
 inline void vframeStreamCommon::fill_from_compiled_frame(int decode_offset) {
   _mode = compiled_mode;
+  _decode_offset = decode_offset;
 
   // Range check to detect ridiculous offsets.
   if (decode_offset == DebugInformationRecorder::serialized_null ||
@@ -118,6 +122,8 @@
 inline void vframeStreamCommon::fill_from_compiled_native_frame() {
   _mode = compiled_mode;
   _sender_decode_offset = DebugInformationRecorder::serialized_null;
+  _decode_offset = DebugInformationRecorder::serialized_null;
+  _vframe_id = 0;
   _method = nm()->method();
   _bci = 0;
 }
@@ -187,6 +193,7 @@
         decode_offset = pc_desc->scope_decode_offset();
       }
       fill_from_compiled_frame(decode_offset);
+      _vframe_id = 0;
     }
     return true;
   }
--- a/src/hotspot/share/runtime/vframe_hp.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/vframe_hp.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -252,6 +252,14 @@
   guarantee(_scope != NULL, "scope must be present");
 }
 
+compiledVFrame* compiledVFrame::at_scope(int decode_offset, int vframe_id) {
+  if (scope()->decode_offset() != decode_offset) {
+    ScopeDesc* scope = this->scope()->at_offset(decode_offset);
+    return new compiledVFrame(frame_pointer(), register_map(), thread(), scope, vframe_id);
+  }
+  assert(_vframe_id == vframe_id, "wrong frame id");
+  return this;
+}
 
 bool compiledVFrame::is_top() const {
   // FIX IT: Remove this when new native stubs are in place
--- a/src/hotspot/share/runtime/vframe_hp.hpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/vframe_hp.hpp	Wed Dec 19 20:53:30 2018 +0100
@@ -72,6 +72,9 @@
   // Returns the scopeDesc
   ScopeDesc* scope() const { return _scope; }
 
+  // Return the compiledVFrame for the desired scope
+  compiledVFrame* at_scope(int decode_offset, int vframe_id);
+
   // Returns SynchronizationEntryBCI or bci() (used for synchronization)
   int raw_bci() const;
 
--- a/src/hotspot/share/runtime/vmThread.cpp	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/hotspot/share/runtime/vmThread.cpp	Wed Dec 19 20:53:30 2018 +0100
@@ -206,7 +206,7 @@
   if (is_armed()) {
     jlong delay = (os::javaTimeMillis() - _arm_time);
     if (delay > AbortVMOnVMOperationTimeoutDelay) {
-      fatal("VM operation took too long: " SIZE_FORMAT " ms (timeout: " SIZE_FORMAT " ms)",
+      fatal("VM operation took too long: " JLONG_FORMAT " ms (timeout: " INTX_FORMAT " ms)",
             delay, AbortVMOnVMOperationTimeoutDelay);
     }
   }
--- a/src/java.base/share/classes/java/lang/String.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/java/lang/String.java	Wed Dec 19 20:53:30 2018 +0100
@@ -664,7 +664,7 @@
      *          object.
      */
     public int length() {
-        return isLatin1() ? value.length : value.length >> UTF16;
+        return value.length >> coder();
     }
 
     /**
--- a/src/java.base/share/classes/java/security/AccessController.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/java/security/AccessController.java	Wed Dec 19 20:53:30 2018 +0100
@@ -710,6 +710,13 @@
     }
 
     /**
+     * The value needs to be physically located in the frame, so that it
+     * can be found by a stack walk.
+     */
+    @Hidden
+    private static native void ensureMaterializedForStackWalk(Object o);
+
+    /**
      * Sanity check that the caller context is indeed privileged.
      *
      * Used by executePrivileged to make sure the frame is properly
@@ -734,6 +741,11 @@
                           AccessControlContext context,
                           Class<?> caller)
     {
+        // Ensure context has a physical value in the frame
+        if (context != null) {
+            ensureMaterializedForStackWalk(context);
+        }
+
         assert isPrivileged(); // sanity check invariant
         T result = action.run();
         assert isPrivileged(); // sanity check invariant
@@ -742,7 +754,6 @@
         // retrieved by getStackAccessControlContext().
         Reference.reachabilityFence(context);
         Reference.reachabilityFence(caller);
-        Reference.reachabilityFence(action);
         return result;
     }
 
@@ -761,6 +772,11 @@
                           Class<?> caller)
         throws Exception
     {
+        // Ensure context has a physical value in the frame
+        if (context != null) {
+            ensureMaterializedForStackWalk(context);
+        }
+
         assert isPrivileged(); // sanity check invariant
         T result = action.run();
         assert isPrivileged(); // sanity check invariant
@@ -769,7 +785,6 @@
         // retrieved by getStackAccessControlContext().
         Reference.reachabilityFence(context);
         Reference.reachabilityFence(caller);
-        Reference.reachabilityFence(action);
         return result;
     }
 
--- a/src/java.base/share/classes/sun/security/ssl/Alert.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/Alert.java	Wed Dec 19 20:53:30 2018 +0100
@@ -122,11 +122,17 @@
             reason = (cause != null) ? cause.getMessage() : "";
         }
 
-        SSLException ssle = (this == UNEXPECTED_MESSAGE) ?
-                new SSLProtocolException(reason) :
-                (handshakeOnly ?
-                        new SSLHandshakeException(reason) :
-                        new SSLException(reason));
+        SSLException ssle;
+        if ((cause != null) && (cause instanceof IOException)) {
+            ssle = new SSLException(reason);
+        } else if ((this == UNEXPECTED_MESSAGE)) {
+            ssle = new SSLProtocolException(reason);
+        } else if (handshakeOnly) {
+            ssle = new SSLHandshakeException(reason);
+        } else {
+            ssle = new SSLException(reason);
+        }
+
         if (cause != null) {
             ssle.initCause(cause);
         }
@@ -187,7 +193,7 @@
             //      AlertDescription description;
             //  } Alert;
             if (m.remaining() != 2) {
-                context.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid Alert message: no sufficient data");
             }
 
@@ -241,14 +247,14 @@
                 if (tc.peerUserCanceled) {
                     tc.closeOutbound();
                 } else if (tc.handshakeContext != null) {
-                    tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Received close_notify during handshake");
                 }
             } else if (alert == Alert.USER_CANCELED) {
                 if (level == Level.WARNING) {
                     tc.peerUserCanceled = true;
                 } else {
-                    tc.fatal(alert,
+                    throw tc.fatal(alert,
                             "Received fatal close_notify alert", true, null);
                 }
             } else if ((level == Level.WARNING) && (alert != null)) {
@@ -263,7 +269,7 @@
                             alert != Alert.NO_CERTIFICATE ||
                             (tc.sslConfig.clientAuthType !=
                                     ClientAuthType.CLIENT_AUTH_REQUESTED)) {
-                        tc.fatal(Alert.HANDSHAKE_FAILURE,
+                        throw tc.fatal(Alert.HANDSHAKE_FAILURE,
                             "received handshake warning: " + alert.description);
                     }  // Otherwise, ignore the warning
                 }   // Otherwise, ignore the warning.
@@ -276,7 +282,7 @@
                     diagnostic = "Received fatal alert: " + alert.description;
                 }
 
-                tc.fatal(alert, diagnostic, true, null);
+                throw tc.fatal(alert, diagnostic, true, null);
             }
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -174,7 +174,8 @@
                         SSLLogger.severe(
                                 "Application protocol name cannot be empty");
                     }
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                             "Application protocol name cannot be empty");
                 }
 
@@ -189,7 +190,8 @@
                                 ") exceeds the size limit (" +
                                 MAX_AP_LENGTH + " bytes)");
                     }
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                                 "Application protocol name (" + ap +
                                 ") exceeds the size limit (" +
                                 MAX_AP_LENGTH + " bytes)");
@@ -204,7 +206,8 @@
                                 ") exceed the size limit (" +
                                 MAX_AP_LIST_LENGTH + " bytes)");
                     }
-                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                                 "The configured application protocols (" +
                                 Arrays.toString(laps) +
                                 ") exceed the size limit (" +
@@ -283,8 +286,7 @@
             try {
                 spec = new AlpnSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -302,7 +304,7 @@
                 }
 
                 if (!matched) {
-                    shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                    throw shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
                             "No matching application layer protocol values");
                 }
             }   // Otherwise, applicationProtocol will be set by the
@@ -379,7 +381,8 @@
                     if ((shc.applicationProtocol == null) ||
                             (!shc.applicationProtocol.isEmpty() &&
                             !alps.contains(shc.applicationProtocol))) {
-                        shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                        throw shc.conContext.fatal(
+                            Alert.NO_APPLICATION_PROTOCOL,
                             "No matching application layer protocol values");
                     }
                 }
@@ -391,7 +394,8 @@
                     if ((shc.applicationProtocol == null) ||
                             (!shc.applicationProtocol.isEmpty() &&
                             !alps.contains(shc.applicationProtocol))) {
-                        shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                        throw shc.conContext.fatal(
+                            Alert.NO_APPLICATION_PROTOCOL,
                             "No matching application layer protocol values");
                     }
                 }
@@ -454,7 +458,7 @@
             if (requestedAlps == null ||
                     requestedAlps.applicationProtocols == null ||
                     requestedAlps.applicationProtocols.isEmpty()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected " + SSLExtension.CH_ALPN.name + " extension");
             }
 
@@ -463,13 +467,12 @@
             try {
                 spec = new AlpnSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Only one application protocol is allowed.
             if (spec.applicationProtocols.size() != 1) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
                     "Only one application protocol name " +
                     "is allowed in ServerHello message");
@@ -478,7 +481,7 @@
             // The respond application protocol must be one of the requested.
             if (!requestedAlps.applicationProtocols.containsAll(
                     spec.applicationProtocols)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
                     "Only client specified application protocol " +
                     "is allowed in ServerHello message");
--- a/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -153,8 +153,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -297,8 +296,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -606,8 +606,7 @@
             try {
                 spec = new CertStatusRequestSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -711,13 +710,13 @@
             CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
                     chc.handshakeExtensions.get(CH_STATUS_REQUEST);
             if (requestedCsr == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected status_request extension in ServerHello");
             }
 
             // Parse the extension.
             if (buffer.hasRemaining()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                   "Invalid status_request extension in ServerHello message: " +
                   "the extension data must be empty");
             }
@@ -964,8 +963,7 @@
             try {
                 spec = new CertStatusRequestV2Spec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -1067,13 +1065,13 @@
             CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
                     chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
             if (requestedCsr == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected status_request_v2 extension in ServerHello");
             }
 
             // Parse the extension.
             if (buffer.hasRemaining()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                   "Invalid status_request_v2 extension in ServerHello: " +
                   "the extension data must be empty");
             }
@@ -1157,10 +1155,10 @@
                                 respBytes);
                 producedData = certResp.toByteArray();
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                         "Failed to parse server certificates", ce);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
+                throw shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
                         "Failed to parse certificate status response", ioe);
             }
 
@@ -1188,8 +1186,7 @@
             try {
                 spec = new CertStatusResponseSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
             }
 
             if (chc.sslContext.isStaplingEnabled(true)) {
--- a/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java	Wed Dec 19 20:53:30 2018 +0100
@@ -111,10 +111,10 @@
                     encodedCerts.add(cert.getEncoded());
                 } catch (CertificateEncodingException cee) {
                     // unlikely
-                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw handshakeContext.conContext.fatal(
+                            Alert.INTERNAL_ERROR,
                             "Could not encode certificate (" +
                             cert.getSubjectX500Principal() + ")", cee);
-                    break;
                 }
             }
 
@@ -127,7 +127,8 @@
 
             int listLen = Record.getInt24(m);
             if (listLen > m.remaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(
+                    Alert.ILLEGAL_PARAMETER,
                     "Error parsing certificate message:no sufficient data");
             }
             if (listLen > 0) {
@@ -248,10 +249,8 @@
             }
 
             if (x509Possession == null) {       // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No expected X.509 certificate for server authentication");
-
-                return null;        // make the compiler happy
             }
 
             shc.handshakeSession.setLocalPrivateKey(
@@ -375,7 +374,7 @@
                 if (shc.sslConfig.clientAuthType !=
                         ClientAuthType.CLIENT_AUTH_REQUESTED) {
                     // unexpected or require client authentication
-                    shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                         "Empty server certificate chain");
                 } else {
                     return;
@@ -392,7 +391,7 @@
                                     new ByteArrayInputStream(encodedCert));
                 }
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -410,7 +409,7 @@
                 T12CertificateMessage certificateMessage) throws IOException {
             List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
             if (encodedCerts == null || encodedCerts.isEmpty()) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Empty server certificate chain");
             }
 
@@ -424,7 +423,7 @@
                                     new ByteArrayInputStream(encodedCert));
                 }
             } catch (CertificateException ce) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -443,7 +442,7 @@
                 if ((identityAlg == null || identityAlg.isEmpty()) &&
                         !isIdentityEquivalent(x509Certs[0],
                                 chc.reservedServerCerts[0])) {
-                    chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                             "server certificate change is restricted " +
                             "during renegotiation");
                 }
@@ -639,7 +638,7 @@
                 // the certificate chain in the TLS session.
                 chc.handshakeSession.setPeerCertificates(certs);
             } catch (CertificateException ce) {
-                chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+                throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
             }
         }
 
@@ -685,7 +684,7 @@
                             "Improper X509TrustManager implementation");
                 }
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+                throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
             }
         }
 
@@ -942,22 +941,20 @@
 
             SSLPossession pos = choosePossession(shc, clientHello);
             if (pos == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No available authentication scheme");
-                return null;    // make the complier happy
             }
 
             if (!(pos instanceof X509Possession)) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No X.509 certificate for server authentication");
             }
 
             X509Possession x509Possession = (X509Possession)pos;
             X509Certificate[] localCerts = x509Possession.popCerts;
             if (localCerts == null || localCerts.length == 0) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No X.509 certificate for server authentication");
-                return null;    // make the complier happy
             }
 
             // update the context
@@ -969,9 +966,8 @@
             try {
                 cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
             } catch (SSLException | CertificateException ce) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to produce server Certificate message", ce);
-                return null;    // make the complier happy
             }
 
             // Check the OCSP stapling extensions and attempt
@@ -1108,9 +1104,8 @@
                 cm = new T13CertificateMessage(
                         chc, chc.certRequestContext, localCerts);
             } catch (SSLException | CertificateException ce) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to produce client Certificate message", ce);
-                return null;
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine("Produced client Certificate message", cm);
@@ -1163,7 +1158,7 @@
             if (certificateMessage.certEntries == null ||
                     certificateMessage.certEntries.isEmpty()) {
                 if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
-                    shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                         "Empty client certificate chain");
                 } else {
                     // optional client authentication
@@ -1187,7 +1182,7 @@
                 T13CertificateMessage certificateMessage )throws IOException {
             if (certificateMessage.certEntries == null ||
                     certificateMessage.certEntries.isEmpty()) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Empty server certificate chain");
             }
 
@@ -1224,7 +1219,7 @@
                                     new ByteArrayInputStream(entry.encoded));
                 }
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -1270,7 +1265,7 @@
                 // the certificate chain in the TLS session.
                 shc.handshakeSession.setPeerCertificates(certs);
             } catch (CertificateException ce) {
-                shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+                throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
             }
 
             return certs;
@@ -1289,7 +1284,7 @@
                                     new ByteArrayInputStream(entry.encoded));
                 }
             } catch (CertificateException ce) {
-                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
                     "Failed to parse server certificates", ce);
             }
 
@@ -1326,7 +1321,7 @@
                 // the certificate chain in the TLS session.
                 chc.handshakeSession.setPeerCertificates(certs);
             } catch (CertificateException ce) {
-                chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+                throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
             }
 
             return certs;
--- a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -171,14 +171,14 @@
             //     DistinguishedName certificate_authorities<0..2^16-1>;
             // } CertificateRequest;
             if (m.remaining() < 4) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorrect CertificateRequest message: no sufficient data");
             }
             this.types = Record.getBytes8(m);
 
             int listLen = Record.getInt16(m);
             if (listLen > m.remaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorrect CertificateRequest message:no sufficient data");
             }
 
@@ -407,7 +407,7 @@
             this.types = ClientCertificateType.CERT_TYPES;
 
             if (signatureSchemes == null || signatureSchemes.isEmpty()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "No signature algorithms specified for " +
                         "CertificateRequest hanshake message");
             }
@@ -437,7 +437,7 @@
 
             // certificate_authorities
             if (m.remaining() < 8) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
@@ -445,14 +445,14 @@
 
             // supported_signature_algorithms
             if (m.remaining() < 6) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
 
             byte[] algs = Record.getBytes16(m);
             if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "incomplete signature algorithms");
             }
@@ -466,14 +466,14 @@
 
             // certificate_authorities
             if (m.remaining() < 2) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
 
             int listLen = Record.getInt16(m);
             if (listLen > m.remaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateRequest message: no sufficient data");
             }
 
@@ -597,7 +597,7 @@
 
             if (shc.localSupportedSignAlgs == null ||
                     shc.localSupportedSignAlgs.isEmpty()) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No supported signature algorithm");
             }
 
@@ -783,14 +783,14 @@
             //      Extension extensions<2..2^16-1>;
             //  } CertificateRequest;
             if (m.remaining() < 5) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient data");
             }
             this.requestContext = Record.getBytes8(m);
 
             if (m.remaining() < 4) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid CertificateRequest handshake message: " +
                         "no sufficient extensions data");
             }
--- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	Wed Dec 19 20:53:30 2018 +0100
@@ -154,7 +154,8 @@
                     encodedResponses.add(respDER);
                     encodedResponsesLen = 3 + respDER.length;
                 } else {
-                    handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw handshakeContext.conContext.fatal(
+                            Alert.HANDSHAKE_FAILURE,
                             "Zero-length OCSP Response");
                 }
             } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
@@ -172,11 +173,13 @@
                 }
 
                 if (respListLen != 0) {
-                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw handshakeContext.conContext.fatal(
+                            Alert.INTERNAL_ERROR,
                             "Bad OCSP response list length");
                 }
             } else {
-                handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw handshakeContext.conContext.fatal(
+                        Alert.HANDSHAKE_FAILURE,
                         "Unsupported StatusResponseType: " + statusType);
             }
             messageLength = messageLength();
--- a/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	Wed Dec 19 20:53:30 2018 +0100
@@ -83,11 +83,11 @@
                 signer.update(hashes);
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException nsae) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot produce CertificateVerify signature", gse);
             }
 
@@ -112,7 +112,7 @@
             //    };
             //  } Signature;
             if (m.remaining() < 2) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -128,7 +128,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -140,15 +140,15 @@
                         shc.handshakeSession.getMasterSecret());
                 signer.update(hashes);
                 if (!signer.verify(signature)) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify message: invalid signature");
                 }
             } catch (NoSuchAlgorithmException nsae) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", gse);
             }
         }
@@ -327,11 +327,11 @@
                 signer.update(hashes);
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException nsae) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Cannot produce CertificateVerify signature", gse);
             }
 
@@ -356,7 +356,7 @@
             //    };
             //  } Signature;
             if (m.remaining() < 2) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -372,7 +372,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -383,15 +383,15 @@
                 byte[] hashes = shc.handshakeHash.digest(algorithm);
                 signer.update(hashes);
                 if (!signer.verify(signature)) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify message: invalid signature");
                 }
             } catch (NoSuchAlgorithmException nsae) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" + algorithm +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", gse);
             }
         }
@@ -570,7 +570,7 @@
             if (signatureScheme == null) {
                 // Unlikely, the credentials generator should have
                 // selected the preferable signature algorithm properly.
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No preferred signature algorithm for CertificateVerify");
             }
 
@@ -582,12 +582,12 @@
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot produce CertificateVerify signature", ikse);
             }
 
@@ -607,7 +607,7 @@
             //     opaque signature<0..2^16-1>;
             // } DigitallySigned;
             if (m.remaining() < 4) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -615,13 +615,13 @@
             int ssid = Record.getInt16(m);
             this.signatureScheme = SignatureScheme.valueOf(ssid);
             if (signatureScheme == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature algorithm (" + ssid +
                         ") used in CertificateVerify handshake message");
             }
 
             if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message");
@@ -638,7 +638,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -649,17 +649,17 @@
                     signatureScheme.getSignature(x509Credentials.popPublicKey);
                 signer.update(shc.handshakeHash.archived());
                 if (!signer.verify(signature)) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify signature");
                 }
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", ikse);
             }
         }
@@ -871,7 +871,7 @@
             if (signatureScheme == null) {
                 // Unlikely, the credentials generator should have
                 // selected the preferable signature algorithm properly.
-                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No preferred signature algorithm for CertificateVerify");
             }
 
@@ -897,12 +897,12 @@
                 temproary = signer.sign();
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot produce CertificateVerify signature", ikse);
             }
 
@@ -918,7 +918,7 @@
             //     opaque signature<0..2^16-1>;
             // } DigitallySigned;
             if (m.remaining() < 4) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid CertificateVerify message: no sufficient data");
             }
 
@@ -926,13 +926,13 @@
             int ssid = Record.getInt16(m);
             this.signatureScheme = SignatureScheme.valueOf(ssid);
             if (signatureScheme == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature algorithm (" + ssid +
                         ") used in CertificateVerify handshake message");
             }
 
             if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message");
@@ -949,7 +949,7 @@
 
             if (x509Credentials == null ||
                     x509Credentials.popPublicKey == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No X509 credentials negotiated for CertificateVerify");
             }
 
@@ -975,17 +975,17 @@
                     signatureScheme.getSignature(x509Credentials.popPublicKey);
                 signer.update(contentCovered);
                 if (!signer.verify(signature)) {
-                    context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid CertificateVerify signature");
                 }
             } catch (NoSuchAlgorithmException |
                     InvalidAlgorithmParameterException nsae) {
-                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in CertificateVerify handshake message", nsae);
             } catch (InvalidKeyException | SignatureException ikse) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify CertificateVerify signature", ikse);
             }
         }
--- a/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java	Wed Dec 19 20:53:30 2018 +0100
@@ -105,6 +105,12 @@
                 throw new SSLException("Algorithm missing:  ", gse);
             }
 
+            if (writeCipher == null) {
+                throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Illegal cipher suite (" + ncs +
+                    ") and protocol version (" + hc.negotiatedProtocol + ")");
+            }
+
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine("Produced ChangeCipherSpec message");
             }
@@ -136,7 +142,7 @@
 
             // parse
             if (message.remaining() != 1 || message.get() != 1) {
-                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Malformed or unexpected ChangeCipherSpec message");
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -145,7 +151,7 @@
 
             // validate
             if (tc.handshakeContext == null) {
-                tc.fatal(Alert.HANDSHAKE_FAILURE,
+                throw tc.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unexpected ChangeCipherSpec message");
             }
 
@@ -153,7 +159,7 @@
             HandshakeContext hc = tc.handshakeContext;
 
             if (hc.handshakeKeyDerivation == null) {
-                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ChangeCipherSpec message");
             }
 
@@ -195,6 +201,14 @@
                     // unlikely
                     throw new SSLException("Algorithm missing:  ", gse);
                 }
+
+                if (readCipher == null) {
+                    throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Illegal cipher suite (" + hc.negotiatedCipherSuite +
+                        ") and protocol version (" + hc.negotiatedProtocol +
+                        ")");
+                }
+
                 tc.inputRecord.changeReadCiphers(readCipher);
             } else {
                 throw new UnsupportedOperationException("Not supported.");
@@ -225,7 +239,7 @@
 
             // parse
             if (message.remaining() != 1 || message.get() != 1) {
-                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Malformed or unexpected ChangeCipherSpec message");
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
--- a/src/java.base/share/classes/sun/security/ssl/ClientHello.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ClientHello.java	Wed Dec 19 20:53:30 2018 +0100
@@ -144,8 +144,8 @@
                     if (id == SSLExtension.CH_PRE_SHARED_KEY.id) {
                         // ensure pre_shared_key is the last extension
                         if (remaining > 0) {
-                            tc.fatal(Alert.ILLEGAL_PARAMETER,
-                            "pre_shared_key extension is not last");
+                            throw tc.fatal(Alert.ILLEGAL_PARAMETER,
+                                    "pre_shared_key extension is not last");
                         }
                         // read only up to the IDs
                         Record.getBytes16(m);
@@ -169,7 +169,8 @@
             try {
                 sessionId.checkLength(clientVersion);
             } catch (SSLProtocolException ex) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+                throw handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER, ex);
             }
             if (isDTLS) {
                 this.cookie = Record.getBytes8(m);
@@ -179,8 +180,9 @@
 
             byte[] encodedIds = Record.getBytes16(m);
             if (encodedIds.length == 0 || (encodedIds.length & 0x01) != 0) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
-                    "Invalid ClientHello message");
+                throw handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER,
+                        "Invalid ClientHello message");
             }
 
             this.cipherSuiteIds = new int[encodedIds.length >> 1];
@@ -702,7 +704,8 @@
                     try {
                         chc.kickstart();
                     } catch (IOException ioe) {
-                        chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, ioe);
+                        throw chc.conContext.fatal(
+                                Alert.HANDSHAKE_FAILURE, ioe);
                     }
 
                     // The handshake message has been delivered.
@@ -790,7 +793,7 @@
             // clean up this consumer
             shc.handshakeConsumers.remove(SSLHandshake.CLIENT_HELLO.id);
             if (!shc.handshakeConsumers.isEmpty()) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "No more handshake message allowed " +
                         "in a ClientHello flight");
             }
@@ -877,7 +880,7 @@
                     context.activeProtocols, chv);
             if (pv == null || pv == ProtocolVersion.NONE ||
                     pv == ProtocolVersion.SSL20Hello) {
-                context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Client requested protocol " +
                     ProtocolVersion.nameOf(clientHelloVersion) +
                     " is not enabled or supported in server context");
@@ -910,13 +913,11 @@
             }
 
             // No protocol version can be negotiated.
-            context.conContext.fatal(Alert.PROTOCOL_VERSION,
+            throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
                 "The client supported protocol versions " + Arrays.toString(
                     ProtocolVersion.toStringArray(clientSupportedVersions)) +
                 " are not accepted by server preferences " +
                 context.activeProtocols);
-
-            return null;        // make the compiler happy
         }
     }
 
@@ -957,13 +958,13 @@
             if (shc.conContext.isNegotiated) {
                 if (!shc.conContext.secureRenegotiation &&
                         !HandshakeContext.allowUnsafeRenegotiation) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsafe renegotiation is not allowed");
                 }
 
                 if (ServerHandshakeContext.rejectClientInitiatedRenego &&
                         !shc.kickstartMessageDelivered) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Client initiated renegotiation is not allowed");
                 }
             }
@@ -1170,13 +1171,13 @@
                     handshakeProducer.produce(shc, clientHello);
             } else {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No HelloRetryRequest producer: " + shc.handshakeProducers);
             }
 
             if (!shc.handshakeProducers.isEmpty()) {
                 // unlikely, but please double check.
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "unknown handshake producers: " + shc.handshakeProducers);
             }
         }
@@ -1264,13 +1265,13 @@
             if (shc.conContext.isNegotiated) {
                 if (!shc.conContext.secureRenegotiation &&
                         !HandshakeContext.allowUnsafeRenegotiation) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsafe renegotiation is not allowed");
                 }
 
                 if (ServerHandshakeContext.rejectClientInitiatedRenego &&
                         !shc.kickstartMessageDelivered) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Client initiated renegotiation is not allowed");
                 }
             }
--- a/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -68,9 +68,8 @@
             }
 
             // not consumer defined.
-            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ClientKeyExchange handshake message.");
-            return null;    // make the compiler happe
         }
     }
 
@@ -105,7 +104,7 @@
             }
 
             // not consumer defined.
-            shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ClientKeyExchange handshake message.");
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/CookieExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/CookieExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -163,8 +163,7 @@
             try {
                 spec = new CookieSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec);
@@ -201,9 +200,8 @@
             HelloCookieManager hcm =
                 shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
             if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "unrecognized cookie");
-                return;     // fatal() always throws, make the compiler happy.
             }
         }
     }
@@ -270,8 +268,7 @@
             try {
                 spec = new CookieSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec);
--- a/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -87,7 +87,7 @@
 
             if (dhePossession == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No DHE credentials negotiated for client key exchange");
             }
 
@@ -104,14 +104,14 @@
                     (ServerHandshakeContext)handshakeContext;
 
             if (m.remaining() < 3) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid DH ClientKeyExchange message: insufficient data");
             }
 
             this.y = Record.getBytes16(m);
 
             if (m.hasRemaining()) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid DH ClientKeyExchange message: unknown extra data");
             }
         }
@@ -177,7 +177,7 @@
             }
 
             if (dheCredentials == null) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No DHE credentials negotiated for client key exchange");
             }
 
@@ -202,7 +202,7 @@
                     chc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -214,7 +214,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -254,7 +254,7 @@
 
             if (dhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No expected DHE possessions for client key exchange");
             }
 
@@ -263,7 +263,7 @@
                     shc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             }
 
@@ -310,7 +310,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Not supported key derivation: " + shc.negotiatedProtocol);
             } else {
                 shc.handshakeKeyDerivation =
--- a/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -438,7 +438,7 @@
             }
 
             if (dhePossession == null || dheCredentials == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient DHE key agreement parameters negotiated");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -106,7 +106,7 @@
 
             if (dhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No DHE credentials negotiated for server key exchange");
             }
             DHPublicKey publicKey = dhePossession.publicKey;
@@ -132,7 +132,7 @@
                     if (signatureScheme == null) {
                         // Unlikely, the credentials generator should have
                         // selected the preferable signature algorithm properly.
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "No preferred signature algorithm");
                     }
                     try {
@@ -140,7 +140,7 @@
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException |
                             InvalidAlgorithmParameterException nsae) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             signatureScheme.name, nsae);
                     }
@@ -151,7 +151,7 @@
                                 x509Possession.popPrivateKey.getAlgorithm(),
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             x509Possession.popPrivateKey.getAlgorithm(), e);
                     }
@@ -163,7 +163,7 @@
                             shc.serverHelloRandom.randomBytes);
                     signature = signer.sign();
                 } catch (SignatureException ex) {
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failed to sign dhe parameters: " +
                         x509Possession.popPrivateKey.getAlgorithm(), ex);
                 }
@@ -189,7 +189,7 @@
                         new BigInteger(1, p),
                         new BigInteger(1, p)));
             } catch (InvalidKeyException ike) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid DH ServerKeyExchange: invalid parameters", ike);
             }
 
@@ -204,7 +204,7 @@
             if (x509Credentials == null) {
                 // anonymous, no authentication, no signature
                 if (m.hasRemaining()) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid DH ServerKeyExchange: unknown extra data");
                 }
 
@@ -221,13 +221,13 @@
                 int ssid = Record.getInt16(m);
                 signatureScheme = SignatureScheme.valueOf(ssid);
                 if (signatureScheme == null) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Invalid signature algorithm (" + ssid +
                             ") used in DH ServerKeyExchange handshake message");
                 }
 
                 if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsupported signature algorithm (" +
                             signatureScheme.name +
                             ") used in DH ServerKeyExchange handshake message");
@@ -245,11 +245,9 @@
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException |
                         InvalidAlgorithmParameterException nsae) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             signatureScheme.name, nsae);
-
-                    return;     // make the compiler happe
                 }
             } else {
                 try {
@@ -257,11 +255,9 @@
                             x509Credentials.popPublicKey.getAlgorithm(),
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             x509Credentials.popPublicKey.getAlgorithm(), e);
-
-                    return;     // make the compiler happe
                 }
             }
 
@@ -271,11 +267,11 @@
                         chc.serverHelloRandom.randomBytes);
 
                 if (!signer.verify(paramsSignature)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature on DH ServerKeyExchange message");
                 }
             } catch (SignatureException ex) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify DH ServerKeyExchange signature", ex);
             }
         }
@@ -535,15 +531,13 @@
                         new BigInteger(1, skem.g));
                 publicKey = (DHPublicKey)kf.generatePublic(spec);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                     "Could not generate DHPublicKey", gse);
-
-                return;     // make the compiler happy
             }
 
             if (!chc.algorithmConstraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "DH ServerKeyExchange does not comply to " +
                         "algorithm constraints");
             }
--- a/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -190,20 +190,20 @@
             }
 
             if (x509Credentials == null) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No server certificate for ECDH client key exchange");
             }
 
             PublicKey publicKey = x509Credentials.popPublicKey;
             if (!publicKey.getAlgorithm().equals("EC")) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not EC server certificate for ECDH client key exchange");
             }
 
             ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
             NamedGroup namedGroup = NamedGroup.valueOf(params);
             if (namedGroup == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported EC server cert for ECDH client key exchange");
             }
 
@@ -228,7 +228,7 @@
                     chc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -240,7 +240,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -280,15 +280,14 @@
 
             if (x509Possession == null) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No expected EC server cert for ECDH client key exchange");
-                return;     // make the compiler happy
             }
 
             PrivateKey privateKey = x509Possession.popPrivateKey;
             if (!privateKey.getAlgorithm().equals("EC")) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not EC server cert for ECDH client key exchange");
             }
 
@@ -296,7 +295,7 @@
             NamedGroup namedGroup = NamedGroup.valueOf(params);
             if (namedGroup == null) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported EC server cert for ECDH client key exchange");
             }
 
@@ -305,9 +304,8 @@
                     shc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
-                return;     // make the compiler happy
             }
 
             // parse the handshake message
@@ -353,7 +351,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Not supported key derivation: " + shc.negotiatedProtocol);
             } else {
                 shc.handshakeKeyDerivation =
@@ -387,7 +385,7 @@
             }
 
             if (ecdheCredentials == null) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No ECDHE credentials negotiated for client key exchange");
             }
 
@@ -412,7 +410,7 @@
                     chc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -424,7 +422,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -463,16 +461,15 @@
             }
             if (ecdhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No expected ECDHE possessions for client key exchange");
-                return;     // make the compiler happy
             }
 
             ECParameterSpec params = ecdhePossession.publicKey.getParams();
             NamedGroup namedGroup = NamedGroup.valueOf(params);
             if (namedGroup == null) {
                 // unlikely, have been checked during cipher suite negotiation.
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported EC server cert for ECDHE client key exchange");
             }
 
@@ -481,9 +478,8 @@
                     shc.negotiatedProtocol);
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
-                return;     // make the compiler happy
             }
 
             // parse the handshake message
@@ -529,7 +525,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Not supported key derivation: " + shc.negotiatedProtocol);
             } else {
                 shc.handshakeKeyDerivation =
--- a/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -274,7 +274,7 @@
                 NamedGroup ng = NamedGroup.valueOf(params);
                 if (ng == null) {
                     // unlikely, have been checked during cipher suite negotiation.
-                    shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Unsupported EC server cert for ECDH key exchange");
                 }
 
@@ -295,7 +295,7 @@
             }
 
             if (x509Possession == null || ecdheCredentials == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient ECDHE key agreement parameters negotiated");
             }
 
@@ -327,7 +327,7 @@
                     NamedGroup namedGroup = NamedGroup.valueOf(params);
                     if (namedGroup == null) {
                         // unlikely, should have been checked previously
-                        chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                             "Unsupported EC server cert for ECDH key exchange");
                     }
 
@@ -344,7 +344,7 @@
             }
 
             if (ecdhePossession == null || x509Credentials == null) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient ECDH key agreement parameters negotiated");
             }
 
@@ -388,7 +388,7 @@
             }
 
             if (ecdhePossession == null || ecdheCredentials == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient ECDHE key agreement parameters negotiated");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -113,7 +113,7 @@
 
             if (ecdhePossession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No ECDHE credentials negotiated for server key exchange");
             }
 
@@ -125,7 +125,7 @@
             this.namedGroup = NamedGroup.valueOf(params);
             if ((namedGroup == null) || (namedGroup.oid == null) ) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unnamed EC parameter spec: " + params);
             }
 
@@ -146,7 +146,7 @@
                     if (signatureScheme == null) {
                         // Unlikely, the credentials generator should have
                         // selected the preferable signature algorithm properly.
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                                 "No preferred signature algorithm for " +
                                 x509Possession.popPrivateKey.getAlgorithm() +
                                 "  key");
@@ -156,7 +156,7 @@
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException |
                             InvalidAlgorithmParameterException nsae) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             signatureScheme.name, nsae);
                     }
@@ -167,7 +167,7 @@
                                 x509Possession.popPrivateKey.getAlgorithm(),
                                 x509Possession.popPrivateKey);
                     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Unsupported signature algorithm: " +
                             x509Possession.popPrivateKey.getAlgorithm(), e);
                     }
@@ -180,7 +180,7 @@
                             namedGroup.id, publicPoint);
                     signature = signer.sign();
                 } catch (SignatureException ex) {
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failed to sign ecdhe parameters: " +
                         x509Possession.popPrivateKey.getAlgorithm(), ex);
                 }
@@ -199,37 +199,37 @@
             byte curveType = (byte)Record.getInt8(m);
             if (curveType != CURVE_NAMED_CURVE) {
                 // Unlikely as only the named curves should be negotiated.
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported ECCurveType: " + curveType);
             }
 
             int namedGroupId = Record.getInt16(m);
             this.namedGroup = NamedGroup.valueOf(namedGroupId);
             if (namedGroup == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unknown named group ID: " + namedGroupId);
             }
 
             if (!SupportedGroups.isSupported(namedGroup)) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unsupported named group: " + namedGroup);
             }
 
             if (namedGroup.oid == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Unknown named EC curve: " + namedGroup);
             }
 
             ECParameterSpec parameters =
                     JsseJce.getECParameterSpec(namedGroup.oid);
             if (parameters == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No supported EC parameter: " + namedGroup);
             }
 
             publicPoint = Record.getBytes8(m);
             if (publicPoint.length == 0) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Insufficient ECPoint data: " + namedGroup);
             }
 
@@ -242,7 +242,7 @@
                     new ECPublicKeySpec(point, parameters));
             } catch (NoSuchAlgorithmException |
                     InvalidKeySpecException | IOException ex) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid ECPoint: " + namedGroup, ex);
             }
 
@@ -259,7 +259,7 @@
             if (x509Credentials == null) {
                 // anonymous, no authentication, no signature
                 if (m.hasRemaining()) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid DH ServerKeyExchange: unknown extra data");
                 }
                 this.signatureScheme = null;
@@ -275,13 +275,13 @@
                 int ssid = Record.getInt16(m);
                 signatureScheme = SignatureScheme.valueOf(ssid);
                 if (signatureScheme == null) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature algorithm (" + ssid +
                         ") used in ECDH ServerKeyExchange handshake message");
                 }
 
                 if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsupported signature algorithm (" +
                         signatureScheme.name +
                         ") used in ECDH ServerKeyExchange handshake message");
@@ -299,11 +299,9 @@
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException |
                         InvalidAlgorithmParameterException nsae) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm: " +
                         signatureScheme.name, nsae);
-
-                    return;     // make the compiler happe
                 }
             } else {
                 try {
@@ -311,11 +309,9 @@
                             x509Credentials.popPublicKey.getAlgorithm(),
                             x509Credentials.popPublicKey);
                 } catch (NoSuchAlgorithmException | InvalidKeyException e) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Unsupported signature algorithm: " +
                         x509Credentials.popPublicKey.getAlgorithm(), e);
-
-                    return;     // make the compiler happe
                 }
             }
 
@@ -326,11 +322,11 @@
                         namedGroup.id, publicPoint);
 
                 if (!signer.verify(paramsSignature)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid ECDH ServerKeyExchange signature");
                 }
             } catch (SignatureException ex) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Cannot verify ECDH ServerKeyExchange signature", ex);
             }
         }
@@ -546,7 +542,7 @@
             if (!chc.algorithmConstraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                     skem.publicKey)) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "ECDH ServerKeyExchange does not comply " +
                         "to algorithm constraints");
             }
--- a/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -231,13 +231,12 @@
             try {
                 spec = new ECPointFormatsSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // per RFC 4492, uncompressed points must always be supported.
             if (!spec.hasUncompressedFormat()) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid ec_point_formats extension data: " +
                     "peer does not support uncompressed points");
             }
@@ -272,7 +271,7 @@
             ECPointFormatsSpec requestedSpec = (ECPointFormatsSpec)
                     chc.handshakeExtensions.get(CH_EC_POINT_FORMATS);
             if (requestedSpec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected ec_point_formats extension in ServerHello");
             }
 
@@ -281,13 +280,12 @@
             try {
                 spec = new ECPointFormatsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // per RFC 4492, uncompressed points must always be supported.
             if (!spec.hasUncompressedFormat()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Invalid ec_point_formats extension data: " +
                         "peer does not support uncompressed points");
             }
--- a/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java	Wed Dec 19 20:53:30 2018 +0100
@@ -60,7 +60,7 @@
             //     Extension extensions<0..2^16-1>;
             // } EncryptedExtensions;
             if (m.remaining() < 2) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid EncryptedExtensions handshake message: " +
                         "no sufficient data");
             }
--- a/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -172,8 +172,7 @@
             try {
                 spec = new ExtendedMasterSecretSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (shc.isResumption && shc.resumingSession != null &&
@@ -232,7 +231,7 @@
                 //
                 // As if extended master extension is required for full
                 // handshake, it MUST be used in abbreviated handshake too.
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Extended Master Secret extension is required");
             }
 
@@ -242,7 +241,7 @@
                     // session used the "extended_master_secret" extension
                     // but the new ClientHello does not contain it, the
                     // server MUST abort the abbreviated handshake.
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Missing Extended Master Secret extension " +
                             "on session resumption");
                 } else {
@@ -250,7 +249,7 @@
                     // original session nor the new ClientHello uses the
                     // extension, the server SHOULD abort the handshake.
                     if (!SSLConfiguration.allowLegacyResumption) {
-                        shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Missing Extended Master Secret extension " +
                             "on session resumption");
                     } else {  // Otherwise, continue with a full handshake.
@@ -318,7 +317,7 @@
             ExtendedMasterSecretSpec requstedSpec = (ExtendedMasterSecretSpec)
                     chc.handshakeExtensions.get(CH_EXTENDED_MASTER_SECRET);
             if (requstedSpec == null) {
-                chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
                         "Server sent the extended_master_secret " +
                         "extension improperly");
             }
@@ -328,13 +327,12 @@
             try {
                 spec = new ExtendedMasterSecretSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (chc.isResumption && chc.resumingSession != null &&
                     !chc.resumingSession.useExtendedMasterSecret) {
-                chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
                         "Server sent an unexpected extended_master_secret " +
                         "extension on session resumption");
             }
@@ -364,7 +362,7 @@
                 // For full handshake, if a client receives a ServerHello
                 // without the extension, it SHOULD abort the handshake if
                 // it does not wish to interoperate with legacy servers.
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Extended Master Secret extension is required");
             }
 
@@ -374,14 +372,14 @@
                     // the "extended_master_secret" extension but the new
                     // ServerHello does not contain the extension, the client
                     // MUST abort the handshake.
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Missing Extended Master Secret extension " +
                             "on session resumption");
                 } else if (SSLConfiguration.useExtendedMasterSecret &&
                         !SSLConfiguration.allowLegacyResumption &&
                         chc.negotiatedProtocol.useTLS10PlusSpec()) {
                     // Unlikely, abbreviated handshake should be discarded.
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Extended Master Secret extension is required");
                 }
             }
--- a/src/java.base/share/classes/sun/security/ssl/Finished.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/Finished.java	Wed Dec 19 20:53:30 2018 +0100
@@ -83,7 +83,7 @@
             try {
                 vd = vds.createVerifyData(context, false);
             } catch (IOException ioe) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Failed to generate verify_data", ioe);
             }
 
@@ -102,7 +102,7 @@
             }
 
             if (m.remaining() != verifyDataLen) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Inappropriate finished message: need " + verifyDataLen +
                     " but remaining " + m.remaining() + " bytes verify_data");
             }
@@ -116,12 +116,11 @@
             try {
                 myVerifyData = vd.createVerifyData(context, true);
             } catch (IOException ioe) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Failed to generate verify_data", ioe);
-                return;     // make the compiler happy
             }
             if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "The Finished message cannot be verified.");
             }
         }
@@ -518,7 +517,7 @@
             // we have received ChangeCipherSpec
             if (hc.conContext.consumers.containsKey(
                     ContentType.CHANGE_CIPHER_SPEC.id)) {
-                hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Missing ChangeCipherSpec message");
             }
 
@@ -679,19 +678,17 @@
             SSLKeyDerivation kd = chc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return null;    // make the compiler happy
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         chc.negotiatedProtocol);
-                return null;    // make the compiler happy
             }
 
             try {
@@ -713,22 +710,29 @@
                                 chc.negotiatedProtocol, writeKey, writeIv,
                                 chc.sslContext.getSecureRandom());
 
+                if (writeCipher == null) {
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Illegal cipher suite (" + chc.negotiatedCipherSuite +
+                        ") and protocol version (" + chc.negotiatedProtocol +
+                        ")");
+                }
+
                 chc.baseWriteSecret = writeSecret;
                 chc.conContext.outputRecord.changeWriteCiphers(
                         writeCipher, false);
 
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return null;    // make the compiler happy
             }
 
             // The resumption master secret is stored in the session so
             // it can be used after the handshake is completed.
             SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc);
             SecretKey resumptionMasterSecret = sd.deriveKey(
-            "TlsResumptionMasterSecret", null);
-            chc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
+                    "TlsResumptionMasterSecret", null);
+            chc.handshakeSession.setResumptionMasterSecret(
+                    resumptionMasterSecret);
 
             chc.conContext.conSession = chc.handshakeSession.finish();
             chc.conContext.protocolVersion = chc.negotiatedProtocol;
@@ -762,19 +766,17 @@
             SSLKeyDerivation kd = shc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return null;    // make the compiler happy
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         shc.negotiatedProtocol);
-                return null;    // make the compiler happy
             }
 
             // derive salt secret
@@ -810,6 +812,13 @@
                                 shc.negotiatedProtocol, writeKey, writeIv,
                                 shc.sslContext.getSecureRandom());
 
+                if (writeCipher == null) {
+                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Illegal cipher suite (" + shc.negotiatedCipherSuite +
+                        ") and protocol version (" + shc.negotiatedProtocol +
+                        ")");
+                }
+
                 shc.baseWriteSecret = writeSecret;
                 shc.conContext.outputRecord.changeWriteCiphers(
                         writeCipher, false);
@@ -817,9 +826,8 @@
                 // update the context for the following key derivation
                 shc.handshakeKeyDerivation = secretKD;
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return null;    // make the compiler happy
             }
 
             /*
@@ -892,19 +900,17 @@
             SSLKeyDerivation kd = chc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return;    // make the compiler happy
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         chc.negotiatedProtocol);
-                return;    // make the compiler happy
             }
 
             // save the session
@@ -947,15 +953,21 @@
                                 chc.negotiatedProtocol, readKey, readIv,
                                 chc.sslContext.getSecureRandom());
 
+                if (readCipher == null) {
+                    throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Illegal cipher suite (" + chc.negotiatedCipherSuite +
+                        ") and protocol version (" + chc.negotiatedProtocol +
+                        ")");
+                }
+
                 chc.baseReadSecret = readSecret;
                 chc.conContext.inputRecord.changeReadCiphers(readCipher);
 
                 // update the context for the following key derivation
                 chc.handshakeKeyDerivation = secretKD;
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return;    // make the compiler happy
             }
 
             //
@@ -1003,19 +1015,17 @@
             SSLKeyDerivation kd = shc.handshakeKeyDerivation;
             if (kd == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "no key derivation");
-                return;    // make the compiler happy
             }
 
             SSLTrafficKeyDerivation kdg =
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         shc.negotiatedProtocol);
-                return;    // make the compiler happy
             }
 
             // save the session
@@ -1044,20 +1054,28 @@
                                 shc.negotiatedProtocol, readKey, readIv,
                                 shc.sslContext.getSecureRandom());
 
+                if (readCipher == null) {
+                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Illegal cipher suite (" + shc.negotiatedCipherSuite +
+                        ") and protocol version (" + shc.negotiatedProtocol +
+                        ")");
+                }
+
                 shc.baseReadSecret = readSecret;
                 shc.conContext.inputRecord.changeReadCiphers(readCipher);
 
                 // The resumption master secret is stored in the session so
                 // it can be used after the handshake is completed.
                 shc.handshakeHash.update();
-                SSLSecretDerivation sd = ((SSLSecretDerivation)kd).forContext(shc);
+                SSLSecretDerivation sd =
+                        ((SSLSecretDerivation)kd).forContext(shc);
                 SecretKey resumptionMasterSecret = sd.deriveKey(
                 "TlsResumptionMasterSecret", null);
-                shc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
+                shc.handshakeSession.setResumptionMasterSecret(
+                        resumptionMasterSecret);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive application secrets", gse);
-                return;    // make the compiler happy
             }
 
             //  update connection context
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java	Wed Dec 19 20:53:30 2018 +0100
@@ -365,26 +365,20 @@
         //     } Handshake;
 
         if (plaintext.contentType != ContentType.HANDSHAKE.id) {
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Unexpected operation for record: " + plaintext.contentType);
-
-            return 0;
         }
 
         if (plaintext.fragment == null || plaintext.fragment.remaining() < 4) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid handshake message: insufficient data");
-
-            return 0;
         }
 
         byte handshakeType = (byte)Record.getInt8(plaintext.fragment);
         int handshakeLen = Record.getInt24(plaintext.fragment);
         if (handshakeLen != plaintext.fragment.remaining()) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid handshake message: insufficient handshake body");
-
-            return 0;
         }
 
         return handshakeType;
@@ -438,16 +432,15 @@
         }
 
         if (consumer == null) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected handshake message: " +
                     SSLHandshake.nameOf(handshakeType));
-            return;
         }
 
         try {
             consumer.consume(this, fragment);
         } catch (UnsupportedOperationException unsoe) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unsupported handshake message: " +
                     SSLHandshake.nameOf(handshakeType), unsoe);
         }
--- a/src/java.base/share/classes/sun/security/ssl/HelloRequest.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/HelloRequest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -59,7 +59,7 @@
                 ByteBuffer m) throws IOException {
             super(handshakeContext);
             if (m.hasRemaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Error parsing HelloRequest message: not empty");
             }
         }
@@ -185,7 +185,7 @@
             if (!chc.kickstartMessageDelivered) {
                 if (!chc.conContext.secureRenegotiation &&
                         !HandshakeContext.allowUnsafeRenegotiation) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "Unsafe renegotiation is not allowed");
                 }
 
--- a/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -73,7 +73,7 @@
             //      opaque cookie<0..2^8-1>;
             //  } HelloVerifyRequest;
             if (m.remaining() < 3) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid HelloVerifyRequest: no sufficient data");
             }
 
@@ -186,7 +186,7 @@
                 chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
             }
             if (!chc.handshakeConsumers.isEmpty()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "No more message expected before " +
                         "HelloVerifyRequest is processed");
             }
--- a/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -337,8 +337,7 @@
             try {
                 spec = new CHKeyShareSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             List<SSLCredentials> credentials = new LinkedList<>();
@@ -610,16 +609,14 @@
             if (chc.clientRequestedNamedGroups == null ||
                     chc.clientRequestedNamedGroups.isEmpty()) {
                 // No supported groups.
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected key_share extension in ServerHello");
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             // Is it a supported and enabled extension?
             if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in ServerHello");
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             // Parse the extension
@@ -627,25 +624,22 @@
             try {
                 spec = new SHKeyShareSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             KeyShareEntry keyShare = spec.serverShare;
             NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
             if (ng == null || !SupportedGroups.isActivatable(
                     chc.sslConfig.algorithmConstraints, ng)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported named group: " +
                         NamedGroup.nameOf(keyShare.namedGroupId));
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
             if (ke == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "No key exchange for named group " + ng.name);
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             SSLCredentials credentials = null;
@@ -657,7 +651,7 @@
                         if (!chc.algorithmConstraints.permits(
                                 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 ecdhec.popPublicKey)) {
-                            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                                     "ECDHE key share entry does not " +
                                     "comply to algorithm constraints");
                         } else {
@@ -665,7 +659,7 @@
                         }
                     }
                 } catch (IOException | GeneralSecurityException ex) {
-                    chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Cannot decode named group: " +
                             NamedGroup.nameOf(keyShare.namedGroupId));
                 }
@@ -677,7 +671,7 @@
                         if (!chc.algorithmConstraints.permits(
                                 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 dhec.popPublicKey)) {
-                            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                                     "DHE key share entry does not " +
                                     "comply to algorithm constraints");
                         } else {
@@ -685,18 +679,18 @@
                         }
                     }
                 } catch (IOException | GeneralSecurityException ex) {
-                    chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Cannot decode named group: " +
                             NamedGroup.nameOf(keyShare.namedGroupId));
                 }
             } else {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported named group: " +
                         NamedGroup.nameOf(keyShare.namedGroupId));
             }
 
             if (credentials == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported named group: " + ng.name);
             }
 
@@ -794,17 +788,15 @@
 
             // Is it a supported and enabled extension?
             if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in HelloRetryRequest");
-                return null;    // make the compiler happy.
             }
 
             if (shc.clientRequestedNamedGroups == null ||
                     shc.clientRequestedNamedGroups.isEmpty()) {
                 // No supported groups.
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected key_share extension in HelloRetryRequest");
-                return null;    // make the compiler happy.
             }
 
             NamedGroup selectedGroup = null;
@@ -823,9 +815,8 @@
             }
 
             if (selectedGroup == null) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
-                        new IOException("No common named group"));
-                return null;    // make the complier happy
+                throw shc.conContext.fatal(
+                        Alert.UNEXPECTED_MESSAGE, "No common named group");
             }
 
             byte[] extdata = new byte[] {
@@ -861,9 +852,8 @@
 
             // Is it a supported and enabled extension?
             if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in HelloRetryRequest");
-                return null;    // make the compiler happy.
             }
 
             CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
@@ -903,17 +893,15 @@
 
             // Is it a supported and enabled extension?
             if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported key_share extension in HelloRetryRequest");
-                return;     // make the compiler happy.
             }
 
             if (chc.clientRequestedNamedGroups == null ||
                     chc.clientRequestedNamedGroups.isEmpty()) {
                 // No supported groups.
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected key_share extension in HelloRetryRequest");
-                return;     // make the compiler happy.
             }
 
             // Parse the extension
@@ -921,23 +909,20 @@
             try {
                 spec = new HRRKeyShareSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
             if (serverGroup == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unsupported HelloRetryRequest selected group: " +
                                 NamedGroup.nameOf(spec.selectedGroup));
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected HelloRetryRequest selected group: " +
                                 serverGroup.name);
-                return;     // fatal() always throws, make the compiler happy.
             }
 
             // update the context
--- a/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java	Wed Dec 19 20:53:30 2018 +0100
@@ -78,7 +78,7 @@
             super(context);
 
             if (m.remaining() != 1) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "KeyUpdate has an unexpected length of "+
                         m.remaining());
             }
@@ -86,7 +86,7 @@
             byte request = m.get();
             this.status = KeyUpdateRequest.valueOf(request);
             if (status == null) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid KeyUpdate message value: " +
                         KeyUpdateRequest.nameOf(request));
             }
@@ -198,18 +198,17 @@
                 SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
             if (kdg == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                                 hc.conContext.protocolVersion);
-                return;
             }
 
             SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
                     hc.conContext.inputRecord.readCipher.baseSecret);
             if (skd == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
-                return;
+                throw hc.conContext.fatal(
+                        Alert.INTERNAL_ERROR, "no key derivation");
             }
 
             SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@@ -223,15 +222,22 @@
                         Authenticator.valueOf(hc.conContext.protocolVersion),
                         hc.conContext.protocolVersion, key, ivSpec,
                         hc.sslContext.getSecureRandom());
+
+                if (rc == null) {
+                    throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Illegal cipher suite (" + hc.negotiatedCipherSuite +
+                        ") and protocol version (" + hc.negotiatedProtocol +
+                        ")");
+                }
+
                 rc.baseSecret = nplus1;
                 hc.conContext.inputRecord.changeReadCiphers(rc);
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                     SSLLogger.fine("KeyUpdate: read key updated");
                 }
             } catch (GeneralSecurityException gse) {
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive read secrets", gse);
-                return;
             }
 
             if (km.status == KeyUpdateRequest.REQUESTED) {
@@ -271,18 +277,17 @@
                 SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
             if (kdg == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                                 hc.conContext.protocolVersion);
-                return null;
             }
 
             SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
                     hc.conContext.outputRecord.writeCipher.baseSecret);
             if (skd == null) {
                 // unlikely
-                hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
-                return null;
+                throw hc.conContext.fatal(
+                        Alert.INTERNAL_ERROR, "no key derivation");
             }
 
             SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@@ -298,9 +303,14 @@
                         hc.conContext.protocolVersion, key, ivSpec,
                         hc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
-                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failure to derive write secrets", gse);
-                return null;
+            }
+
+            if (wc == null) {
+                throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Illegal cipher suite (" + hc.negotiatedCipherSuite +
+                    ") and protocol version (" + hc.negotiatedProtocol + ")");
             }
 
             // Output the handshake message and change the write cipher.
--- a/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -253,13 +253,12 @@
             try {
                 spec = new MaxFragLenSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
             if (mfle == null) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "the requested maximum fragment length is other " +
                     "than the allowed values");
             }
@@ -359,7 +358,7 @@
             MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
                     chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
             if (requestedSpec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected max_fragment_length extension in ServerHello");
             }
 
@@ -368,18 +367,17 @@
             try {
                 spec = new MaxFragLenSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (spec.id != requestedSpec.id) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "The maximum fragment length response is not requested");
             }
 
             MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
             if (mfle == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "the requested maximum fragment length is other " +
                     "than the allowed values");
             }
@@ -532,7 +530,7 @@
             MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
                     chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
             if (requestedSpec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected max_fragment_length extension in ServerHello");
             }
 
@@ -541,18 +539,17 @@
             try {
                 spec = new MaxFragLenSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (spec.id != requestedSpec.id) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "The maximum fragment length response is not requested");
             }
 
             MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
             if (mfle == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "the requested maximum fragment length is other " +
                     "than the allowed values");
             }
--- a/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java	Wed Dec 19 20:53:30 2018 +0100
@@ -86,7 +86,7 @@
             //     Extension extensions<0..2^16-2>;
             // } NewSessionTicket;
             if (m.remaining() < 14) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid NewSessionTicket message: no sufficient data");
             }
 
@@ -95,18 +95,18 @@
             this.ticketNonce = Record.getBytes8(m);
 
             if (m.remaining() < 5) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid NewSessionTicket message: no sufficient data");
             }
 
             this.ticket = Record.getBytes16(m);
             if (ticket.length == 0) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No ticket in the NewSessionTicket handshake message");
             }
 
             if (m.remaining() < 2) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid NewSessionTicket message: no sufficient data");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java	Wed Dec 19 20:53:30 2018 +0100
@@ -43,7 +43,7 @@
         super(context);
 
         if (!negotiatedProtocol.useTLS13PlusSpec()) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                 "Post-handshake not supported in " + negotiatedProtocol.name);
         }
 
@@ -63,16 +63,15 @@
     void dispatch(byte handshakeType, ByteBuffer fragment) throws IOException {
         SSLConsumer consumer = handshakeConsumers.get(handshakeType);
         if (consumer == null) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected post-handshake message: " +
                             SSLHandshake.nameOf(handshakeType));
-            return;
         }
 
         try {
             consumer.consume(this, fragment);
         } catch (UnsupportedOperationException unsoe) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unsupported post-handshake message: " +
                             SSLHandshake.nameOf(handshakeType), unsoe);
         }
--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -111,14 +111,14 @@
             //     PskBinderEntry binders<33..2^16-1>;
             // } OfferedPsks;
             if (m.remaining() < 44) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid pre_shared_key extension: " +
                     "insufficient data (length=" + m.remaining() + ")");
             }
 
             int idEncodedLength = Record.getInt16(m);
             if (idEncodedLength < 7) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Invalid pre_shared_key extension: " +
                     "insufficient identities (length=" + idEncodedLength + ")");
             }
@@ -128,7 +128,7 @@
             while (idReadLength < idEncodedLength) {
                 byte[] id = Record.getBytes16(m);
                 if (id.length < 1) {
-                    context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient identity (length=" + id.length + ")");
                 }
@@ -140,7 +140,7 @@
             }
 
             if (m.remaining() < 35) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient binders data (length=" +
                         m.remaining() + ")");
@@ -148,7 +148,7 @@
 
             int bindersEncodedLen = Record.getInt16(m);
             if (bindersEncodedLen < 33) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient binders (length=" +
                         bindersEncodedLen + ")");
@@ -159,7 +159,7 @@
             while (bindersReadLength < bindersEncodedLen) {
                 byte[] binder = Record.getBytes8(m);
                 if (binder.length < 32) {
-                    context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                             "Invalid pre_shared_key extension: " +
                             "insufficient binder entry (length=" +
                             binder.length + ")");
@@ -171,7 +171,7 @@
 
         int getIdsEncodedLength() {
             int idEncodedLength = 0;
-            for(PskIdentity curId : identities) {
+            for (PskIdentity curId : identities) {
                 idEncodedLength += curId.getEncodedLength();
             }
 
@@ -194,7 +194,7 @@
             byte[] buffer = new byte[encodedLength];
             ByteBuffer m = ByteBuffer.wrap(buffer);
             Record.putInt16(m, idsEncodedLength);
-            for(PskIdentity curId : identities) {
+            for (PskIdentity curId : identities) {
                 curId.writeEncoded(m);
             }
             Record.putInt16(m, bindersEncodedLength);
@@ -271,7 +271,7 @@
         SHPreSharedKeySpec(HandshakeContext context,
                 ByteBuffer m) throws IOException {
             if (m.remaining() < 2) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Invalid pre_shared_key extension: " +
                         "insufficient selected_identity (length=" +
                         m.remaining() + ")");
@@ -348,21 +348,20 @@
             try {
                 pskSpec = new CHPreSharedKeySpec(shc, buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // The "psk_key_exchange_modes" extension should have been loaded.
             if (!shc.handshakeExtensions.containsKey(
                     SSLExtension.PSK_KEY_EXCHANGE_MODES)) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Client sent PSK but not PSK modes, or the PSK " +
                         "extension is not the last extension");
             }
 
             // error if id and binder lists are not the same length
             if (pskSpec.identities.size() != pskSpec.binders.size()) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "PSK extension has incorrect number of binders");
             }
 
@@ -506,7 +505,7 @@
             SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)
                     shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
             if (chPsk == null || shPsk == null) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Required extensions are unavailable");
             }
 
@@ -533,17 +532,17 @@
             HandshakeHash pskBinderHash, byte[] binder) throws IOException {
         Optional<SecretKey> pskOpt = session.getPreSharedKey();
         if (!pskOpt.isPresent()) {
-            shc.conContext.fatal(Alert.INTERNAL_ERROR,
+            throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Session has no PSK");
         }
         SecretKey psk = pskOpt.get();
 
-        SecretKey binderKey = deriveBinderKey(psk, session);
+        SecretKey binderKey = deriveBinderKey(shc, psk, session);
         byte[] computedBinder =
-                computeBinder(binderKey, session, pskBinderHash);
+                computeBinder(shc, binderKey, session, pskBinderHash);
         if (!Arrays.equals(binder, computedBinder)) {
-            shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
-            "Incorect PSK binder value");
+            throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Incorect PSK binder value");
         }
     }
 
@@ -687,13 +686,14 @@
                     ageMillis + chc.resumingSession.getTicketAgeAdd();
             identities.add(new PskIdentity(chc.pskIdentity, obfuscatedAge));
 
-            SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession);
+            SecretKey binderKey =
+                    deriveBinderKey(chc, psk, chc.resumingSession);
             ClientHelloMessage clientHello = (ClientHelloMessage)message;
             CHPreSharedKeySpec pskPrototype = createPskPrototype(
                 chc.resumingSession.getSuite().hashAlg.hashLength, identities);
             HandshakeHash pskBinderHash = chc.handshakeHash.copy();
 
-            byte[] binder = computeBinder(binderKey, pskBinderHash,
+            byte[] binder = computeBinder(chc, binderKey, pskBinderHash,
                     chc.resumingSession, chc, clientHello, pskPrototype);
 
             List<byte[]> binders = new ArrayList<>();
@@ -717,7 +717,8 @@
         }
     }
 
-    private static byte[] computeBinder(SecretKey binderKey,
+    private static byte[] computeBinder(
+            HandshakeContext context, SecretKey binderKey,
             SSLSessionImpl session,
             HandshakeHash pskBinderHash) throws IOException {
 
@@ -726,10 +727,11 @@
         pskBinderHash.update();
         byte[] digest = pskBinderHash.digest();
 
-        return computeBinder(binderKey, session, digest);
+        return computeBinder(context, binderKey, session, digest);
     }
 
-    private static byte[] computeBinder(SecretKey binderKey,
+    private static byte[] computeBinder(
+            HandshakeContext context, SecretKey binderKey,
             HandshakeHash hash, SSLSessionImpl session,
             HandshakeContext ctx, ClientHello.ClientHelloMessage hello,
             CHPreSharedKeySpec pskPrototype) throws IOException {
@@ -745,10 +747,11 @@
         hash.update();
         byte[] digest = hash.digest();
 
-        return computeBinder(binderKey, session, digest);
+        return computeBinder(context, binderKey, session, digest);
     }
 
-    private static byte[] computeBinder(SecretKey binderKey,
+    private static byte[] computeBinder(HandshakeContext context,
+            SecretKey binderKey,
             SSLSessionImpl session, byte[] digest) throws IOException {
         try {
             CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
@@ -766,15 +769,15 @@
                 hmac.init(finishedKey);
                 return hmac.doFinal(digest);
             } catch (NoSuchAlgorithmException | InvalidKeyException ex) {
-                throw new IOException(ex);
+                throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
             }
         } catch (GeneralSecurityException ex) {
-            throw new IOException(ex);
+            throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
         }
     }
 
-    private static SecretKey deriveBinderKey(SecretKey psk,
-            SSLSessionImpl session) throws IOException {
+    private static SecretKey deriveBinderKey(HandshakeContext context,
+            SecretKey psk, SSLSessionImpl session) throws IOException {
         try {
             CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
             HKDF hkdf = new HKDF(hashAlg.name);
@@ -788,7 +791,7 @@
             return hkdf.expand(earlySecret,
                     hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
         } catch (GeneralSecurityException ex) {
-            throw new IOException(ex);
+            throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
         }
     }
 
@@ -827,7 +830,7 @@
             // Is it a response of the specific request?
             if (!chc.handshakeExtensions.containsKey(
                     SSLExtension.CH_PRE_SHARED_KEY)) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Server sent unexpected pre_shared_key extension");
             }
 
@@ -838,13 +841,13 @@
             }
 
             if (shPsk.selectedIdentity != 0) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Selected identity index is not in correct range.");
             }
 
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine(
-                "Resuming session: ", chc.resumingSession);
+                        "Resuming session: ", chc.resumingSession);
             }
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -201,8 +201,7 @@
             try {
                 spec = new PskKeyExchangeModesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -324,7 +323,7 @@
             SSLExtensionSpec spec =
                 shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
             if (spec != null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "pre_shared_key key extension is offered " +
                         "without a psk_key_exchange_modes extension");
             }
--- a/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -75,7 +75,7 @@
             super(context);
 
             if (m.remaining() < 2) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Invalid RSA ClientKeyExchange message: insufficient data");
             }
 
@@ -167,14 +167,14 @@
             }
 
             if (rsaCredentials == null && x509Credentials == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA credentials negotiated for client key exchange");
             }
 
             PublicKey publicKey = (rsaCredentials != null) ?
                     rsaCredentials.popPublicKey : x509Credentials.popPublicKey;
             if (!publicKey.getAlgorithm().equals("RSA")) {      // unlikely
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not RSA public key for client key exchange");
             }
 
@@ -186,10 +186,8 @@
                 ckem = new RSAClientKeyExchangeMessage(
                         chc, premaster, publicKey);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "Cannot generate RSA premaster secret", gse);
-
-                return null;    // make the compiler happy
             }
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine(
@@ -205,7 +203,7 @@
                     chc.negotiatedCipherSuite.keyExchange,
                     chc.negotiatedProtocol);
             if (ke == null) {   // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@@ -217,7 +215,7 @@
                 SSLTrafficKeyDerivation kd =
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kd == null) {   // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -262,14 +260,14 @@
             }
 
             if (rsaPossession == null && x509Possession == null) {  // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA possessions negotiated for client key exchange");
             }
 
             PrivateKey privateKey = (rsaPossession != null) ?
                     rsaPossession.popPrivateKey : x509Possession.popPrivateKey;
             if (!privateKey.getAlgorithm().equals("RSA")) {     // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Not RSA private key for client key exchange");
             }
 
@@ -287,7 +285,7 @@
                     RSAPremasterSecret.decode(shc, privateKey, ckem.encrypted);
                 shc.handshakeCredentials.add(premaster);
             } catch (GeneralSecurityException gse) {
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Cannot decode RSA premaster secret", gse);
             }
 
@@ -296,7 +294,7 @@
                     shc.negotiatedCipherSuite.keyExchange,
                     shc.negotiatedProtocol);
             if (ke == null) {   // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key exchange type");
             } else {
                 SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
@@ -308,7 +306,7 @@
                 SSLTrafficKeyDerivation kd =
                         SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
                 if (kd == null) {       // unlikely
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             shc.negotiatedProtocol);
                 } else {
--- a/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -274,7 +274,7 @@
             }
 
             if (premaster == null) {
-                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No sufficient RSA key agreement parameters negotiated");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -94,7 +94,7 @@
                 signature = signer.sign();
             } catch (NoSuchAlgorithmException |
                     InvalidKeyException | SignatureException ex) {
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Failed to sign ephemeral RSA parameters", ex);
             }
 
@@ -122,7 +122,7 @@
             }
 
             if (x509Credentials == null) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA credentials negotiated for server key exchange");
             }
 
@@ -133,12 +133,12 @@
                           chc.clientHelloRandom.randomBytes,
                           chc.serverHelloRandom.randomBytes);
                 if (!signer.verify(paramsSignature)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid signature of RSA ServerKeyExchange message");
                 }
             } catch (NoSuchAlgorithmException |
                     InvalidKeyException | SignatureException ex) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Failed to sign ephemeral RSA parameters", ex);
             }
         }
@@ -250,12 +250,12 @@
                 return null;
             } else if (x509Possession == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "No RSA certificate negotiated for server key exchange");
             } else if (!"RSA".equals(
                     x509Possession.popPrivateKey.getAlgorithm())) {
                 // unlikely
-                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                         "No X.509 possession can be used for " +
                         "ephemeral RSA ServerKeyExchange");
             }
@@ -312,15 +312,13 @@
                     new BigInteger(1, skem.exponent));
                 publicKey = (RSAPublicKey)kf.generatePublic(spec);
             } catch (GeneralSecurityException gse) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "Could not generate RSAPublicKey", gse);
-
-                return;     // make the compiler happy
             }
 
             if (!chc.algorithmConstraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
                         "RSA ServerKeyExchange does not comply to " +
                         "algorithm constraints");
             }
@@ -328,7 +326,8 @@
             //
             // update
             //
-            chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));
+            chc.handshakeCredentials.add(
+                    new EphemeralRSACredentials(publicKey));
 
             //
             // produce
--- a/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -185,12 +185,10 @@
                     return null;
                 } else {
                     // terminate the session.
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "insecure renegotiation is not allowed");
                 }
             }
-
-            return null;
         }
     }
 
@@ -226,14 +224,13 @@
             try {
                 spec = new RenegotiationInfoSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             if (!shc.conContext.isNegotiated) {
                 // initial handshaking.
                 if (spec.renegotiatedConnection.length != 0) {
-                    shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Invalid renegotiation_info extension data: not empty");
                 }
                 shc.conContext.secureRenegotiation = true;
@@ -241,14 +238,14 @@
                 if (!shc.conContext.secureRenegotiation) {
                     // Unexpected RI extension for insecure renegotiation,
                     // abort the handshake with a fatal handshake_failure alert.
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "The renegotiation_info is present in a insecure " +
                             "renegotiation");
                 } else {
                     // verify the client_verify_data value
                     if (!Arrays.equals(shc.conContext.clientVerifyData,
                             spec.renegotiatedConnection)) {
-                        shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Invalid renegotiation_info extension data: " +
                             "incorrect verify data in ClientHello");
                     }
@@ -295,7 +292,7 @@
                 }
 
                 if (!HandshakeContext.allowLegacyHelloMessages) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to negotiate the use of secure renegotiation");
                 }   // otherwise, allow legacy hello message
 
@@ -307,7 +304,7 @@
                 shc.conContext.secureRenegotiation = false;
             } else if (shc.conContext.secureRenegotiation) {
                 // Require secure renegotiation, terminate the connection.
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Inconsistent secure renegotiation indication");
             } else {    // renegotiation, not secure
                 if (HandshakeContext.allowUnsafeRenegotiation) {
@@ -320,7 +317,7 @@
                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.fine("Terminate insecure renegotiation");
                     }
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsafe renegotiation is not allowed");
                 }
             }
@@ -430,7 +427,7 @@
             if (requestedSpec == null &&
                     !chc.activeCipherSuites.contains(
                             CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Missing renegotiation_info and SCSV detected in " +
                     "ClientHello");
             }
@@ -440,8 +437,7 @@
             try {
                 spec = new RenegotiationInfoSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
 
@@ -452,7 +448,7 @@
                 // and if it is not, MUST abort the handshake (by sending
                 // a fatal handshake_failure alert). [RFC 5746]
                 if (spec.renegotiatedConnection.length != 0) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "not empty renegotiated_connection");
                 }
@@ -467,7 +463,7 @@
                 int infoLen = chc.conContext.clientVerifyData.length +
                               chc.conContext.serverVerifyData.length;
                 if (spec.renegotiatedConnection.length != infoLen) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "invalid renegotiated_connection length (" +
                         spec.renegotiatedConnection.length + ")");
@@ -476,14 +472,14 @@
                 byte[] cvd = chc.conContext.clientVerifyData;
                 if (!Arrays.equals(spec.renegotiatedConnection,
                         0, cvd.length, cvd, 0, cvd.length)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "unmatched client_verify_data value");
                 }
                 byte[] svd = chc.conContext.serverVerifyData;
                 if (!Arrays.equals(spec.renegotiatedConnection,
                         cvd.length, infoLen, svd, 0, svd.length)) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "unmatched server_verify_data value");
                 }
@@ -516,7 +512,7 @@
             if (requestedSpec == null &&
                     !chc.activeCipherSuites.contains(
                             CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "Missing renegotiation_info and SCSV detected in " +
                     "ClientHello");
             }
@@ -524,7 +520,7 @@
             if (!chc.conContext.isNegotiated) {
                 // initial handshaking.
                 if (!HandshakeContext.allowLegacyHelloMessages) {
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Failed to negotiate the use of secure renegotiation");
                 }   // otherwise, allow legacy hello message
 
@@ -536,7 +532,7 @@
                 chc.conContext.secureRenegotiation = false;
             } else if (chc.conContext.secureRenegotiation) {
                 // Require secure renegotiation, terminate the connection.
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Inconsistent secure renegotiation indication");
             } else {    // renegotiation, not secure
                 if (HandshakeContext.allowUnsafeRenegotiation) {
@@ -549,7 +545,7 @@
                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.fine("Terminate insecure renegotiation");
                     }
-                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Unsafe renegotiation is not allowed");
                 }
             }
--- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java	Wed Dec 19 20:53:30 2018 +0100
@@ -29,8 +29,6 @@
 import java.security.AccessController;
 import java.security.AlgorithmConstraints;
 import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
--- a/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java	Wed Dec 19 20:53:30 2018 +0100
@@ -102,10 +102,10 @@
         try {
             conContext.kickstart();
         } catch (IOException ioe) {
-            conContext.fatal(Alert.HANDSHAKE_FAILURE,
+            throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
                 "Couldn't kickstart handshaking", ioe);
         } catch (Exception ex) {     // including RuntimeException
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Fail to begin handshake", ex);
         }
     }
@@ -137,16 +137,14 @@
                 srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLProtocolException spe) {
             // may be an unexpected handshake message
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
         } catch (IOException ioe) {
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "problem wrapping app data", ioe);
         } catch (Exception ex) {     // including RuntimeException
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Fail to wrap application data", ex);
         }
-
-        return null;    // make compiler happy
     }
 
     private SSLEngineResult writeRecord(
@@ -275,9 +273,9 @@
                 srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLHandshakeException she) {
             // may be record sequence number overflow
-            conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+            throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
         } catch (IOException e) {
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
         }
 
         if (ciphertext == null) {
@@ -444,7 +442,7 @@
                 srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLProtocolException spe) {
             // may be an unexpected handshake message
-            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     spe.getMessage(), spe);
         } catch (IOException ioe) {
             /*
@@ -453,14 +451,12 @@
              * got us into this situation, so report that much back.
              * Our days of consuming are now over anyway.
              */
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                     "problem unwrapping net record", ioe);
         } catch (Exception ex) {     // including RuntimeException
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                 "Fail to unwrap network record", ex);
         }
-
-        return null;    // make compiler happy
     }
 
     private SSLEngineResult readRecord(
@@ -721,7 +717,7 @@
         if (!conContext.isInputCloseNotified &&
             (conContext.isNegotiated || conContext.handshakeContext != null)) {
 
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                     "closing inbound before receiving peer's close_notify");
         }
 
--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java	Wed Dec 19 20:53:30 2018 +0100
@@ -60,7 +60,8 @@
             int extId = Record.getInt16(m);
             int extLen = Record.getInt16(m);
             if (extLen > m.remaining()) {
-                hm.handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw hm.handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER,
                         "Error parsing extension (" + extId +
                         "): no sufficient data");
             }
@@ -86,7 +87,7 @@
                                 "in the ServerHello handshake message");
                     }
                 } else {
-                    hm.handshakeContext.conContext.fatal(
+                    throw hm.handshakeContext.conContext.fatal(
                         Alert.UNSUPPORTED_EXTENSION,
                         "extension (" + extId +
                         ") should not be presented in " + handshakeType.name);
@@ -102,7 +103,7 @@
                     }
 
                     if (extension.handshakeType != handshakeType) {
-                        hm.handshakeContext.conContext.fatal(
+                        throw hm.handshakeContext.conContext.fatal(
                                 Alert.UNSUPPORTED_EXTENSION,
                                 "extension (" + extId + ") should not be " +
                                 "presented in " + handshakeType.name);
--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java	Wed Dec 19 20:53:30 2018 +0100
@@ -402,7 +402,7 @@
                     readHandshakeRecord();
                 }
             } catch (IOException ioe) {
-                conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Couldn't kickstart handshaking", ioe);
             } catch (Exception oe) {    // including RuntimeException
                 handleException(oe);
@@ -608,7 +608,12 @@
             }
         } else {
             if (!conContext.isInboundClosed()) {
-                conContext.inputRecord.close();
+                try (conContext.inputRecord) {
+                    // Try the best to use up the input records and close the
+                    // socket gracefully, without impact the performance too
+                    // much.
+                    appInput.deplete();
+                }
             }
 
             if ((autoClose || !isLayered()) && !super.isInputShutdown()) {
@@ -642,7 +647,7 @@
         if (checkCloseNotify && !conContext.isInputCloseNotified &&
             (conContext.isNegotiated || conContext.handshakeContext != null)) {
 
-            conContext.fatal(Alert.INTERNAL_ERROR,
+            throw conContext.fatal(Alert.INTERNAL_ERROR,
                     "closing inbound before receiving peer's close_notify");
         }
 
@@ -907,6 +912,30 @@
 
             return false;
         }
+
+        /**
+         * Try the best to use up the input records so as to close the
+         * socket gracefully, without impact the performance too much.
+         */
+        private synchronized void deplete() {
+            if (!conContext.isInboundClosed()) {
+                if (!(conContext.inputRecord instanceof SSLSocketInputRecord)) {
+                    return;
+                }
+
+                SSLSocketInputRecord socketInputRecord =
+                        (SSLSocketInputRecord)conContext.inputRecord;
+                try {
+                    socketInputRecord.deplete(
+                        conContext.isNegotiated && (getSoTimeout() > 0));
+                } catch (IOException ioe) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                        SSLLogger.warning(
+                            "input stream close depletion failed", ioe);
+                    }
+                }
+            }
+        }
     }
 
     @Override
@@ -982,9 +1011,9 @@
                 conContext.outputRecord.deliver(b, off, len);
             } catch (SSLHandshakeException she) {
                 // may be record sequence number overflow
-                conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+                throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
             } catch (IOException e) {
-                conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+                throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
             }
 
             // Is the sequence number is nearly overflow, or has the key usage
@@ -1309,7 +1338,8 @@
                 alert = Alert.INTERNAL_ERROR;
             }
         }
-        conContext.fatal(alert, cause);
+
+        throw conContext.fatal(alert, cause);
     }
 
     private Plaintext handleEOF(EOFException eofe) throws IOException {
--- a/src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java	Wed Dec 19 20:53:30 2018 +0100
@@ -463,4 +463,17 @@
 
         return n;
     }
+
+    // Try to use up the input stream without impact the performance too much.
+    void deplete(boolean tryToRead) throws IOException {
+        int remaining = is.available();
+        if (tryToRead && (remaining == 0)) {
+            // try to wait and read one byte if no buffered input
+            is.read();
+        }
+
+        while ((remaining = is.available()) != 0) {
+            is.skip(remaining);
+        }
+    }
 }
--- a/src/java.base/share/classes/sun/security/ssl/SSLTransport.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SSLTransport.java	Wed Dec 19 20:53:30 2018 +0100
@@ -115,7 +115,7 @@
                 }
             }
 
-            context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
+            throw context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
         } catch (BadPaddingException bpe) {
             /*
              * The basic SSLv3 record protection involves (optional)
@@ -126,15 +126,15 @@
             Alert alert = (context.handshakeContext != null) ?
                     Alert.HANDSHAKE_FAILURE :
                     Alert.BAD_RECORD_MAC;
-            context.fatal(alert, bpe);
+            throw context.fatal(alert, bpe);
         } catch (SSLHandshakeException she) {
             // may be record sequence number overflow
-            context.fatal(Alert.HANDSHAKE_FAILURE, she);
+            throw context.fatal(Alert.HANDSHAKE_FAILURE, she);
         } catch (EOFException eofe) {
             // rethrow EOFException, the call will handle it if neede.
             throw eofe;
         } catch (IOException ioe) {
-            context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+            throw context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
         }
 
         if (plaintexts == null || plaintexts.length == 0) {
@@ -191,7 +191,7 @@
                     }
 
                     if (remains > 0) {
-                        context.fatal(Alert.INTERNAL_ERROR,
+                        throw context.fatal(Alert.INTERNAL_ERROR,
                             "no sufficient room in the destination buffers");
                     }
                 }
--- a/src/java.base/share/classes/sun/security/ssl/ServerHello.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHello.java	Wed Dec 19 20:53:30 2018 +0100
@@ -133,7 +133,7 @@
             this.serverVersion = ProtocolVersion.valueOf(major, minor);
             if (this.serverVersion == null) {
                 // The client should only request for known protocol versions.
-                context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Unsupported protocol version: " +
                     ProtocolVersion.nameOf(major, minor));
             }
@@ -143,20 +143,21 @@
             try {
                 sessionId.checkLength(serverVersion.id);
             } catch (SSLProtocolException ex) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+                throw handshakeContext.conContext.fatal(
+                        Alert.ILLEGAL_PARAMETER, ex);
             }
 
             int cipherSuiteId = Record.getInt16(m);
             this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
             if (cipherSuite == null || !context.isNegotiable(cipherSuite)) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Server selected improper ciphersuite " +
                     CipherSuite.nameOf(cipherSuiteId));
             }
 
             this.compressionMethod = m.get();
             if (compressionMethod != 0) {
-                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "compression type not supported, " + compressionMethod);
             }
 
@@ -293,10 +294,8 @@
                 KeyExchangeProperties credentials =
                         chooseCipherSuite(shc, clientHello);
                 if (credentials == null) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "no cipher suites in common");
-
-                    return null;    // make the compiler happy
                 }
                 shc.negotiatedCipherSuite = credentials.cipherSuite;
                 shc.handshakeKeyExchange = credentials.keyExchange;
@@ -374,7 +373,7 @@
                     SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
                 if (kdg == null) {
                     // unlikely
-                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             shc.negotiatedProtocol);
                 } else {
@@ -458,10 +457,8 @@
                 }
             }
 
-            shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "no cipher suites in common");
-
-            return null;    // make the compiler happy.
         }
 
         private static final class KeyExchangeProperties {
@@ -524,9 +521,8 @@
                 // negotiate the cipher suite.
                 CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
                 if (cipherSuite == null) {
-                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                             "no cipher suites in common");
-                    return null;    // make the compiler happy
                 }
                 shc.negotiatedCipherSuite = cipherSuite;
                 shc.handshakeSession.setSuite(cipherSuite);
@@ -592,9 +588,8 @@
             SSLKeyExchange ke = shc.handshakeKeyExchange;
             if (ke == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not negotiated key shares");
-                return null;    // make the compiler happy
             }
 
             SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
@@ -605,10 +600,9 @@
                 SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         shc.negotiatedProtocol);
-                return null;    // make the compiler happy
             }
 
             SSLKeyDerivation kd =
@@ -634,9 +628,15 @@
                         shc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return null;    // make the compiler happy
+            }
+
+            if (readCipher == null) {
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Illegal cipher suite (" + shc.negotiatedCipherSuite +
+                    ") and protocol version (" + shc.negotiatedProtocol +
+                    ")");
             }
 
             shc.baseReadSecret = readSecret;
@@ -662,9 +662,15 @@
                         shc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return null;    //  make the compiler happy
+            }
+
+            if (writeCipher == null) {
+                throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Illegal cipher suite (" + shc.negotiatedCipherSuite +
+                    ") and protocol version (" + shc.negotiatedProtocol +
+                    ")");
             }
 
             shc.baseWriteSecret = writeSecret;
@@ -746,9 +752,8 @@
             CipherSuite cipherSuite =
                     T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
             if (cipherSuite == null) {
-                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "no cipher suites in common for hello retry request");
-                return null;    // make the compiler happy
             }
 
             ServerHelloMessage hhrm = new ServerHelloMessage(shc,
@@ -857,7 +862,7 @@
                         SSLHandshake.HELLO_VERIFY_REQUEST.id);
             }
             if (!chc.handshakeConsumers.isEmpty()) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "No more message expected before ServerHello is processed");
             }
 
@@ -895,14 +900,14 @@
             }
 
             if (!chc.activeProtocols.contains(serverVersion)) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The server selected protocol version " + serverVersion +
                     " is not accepted by client preferences " +
                     chc.activeProtocols);
             }
 
             if (!serverVersion.useTLS13PlusSpec()) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Unexpected HelloRetryRequest for " + serverVersion.name);
             }
 
@@ -947,7 +952,7 @@
             }
 
             if (!chc.activeProtocols.contains(serverVersion)) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The server selected protocol version " + serverVersion +
                     " is not accepted by client preferences " +
                     chc.activeProtocols);
@@ -964,7 +969,7 @@
             }
 
             if (serverHello.serverRandom.isVersionDowngrade(chc)) {
-                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "A potential protocol version downgrade attack");
             }
 
@@ -1007,7 +1012,7 @@
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             ServerHelloMessage serverHello = (ServerHelloMessage)message;
             if (!chc.isNegotiable(serverHello.serverVersion)) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "Server chose " + serverHello.serverVersion +
                     ", but that protocol version is not enabled or " +
                     "not supported by the client.");
@@ -1019,7 +1024,7 @@
                     chc.negotiatedProtocol, chc.negotiatedCipherSuite);
             chc.serverHelloRandom = serverHello.serverRandom;
             if (chc.negotiatedCipherSuite.keyExchange == null) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "TLS 1.2 or prior version does not support the " +
                     "server cipher suite: " + chc.negotiatedCipherSuite.name);
             }
@@ -1045,7 +1050,7 @@
                     // Verify that the session ciphers are unchanged.
                     CipherSuite sessionSuite = chc.resumingSession.getSuite();
                     if (chc.negotiatedCipherSuite != sessionSuite) {
-                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                             "Server returned wrong cipher suite for session");
                     }
 
@@ -1053,7 +1058,7 @@
                     ProtocolVersion sessionVersion =
                             chc.resumingSession.getProtocolVersion();
                     if (chc.negotiatedProtocol != sessionVersion) {
-                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                             "Server resumed with wrong protocol version");
                     }
 
@@ -1072,7 +1077,7 @@
                     }
                     chc.isResumption = false;
                     if (!chc.sslConfig.enableSessionCreation) {
-                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                             "New session creation is disabled");
                     }
                 }
@@ -1091,7 +1096,7 @@
                 }
 
                 if (!chc.sslConfig.enableSessionCreation) {
-                    chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                         "New session creation is disabled");
                 }
                 chc.handshakeSession = new SSLSessionImpl(chc,
@@ -1112,7 +1117,7 @@
                         SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
                 if (kdg == null) {
                     // unlikely
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                             "Not supported key derivation: " +
                             chc.negotiatedProtocol);
                 } else {
@@ -1183,7 +1188,7 @@
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             ServerHelloMessage serverHello = (ServerHelloMessage)message;
             if (serverHello.serverVersion != ProtocolVersion.TLS12) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The ServerHello.legacy_version field is not TLS 1.2");
             }
 
@@ -1208,7 +1213,7 @@
                 }
 
                 if (!chc.sslConfig.enableSessionCreation) {
-                    chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                         "New session creation is disabled");
                 }
                 chc.handshakeSession = new SSLSessionImpl(chc,
@@ -1221,7 +1226,7 @@
                 Optional<SecretKey> psk =
                         chc.resumingSession.consumePreSharedKey();
                 if(!psk.isPresent()) {
-                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                     "No PSK available. Unable to resume.");
                 }
 
@@ -1242,9 +1247,8 @@
             SSLKeyExchange ke = chc.handshakeKeyExchange;
             if (ke == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not negotiated key shares");
-                return;     // make the compiler happy
             }
 
             SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
@@ -1254,10 +1258,9 @@
                 SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
             if (kdg == null) {
                 // unlikely
-                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
                         "Not supported key derivation: " +
                         chc.negotiatedProtocol);
-                return;     // make the compiler happy
             }
 
             SSLKeyDerivation secretKD =
@@ -1284,9 +1287,15 @@
                         chc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return;     // make the compiler happy
+            }
+
+            if (readCipher == null) {
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Illegal cipher suite (" + chc.negotiatedCipherSuite +
+                    ") and protocol version (" + chc.negotiatedProtocol +
+                    ")");
             }
 
             chc.baseReadSecret = readSecret;
@@ -1312,9 +1321,15 @@
                         chc.sslContext.getSecureRandom());
             } catch (GeneralSecurityException gse) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Missing cipher algorithm", gse);
-                return;     //  make the compiler happy
+            }
+
+            if (writeCipher == null) {
+                throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Illegal cipher suite (" + chc.negotiatedCipherSuite +
+                    ") and protocol version (" + chc.negotiatedProtocol +
+                    ")");
             }
 
             chc.baseWriteSecret = writeSecret;
@@ -1376,7 +1391,7 @@
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
             if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
-                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
                     "The HelloRetryRequest.legacy_version is not TLS 1.2");
             }
 
@@ -1406,7 +1421,7 @@
                 chc.initialClientHelloMsg.write(hos);
             } catch (IOException ioe) {
                 // unlikely
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "Failed to construct message hash", ioe);
             }
             chc.handshakeHash.deliver(hos.toByteArray());
--- a/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	Wed Dec 19 20:53:30 2018 +0100
@@ -50,7 +50,7 @@
                 ByteBuffer m) throws IOException {
             super(handshakeContext);
             if (m.hasRemaining()) {
-                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Error parsing ServerHelloDone message: not empty");
             }
         }
--- a/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	Wed Dec 19 20:53:30 2018 +0100
@@ -68,9 +68,8 @@
             }
 
             // not producer defined.
-            shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+            throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No ServerKeyExchange handshake message can be produced.");
-            return null;    // make the compiler happe
         }
     }
 
@@ -107,7 +106,7 @@
             }
 
             // no consumer defined.
-            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+            throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected ServerKeyExchange handshake message.");
         }
     }
--- a/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -295,8 +295,7 @@
             try {
                 spec = new CHServerNamesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -314,7 +313,7 @@
                     }
                 } else {
                     // We do not reject client without SNI extension currently.
-                    shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
+                    throw shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
                             "Unrecognized server name indication");
                 }
             } else {
@@ -483,13 +482,13 @@
             CHServerNamesSpec spec = (CHServerNamesSpec)
                     chc.handshakeExtensions.get(CH_SERVER_NAME);
             if (spec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected ServerHello server_name extension");
             }
 
             // Parse the extension.
             if (buffer.remaining() != 0) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid ServerHello server_name extension");
             }
 
@@ -570,13 +569,13 @@
             CHServerNamesSpec spec = (CHServerNamesSpec)
                     chc.handshakeExtensions.get(CH_SERVER_NAME);
             if (spec == null) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Unexpected EncryptedExtensions server_name extension");
             }
 
             // Parse the extension.
             if (buffer.remaining() != 0) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                     "Invalid EncryptedExtensions server_name extension");
             }
 
--- a/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -238,8 +238,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -329,7 +328,7 @@
             // We may support the server authentication other than X.509
             // certificate later.
             if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
-                shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
                     "No mandatory signature_algorithms extension in the " +
                     "received CertificateRequest handshake message");
             }
@@ -403,10 +402,9 @@
             // handshake message in TLS 1.3.
             if (!shc.sslConfig.isAvailable(
                     SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
-                shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
                         "No available signature_algorithms extension " +
                         "for client certificate authentication");
-                return null;    // make the compiler happy
             }
 
             // Produce the extension.
@@ -454,10 +452,9 @@
             // handshake message in TLS 1.3.
             if (!chc.sslConfig.isAvailable(
                     SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
-                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No available signature_algorithms extension " +
                         "for client certificate authentication");
-                return;     // make the compiler happy
             }
 
             // Parse the extension.
@@ -465,8 +462,7 @@
             try {
                 spec = new SignatureSchemesSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             List<SignatureScheme> knownSignatureSchemes = new LinkedList<>();
@@ -545,7 +541,7 @@
 
             // This is a mandatory extension for CertificateRequest handshake
             // message in TLS 1.3.
-            chc.conContext.fatal(Alert.MISSING_EXTENSION,
+            throw chc.conContext.fatal(Alert.MISSING_EXTENSION,
                     "No mandatory signature_algorithms extension in the " +
                     "received CertificateRequest handshake message");
         }
--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -900,8 +900,7 @@
             try {
                 spec = new SupportedGroupsSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -1024,8 +1023,7 @@
             try {
                 spec = new SupportedGroupsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java	Wed Dec 19 20:53:30 2018 +0100
@@ -225,8 +225,7 @@
             try {
                 spec = new CHSupportedVersionsSpec(buffer);
             } catch (IOException ioe) {
-                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -368,8 +367,7 @@
             try {
                 spec = new SHSupportedVersionsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
@@ -458,8 +456,7 @@
             try {
                 spec = new SHSupportedVersionsSpec(buffer);
             } catch (IOException ioe) {
-                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
-                return;     // fatal() always throws, make the compiler happy.
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
             }
 
             // Update the context.
--- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java	Wed Dec 19 20:53:30 2018 +0100
@@ -148,9 +148,8 @@
 
         ContentType ct = ContentType.valueOf(plaintext.contentType);
         if (ct == null) {
-            fatal(Alert.UNEXPECTED_MESSAGE,
+            throw fatal(Alert.UNEXPECTED_MESSAGE,
                 "Unknown content type: " + plaintext.contentType);
-            return;
         }
 
         switch (ct) {
@@ -164,7 +163,7 @@
                                 protocolVersion.useTLS13PlusSpec()) {
                             handshakeContext = new PostHandshakeContext(this);
                         } else {
-                            fatal(Alert.UNEXPECTED_MESSAGE,
+                            throw fatal(Alert.UNEXPECTED_MESSAGE,
                                     "Unexpected post-handshake message: " +
                                     SSLHandshake.nameOf(type));
                         }
@@ -185,7 +184,7 @@
                 if (consumer != null) {
                     consumer.consume(this, plaintext.fragment);
                 } else {
-                    fatal(Alert.UNEXPECTED_MESSAGE,
+                    throw fatal(Alert.UNEXPECTED_MESSAGE,
                         "Unexpected content: " + plaintext.contentType);
                 }
         }
@@ -250,22 +249,22 @@
         }
     }
 
-    void fatal(Alert alert,
+    SSLException fatal(Alert alert,
             String diagnostic) throws SSLException {
-        fatal(alert, diagnostic, null);
+        return fatal(alert, diagnostic, null);
     }
 
-    void fatal(Alert alert, Throwable cause) throws SSLException {
-        fatal(alert, null, cause);
+    SSLException fatal(Alert alert, Throwable cause) throws SSLException {
+        return fatal(alert, null, cause);
     }
 
-    void fatal(Alert alert,
+    SSLException fatal(Alert alert,
             String diagnostic, Throwable cause) throws SSLException {
-        fatal(alert, diagnostic, false, cause);
+        return fatal(alert, diagnostic, false, cause);
     }
 
     // Note: close_notify is not delivered via fatal() methods.
-    void fatal(Alert alert, String diagnostic,
+    SSLException fatal(Alert alert, String diagnostic,
             boolean recvFatalAlert, Throwable cause) throws SSLException {
         // If we've already shutdown because of an error, there is nothing we
         // can do except rethrow the exception.
@@ -328,6 +327,8 @@
             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                 SSLLogger.warning("Fatal: input record closure failed", ioe);
             }
+
+            closeReason.addSuppressed(ioe);
         }
 
         // invalidate the session
@@ -353,6 +354,8 @@
                     SSLLogger.warning(
                         "Fatal: failed to send fatal alert " + alert, ioe);
                 }
+
+                closeReason.addSuppressed(ioe);
             }
         }
 
@@ -363,6 +366,8 @@
             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                 SSLLogger.warning("Fatal: output record closure failed", ioe);
             }
+
+            closeReason.addSuppressed(ioe);
         }
 
         // terminate the handshake context
@@ -377,6 +382,8 @@
             if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                 SSLLogger.warning("Fatal: transport closure failed", ioe);
             }
+
+            closeReason.addSuppressed(ioe);
         } finally {
             isBroken = true;
         }
--- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java	Wed Dec 19 20:53:30 2018 +0100
@@ -28,8 +28,6 @@
 import java.io.IOException;
 import java.security.*;
 import java.security.spec.*;
-import sun.security.util.ObjectIdentifier;
-import sun.security.x509.AlgorithmId;
 import sun.security.rsa.RSAUtil;
 
 /**
@@ -86,13 +84,12 @@
     // specified Signature object as signature parameters.
     public static void specialSetParameter(Signature sig, byte[] paramBytes)
             throws InvalidAlgorithmParameterException, ProviderException {
-
-        AlgorithmParameters params = null;
         if (paramBytes != null) {
             String sigName = sig.getAlgorithm();
-            params = createAlgorithmParameters(sigName, paramBytes);
+            AlgorithmParameters params =
+                createAlgorithmParameters(sigName, paramBytes);
+            specialSetParameter(sig, params);
         }
-        specialSetParameter(sig, params);
     }
 
     // Special method for setting the specified AlgorithmParameter object
@@ -100,16 +97,9 @@
     public static void specialSetParameter(Signature sig,
             AlgorithmParameters params)
             throws InvalidAlgorithmParameterException, ProviderException {
-
-        String sigName = sig.getAlgorithm();
         if (params != null) {
+            String sigName = sig.getAlgorithm();
             sig.setParameter(getParamSpec(sigName, params));
-        } else {
-            try {
-                sig.setParameter(null);
-            } catch (UnsupportedOperationException e) {
-                // ignore for maintaining backward compatibility
-            }
         }
     }
 }
--- a/src/java.base/share/native/libjava/AccessController.c	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/share/native/libjava/AccessController.c	Wed Dec 19 20:53:30 2018 +0100
@@ -59,3 +59,12 @@
 {
     return JVM_GetInheritedAccessControlContext(env, this);
 }
+
+JNIEXPORT void JNICALL
+Java_java_security_AccessController_ensureMaterializedForStackWalk(
+                                                              JNIEnv *env,
+                                                              jclass cls,
+                                                              jobject value)
+{
+    JVM_EnsureMaterializedForStackWalk(env, value);
+}
--- a/src/java.base/unix/native/libjsig/jsig.c	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/unix/native/libjsig/jsig.c	Wed Dec 19 20:53:30 2018 +0100
@@ -5,7 +5,9 @@
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
  *
  * This code is distributed in the hope that it will be useful, but WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
--- a/src/java.base/unix/native/libnet/net_util_md.c	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.base/unix/native/libnet/net_util_md.c	Wed Dec 19 20:53:30 2018 +0100
@@ -803,12 +803,8 @@
 
 #ifdef __linux__
         /*
-         * On Linux if we are connecting to a
-         *
-         *   - link-local address
-         *   - multicast interface-local or link-local address
-         *
-         * we need to specify the interface in the scope_id.
+         * On Linux if we are connecting to a link-local address
+         * we need to specify the interface in the scope_id (2.4 kernel only)
          *
          * If the scope was cached then we use the cached value. If not cached but
          * specified in the Inet6Address we use that, but we first check if the
@@ -818,9 +814,7 @@
          * we try to determine a value from the routing table. In all these
          * cases the used value is cached for further use.
          */
-        if (IN6_IS_ADDR_LINKLOCAL(&sa->sa6.sin6_addr)
-            || IN6_IS_ADDR_MC_NODELOCAL(&sa->sa6.sin6_addr)
-            || IN6_IS_ADDR_MC_LINKLOCAL(&sa->sa6.sin6_addr)) {
+        if (IN6_IS_ADDR_LINKLOCAL(&sa->sa6.sin6_addr)) {
             unsigned int cached_scope_id = 0, scope_id = 0;
 
             if (ia6_cachedscopeidID) {
--- a/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java	Wed Dec 19 20:53:30 2018 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -182,7 +182,7 @@
      * <p>It is determined as follows:
      *
      * when this class is initialized, the system property
-     * <code>javax.smartcardio.TerminalFactory.DefaultType</code>
+     * {@systemProperty javax.smartcardio.TerminalFactory.DefaultType}
      * is examined. If it is set, a TerminalFactory of this type is
      * instantiated by calling the {@linkplain #getInstance
      * getInstance(String,Object)} method passing
--- a/src/jdk.aot/share/classes/jdk.tools.jaotc/src/jdk/tools/jaotc/Main.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/jdk.aot/share/classes/jdk.tools.jaotc/src/jdk/tools/jaotc/Main.java	Wed Dec 19 20:53:30 2018 +0100
@@ -29,11 +29,18 @@
 import static org.graalvm.compiler.core.common.GraalOptions.ImmutableCode;
 import static org.graalvm.compiler.hotspot.meta.HotSpotAOTProfilingPlugin.Options.TieredAOT;
 
+import java.io.IOException;
 import java.io.PrintWriter;
 import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.ListIterator;
 import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.stream.Stream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 
 import org.graalvm.compiler.api.replacements.SnippetReflectionProvider;
 import org.graalvm.compiler.api.runtime.GraalJVMCICompiler;
@@ -78,10 +85,33 @@
 
     public static void main(String[] args) throws Exception {
         Main t = new Main();
-        final int exitCode = t.run(args);
+        final int exitCode = t.run(parse(args));
         System.exit(exitCode);
     }
 
+    /**
+     * Expands '@file' in command line arguments by replacing '@file' with the content of 'file'
+     * parsed by StringTokenizer. '@' character can be quoted as '@@'.
+     */
+    private static String[] parse(String[] args) throws IOException {
+        List<String> result = new ArrayList<>();
+        for (String arg : args) {
+            if (arg.length() > 1 && arg.charAt(0) == '@') {
+                String v = arg.substring(1);
+                if (v.charAt(0) == '@') {
+                    result.add(v);
+                } else {
+                    try (Stream<String> file = Files.lines(Paths.get(v))) {
+                        file.map(StringTokenizer::new).map(Collections::list).flatMap(l -> l.stream().map(o -> (String) o)).forEachOrdered(result::add);
+                    }
+                }
+            } else {
+                result.add(arg);
+            }
+        }
+        return result.toArray(String[]::new);
+    }
+
     private int run(String[] args) {
         log = new PrintWriter(System.out);
         printer = new LogPrinter(this, log);
--- a/src/jdk.jshell/share/classes/jdk/internal/jshell/tool/resources/l10n.properties	Wed Dec 19 11:44:57 2018 -0800
+++ b/src/jdk.jshell/share/classes/jdk/internal/jshell/tool/resources/l10n.properties	Wed Dec 19 20:53:30 2018 +0100
@@ -187,12 +187,12 @@
 jshell.console.resolvable = \nThe identifier is resolvable in this context.
 jshell.console.no.candidate = \nNo candidate fully qualified names found to import.
 jshell.console.incomplete = \nResults may be incomplete; try again later for complete results.
-jshell.console.erroneous = \nIncomplete or erroneous. A single valid expression or statement must proceed Shift-<tab> m.
-jshell.console.exprstmt = \nA single valid expression or statement must proceed Shift-<tab> m.
-jshell.console.empty = \nEmpty entry. A single valid expression or statement must proceed Shift-<tab> m..
+jshell.console.erroneous = \nIncomplete or erroneous. A single valid expression or statement must precede Shift+Tab m.
+jshell.console.exprstmt = \nA single valid expression or statement must precede Shift+Tab m.
+jshell.console.empty = \nEmpty entry. A single valid expression or statement must precede Shift+Tab m.
 
 jshell.fix.wrong.shortcut =\
-Unexpected character after Shift-Tab.\n\
+Unexpected character after Shift+Tab.\n\
 Use "i" for auto-import, "v" for variable creation, or "m" for method creation.\n\
 For more information see:\n\
    /help shortcuts
@@ -579,92 +579,92 @@
 This support is similar to readline/editline with simple emacs-like bindings.\n\
 There are also jshell tool specific key sequences.\n\
 \n\
---- Line and history navigation ---\n\
-\n\
-Return\n\t\
-  Enters the current snippet\n\
-Left-arrow or Ctrl+B\n\t\
-  Moves backward one character\n\
-Right-arrow or Ctrl+F\n\t\
-  Moves forward one character\n\
-Up-arrow or Ctrl+P\n\t\
-  Moves up one line, backward through history\n\
-Down arrow or Ctrl+N\n\t\
-  Moves down one line, forward through history\n\
-Ctrl+A\n\t\
-  Moves to the beginning of the line\n\
-Ctrl+E\n\t\
-  Moves to the end of the line\n\
-Meta+B\n\t\
-  Moves backward one word\n\
-Meta+F\n\t\
-  Moves forward one word\n\
-Ctrl+R\n\t\
+Line and history navigation:\n\
+\n\t\
+Return\n\t\t\
+  Enters the current snippet\n\t\
+Left-arrow or Ctrl+B\n\t\t\
+  Moves backward one character\n\t\
+Right-arrow or Ctrl+F\n\t\t\
+  Moves forward one character\n\t\
+Up-arrow or Ctrl+P\n\t\t\
+  Moves up one line, backward through history\n\t\
+Down arrow or Ctrl+N\n\t\t\
+  Moves down one line, forward through history\n\t\
+Ctrl+A\n\t\t\
+  Moves to the beginning of the line\n\t\
+Ctrl+E\n\t\t\
+  Moves to the end of the line\n\t\
+Meta+B\n\t\t\
+  Moves backward one word\n\t\
+Meta+F\n\t\t\
+  Moves forward one word\n\t\
+Ctrl+R\n\t\t\
   Search backward through history\n\
 \n\
 \n\
---- Line and history basic editing ---\n\
-\n\
-Meta+Return or Ctrl+Return (depending on platform)\n\t\
-  Insert a new line in snippet\n\
-Ctrl+_ (underscore may require shift key) or Ctrl+X then Ctrl+U\n\t\
-  Undo edit - repeat to undo more edits\n\
-Delete\n\t\
-  Deletes the character at or after the cursor, depending on the operating system\n\
-Backspace\n\t\
-  Deletes the character before the cursor\n\
-Ctrl+K\n\t\
-  Deletes the text from the cursor to the end of the line\n\
-Meta+D\n\t\
-  Deletes the text from the cursor to the end of the word\n\
-Ctrl+W\n\t\
-  Deletes the text from the cursor to the previous white space\n\
-Ctrl+Y\n\t\
-  Pastes the most recently deleted text into the line\n\
-Meta+Y\n\t\
-  After Ctrl+Y, Meta+Y cycles through previously deleted text\n\
-Ctrl+X then Ctrl+K\n\t\
+Line and history basic editing:\n\
+\n\t\
+Meta+Return or Ctrl+Return (depending on platform)\n\t\t\
+  Insert a new line in snippet\n\t\
+Ctrl+_ (underscore may require the Shift key) or Ctrl+X then Ctrl+U\n\t\t\
+  Undo edit - repeat to undo more edits\n\t\
+Delete\n\t\t\
+  Deletes the character at or after the cursor, depending on the operating system\n\t\
+Backspace\n\t\t\
+  Deletes the character before the cursor\n\t\
+Ctrl+K\n\t\t\
+  Deletes the text from the cursor to the end of the line\n\t\
+Meta+D\n\t\t\
+  Deletes the text from the cursor to the end of the word\n\t\
+Ctrl+W\n\t\t\
+  Deletes the text from the cursor to the previous white space\n\t\
+Ctrl+Y\n\t\t\
+  Pastes the most recently deleted text into the line\n\t\
+Meta+Y\n\t\t\
+  After Ctrl+Y, Meta+Y cycles through previously deleted text\n\t\
+Ctrl+X then Ctrl+K\n\t\t\
   Delete whole snippet\n\
 \n\
 \n\
---- Shortcuts for jshell tool ---\n\
+Shortcuts for jshell tool:\n\
+\n\t\
+For details, see: /help shortcuts\n\
+\n\t\
+Tab\n\t\t\
+  Complete Java identifier or jshell command\n\t\
+Shift+Tab then v\n\t\t\
+  Convert expression to variable declaration\n\t\
+Shift+Tab then m\n\t\t\
+  Convert statement to method declaration\n\t\
+Shift+Tab then i\n\t\t\
+  Add imports for this identifier\n\t\
 \n\
-For details, see: /help shortcuts\n\
 \n\
-Tab\n\t\
-  Complete Java identifier or jshell command\n\
-Shift+Tab then v\n\t\
-  Convert expression to variable declaration\n\
-Shift+Tab then m\n\t\
-  Convert statement to method declaration\n\
-Shift+Tab then i\n\t\
-  Add imports for this identifier\n\
-\n\
-\n\
---- More line and history editing ---\n\
-\n\
-Ctrl+L\n\t\
-  Clear screen and reprint snippet\n\
-Ctrl+U\n\t\
-  Kill whole line\n\
-Ctrl+T\n\t\
-  Transpose characters\n\
-Ctrl+X then Ctrl+B\n\t\
-  Navigate to matching bracket, parenthesis, ...\n\
-Ctrl+X then =\n\t\
-  Enter show current character position mode\n\
-Ctrl+X then Ctrl+O\n\t\
-  Toggle overwrite characters vs insert characters\n\
-Meta+C\n\t\
-  Capitalize word\n\
-Meta+U\n\t\
-  Convert word to uppercase\n\
-Meta+L\n\t\
-  Convert word to lowercase\n\
-Meta+0 through Meta+9 then key\n\t\
+More line and history editing:\n\
+\n\t\
+Ctrl+L\n\t\t\
+  Clear screen and reprint snippet\n\t\
+Ctrl+U\n\t\t\
+  Kill whole line\n\t\
+Ctrl+T\n\t\t\
+  Transpose characters\n\t\
+Ctrl+X then Ctrl+B\n\t\t\
+  Navigate to matching bracket, parenthesis, ...\n\t\
+Ctrl+X then =\n\t\t\
+  Enter show current character position mode\n\t\
+Ctrl+X then Ctrl+O\n\t\t\
+  Toggle overwrite characters vs insert characters\n\t\
+Meta+C\n\t\t\
+  Capitalize word\n\t\
+Meta+U\n\t\t\
+  Convert word to uppercase\n\t\
+Meta+L\n\t\t\
+  Convert word to lowercase\n\t\
+Meta+0 through Meta+9 then key\n\t\t\
   Repeat the specified number of times\n\
 \n\
-Where, for example, "Ctrl+A" means hold down the control key and press A.\n\
+Where, for example, "Ctrl+A" means hold down the Control key and press A.\n\
 Where "Meta" is "Alt" on many keyboards.\n\
 Line editing support is derived from JLine 3.
 
@@ -672,26 +672,34 @@
 information access, and automatic code generation
 help.shortcuts =\
 Supported shortcuts include:\n\
+\n\t\
+Tab\n\t\t\
+        After entering the first few letters of a Java identifier,\n\t\t\
+        a jshell tool command, or, in some cases, a jshell tool\n\t\t\
+        command argument, press the Tab key to complete the input.\n\t\t\
+        If there is more than one completion, then possible completions\n\t\t\
+        will be shown.\n\t\t\
+        Another Tab will show documentation if available and appropriate.\n\n\t\
+Shift+Tab then v\n\t\t\
+        After a complete expression, hold down the Shift key while\n\t\t\
+        pressing the Tab key, then release and press the "v" key,\n\t\t\
+        the expression will be converted to a variable declaration \n\t\t\
+        whose type is based on the type of the expression.\n\n\t\
+Shift+Tab then m\n\t\t\
+        After a complete expression or statement, hold down the\n\t\t\
+        Shift key while pressing the Tab key, then release and press\n\t\t\
+        the "m" key, the expression or statement will be converted\n\t\t\
+        to a method declaration. If it is an expression, the method\n\t\t\
+        return type will be based on the type of the expression.\n\n\t\
+Shift+Tab then i\n\t\t\
+        After an unresolvable identifier, hold down the Shift key\n\t\t\
+        while pressing the Tab key, then release and press the "i" key,\n\t\t\
+        and the jshell tool will propose possible imports which will\n\t\t\
+        resolve the identifier based on the content of the specified\n\t\t\
+        classpath. Enter the digit corresponding to the desired import,\n\t\t\
+        or press the "0" key to add no imports.\n\
 \n\
-<tab>\n\t\t\
-        After entering the first few letters of a Java identifier,\n\t\t\
-        a jshell tool command, or, in some cases, a jshell tool command argument,\n\t\t\
-        press the <tab> key to complete the input.\n\t\t\
-        If there is more than one completion, then possible completions will be shown.\n\t\t\
-        Will show documentation if available and appropriate.\n\n\
-Shift-<tab> v\n\t\t\
-        After a complete expression, hold down <shift> while pressing <tab>,\n\t\t\
-        then release and press "v", the expression will be converted to\n\t\t\
-        a variable declaration whose type is based on the type of the expression.\n\n\
-Shift-<tab> m\n\t\t\
-        After a complete expression or statement, hold down <shift> while pressing <tab>,\n\t\t\
-        then release and press "m", the expression or statement will be converted to\n\t\t\
-        a method declaration. If an expression, the return type is based on the type\n\t\t\
-        of the expression.\n\n\
-Shift-<tab> i\n\t\t\
-        After an unresolvable identifier, hold down <shift> while pressing <tab>,\n\t\t\
-        then release and press "i", and the jshell tool will propose possible imports\n\t\t\
-        which will resolve the identifier based on the content of the specified classpath.
+For information onother special keys see: /help keys
 
 help.context.summary = a description of the evaluation context options for /env /reload and /reset
 help.context =\
@@ -789,7 +797,7 @@
 Any number of IDs or ID ranges may be used, e.g.:  /3-7 s4 14-16 e2\n\
 See also '/help id'.\n\
 \n\
-Finally, you can search backwards through history by entering ctrl-R followed by the string to search for.
+Finally, you can search backwards through history by entering Ctrl+R followed by the string to search for.
 
 help.set._retain = \
 The '-retain' option saves a setting so that it is used in future sessions.\n\
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/hotspot/jtreg/compiler/aot/cli/jaotc/AtFileTest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @summary check at-file jaotc support
+ * @comment based on CompileClassTest with arguments wrote in 'jaotc.cmd' file
+ * @requires vm.aot
+ * @bug 8215322
+ * @library / /test/lib /testlibrary
+ * @modules java.base/jdk.internal.misc
+ * @build compiler.aot.cli.jaotc.AtFileTest
+ * @run driver ClassFileInstaller compiler.aot.cli.jaotc.data.HelloWorldOne
+ * @run driver compiler.aot.cli.jaotc.AtFileTest
+ */
+
+package compiler.aot.cli.jaotc;
+
+import compiler.aot.cli.jaotc.data.HelloWorldOne;
+import java.io.File;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.Files;
+import java.util.List;
+import jdk.test.lib.Asserts;
+import jdk.test.lib.process.OutputAnalyzer;
+
+public class AtFileTest {
+    public static void main(String[] args) throws Exception {
+        Path file = Paths.get("jatoc.cmd");
+        Files.write(file, List.of("--class-name",
+                JaotcTestHelper.getClassAotCompilationName(HelloWorldOne.class)));
+        OutputAnalyzer oa = JaotcTestHelper.compileLibrary("@" + file.toString());
+        oa.shouldHaveExitValue(0);
+        File compiledLibrary = new File(JaotcTestHelper.DEFAULT_LIB_PATH);
+        Asserts.assertTrue(compiledLibrary.exists(), "Compiled library file missing");
+        Asserts.assertGT(compiledLibrary.length(), 0L, "Unexpected compiled library size");
+        JaotcTestHelper.checkLibraryUsage(HelloWorldOne.class.getName());
+    }
+}
--- a/test/hotspot/jtreg/compiler/c2/cr6340864/TestByteVect.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/c2/cr6340864/TestByteVect.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary Implement vectorization optimizations in hotspot-server
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.c2.cr6340864.TestByteVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.c2.cr6340864.TestByteVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.c2.cr6340864.TestByteVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.c2.cr6340864.TestByteVect
  */
 
 package compiler.c2.cr6340864;
--- a/test/hotspot/jtreg/compiler/c2/cr6340864/TestDoubleVect.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/c2/cr6340864/TestDoubleVect.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary Implement vectorization optimizations in hotspot-server
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.c2.cr6340864.TestDoubleVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.c2.cr6340864.TestDoubleVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.c2.cr6340864.TestDoubleVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.c2.cr6340864.TestDoubleVect
  */
 
 package compiler.c2.cr6340864;
--- a/test/hotspot/jtreg/compiler/c2/cr6340864/TestFloatVect.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/c2/cr6340864/TestFloatVect.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary Implement vectorization optimizations in hotspot-server
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.c2.cr6340864.TestFloatVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.c2.cr6340864.TestFloatVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.c2.cr6340864.TestFloatVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.c2.cr6340864.TestFloatVect
  */
 
 package compiler.c2.cr6340864;
--- a/test/hotspot/jtreg/compiler/c2/cr6340864/TestIntVect.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/c2/cr6340864/TestIntVect.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary Implement vectorization optimizations in hotspot-server
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.c2.cr6340864.TestIntVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.c2.cr6340864.TestIntVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.c2.cr6340864.TestIntVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.c2.cr6340864.TestIntVect
  */
 
 package compiler.c2.cr6340864;
--- a/test/hotspot/jtreg/compiler/c2/cr6340864/TestLongVect.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/c2/cr6340864/TestLongVect.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary Implement vectorization optimizations in hotspot-server
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.c2.cr6340864.TestLongVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.c2.cr6340864.TestLongVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.c2.cr6340864.TestLongVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.c2.cr6340864.TestLongVect
  */
 
 package compiler.c2.cr6340864;
--- a/test/hotspot/jtreg/compiler/c2/cr6340864/TestShortVect.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/c2/cr6340864/TestShortVect.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary Implement vectorization optimizations in hotspot-server
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.c2.cr6340864.TestShortVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.c2.cr6340864.TestShortVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.c2.cr6340864.TestShortVect
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.c2.cr6340864.TestShortVect
  */
 
 package compiler.c2.cr6340864;
--- a/test/hotspot/jtreg/compiler/codegen/TestCharVect2.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/compiler/codegen/TestCharVect2.java	Wed Dec 19 20:53:30 2018 +0100
@@ -27,6 +27,9 @@
  * @summary incorrect results of char vectors right shift operaiton
  *
  * @run main/othervm/timeout=400 -Xbatch -Xmx128m compiler.codegen.TestCharVect2
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=8 compiler.codegen.TestCharVect2
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=16 compiler.codegen.TestCharVect2
+ * @run main/othervm/timeout=400 -Xbatch -Xmx128m -XX:MaxVectorSize=32 compiler.codegen.TestCharVect2
  */
 
 package compiler.codegen;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/hotspot/jtreg/compiler/loopopts/Test8211698.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8211698
+ * @summary Crash in C2 compiled code during execution of double array heavy processing code
+ *
+ * @run main/othervm -XX:CompileOnly=Test8211698.test Test8211698
+ *
+ */
+
+public class Test8211698 {
+
+    public static void main(String[] args) {
+        Test8211698 issue = new Test8211698();
+        for (int i = 0; i < 10000; i++) {
+            issue.test();
+        }
+    }
+
+    public void test() {
+        int[] iarr1 = new int[888];
+        for (int i = 5; i > 0; i--) {
+            for (int j = 0; j <= i - 1; j++) {
+                int istep = 2 * j - i;
+                int iadj = 0;
+                if (istep < 0) {
+                    iadj = iarr1[-istep];
+                } else {
+                    iadj = iarr1[istep];
+                }
+            }
+        }
+    }
+}
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/hotspot/jtreg/compiler/loopopts/TestSplitIfOpaque1.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8214994
+ * @summary The split-if optimization fails because an unexpected Opaque1 is encountered.
+ * @run main/othervm -XX:+IgnoreUnrecognizedVMOptions -XX:-UseOnStackReplacement -XX:-BackgroundCompilation
+ *                   compiler.loopopts.TestSplitIfOpaque1
+ */
+
+package compiler.loopopts;
+
+public class TestSplitIfOpaque1 {
+
+    static class MyClass {
+        int f;
+        MyClass(int f) {
+            this.f = f;
+        }
+    }
+
+    // The inner loop is found to be a counted loop and a loop limit check
+    // is added by updating the Opaque1 input of the predicate template.
+    // This Opaque1 node is then pushed upwards to before the predicates of
+    // the outer loop and ends up right after the second 'if (b)'.
+    // The split-if optimization kicks in and splits the first predicate of
+    // the outer loop (an "obj != NULL" check) through the 'if (b)' region.
+    // We fail because the region contains an unexpected Opaque1 node.
+    static int test1(boolean b, int limit, MyClass obj) {
+        int res = 0;
+        MyClass notNull = new MyClass(42);
+        if (b) {
+            limit = 100;
+        }
+        if (b) {
+            obj = notNull;
+        }
+        for (int i = 0; i < 1000; ++i) {
+            res += obj.f;
+            for (int j = 0; j <= limit; ++j) {
+                // Empty
+            }
+        }
+        return res;
+    }
+
+    // Same as test1 but triggers slightly different failure mode
+    static int test2(boolean b, int limit, MyClass obj, int[] array) {
+        int res = 0;
+        MyClass notNull = new MyClass(12);
+        if (b) {
+            limit = 100;
+        }
+        if (b) {
+            obj = notNull;
+        }
+        for (int i = 0; i < 1000; ++i) {
+            res += obj.f;
+            for (int j = 0; j <= limit; ++j) {
+                array[j] = j;
+            }
+        }
+        return res;
+    }
+
+    public static void main(String[] args) {
+        MyClass obj = new MyClass(42);
+        int[] array = new int[101];
+        for (int i = 0; i < 20_000; i++) {
+            test1(true, 50, obj);
+            test1(false, 100, obj);
+            test2(true, 50, obj, array);
+            test2(false, 100, obj, array);
+        }
+    }
+}
--- a/test/hotspot/jtreg/serviceability/jvmti/HeapMonitor/MyPackage/HeapMonitorThreadTest.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/hotspot/jtreg/serviceability/jvmti/HeapMonitor/MyPackage/HeapMonitorThreadTest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -30,7 +30,6 @@
  * @summary Verifies the JVMTI Heap Monitor Thread information sanity.
  * @compile HeapMonitorThreadTest.java
  * @run main/othervm/native -Xmx512m -agentlib:HeapMonitorTest MyPackage.HeapMonitorThreadTest
- * @requires vm.gc != "Z"
  */
 
 import java.util.List;
--- a/test/jdk/java/net/MulticastSocket/PromiscuousIPv6.java	Wed Dec 19 11:44:57 2018 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,162 +0,0 @@
-/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- *
-
-/*
- * @test
- * @bug 8210493
- * @requires os.family == "linux"
- * @library /test/lib
- * @build jdk.test.lib.NetworkConfiguration
- *        PromiscuousIPv6
- * @run main PromiscuousIPv6
- */
-import jdk.test.lib.NetworkConfiguration;
-import jtreg.SkippedException;
-
-import java.io.IOException;
-import java.net.DatagramPacket;
-import java.net.DatagramSocket;
-import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.net.MulticastSocket;
-import java.net.SocketTimeoutException;
-
-import static java.lang.System.out;
-
-/*
- * This test was created as a copy of the Promiscuous test and adapted for
- * IPv6 node-local and link-local multicast addresses on Linux.
- */
-public class PromiscuousIPv6 {
-
-    static final int TIMEOUT =  5 * 1000; // 5 secs
-    static int id = 1000;
-
-    static void receive(DatagramSocket mc, boolean datagramExpected, int id)
-            throws IOException
-    {
-        byte[] ba = new byte[100];
-        DatagramPacket p = new DatagramPacket(ba, ba.length);
-        try {
-            mc.receive(p);
-            int recvId = Integer.parseInt(
-                    new String(p.getData(), 0, p.getLength(), "UTF-8"));
-            if (datagramExpected) {
-                if (recvId != id)
-                    throw new RuntimeException("Unexpected id, got " + recvId
-                                                       + ", expected: " + id);
-                out.printf("Received message as expected, %s\n", p.getAddress());
-            } else {
-                throw new RuntimeException("Unexpected message received, "
-                                                   + p.getAddress());
-            }
-        } catch (SocketTimeoutException e) {
-            if (datagramExpected)
-                throw new RuntimeException("Expected message not received, "
-                                                   + e.getMessage());
-            else
-                out.printf("Message not received, as expected\n");
-        }
-    }
-
-    static void test(InetAddress group1, InetAddress group2)
-            throws IOException
-    {
-        try (MulticastSocket mc1 = new MulticastSocket(new InetSocketAddress(group1, 0));
-             MulticastSocket mc2 = new MulticastSocket(new InetSocketAddress(group2, mc1.getLocalPort()));
-             DatagramSocket ds = new DatagramSocket()) {
-
-            final int port = mc1.getLocalPort();
-            out.printf("Using port: %d\n", port);
-
-            mc1.setSoTimeout(TIMEOUT);
-            mc2.setSoTimeout(TIMEOUT);
-            int nextId = id;
-            byte[] msg = Integer.toString(nextId).getBytes("UTF-8");
-            DatagramPacket p = new DatagramPacket(msg, msg.length);
-            p.setAddress(group1);
-            p.setPort(port);
-
-            mc1.joinGroup(group1);
-            out.printf("mc1 joined the MC group: %s\n", group1);
-            mc2.joinGroup(group2);
-            out.printf("mc2 joined the MC group: %s\n", group2);
-
-            out.printf("Sending datagram to: %s/%d\n", group1, port);
-            ds.send(p);
-
-            // the packet should be received by mc1 only
-            receive(mc1, true, nextId);
-            receive(mc2, false, 0);
-
-            nextId = ++id;
-            msg = Integer.toString(nextId).getBytes("UTF-8");
-            p = new DatagramPacket(msg, msg.length);
-            p.setAddress(group2);
-            p.setPort(port);
-
-            out.printf("Sending datagram to: %s/%d\n", group2, port);
-            ds.send(p);
-
-            // the packet should be received by mc2 only
-            receive(mc2, true, nextId);
-            receive(mc1, false, 0);
-
-            mc1.leaveGroup(group1);
-            mc2.leaveGroup(group2);
-        }
-    }
-
-    public static void main(String args[]) throws IOException {
-        String os = System.getProperty("os.name");
-
-        if (!os.equals("Linux")) {
-            throw new SkippedException("This test should be run only on Linux");
-        } else {
-            String osVersion = System.getProperty("os.version");
-            String prefix = "3.10.0";
-            if (osVersion.startsWith(prefix)) {
-                throw new SkippedException(
-                        String.format("The behavior under test is known NOT to work on '%s' kernels", prefix));
-            }
-        }
-
-        NetworkConfiguration.printSystemConfiguration(System.out);
-
-        if (NetworkConfiguration.probe()
-                                .ip6MulticastInterfaces()
-                                .findAny()
-                                .isEmpty()) {
-            throw new SkippedException(
-                    "No IPv6 interfaces that support multicast found");
-        }
-
-        InetAddress interfaceLocal1 = InetAddress.getByName("ff11::2.3.4.5");
-        InetAddress interfaceLocal2 = InetAddress.getByName("ff11::6.7.8.9");
-        test(interfaceLocal1, interfaceLocal2);
-
-        InetAddress linkLocal1 = InetAddress.getByName("ff12::2.3.4.5");
-        InetAddress linkLocal2 = InetAddress.getByName("ff12::6.7.8.9");
-        test(linkLocal1, linkLocal2);
-    }
-}
--- a/test/jdk/java/nio/channels/DatagramChannel/PromiscuousIPv6.java	Wed Dec 19 11:44:57 2018 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,230 +0,0 @@
-/*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- *
-
-/*
- * @test
- * @bug 8210493
- * @requires os.family == "linux"
- * @library /test/lib
- * @build jdk.test.lib.NetworkConfiguration
- *        PromiscuousIPv6
- * @run main PromiscuousIPv6
- * @key randomness
- */
-
-import java.nio.ByteBuffer;
-import java.nio.channels.*;
-import java.net.*;
-import static java.net.StandardProtocolFamily.*;
-import java.util.*;
-import java.io.IOException;
-import java.util.stream.Collectors;
-
-import jdk.test.lib.NetworkConfiguration;
-import jtreg.SkippedException;
-
-/*
- * This test was created as a copy of the Promiscuous test and adapted for
- * IPv6 node-local and link-local multicast addresses on Linux.
- */
-public class PromiscuousIPv6 {
-
-    static final Random rand = new Random();
-
-    static final ProtocolFamily UNSPEC = () -> "UNSPEC";
-
-    /**
-     * Sends a datagram to the given multicast group
-     */
-    static int sendDatagram(NetworkInterface nif,
-                            InetAddress group,
-                            int port)
-            throws IOException
-    {
-        ProtocolFamily family = (group instanceof Inet6Address) ?
-                StandardProtocolFamily.INET6 : StandardProtocolFamily.INET;
-        DatagramChannel dc = DatagramChannel.open(family)
-                .setOption(StandardSocketOptions.IP_MULTICAST_IF, nif);
-        int id = rand.nextInt();
-        byte[] msg = Integer.toString(id).getBytes("UTF-8");
-        ByteBuffer buf = ByteBuffer.wrap(msg);
-        System.out.format("Send message -> group %s (id=0x%x)\n",
-                          group.getHostAddress(), id);
-        dc.send(buf, new InetSocketAddress(group, port));
-        dc.close();
-        return id;
-    }
-
-    /**
-     * Wait (with timeout) for datagram. The {@code datagramExpected}
-     * parameter indicates whether a datagram is expected, and if
-     * {@code true} then {@code id} is the identifier in the payload.
-     */
-    static void receiveDatagram(DatagramChannel dc,
-                                String name,
-                                boolean datagramExpected,
-                                int id)
-            throws IOException
-    {
-        System.out.println("Checking if received by " + name);
-
-        Selector sel = Selector.open();
-        dc.configureBlocking(false);
-        dc.register(sel, SelectionKey.OP_READ);
-        ByteBuffer buf = ByteBuffer.allocateDirect(100);
-
-        try {
-            for (;;) {
-                System.out.println("Waiting to receive message");
-                sel.select(5*1000);
-                SocketAddress sa = dc.receive(buf);
-
-                // no datagram received
-                if (sa == null) {
-                    if (datagramExpected) {
-                        throw new RuntimeException("Expected message not received");
-                    }
-                    System.out.println("No message received (correct)");
-                    return;
-                }
-
-                // datagram received
-
-                InetAddress sender = ((InetSocketAddress)sa).getAddress();
-                buf.flip();
-                byte[] bytes = new byte[buf.remaining()];
-                buf.get(bytes);
-                String s = new String(bytes, "UTF-8");
-                int receivedId = -1;
-                try {
-                    receivedId = Integer.parseInt(s);
-                    System.out.format("Received message from %s (id=0x%x)\n",
-                                      sender, receivedId);
-                } catch (NumberFormatException x) {
-                    System.out.format("Received message from %s (msg=%s)\n", sender, s);
-                }
-
-                if (!datagramExpected) {
-                    if (receivedId == id)
-                        throw new RuntimeException("Message not expected");
-                    System.out.println("Message ignored (has wrong id)");
-                } else {
-                    if (receivedId == id) {
-                        System.out.println("Message expected");
-                        return;
-                    }
-                    System.out.println("Message ignored (wrong sender)");
-                }
-
-                sel.selectedKeys().clear();
-                buf.rewind();
-            }
-        } finally {
-            sel.close();
-        }
-    }
-
-    static void test(ProtocolFamily family,
-                     NetworkInterface nif,
-                     InetAddress group1,
-                     InetAddress group2)
-            throws IOException
-    {
-
-        System.out.format("%nTest family=%s%n", family.name());
-
-        DatagramChannel dc1 = (family == UNSPEC) ?
-                DatagramChannel.open() : DatagramChannel.open(family);
-        DatagramChannel dc2 = (family == UNSPEC) ?
-                DatagramChannel.open() : DatagramChannel.open(family);
-
-        try {
-            dc1.setOption(StandardSocketOptions.SO_REUSEADDR, true);
-            dc2.setOption(StandardSocketOptions.SO_REUSEADDR, true);
-
-            dc1.bind(new InetSocketAddress(group1, 0));
-            int port = dc1.socket().getLocalPort();
-            dc2.bind(new InetSocketAddress(group2, port));
-
-            System.out.format("dc1 joining [%s]:%d @ %s\n",
-                              group1.getHostAddress(), port, nif.getName());
-            System.out.format("dc2 joining [%s]:%d @ %s\n",
-                              group2.getHostAddress(), port, nif.getName());
-
-            dc1.join(group1, nif);
-            dc2.join(group2, nif);
-
-            int id = sendDatagram(nif, group1, port);
-
-            receiveDatagram(dc1, "dc1", true, id);
-            receiveDatagram(dc2, "dc2", false, id);
-
-            id = sendDatagram(nif, group2, port);
-
-            receiveDatagram(dc1, "dc1", false, id);
-            receiveDatagram(dc2, "dc2", true, id);
-
-        } finally {
-            dc1.close();
-            dc2.close();
-        }
-    }
-
-    public static void main(String[] args) throws IOException {
-
-        String os = System.getProperty("os.name");
-
-        if (!os.equals("Linux")) {
-            throw new SkippedException("This test should be run only on Linux");
-        } else {
-            String osVersion = System.getProperty("os.version");
-            String prefix = "3.10.0";
-            if (osVersion.startsWith(prefix)) {
-                throw new SkippedException(
-                        String.format("The behavior under test is known NOT to work on '%s' kernels", prefix));
-            }
-        }
-
-        NetworkConfiguration.printSystemConfiguration(System.out);
-
-        InetAddress interfaceLocal1 = InetAddress.getByName("ff11::2.3.4.5");
-        InetAddress interfaceLocal2 = InetAddress.getByName("ff11::6.7.8.9");
-
-        InetAddress linkLocal1 = InetAddress.getByName("ff12::2.3.4.5");
-        InetAddress linkLocal2 = InetAddress.getByName("ff12::6.7.8.9");
-
-        // get local network configuration to use
-        NetworkConfiguration config = NetworkConfiguration.probe();
-        boolean foundAtLeastOne = false;
-        for (NetworkInterface nif: config.ip6MulticastInterfaces()
-                .collect(Collectors.toList())) {
-            foundAtLeastOne = true;
-            test(INET6, nif, interfaceLocal1, interfaceLocal2);
-            test(INET6, nif, linkLocal1, linkLocal2);
-        }
-        if (!foundAtLeastOne) {
-            throw new SkippedException(
-                    "No IPv6 interfaces that support multicast found");
-        }
-    }
-}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/security/AccessController/DoPriv.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8214583
+ * @summary Check that getContext works after JIT compiler escape analysis.
+ */
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.DomainCombiner;
+import java.security.ProtectionDomain;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.net.URL;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+public class DoPriv {
+
+    static void go(final DomainCombiner dc0, final AccessControlContext co, final int index) throws Exception {
+        final AccessControlContext ci = new AccessControlContext(co, dc0);
+        AccessController.doPrivileged((PrivilegedExceptionAction<Integer>)() -> {
+            AccessControlContext c1 = AccessController.getContext();
+            DomainCombiner dc = c1.getDomainCombiner();
+            if (dc != dc0 || dc == null) {
+                throw new AssertionError("iteration " + index + " " + dc + " != " + dc0);
+            }
+            return 0;
+        }, ci);
+    }
+
+    public static void main(String[] args) throws Exception {
+        final DomainCombiner dc0 = new DomainCombiner() {
+            public ProtectionDomain[] combine(ProtectionDomain[] currentDomains,
+                                            ProtectionDomain[] assignedDomains) {
+                return null;
+            }
+        };
+
+        final AccessControlContext co = AccessController.getContext();
+
+        for (int i = 0; i < 500_000; ++i) {
+            go(dc0, co, i);
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,518 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// Please run in othervm mode.  SunJSSE does not support dynamic system
+// properties, no way to re-use system properties in samevm/agentvm mode.
+//
+
+import java.io.ByteArrayInputStream;
+import java.security.KeyFactory;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+
+/**
+ * SSLContext template to speed up JSSE tests.
+ */
+public interface SSLContextTemplate {
+    /*
+     * Create an instance of SSLContext for client use.
+     */
+    default SSLContext createClientSSLContext() throws Exception {
+        return createSSLContext(trustedCertStrs,
+                endEntityCertStrs, endEntityPrivateKeys,
+                endEntityPrivateKeyAlgs,
+                endEntityPrivateKeyNames,
+                getClientContextParameters());
+    }
+
+    /*
+     * Create an instance of SSLContext for server use.
+     */
+    default SSLContext createServerSSLContext() throws Exception {
+        return createSSLContext(trustedCertStrs,
+                endEntityCertStrs, endEntityPrivateKeys,
+                endEntityPrivateKeyAlgs,
+                endEntityPrivateKeyNames,
+                getServerContextParameters());
+    }
+
+    /*
+     * The parameters used to configure SSLContext.
+     */
+    static final class ContextParameters {
+        final String contextProtocol;
+        final String tmAlgorithm;
+        final String kmAlgorithm;
+
+        ContextParameters(String contextProtocol,
+                String tmAlgorithm, String kmAlgorithm) {
+
+            this.contextProtocol = contextProtocol;
+            this.tmAlgorithm = tmAlgorithm;
+            this.kmAlgorithm = kmAlgorithm;
+        }
+    }
+
+    /*
+     * Get the client side parameters of SSLContext.
+     */
+    default ContextParameters getClientContextParameters() {
+        return new ContextParameters("TLS", "PKIX", "NewSunX509");
+    }
+
+    /*
+     * Get the server side parameters of SSLContext.
+     */
+    default ContextParameters getServerContextParameters() {
+        return new ContextParameters("TLS", "PKIX", "NewSunX509");
+    }
+
+    /*
+     * =======================================
+     * Certificates and keys used in the test.
+     */
+    // Trusted certificates.
+    final static String[] trustedCertStrs = {
+        // SHA256withECDSA, curve prime256v1
+        // Validity
+        //     Not Before: May 22 07:18:16 2018 GMT
+        //     Not After : May 17 07:18:16 2038 GMT
+        // Subject Key Identifier:
+        //     60:CF:BD:73:FF:FA:1A:30:D2:A4:EC:D3:49:71:46:EF:1A:35:A0:86
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBvjCCAWOgAwIBAgIJAIvFG6GbTroCMAoGCCqGSM49BAMCMDsxCzAJBgNVBAYT\n" +
+        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
+        "ZTAeFw0xODA1MjIwNzE4MTZaFw0zODA1MTcwNzE4MTZaMDsxCzAJBgNVBAYTAlVT\n" +
+        "MQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZjZTBZ\n" +
+        "MBMGByqGSM49AgEGCCqGSM49AwEHA0IABBz1WeVb6gM2mh85z3QlvaB/l11b5h0v\n" +
+        "LIzmkC3DKlVukZT+ltH2Eq1oEkpXuf7QmbM0ibrUgtjsWH3mULfmcWmjUDBOMB0G\n" +
+        "A1UdDgQWBBRgz71z//oaMNKk7NNJcUbvGjWghjAfBgNVHSMEGDAWgBRgz71z//oa\n" +
+        "MNKk7NNJcUbvGjWghjAMBgNVHRMEBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQCG\n" +
+        "6wluh1r2/T6L31mZXRKf9JxeSf9pIzoLj+8xQeUChQIhAJ09wAi1kV8yePLh2FD9\n" +
+        "2YEHlSQUAbwwqCDEVB5KxaqP\n" +
+        "-----END CERTIFICATE-----",
+        // -----BEGIN PRIVATE KEY-----
+        // MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg/HcHdoLJCdq3haVd
+        // XZTSKP00YzM3xX97l98vGL/RI1KhRANCAAQc9VnlW+oDNpofOc90Jb2gf5ddW+Yd
+        // LyyM5pAtwypVbpGU/pbR9hKtaBJKV7n+0JmzNIm61ILY7Fh95lC35nFp
+        // -----END PRIVATE KEY-----
+
+        // SHA256withRSA, 2048 bits
+        // Validity
+        //     Not Before: May 22 07:18:16 2018 GMT
+        //     Not After : May 17 07:18:16 2038 GMT
+        // Subject Key Identifier:
+        //     0D:DD:93:C9:FE:4B:BD:35:B7:E8:99:78:90:FB:DB:5A:3D:DB:15:4C
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIDSTCCAjGgAwIBAgIJAI4ZF3iy8zG+MA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\n" +
+        "BAYTAlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2Vy\n" +
+        "aXZjZTAeFw0xODA1MjIwNzE4MTZaFw0zODA1MTcwNzE4MTZaMDsxCzAJBgNVBAYT\n" +
+        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
+        "ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALpMcY7aWieXDEM1/YJf\n" +
+        "JW27b4nRIFZyEYhEloyGsKTuQiiQjc8cqRZFNXe2vwziDB4IyTEl0Hjl5QF6ZaQE\n" +
+        "huPzzwvQm1pv64KrRXrmj3FisQK8B5OWLty9xp6xDqsaMRoyObLK+oIb20T5fSlE\n" +
+        "evmo1vYjnh8CX0Yzx5Gr5ye6YSEHQvYOWEws8ad17OlyToR2KMeC8w4qo6rs59pW\n" +
+        "g7Mxn9vo22ImDzrtAbTbXbCias3xlE0Bp0h5luyf+5U4UgksoL9B9r2oP4GrLNEV\n" +
+        "oJk57t8lwaR0upiv3CnS8LcJELpegZub5ggqLY8ZPYFQPjlK6IzLOm6rXPgZiZ3m\n" +
+        "RL0CAwEAAaNQME4wHQYDVR0OBBYEFA3dk8n+S701t+iZeJD721o92xVMMB8GA1Ud\n" +
+        "IwQYMBaAFA3dk8n+S701t+iZeJD721o92xVMMAwGA1UdEwQFMAMBAf8wDQYJKoZI\n" +
+        "hvcNAQELBQADggEBAJTRC3rKUUhVH07/1+stUungSYgpM08dY4utJq0BDk36BbmO\n" +
+        "0AnLDMbkwFdHEoqF6hQIfpm7SQTmXk0Fss6Eejm8ynYr6+EXiRAsaXOGOBCzF918\n" +
+        "/RuKOzqABfgSU4UBKECLM5bMfQTL60qx+HdbdVIpnikHZOFfmjCDVxoHsGyXc1LW\n" +
+        "Jhkht8IGOgc4PMGvyzTtRFjz01kvrVQZ75aN2E0GQv6dCxaEY0i3ypSzjUWAKqDh\n" +
+        "3e2OLwUSvumcdaxyCdZAOUsN6pDBQ+8VRG7KxnlRlY1SMEk46QgQYLbPDe/+W/yH\n" +
+        "ca4PejicPeh+9xRAwoTpiE2gulfT7Lm+fVM7Ruc=\n" +
+        "-----END CERTIFICATE-----",
+
+        // -----BEGIN PRIVATE KEY-----
+        // MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6THGO2lonlwxD
+        // Nf2CXyVtu2+J0SBWchGIRJaMhrCk7kIokI3PHKkWRTV3tr8M4gweCMkxJdB45eUB
+        // emWkBIbj888L0Jtab+uCq0V65o9xYrECvAeTli7cvcaesQ6rGjEaMjmyyvqCG9tE
+        // +X0pRHr5qNb2I54fAl9GM8eRq+cnumEhB0L2DlhMLPGndezpck6EdijHgvMOKqOq
+        // 7OfaVoOzMZ/b6NtiJg867QG0212womrN8ZRNAadIeZbsn/uVOFIJLKC/Qfa9qD+B
+        // qyzRFaCZOe7fJcGkdLqYr9wp0vC3CRC6XoGbm+YIKi2PGT2BUD45SuiMyzpuq1z4
+        // GYmd5kS9AgMBAAECggEAFHSoU2MuWwJ+2jJnb5U66t2V1bAcuOE1g5zkWvG/G5z9
+        // rq6Qo5kmB8f5ovdx6tw3MGUOklLwnRXBG3RxDJ1iokz3AvkY1clMNsDPlDsUrQKF
+        // JSO4QUBQTPSZhnsyfR8XHSU+qJ8Y+ohMfzpVv95BEoCzebtXdVgxVegBlcEmVHo2
+        // kMmkRN+bYNsr8eb2r+b0EpyumS39ZgKYh09+cFb78y3T6IFMGcVJTP6nlGBFkmA/
+        // 25pYeCF2tSki08qtMJZQAvKfw0Kviibk7ZxRbJqmc7B1yfnOEHP6ftjuvKl2+RP/
+        // +5P5f8CfIP6gtA0LwSzAqQX/hfIKrGV5j0pCqrD0kQKBgQDeNR6Xi4sXVq79lihO
+        // a1bSeV7r8yoQrS8x951uO+ox+UIZ1MsAULadl7zB/P0er92p198I9M/0Jth3KBuS
+        // zj45mucvpiiGvmQlMKMEfNq4nN7WHOu55kufPswQB2mR4J3xmwI+4fM/nl1zc82h
+        // De8JSazRldJXNhfx0RGFPmgzbwKBgQDWoVXrXLbCAn41oVnWB8vwY9wjt92ztDqJ
+        // HMFA/SUohjePep9UDq6ooHyAf/Lz6oE5NgeVpPfTDkgvrCFVKnaWdwALbYoKXT2W
+        // 9FlyJox6eQzrtHAacj3HJooXWuXlphKSizntfxj3LtMR9BmrmRJOfK+SxNOVJzW2
+        // +MowT20EkwKBgHmpB8jdZBgxI7o//m2BI5Y1UZ1KE5vx1kc7VXzHXSBjYqeV9FeF
+        // 2ZZLP9POWh/1Fh4pzTmwIDODGT2UPhSQy0zq3O0fwkyT7WzXRknsuiwd53u/dejg
+        // iEL2NPAJvulZ2+AuiHo5Z99LK8tMeidV46xoJDDUIMgTG+UQHNGhK5gNAoGAZn/S
+        // Cn7SgMC0CWSvBHnguULXZO9wH1wZAFYNLL44OqwuaIUFBh2k578M9kkke7woTmwx
+        // HxQTjmWpr6qimIuY6q6WBN8hJ2Xz/d1fwhYKzIp20zHuv5KDUlJjbFfqpsuy3u1C
+        // kts5zwI7pr1ObRbDGVyOdKcu7HI3QtR5qqyjwaUCgYABo7Wq6oHva/9V34+G3Goh
+        // 63bYGUnRw2l5BD11yhQv8XzGGZFqZVincD8gltNThB0Dc/BI+qu3ky4YdgdZJZ7K
+        // z51GQGtaHEbrHS5caV79yQ8QGY5mUVH3E+VXSxuIqb6pZq2DH4sTAEFHyncddmOH
+        // zoXBInYwRG9KE/Bw5elhUw==
+        // -----END PRIVATE KEY-----
+
+
+        // SHA256withDSA, 2048 bits
+        // Validity
+        //     Not Before: May 22 07:18:18 2018 GMT
+        //     Not After : May 17 07:18:18 2038 GMT
+        // Subject Key Identifier:
+        //     76:66:9E:F7:3B:DD:45:E5:3B:D9:72:3C:3F:F0:54:39:86:31:26:53
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIErjCCBFSgAwIBAgIJAOktYLNCbr02MAsGCWCGSAFlAwQDAjA7MQswCQYDVQQG\n" +
+        "EwJVUzENMAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2\n" +
+        "Y2UwHhcNMTgwNTIyMDcxODE4WhcNMzgwNTE3MDcxODE4WjA7MQswCQYDVQQGEwJV\n" +
+        "UzENMAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2Y2Uw\n" +
+        "ggNHMIICOQYHKoZIzjgEATCCAiwCggEBAO5GyPhSm0ze3LSu+gicdULLj05iOfTL\n" +
+        "UvZQ29sYz41zmqrLBQbdKiHqgJu2Re9sgTb5suLNjF047TOLPnU3jhPtWm2X8Xzi\n" +
+        "VGIcHym/Q/MeZxStt/88seqroI3WOKzIML2GcrishT+lcGrtH36Tf1+ue2Snn3PS\n" +
+        "WyxygNqPjllP5uUjYmFLvAf4QLMldkd/D2VxcwsHjB8y5iUZsXezc/LEhRZS/02m\n" +
+        "ivqlRw3AMkq/OVe/ZtxFWsP0nsfxEGdZuaUFpppGfixxFvymrB3+J51cTt+pZBDq\n" +
+        "D2y0DYfc+88iCs4jwHTfcDIpLb538HBjBj2rEgtQESQmB0ooD/+wsPsCIQC1bYch\n" +
+        "gElNtDYL3FgpLgNSUYp7gIWv9ehaC7LO2z7biQKCAQBitvFOnDkUja8NAF7lDpOV\n" +
+        "b5ipQ8SicBLW3kQamxhyuyxgZyy/PojZ/oPorkqW/T/A0rhnG6MssEpAtdiwVB+c\n" +
+        "rBYGo3bcwmExJhdOJ6dYuKFppPWhCwKMHs9npK+lqBMl8l5j58xlcFeC7ZfGf8GY\n" +
+        "GkhFW0c44vEQhMMbac6ZTTP4mw+1t7xJfmDMlLEyIpTXaAAk8uoVLWzQWnR40sHi\n" +
+        "ybvS0u3JxQkb7/y8tOOZu8qlz/YOS7lQ6UxUGX27Ce1E0+agfPphetoRAlS1cezq\n" +
+        "Wa7r64Ga0nkj1kwkcRqjgTiJx0NwnUXr78VAXFhVF95+O3lfqhvdtEGtkhDGPg7N\n" +
+        "A4IBBgACggEBAMmSHQK0w2i+iqUjOPzn0yNEZrzepLlLeQ1tqtn0xnlv5vBAeefD\n" +
+        "Pm9dd3tZOjufVWP7hhEz8xPobb1CS4e3vuQiv5UBfhdPL3f3l9T7JMAKPH6C9Vve\n" +
+        "OQXE5eGqbjsySbcmseHoYUt1WCSnSda1opX8zchX04e7DhGfE2/L9flpYEoSt8lI\n" +
+        "vMNjgOwvKdW3yvPt1/eBBHYNFG5gWPv/Q5KoyCtHS03uqGm4rNc/wZTIEEfd66C+\n" +
+        "QRaUltjOaHmtwOdDHaNqwhYZSVOip+Mo+TfyzHFREcdHLapo7ZXqbdYkRGxRR3d+\n" +
+        "3DfHaraJO0OKoYlPkr3JMvM/MSGR9AnZOcejUDBOMB0GA1UdDgQWBBR2Zp73O91F\n" +
+        "5TvZcjw/8FQ5hjEmUzAfBgNVHSMEGDAWgBR2Zp73O91F5TvZcjw/8FQ5hjEmUzAM\n" +
+        "BgNVHRMEBTADAQH/MAsGCWCGSAFlAwQDAgNHADBEAiBzriYE41M2y9Hy5ppkL0Qn\n" +
+        "dIlNc8JhXT/PHW7GDtViagIgMko8Qoj9gDGPK3+O9E8DC3wGiiF9CObM4LN387ok\n" +
+        "J+g=\n" +
+        "-----END CERTIFICATE-----"
+        // -----BEGIN PRIVATE KEY-----
+        // MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQDuRsj4UptM3ty0rvoInHVCy49O
+        // Yjn0y1L2UNvbGM+Nc5qqywUG3Soh6oCbtkXvbIE2+bLizYxdOO0ziz51N44T7Vpt
+        // l/F84lRiHB8pv0PzHmcUrbf/PLHqq6CN1jisyDC9hnK4rIU/pXBq7R9+k39frntk
+        // p59z0lsscoDaj45ZT+blI2JhS7wH+ECzJXZHfw9lcXMLB4wfMuYlGbF3s3PyxIUW
+        // Uv9Npor6pUcNwDJKvzlXv2bcRVrD9J7H8RBnWbmlBaaaRn4scRb8pqwd/iedXE7f
+        // qWQQ6g9stA2H3PvPIgrOI8B033AyKS2+d/BwYwY9qxILUBEkJgdKKA//sLD7AiEA
+        // tW2HIYBJTbQ2C9xYKS4DUlGKe4CFr/XoWguyzts+24kCggEAYrbxTpw5FI2vDQBe
+        // 5Q6TlW+YqUPEonAS1t5EGpsYcrssYGcsvz6I2f6D6K5Klv0/wNK4ZxujLLBKQLXY
+        // sFQfnKwWBqN23MJhMSYXTienWLihaaT1oQsCjB7PZ6SvpagTJfJeY+fMZXBXgu2X
+        // xn/BmBpIRVtHOOLxEITDG2nOmU0z+JsPtbe8SX5gzJSxMiKU12gAJPLqFS1s0Fp0
+        // eNLB4sm70tLtycUJG+/8vLTjmbvKpc/2Dku5UOlMVBl9uwntRNPmoHz6YXraEQJU
+        // tXHs6lmu6+uBmtJ5I9ZMJHEao4E4icdDcJ1F6+/FQFxYVRfefjt5X6ob3bRBrZIQ
+        // xj4OzQQjAiEAsceWOM8do4etxp2zgnoNXV8PUUyqWhz1+0srcKV7FR4=
+        // -----END PRIVATE KEY-----
+    };
+
+    // End entity certificate.
+    final static String[] endEntityCertStrs = {
+        // SHA256withECDSA, curve prime256v1
+        // Validity
+        //     Not Before: May 22 07:18:16 2018 GMT
+        //     Not After : May 17 07:18:16 2038 GMT
+        // Authority Key Identifier:
+        //     60:CF:BD:73:FF:FA:1A:30:D2:A4:EC:D3:49:71:46:EF:1A:35:A0:86
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIBqjCCAVCgAwIBAgIJAPLY8qZjgNRAMAoGCCqGSM49BAMCMDsxCzAJBgNVBAYT\n" +
+        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
+        "ZTAeFw0xODA1MjIwNzE4MTZaFw0zODA1MTcwNzE4MTZaMFUxCzAJBgNVBAYTAlVT\n" +
+        "MQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZjZTEY\n" +
+        "MBYGA1UEAwwPUmVncmVzc2lvbiBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD\n" +
+        "QgAEb+9n05qfXnfHUb0xtQJNS4JeSi6IjOfW5NqchvKnfJey9VkJzR7QHLuOESdf\n" +
+        "xlR7q8YIWgih3iWLGfB+wxHiOqMjMCEwHwYDVR0jBBgwFoAUYM+9c//6GjDSpOzT\n" +
+        "SXFG7xo1oIYwCgYIKoZIzj0EAwIDSAAwRQIgWpRegWXMheiD3qFdd8kMdrkLxRbq\n" +
+        "1zj8nQMEwFTUjjQCIQDRIrAjZX+YXHN9b0SoWWLPUq0HmiFIi8RwMnO//wJIGQ==\n" +
+        "-----END CERTIFICATE-----",
+
+        // SHA256withRSA, 2048 bits
+        // Validity
+        //     Not Before: May 22 07:18:16 2018 GMT
+        //     Not After : May 17 07:18:16 2038 GMT
+        // Authority Key Identifier:
+        //     0D:DD:93:C9:FE:4B:BD:35:B7:E8:99:78:90:FB:DB:5A:3D:DB:15:4C
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIDNjCCAh6gAwIBAgIJAO2+yPcFryUTMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\n" +
+        "BAYTAlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2Vy\n" +
+        "aXZjZTAeFw0xODA1MjIwNzE4MTZaFw0zODA1MTcwNzE4MTZaMFUxCzAJBgNVBAYT\n" +
+        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
+        "ZTEYMBYGA1UEAwwPUmVncmVzc2lvbiBUZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC\n" +
+        "AQ8AMIIBCgKCAQEAszfBobWfZIp8AgC6PiWDDavP65mSvgCXUGxACbxVNAfkLhNR\n" +
+        "QOsHriRB3X1Q3nvO9PetC6wKlvE9jlnDDj7D+1j1r1CHO7ms1fq8rfcQYdkanDtu\n" +
+        "4AlHo8v+SSWX16MIXFRYDj2VVHmyPtgbltcg4zGAuwT746FdLI94uXjJjq1IOr/v\n" +
+        "0VIlwE5ORWH5Xc+5Tj+oFWK0E4a4GHDgtKKhn2m72hN56/GkPKGkguP5NRS1qYYV\n" +
+        "/EFkdyQMOV8J1M7HaicSft4OL6eKjTrgo93+kHk+tv0Dc6cpVBnalX3TorG8QI6B\n" +
+        "cHj1XQd78oAlAC+/jF4pc0mwi0un49kdK9gRfQIDAQABoyMwITAfBgNVHSMEGDAW\n" +
+        "gBQN3ZPJ/ku9NbfomXiQ+9taPdsVTDANBgkqhkiG9w0BAQsFAAOCAQEApXS0nKwm\n" +
+        "Kp8gpmO2yG1rpd1+2wBABiMU4JZaTqmma24DQ3RzyS+V2TeRb29dl5oTUEm98uc0\n" +
+        "GPZvhK8z5RFr4YE17dc04nI/VaNDCw4y1NALXGs+AHkjoPjLyGbWpi1S+gfq2sNB\n" +
+        "Ekkjp6COb/cb9yiFXOGVls7UOIjnVZVd0r7KaPFjZhYh82/f4PA/A1SnIKd1+nfH\n" +
+        "2yk7mSJNC7Z3qIVDL8MM/jBVwiC3uNe5GPB2uwhd7k5LGAVN3j4HQQGB0Sz+VC1h\n" +
+        "92oi6xDa+YBva2fvHuCd8P50DDjxmp9CemC7rnZ5j8egj88w14X44Xjb/Fd/ApG9\n" +
+        "e57NnbT7KM+Grw==\n" +
+        "-----END CERTIFICATE-----",
+
+        // SHA256withRSA, curv prime256v1
+        // Validity
+        //     Not Before: May 22 07:18:16 2018 GMT
+        //     Not After : May 21 07:18:16 2028 GMT
+        // Authority Key Identifier:
+        //     0D:DD:93:C9:FE:4B:BD:35:B7:E8:99:78:90:FB:DB:5A:3D:DB:15:4C
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICazCCAVOgAwIBAgIJAO2+yPcFryUUMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\n" +
+        "BAYTAlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2Vy\n" +
+        "aXZjZTAeFw0xODA1MjIwNzE4MTZaFw0yODA1MjEwNzE4MTZaMFUxCzAJBgNVBAYT\n" +
+        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
+        "ZTEYMBYGA1UEAwwPUmVncmVzc2lvbiBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0D\n" +
+        "AQcDQgAE59MERNTlVZ1eeps8Z3Oue5ZkgQdPtD+WIE6tj3PbIKpxGPDxvfNP959A\n" +
+        "yQjEK/ehWQVrCMmNoEkIzY+IIBgB06MjMCEwHwYDVR0jBBgwFoAUDd2Tyf5LvTW3\n" +
+        "6Jl4kPvbWj3bFUwwDQYJKoZIhvcNAQELBQADggEBAFOTVEqs70ykhZiIdrEsF1Ra\n" +
+        "I3B2rLvwXZk52uSltk2/bzVvewA577ZCoxQ1pL7ynkisPfBN1uVYtHjM1VA3RC+4\n" +
+        "+TAK78dnI7otYjWoHp5rvs4l6c/IbOspS290IlNuDUxMErEm5wxIwj+Aukx/1y68\n" +
+        "hOyCvHBLMY2c1LskH1MMBbDuS1aI+lnGpToi+MoYObxGcV458vxuT8+wwV8Fkpvd\n" +
+        "ll8IIFmeNPRv+1E+lXbES6CSNCVaZ/lFhPgdgYKleN7sfspiz50DG4dqafuEAaX5\n" +
+        "xaK1NWXJxTRz0ROH/IUziyuDW6jphrlgit4+3NCzp6vP9hAJQ8Vhcj0n15BKHIQ=\n" +
+        "-----END CERTIFICATE-----",
+
+        // SHA256withDSA, 2048 bits
+        // Validity
+        //     Not Before: May 22 07:18:20 2018 GMT
+        //     Not After : May 17 07:18:20 2038 GMT
+        // Authority Key Identifier:
+        //     76:66:9E:F7:3B:DD:45:E5:3B:D9:72:3C:3F:F0:54:39:86:31:26:53
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIIEnDCCBEGgAwIBAgIJAP/jh1qVhNVjMAsGCWCGSAFlAwQDAjA7MQswCQYDVQQG\n" +
+        "EwJVUzENMAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2\n" +
+        "Y2UwHhcNMTgwNTIyMDcxODIwWhcNMzgwNTE3MDcxODIwWjBVMQswCQYDVQQGEwJV\n" +
+        "UzENMAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2Y2Ux\n" +
+        "GDAWBgNVBAMMD1JlZ3Jlc3Npb24gVGVzdDCCA0cwggI6BgcqhkjOOAQBMIICLQKC\n" +
+        "AQEAmlavgoJrMcjqWRVcDE2dmWAPREgnzQvneEDef68cprDzjSwvOs5QeFyx75ib\n" +
+        "ado1e6jO/rW1prCGWHDD1oA/Tn4Pk3vu0nUxzvl1qATc+aJbpUU5Op0bvp6LbCsQ\n" +
+        "QslV9FeRh7Eb7bP6gpc/kHCBzEgC1VCK7prccXWy+t6SMOHbND3h+UbckfSaUuaV\n" +
+        "sVJNTD1D6GElfRj4Nmz1BGPfSYvKorwNZEU3gXwFgtDoAcGx7tcyClLpDHfqRfw/\n" +
+        "7yiqLyeiP7D4hl5lMNouJWDlAdMFp0FMgS3s9VDFinIcr6VtBWMTG7+4+czHAB+3\n" +
+        "fvrwlqNzhBn3uFHrekN/w8fNxwIhAJo7Sae1za7IMW0Q6hE5B4b+s2B/FaKPoA4E\n" +
+        "jtZu13B9AoIBAQCOZqLMKfvqZWUgT0PQ3QjR7dAFdd06I9Y3+TOQzZk1+j+vw/6E\n" +
+        "X4vFItX4gihb/u5Q9CdmpwhVGi7bvo+7+/IKeTgoQ6f5+PSug7SrWWUQ5sPwaZui\n" +
+        "zXZJ5nTeZDucFc2yFx0wgnjbPwiUxZklOT7xGiOMtzOTa2koCz5KuIBL+/wPKKxm\n" +
+        "ypo9VoY9xfbdU6LMXZv/lpD5XTM9rYHr/vUTNkukvV6Hpm0YMEWhVZKUJiqCqTqG\n" +
+        "XHaleOxSw6uQWB/+TznifcC7gB48UOQjCqOKf5VuwQneJLhlhU/jhRV3xtr+hLZa\n" +
+        "hW1wYhVi8cjLDrZFKlgEQqhB4crnJU0mJY+tA4IBBQACggEAID0ezl00/X8mv7eb\n" +
+        "bzovum1+DEEP7FM57k6HZEG2N3ve4CW+0m9Cd+cWPz8wkZ+M0j/Eqa6F0IdbkXEc\n" +
+        "Q7CuzvUyJ57xQ3L/WCgXsiS+Bh8O4Mz7GwW22CGmHqafbVv+hKBfr8MkskO6GJUt\n" +
+        "SUF/CVLzB4gMIvZMH26tBP2xK+i7FeEK9kT+nGdzQSZBAhFYpEVCBplHZO24/OYq\n" +
+        "1DNoU327nUuXIhmsfA8N0PjiWbIZIjTPwBGr9H0LpATI7DIDNcvRRvtROP+pBU9y\n" +
+        "fuykPkptg9C0rCM9t06bukpOSaEz/2VIQdLE8fHYFA6pHZ6CIc2+5cfvMgTPhcjz\n" +
+        "W2jCt6MjMCEwHwYDVR0jBBgwFoAUdmae9zvdReU72XI8P/BUOYYxJlMwCwYJYIZI\n" +
+        "AWUDBAMCA0gAMEUCIQCeI5fN08b9BpOaHdc3zQNGjp24FOL/RxlBLeBAorswJgIg\n" +
+        "JEZ8DhYxQy1O7mmZ2UIT7op6epWMB4dENjs0qWPmcKo=\n" +
+        "-----END CERTIFICATE-----"
+    };
+
+    // Private key in the format of PKCS#8.
+    final static String[] endEntityPrivateKeys = {
+        //
+        // EC private key related to cert endEntityCertStrs[0].
+        //
+        "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgn5K03bpTLjEtFQRa\n" +
+        "JUtx22gtmGEvvSUSQdimhGthdtihRANCAARv72fTmp9ed8dRvTG1Ak1Lgl5KLoiM\n" +
+        "59bk2pyG8qd8l7L1WQnNHtAcu44RJ1/GVHurxghaCKHeJYsZ8H7DEeI6",
+
+        //
+        // RSA private key related to cert endEntityCertStrs[1].
+        //
+        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzN8GhtZ9kinwC\n" +
+        "ALo+JYMNq8/rmZK+AJdQbEAJvFU0B+QuE1FA6weuJEHdfVDee870960LrAqW8T2O\n" +
+        "WcMOPsP7WPWvUIc7uazV+ryt9xBh2RqcO27gCUejy/5JJZfXowhcVFgOPZVUebI+\n" +
+        "2BuW1yDjMYC7BPvjoV0sj3i5eMmOrUg6v+/RUiXATk5FYfldz7lOP6gVYrQThrgY\n" +
+        "cOC0oqGfabvaE3nr8aQ8oaSC4/k1FLWphhX8QWR3JAw5XwnUzsdqJxJ+3g4vp4qN\n" +
+        "OuCj3f6QeT62/QNzpylUGdqVfdOisbxAjoFwePVdB3vygCUAL7+MXilzSbCLS6fj\n" +
+        "2R0r2BF9AgMBAAECggEASIkPkMCuw4WdTT44IwERus3IOIYOs2IP3BgEDyyvm4B6\n" +
+        "JP/iihDWKfA4zEl1Gqcni1RXMHswSglXra682J4kui02Ov+vzEeJIY37Ibn2YnP5\n" +
+        "ZjRT2s9GtI/S2o4hl8A/mQb2IMViFC+xKehTukhV4j5d6NPKk0XzLR7gcMjnYxwn\n" +
+        "l21fS6D2oM1xRG/di7sL+uLF8EXLRzfiWDNi12uQv4nwtxPKvuKhH6yzHt7YqMH0\n" +
+        "46pmDKDaxV4w1JdycjCb6NrCJOYZygoQobuZqOQ30UZoZsPJrtovkncFr1e+lNcO\n" +
+        "+aWDfOLCtTH046dEQh5oCShyXMybNlry/QHsOtHOwQKBgQDh2iIjs+FPpQy7Z3EX\n" +
+        "DGEvHYqPjrYO9an2KSRr1m9gzRlWYxKY46WmPKwjMerYtra0GP+TBHrgxsfO8tD2\n" +
+        "wUAII6sd1qup0a/Sutgf2JxVilLykd0+Ge4/Cs51tCdJ8EqDV2B6WhTewOY2EGvg\n" +
+        "JiKYkeNwgRX/9M9CFSAMAk0hUQKBgQDLJAartL3DoGUPjYtpJnfgGM23yAGl6G5r\n" +
+        "NSXDn80BiYIC1p0bG3N0xm3yAjqOtJAUj9jZbvDNbCe3GJfLARMr23legX4tRrgZ\n" +
+        "nEdKnAFKAKL01oM+A5/lHdkwaZI9yyv+hgSVdYzUjB8rDmzeVQzo1BT7vXypt2yV\n" +
+        "6O1OnUpCbQKBgA/0rzDChopv6KRcvHqaX0tK1P0rYeVQqb9ATNhpf9jg5Idb3HZ8\n" +
+        "rrk91BNwdVz2G5ZBpdynFl9G69rNAMJOCM4KZw5mmh4XOEq09Ivba8AHU7DbaTv3\n" +
+        "7QL7KnbaUWRB26HHzIMYVh0el6T+KADf8NXCiMTr+bfpfbL3dxoiF3zhAoGAbCJD\n" +
+        "Qse1dBs/cKYCHfkSOsI5T6kx52Tw0jS6Y4X/FOBjyqr/elyEexbdk8PH9Ar931Qr\n" +
+        "NKMvn8oA4iA/PRrXX7M2yi3YQrWwbkGYWYjtzrzEAdzmg+5eARKAeJrZ8/bg9l3U\n" +
+        "ttKaItJsDPlizn8rngy3FsJpR9aSAMK6/+wOiYkCgYEA1tZkI1rD1W9NYZtbI9BE\n" +
+        "qlJVFi2PBOJMKNuWdouPX3HLQ72GJSQff2BFzLTELjweVVJ0SvY4IipzpQOHQOBy\n" +
+        "5qh/p6izXJZh3IHtvwVBjHoEVplg1b2+I5e3jDCfqnwcQw82dW5SxOJMg1h/BD0I\n" +
+        "qAL3go42DYeYhu/WnECMeis=",
+
+        //
+        // EC private key related to cert endEntityCertStrs[2].
+        //
+        "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGVc7hICpmp91jbYe\n" +
+        "nrr8nYHD37RZP3VENY+szuA7WjuhRANCAATn0wRE1OVVnV56mzxnc657lmSBB0+0\n" +
+        "P5YgTq2Pc9sgqnEY8PG980/3n0DJCMQr96FZBWsIyY2gSQjNj4ggGAHT",
+
+        //
+        // DSA private key related to cert endEntityCertStrs[3].
+        //
+        "MIICZQIBADCCAjoGByqGSM44BAEwggItAoIBAQCaVq+CgmsxyOpZFVwMTZ2ZYA9E\n" +
+        "SCfNC+d4QN5/rxymsPONLC86zlB4XLHvmJtp2jV7qM7+tbWmsIZYcMPWgD9Ofg+T\n" +
+        "e+7SdTHO+XWoBNz5olulRTk6nRu+notsKxBCyVX0V5GHsRvts/qClz+QcIHMSALV\n" +
+        "UIrumtxxdbL63pIw4ds0PeH5RtyR9JpS5pWxUk1MPUPoYSV9GPg2bPUEY99Ji8qi\n" +
+        "vA1kRTeBfAWC0OgBwbHu1zIKUukMd+pF/D/vKKovJ6I/sPiGXmUw2i4lYOUB0wWn\n" +
+        "QUyBLez1UMWKchyvpW0FYxMbv7j5zMcAH7d++vCWo3OEGfe4Uet6Q3/Dx83HAiEA\n" +
+        "mjtJp7XNrsgxbRDqETkHhv6zYH8Voo+gDgSO1m7XcH0CggEBAI5moswp++plZSBP\n" +
+        "Q9DdCNHt0AV13Toj1jf5M5DNmTX6P6/D/oRfi8Ui1fiCKFv+7lD0J2anCFUaLtu+\n" +
+        "j7v78gp5OChDp/n49K6DtKtZZRDmw/Bpm6LNdknmdN5kO5wVzbIXHTCCeNs/CJTF\n" +
+        "mSU5PvEaI4y3M5NraSgLPkq4gEv7/A8orGbKmj1Whj3F9t1Tosxdm/+WkPldMz2t\n" +
+        "gev+9RM2S6S9XoembRgwRaFVkpQmKoKpOoZcdqV47FLDq5BYH/5POeJ9wLuAHjxQ\n" +
+        "5CMKo4p/lW7BCd4kuGWFT+OFFXfG2v6EtlqFbXBiFWLxyMsOtkUqWARCqEHhyucl\n" +
+        "TSYlj60EIgIgLfA75+8KcKxdN8mr6gzGjQe7jPFGG42Ejhd7Q2F4wuw="
+        };
+
+    // Private key algorithm of endEntityPrivateKeys.
+    final static String[] endEntityPrivateKeyAlgs = {
+        "EC",
+        "RSA",
+        "EC",
+        "DSA",
+    };
+
+    // Private key names of endEntityPrivateKeys.
+    static final String[] endEntityPrivateKeyNames = {
+        "ecdsa",
+        "rsa",
+        "ec-rsa",
+        "dsa",
+    };
+
+    /*
+     * Create an instance of SSLContext with the specified trust/key materials.
+     */
+    private SSLContext createSSLContext(
+            String[] trustedMaterials,
+            String[] keyMaterialCerts,
+            String[] keyMaterialKeys,
+            String[] keyMaterialKeyAlgs,
+            String[] keyMaterialKeyNames,
+            ContextParameters params) throws Exception {
+
+        KeyStore ts = null;     // trust store
+        KeyStore ks = null;     // key store
+        char passphrase[] = "passphrase".toCharArray();
+
+        // Generate certificate from cert string.
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+        // Import the trused certs.
+        ByteArrayInputStream is;
+        if (trustedMaterials != null && trustedMaterials.length != 0) {
+            ts = KeyStore.getInstance("JKS");
+            ts.load(null, null);
+
+            Certificate[] trustedCert =
+                    new Certificate[trustedMaterials.length];
+            for (int i = 0; i < trustedMaterials.length; i++) {
+                String trustedCertStr = trustedMaterials[i];
+
+                is = new ByteArrayInputStream(trustedCertStr.getBytes());
+                try {
+                    trustedCert[i] = cf.generateCertificate(is);
+                } finally {
+                    is.close();
+                }
+
+                ts.setCertificateEntry("trusted-cert-" + i, trustedCert[i]);
+            }
+        }
+
+        // Import the key materials.
+        //
+        // Note that certification pathes bigger than one are not supported yet.
+        boolean hasKeyMaterials =
+            (keyMaterialCerts != null) && (keyMaterialCerts.length != 0) &&
+            (keyMaterialKeys != null) && (keyMaterialKeys.length != 0) &&
+            (keyMaterialKeyAlgs != null) && (keyMaterialKeyAlgs.length != 0) &&
+            (keyMaterialCerts.length == keyMaterialKeys.length) &&
+            (keyMaterialCerts.length == keyMaterialKeyAlgs.length);
+        if (hasKeyMaterials) {
+            ks = KeyStore.getInstance("JKS");
+            ks.load(null, null);
+
+            for (int i = 0; i < keyMaterialCerts.length; i++) {
+                String keyCertStr = keyMaterialCerts[i];
+
+                // generate the private key.
+                PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec(
+                    Base64.getMimeDecoder().decode(keyMaterialKeys[i]));
+                KeyFactory kf =
+                    KeyFactory.getInstance(keyMaterialKeyAlgs[i]);
+                PrivateKey priKey = kf.generatePrivate(priKeySpec);
+
+                // generate certificate chain
+                is = new ByteArrayInputStream(keyCertStr.getBytes());
+                Certificate keyCert = null;
+                try {
+                    keyCert = cf.generateCertificate(is);
+                } finally {
+                    is.close();
+                }
+
+                Certificate[] chain = new Certificate[] { keyCert };
+
+                // import the key entry.
+                ks.setKeyEntry("cert-" + keyMaterialKeyNames[i],
+                        priKey, passphrase, chain);
+            }
+        }
+
+        // Create an SSLContext object.
+        TrustManagerFactory tmf =
+                TrustManagerFactory.getInstance(params.tmAlgorithm);
+        tmf.init(ts);
+
+        SSLContext context = SSLContext.getInstance(params.contextProtocol);
+        if (hasKeyMaterials && ks != null) {
+            KeyManagerFactory kmf =
+                    KeyManagerFactory.getInstance(params.kmAlgorithm);
+            kmf.init(ks, passphrase);
+
+            context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+        } else {
+            context.init(null, tmf.getTrustManagers(), null);
+        }
+
+        return context;
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/javax/security/auth/Subject/DoAs.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8214583
+ * @summary Check that getSubject works after JIT compiler escape analysis.
+ */
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import javax.security.auth.Subject;
+
+public class DoAs {
+
+    public static void main(String[] args) throws Exception {
+        final Set<String> outer = new HashSet<>(Arrays.asList("Outer"));
+        final Subject subject = new Subject(true, Collections.EMPTY_SET, outer, Collections.EMPTY_SET);
+
+        for (int i = 0; i < 100_000; ++i) {
+            final int index = i;
+            Subject.doAs(subject, (PrivilegedExceptionAction<Integer>)() -> {
+                AccessControlContext c1 = AccessController.getContext();
+                Subject s = Subject.getSubject(c1);
+                if (s != subject) {
+                    throw new AssertionError("outer Oops! " + "iteration " + index + " " + s + " != " + subject);
+                }
+                return 0;
+            });
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/ssl/SSLSocketImpl/SSLExceptionForIOIssue.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,162 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// Please run in othervm mode.  SunJSSE does not support dynamic system
+// properties, no way to re-use system properties in samevm/agentvm mode.
+//
+
+/*
+ * @test
+ * @bug 8214339
+ * @summary SSLSocketImpl erroneously wraps SocketException
+ * @library /javax/net/ssl/templates
+ * @run main/othervm SSLExceptionForIOIssue
+ */
+
+import javax.net.ssl.*;
+import java.io.*;
+import java.net.InetAddress;
+
+public class SSLExceptionForIOIssue implements SSLContextTemplate {
+
+    public static void main(String[] args) throws Exception {
+        System.err.println("===================================");
+        new SSLExceptionForIOIssue().test();
+    }
+
+    private void test() throws Exception {
+        SSLServerSocket listenSocket = null;
+        SSLSocket serverSocket = null;
+        ClientSocket clientSocket = null;
+        try {
+            SSLServerSocketFactory serversocketfactory =
+                    createServerSSLContext().getServerSocketFactory();
+            listenSocket =
+                    (SSLServerSocket)serversocketfactory.createServerSocket(0);
+            listenSocket.setNeedClientAuth(false);
+            listenSocket.setEnableSessionCreation(true);
+            listenSocket.setUseClientMode(false);
+
+            System.err.println("Starting client");
+            clientSocket = new ClientSocket(listenSocket.getLocalPort());
+            clientSocket.start();
+
+            System.err.println("Accepting client requests");
+            serverSocket = (SSLSocket)listenSocket.accept();
+
+            if (!clientSocket.isDone) {
+                System.err.println("Waiting 3 seconds for client ");
+                Thread.sleep(3000);
+            }
+
+            System.err.println("Sending data to client ...");
+            String serverData = "Hi, I am server";
+            BufferedWriter os = new BufferedWriter(
+                    new OutputStreamWriter(serverSocket.getOutputStream()));
+            os.write(serverData, 0, serverData.length());
+            os.newLine();
+            os.flush();
+        } catch (SSLProtocolException | SSLHandshakeException sslhe) {
+            throw sslhe;
+        } catch (SSLException ssle) {
+            // the expected exception, ignore it
+            System.err.println("server exception: " + ssle);
+        } finally {
+            if (listenSocket != null) {
+                listenSocket.close();
+            }
+
+            if (serverSocket != null) {
+                serverSocket.close();
+            }
+        }
+
+        if (clientSocket != null && clientSocket.clientException != null) {
+            throw clientSocket.clientException;
+        }
+    }
+
+
+
+    private class ClientSocket extends Thread{
+        boolean isDone = false;
+        int serverPort = 0;
+        Exception clientException;
+
+        public ClientSocket(int serverPort) {
+            this.serverPort = serverPort;
+        }
+
+        @Override
+        public void run() {
+            SSLSocket clientSocket = null;
+            String clientData = "Hi, I am client";
+            try {
+                System.err.println(
+                        "Connecting to server at port " + serverPort);
+                SSLSocketFactory sslSocketFactory =
+                        createClientSSLContext().getSocketFactory();
+                clientSocket = (SSLSocket)sslSocketFactory.createSocket(
+                        InetAddress.getLocalHost(), serverPort);
+                clientSocket.setSoLinger(true, 3);
+                clientSocket.setSoTimeout(100);
+
+
+                System.err.println("Sending data to server ...");
+
+                BufferedWriter os = new BufferedWriter(
+                        new OutputStreamWriter(clientSocket.getOutputStream()));
+                os.write(clientData, 0, clientData.length());
+                os.newLine();
+                os.flush();
+
+                System.err.println("Reading data from server");
+                BufferedReader is = new BufferedReader(
+                        new InputStreamReader(clientSocket.getInputStream()));
+                String data = is.readLine();
+                System.err.println("Received Data from server: " + data);
+            } catch (SSLProtocolException | SSLHandshakeException sslhe) {
+                clientException = sslhe;
+                System.err.println("unexpected client exception: " + sslhe);
+            } catch (SSLException ssle) {
+                // the expected exception, ignore it
+                System.err.println("expected client exception: " + ssle);
+            } catch (Exception e) {
+                clientException = e;
+                System.err.println("unexpected client exception: " + e);
+            } finally {
+                if (clientSocket != null) {
+                    try {
+                        clientSocket.close();
+                        System.err.println("client socket closed");
+                    } catch (IOException ioe) {
+                        clientException = ioe;
+                    }
+                }
+
+                isDone = true;
+            }
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/ssl/SSLSocketImpl/SSLSocketBruceForceClose.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// Please run in othervm mode.  SunJSSE does not support dynamic system
+// properties, no way to re-use system properties in samevm/agentvm mode.
+//
+
+/*
+ * @test
+ * @bug 8209333
+ * @summary Socket reset issue for TLS 1.3 socket close
+ * @library /javax/net/ssl/templates
+ * @run main/othervm SSLSocketBruceForceClose
+ */
+
+import javax.net.ssl.*;
+import java.io.*;
+import java.net.InetAddress;
+
+public class SSLSocketBruceForceClose implements SSLContextTemplate {
+
+    public static void main(String[] args) throws Exception {
+        for (int i = 0; i<= 10; i++) {
+            System.err.println("===================================");
+            System.err.println("loop " + i);
+            System.err.println("===================================");
+            new SSLSocketBruceForceClose().test();
+        }
+    }
+
+    private void test() throws Exception {
+        SSLServerSocket listenSocket = null;
+        SSLSocket serverSocket = null;
+        ClientSocket clientSocket = null;
+        try {
+            SSLServerSocketFactory serversocketfactory =
+                    createServerSSLContext().getServerSocketFactory();
+            listenSocket =
+                    (SSLServerSocket)serversocketfactory.createServerSocket(0);
+            listenSocket.setNeedClientAuth(false);
+            listenSocket.setEnableSessionCreation(true);
+            listenSocket.setUseClientMode(false);
+
+
+            System.err.println("Starting client");
+            clientSocket = new ClientSocket(listenSocket.getLocalPort());
+            clientSocket.start();
+
+            System.err.println("Accepting client requests");
+            serverSocket = (SSLSocket) listenSocket.accept();
+
+            System.err.println("Reading data from client");
+            BufferedReader serverReader = new BufferedReader(
+                    new InputStreamReader(serverSocket.getInputStream()));
+            String data = serverReader.readLine();
+            System.err.println("Received data from client: " + data);
+
+            System.err.println("Reading more data from client");
+            data = serverReader.readLine();
+            System.err.println("Received data from client: " + data);
+        } finally {
+            if (listenSocket != null) {
+                listenSocket.close();
+            }
+
+            if (serverSocket != null) {
+                serverSocket.close();
+            }
+        }
+
+        if (clientSocket != null && clientSocket.clientException != null) {
+            throw clientSocket.clientException;
+        }
+    }
+
+    private class ClientSocket extends Thread{
+        int serverPort = 0;
+        Exception clientException;
+
+        public ClientSocket(int serverPort) {
+            this.serverPort = serverPort;
+        }
+
+        @Override
+        public void run() {
+            SSLSocket clientSocket = null;
+            String clientData = "Hi, I am client";
+            try {
+                System.err.println(
+                        "Connecting to server at port " + serverPort);
+                SSLSocketFactory sslSocketFactory =
+                        createClientSSLContext().getSocketFactory();
+                clientSocket = (SSLSocket)sslSocketFactory.createSocket(
+                        InetAddress.getLocalHost(), serverPort);
+                clientSocket.setSoLinger(true, 3);
+                clientSocket.setSoTimeout(1000);
+
+
+                System.err.println("Sending data to server ...");
+
+                BufferedWriter os = new BufferedWriter(
+                        new OutputStreamWriter(clientSocket.getOutputStream()));
+                os.write(clientData, 0, clientData.length());
+                os.newLine();
+                os.flush();
+
+                System.err.println("Sending more data to server ...");
+                os.write(clientData, 0, clientData.length());
+                os.newLine();
+                os.flush();
+            } catch (Exception e) {
+                clientException = e;
+            } finally {
+                if (clientSocket != null) {
+                    try{
+                        clientSocket.close();
+                        System.err.println("client socket closed");
+                    } catch (IOException ioe) {
+                        clientException = ioe;
+                    }
+                }
+            }
+        }
+    }
+}
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/ssl/SSLSocketImpl/SSLSocketClose.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,159 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// Please run in othervm mode.  SunJSSE does not support dynamic system
+// properties, no way to re-use system properties in samevm/agentvm mode.
+//
+
+/*
+ * @test
+ * @bug 8209333
+ * @summary Socket reset issue for TLS 1.3 socket close
+ * @library /javax/net/ssl/templates
+ * @run main/othervm SSLSocketClose
+ */
+
+import javax.net.ssl.*;
+import java.io.*;
+import java.net.InetAddress;
+
+public class SSLSocketClose implements SSLContextTemplate {
+
+    public static void main(String[] args) throws Exception {
+        for (int i = 0; i<= 10; i++) {
+            System.err.println("===================================");
+            System.err.println("loop " + i);
+            System.err.println("===================================");
+            new SSLSocketClose().test();
+        }
+    }
+
+    private void test() throws Exception {
+        SSLServerSocket listenSocket = null;
+        SSLSocket serverSocket = null;
+        ClientSocket clientSocket = null;
+        try {
+            SSLServerSocketFactory serversocketfactory =
+                    createServerSSLContext().getServerSocketFactory();
+            listenSocket =
+                    (SSLServerSocket)serversocketfactory.createServerSocket(0);
+            listenSocket.setNeedClientAuth(false);
+            listenSocket.setEnableSessionCreation(true);
+            listenSocket.setUseClientMode(false);
+
+
+            System.err.println("Starting client");
+            clientSocket = new ClientSocket(listenSocket.getLocalPort());
+            clientSocket.start();
+
+            System.err.println("Accepting client requests");
+            serverSocket = (SSLSocket) listenSocket.accept();
+
+            System.err.println("Reading data from client");
+            BufferedReader serverReader = new BufferedReader(
+                    new InputStreamReader(serverSocket.getInputStream()));
+            String data = serverReader.readLine();
+            System.err.println("Received data from client: " + data);
+
+            System.err.println("Sending data to client ...");
+            String serverData = "Hi, I am server";
+            BufferedWriter os = new BufferedWriter(
+                    new OutputStreamWriter(serverSocket.getOutputStream()));
+            os.write(serverData, 0, serverData.length());
+            os.newLine();
+            os.flush();
+
+            System.err.println("Reading more data from client");
+            data = serverReader.readLine();
+            System.err.println("Received data from client: " + data);
+        } finally {
+            if (listenSocket != null) {
+                listenSocket.close();
+            }
+
+            if (serverSocket != null) {
+                serverSocket.close();
+            }
+        }
+
+        if (clientSocket != null && clientSocket.clientException != null) {
+            throw clientSocket.clientException;
+        }
+    }
+
+    private class ClientSocket extends Thread{
+        int serverPort = 0;
+        Exception clientException;
+
+        public ClientSocket(int serverPort) {
+            this.serverPort = serverPort;
+        }
+
+        @Override
+        public void run() {
+            SSLSocket clientSocket = null;
+            String clientData = "Hi, I am client";
+            try {
+                System.err.println(
+                        "Connecting to server at port " + serverPort);
+                SSLSocketFactory sslSocketFactory =
+                        createClientSSLContext().getSocketFactory();
+                clientSocket = (SSLSocket)sslSocketFactory.createSocket(
+                        InetAddress.getLocalHost(), serverPort);
+                clientSocket.setSoLinger(true, 3);
+
+                System.err.println("Sending data to server ...");
+
+                BufferedWriter os = new BufferedWriter(
+                        new OutputStreamWriter(clientSocket.getOutputStream()));
+                os.write(clientData, 0, clientData.length());
+                os.newLine();
+                os.flush();
+
+                System.err.println("Reading data from server");
+                BufferedReader is = new BufferedReader(
+                        new InputStreamReader(clientSocket.getInputStream()));
+                String data = is.readLine();
+                System.err.println("Received Data from server: " + data);
+
+                System.err.println("Sending more data to server ...");
+                os.write(clientData, 0, clientData.length());
+                os.newLine();
+                os.flush();
+            } catch (Exception e) {
+                clientException = e;
+            } finally {
+                if (clientSocket != null) {
+                    try{
+                        clientSocket.close();
+                        System.err.println("client socket closed");
+                    } catch (IOException ioe) {
+                        clientException = ioe;
+                    }
+                }
+            }
+        }
+    }
+}
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/sun/security/util/misc/SetNullSigParams.java	Wed Dec 19 20:53:30 2018 +0100
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8214096
+ * @summary Make sure SignatureUtil can accept null algorithm parameters
+ * @modules java.base/sun.security.util
+ */
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
+import sun.security.util.SignatureUtil;
+
+public class SetNullSigParams {
+
+    public static void main(String[] args) throws Exception {
+        Signature sig = new SpecialSigImpl();
+        SignatureUtil.specialSetParameter(sig, (byte[]) null);
+        SignatureUtil.specialSetParameter(sig, (AlgorithmParameters) null);
+    }
+
+    // Sample Signature impl class which simulates 3rd party provider behavior
+    // and throws NPE when given null algorithm parameters
+    // For max backward-compatibility, sun.security.util.SignatureUtil class
+    // now calls setParameter() only when algorithm parameters is non-null
+    private static class SpecialSigImpl extends Signature {
+        SpecialSigImpl() {
+            super("ANY");
+        }
+        @Override
+        protected void engineInitVerify(PublicKey publicKey)
+                throws InvalidKeyException {}
+        @Override
+        protected void engineInitSign(PrivateKey privateKey)
+                throws InvalidKeyException {}
+        @Override
+        protected void engineUpdate(byte b) throws SignatureException {}
+        @Override
+        protected void engineUpdate(byte[] b, int off, int len)
+                throws SignatureException {}
+        @Override
+        protected byte[] engineSign() throws SignatureException { return null; }
+        @Override
+        protected boolean engineVerify(byte[] sigBytes)
+                throws SignatureException { return false; }
+        @Override
+        protected void engineSetParameter(String param, Object value)
+                throws InvalidParameterException {}
+        @Override
+        protected void engineSetParameter(AlgorithmParameterSpec params)
+                throws InvalidAlgorithmParameterException {
+            if (params == null) throw new NullPointerException("Test Failed");
+        }
+        @Override
+        protected Object engineGetParameter(String param)
+                throws InvalidParameterException { return null; }
+    }
+}
--- a/test/langtools/jdk/jshell/ToolShiftTabTest.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/langtools/jdk/jshell/ToolShiftTabTest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -126,7 +126,7 @@
         doRunTest((inputSink, out) -> {
             inputSink.write("123");
             inputSink.write(FIX + "z");
-            waitOutput(out, "Unexpected character after Shift-Tab");
+            waitOutput(out, "Unexpected character after Shift\\+Tab");
         });
     }
 }
--- a/test/langtools/jdk/jshell/ToolSimpleTest.java	Wed Dec 19 11:44:57 2018 -0800
+++ b/test/langtools/jdk/jshell/ToolSimpleTest.java	Wed Dec 19 20:53:30 2018 +0100
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 8153716 8143955 8151754 8150382 8153920 8156910 8131024 8160089 8153897 8167128 8154513 8170015 8170368 8172102 8172103  8165405 8173073 8173848 8174041 8173916 8174028 8174262 8174797 8177079 8180508 8177466 8172154 8192979 8191842 8198573 8198801 8210596 8210959
+ * @bug 8153716 8143955 8151754 8150382 8153920 8156910 8131024 8160089 8153897 8167128 8154513 8170015 8170368 8172102 8172103  8165405 8173073 8173848 8174041 8173916 8174028 8174262 8174797 8177079 8180508 8177466 8172154 8192979 8191842 8198573 8198801 8210596 8210959 8215099
  * @summary Simple jshell tool tests
  * @modules jdk.compiler/com.sun.tools.javac.api
  *          jdk.compiler/com.sun.tools.javac.main
@@ -448,7 +448,8 @@
         test(
                 (a) -> assertHelp(a, "/?", "/list", "/help", "/exit", "intro"),
                 (a) -> assertHelp(a, "/help", "/list", "/help", "/exit", "intro"),
-                (a) -> assertHelp(a, "/help short", "shortcuts", "<tab>"),
+                (a) -> assertHelp(a, "/help short", "shortcuts", "Tab"),
+                (a) -> assertHelp(a, "/help keys", "line", "Shift", "imports", "history"),
                 (a) -> assertHelp(a, "/? /li", "/list -all", "snippets"),
                 (a) -> assertHelp(a, "/help /set prompt", "optionally contain '%s'", "quoted"),
                 (a) -> assertHelp(a, "/help /help", "/help <command>"),