Java 7 Ships With Severe Bug

Lisandro writes "Lucid Imagination just posted an announcement about a severe bug in the recently released Java 7. Apparently some loops are mis-compiled due to errors in the HotSpot compiler optimizations, which causes programs to fail. This bug affects several Apache projects directly — Apache Lucene Core and Apache Solr have already raised a warning, noting that the bug might be present in Java 6 as well."

Sounds just about right for Oracle.

[Nadaka]

So well known for product "quality"

Re:Sounds just about right for Oracle.

[HarrySquatter]

Yeah because the numerous bugs and security vulnerabilities in the Sun version of the JVM was such great "quality" in itself, right?

Re:Sounds just about right for Oracle.

[Tridus]

Can you name an instance where Sun knew the thing miscompiled loops before release and put it out anyway with no warning to users about the error?

I can't. Sun got stuff wrong sometimes, but this is an incredible level of actively poor judgement from Oracle. Anybody sane would have delayed this release.

Re:Sounds just about right for Oracle.

[lennier1]

Sounds all too familiar.

Just finished a project where several workarounds were needed because a well-known bug in Oracle's own damn JDBC driver hasn't been fixed in over three years.

Re:Sounds just about right for Oracle.

[NoNonAlphaCharsHere]

I know it's unfashionable to RTFA, but this quote might help:

Also Java 6 users are affected, if they use one of those JVM options, which are not enabled by default: -XX:+OptimizeStringConcat or -XX:+AggressiveOpts.

Emphasis in the original. So it looks more like Oracle turned on more aggressive optimizations by default. And if it's such an obvious bug, one would think it would have turned up in the last 29 version 6 releases?

Re:Sounds just about right for Oracle.

[HarrySquatter]

Did you miss the part from the article that this was a bug in the JVM since well before Oracle even took over? Oh right, you probably didn't. Who cares about pesky facts when we can bash Oracle instead.

Re:Sounds just about right for Oracle.

[Nadaka]

Yea... Their most recent JDBC driver is also significantly slower than the previous version and contains a boolean conversion error.

Re:Sounds just about right for Oracle.

[locopuyo]

Oracle is an evil corporation bent on world domination. They deserve it anyways.

Re:Sounds just about right for Oracle.

If I'm not mistaken, mis-compiled loops are patented!

Re:Sounds just about right for Oracle.

Ellison did this on purpose because he's mad at Google, the petulant cuntbag.

Re:Sounds just about right for Oracle.

[dgatwood]

And if it's such an obvious bug, one would think it would have turned up in the last 29 version 6 releases?

No, honestly. This wasn't caught before because nobody used those flags. Oracle decided that these flags should be turned on by default. Therefore, the onus was on Oracle to thoroughly and broadly test these flags before promoting them to be used by default.

I guarantee you'll find some hairy bugs if you enable lots of random, rarely enabled flags in just about any compiler. The difference between a good compiler and a bad compiler is that a good compiler tests flags thoroughly before either enabling any the flags by default or rolling them into a commonly used option. In effect, what Oracle did was to take an obscure, poorly tested code path and promote it into the hot path through their code. This is something that any first-year CS student should know is risky.

The best part of this is that (assuming other Slashdot comments are correct) this occurs in commonly used third-party libraries, and was disclosed to Oracle several days before the release shipped. Where I work, that's what is known as a P1 block-ship bug, and people will be called in to work on it day and night until the problem is resolved, and if necessary, features will get temporarily pulled (e.g. turning that optimization back off by default).

For shame, Oracle.

Re:Sounds just about right for Oracle.

If it's not enabled by default in Java 6, it's probably not used by very many people.

Re:Sounds just about right for Oracle.

[bill_mcgonigle]

So well known for product "quality"

I once had a heck of a time installing an Oracle product for a client. I finally figure out that the install script had a developer's home directory hard-coded into it. When I googled this path, I found an Oracle messageboard thread that had started almost three years earlier on the problem.

I had downloaded the package from Oracle that day.

Re:Sounds just about right for Oracle.

[Smallpond]

It was an Oracle product when they turned on the optimize flags that revealed the bug, were notified of the bug, and decided to ship with the flags on anyway.

If it had been Sun they would have delayed the release, because Java was Sun's poster product. Oracle has either canned or driven away so much talent that they probably have no clue what Java is at this point.

Re:Sounds just about right for Oracle.

Just Let Google fix it -

Re:Sounds just about right for Oracle.

[Plugh]

Accuseth locopuyo:
Oracle is an evil corporation bent on world domination.

Well, I work there, and speaking strictly for myself: No on 1, Yes on 2

Re:Sounds just about right for Oracle.

[jensend]

Nobody used aggressive optimizations? You're off your rocker. I think that's one of the first tweaks people go to when they're trying to tune Java performance. Yes, it wasn't used by the majority of people, but it would have been excusable to think that these options had seen enough testing from those enabling the option to catch any obvious bugs.

Re:Sounds just about right for Oracle.

[Amouth]

exactly - and to top it off according to Apache.. Oracle has put the fix in a timeline to be released on Java 7 update 2.. so something that should never have gone out the door isn't going to be fixed for this or the next update.. that's just stupid.

Re:Sounds just about right for Oracle.

[Applekid]

Nobody used aggressive optimizations? You're off your rocker. I think that's one of the first tweaks people go to when they're trying to tune Java performance. Yes, it wasn't used by the majority of people, but it would have been excusable to think that these options had seen enough testing from those enabling the option to catch any obvious bugs.

Obviously "nobody" is a sweeping generalization, but if someone is tuning Java performance, and it breaks when a particular switch is turned on, the switch is just going to be left off from then on. Maybe they'll turn revert a few other previously changed options, but unless it stops being broken as a result...

Re:Sounds just about right for Oracle.

[idontgno]

I think the distinction between 2 and 1 is generally illusory or propaganda. "World Domination" is generally held to be an evil goal. In fact, the people most interested in making and emphasizing the distinction are the ones in the second category but don't want (for PR or ego reasons) to believe they're in the first.

Re:Sounds just about right for Oracle.

[blair1q]

You'll find bugs in software every time you change software. Hopefully in alpha and regression testing. Or in Beta testing, if you do it old-school and dogfood it instead of pretending that the first release to the public is Beta testing, or just skip it altogether.

Re:Sounds just about right for Oracle.

[MrEricSir]

"Anybody sane would have delayed this release."

The last major version of Java came out in December 2006. If that's not enough of a delay, I don't know what is.

Re:Sounds just about right for Oracle.

[nedlohs]

Obviousness is irrelevant if the part of the article that says:

"""These problems were detected only 5 days before the official Java 7 release, so Oracle had no time to fix those bugs,"""

is accurate then Oracle are way past poor judgement.

You have a bug in your compiler/jvm/whatever which will cause some programs to crash and others to give the wrong output.Do you:

1. Release it anyway and hope no one notices.
2. Release it anyway and warn people about it.
3. Delay the release until it is fixed.
4. Disable that, purely performance related, feature for now.

 

Re:Sounds just about right for Oracle.

Yeah, that's one of the first things any physicist with huge data sets or simulations to grind will head for.

Re:Sounds just about right for Oracle.

[Svartalf]

Ah, but the problem is...Oracle knew about a week before release that this was going on- and did and said nothing about it and shipped it with that problem. Sorry, they're not getting an out just because it was the previous version where it wasn't the default behavior.

Re:Sounds just about right for Oracle.

[Svartalf]

Heh... Yeah, we have one of those severity levels in the tracking system too. Simply put, this shows you just what Oracle thinks about "quality", more than anything else.

Re:Sounds just about right for Oracle.

[Svartalf]

You should do 3 or 4, documenting things in the case of '4'. 1's not acceptable as is 2, really, when you get to brass tacks.

Re:Sounds just about right for Oracle.

[Svartalf]

Did you miss that it doesn't matter that they had it in the JVM before they took over. They turned it on as a default behavior for the release, didn't check that it broke anything, and then shipped it anyway when they found it out 5 days before the ship date .

No company that cares about quality would've EVER done things like this. Seriously. It's called delay ship or back out the default behavior and document the problem with the optimization flag. They knew within enough time to fix it enough to ship without the issue biting people like it's doing.

Re:Sounds just about right for Oracle.

[VGPowerlord]

If I'm not mistaken, mis-compiled loops are patented!

Yes, but by Microsoft, not Google. Since Microsoft consider Google to be Enemy #1, I doubt they'll help Google with it.

Then again, Oracle must be pretty high up on MS's enemy list, so maybe they'll sue over it themselves...

Re:Sounds just about right for Oracle.

[Svartalf]

To Ellison, it's something to strip mine profits from.

Re:Sounds just about right for Oracle.

[Svartalf]

Uh, that's not the point and if you're being honest, you know that to be the case. This is a "showstopper" bug where most other places would've delayed the release a bit further (yes...in addition to the "delay" you refer to...) or back that change out. Seriously.

Re:Sounds just about right for Oracle.

i know for a fact that all swiss moneymachines still use m$ java vm. because of some sun java vm problem (yes, in 2011).

Re:Sounds just about right for Oracle.

The Sun JDK spent the better part of 2008, spanning several JDK6 update releases, crashing eclipse because of bad compilation:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=214092

Frankly, the JVM's reputation for stability isn't really all that well-deserved.

Re:Sounds just about right for Oracle.

[DamonHD]

Remarkable amount of spittle flying in this thread...

I expect most major technical artefacts from javac to SUVs to space ships go out the door with known defects; heck I worked on a major defence project where the ship had to ship without most of its code, with the significant risk of killing innocent passers-by. And 5 days may simply not be enough time to repackage everything for a bug that's going to affect very few people. (Except possibly some loud ones with an axe to grind?)

In fact, back in C/C++ land, building mission-critical and performance-critical apps globally across many OSes and years, I don't think that I encountered ANY release of any compiler (free/commercial/whatever) that didn't have some defects requiring us to turn down optimisation generally or off for some particular files. Because getting numbers wrong is problematic for banks, even worse than getting them slowly, usually.

And BTW, every time I have tried the G1 GC for my key Java app even with the personal help of the relevant Sun/Oracle engineers, it crashes the JVM reliably. Does that mean Java is crap or even G1? Not for most users; mine turns out to be a torture test. I'll stick with CMS for now and try G1 again in a while.

Rgds

Damon

Re:Sounds just about right for Oracle.

[sjames]

It's quite common for more aggressive optimization flags on any compiler to come with warnings that things may break in odd ways. It's even considered acceptable as long as those flags default to off.

It is NOT acceptable to set them on by default in that condition. At no point did Sun violate that, but Oracle just did.

Re:Sounds just about right for Oracle.

[Pieroxy]

Either you're joking, or you just have no idea what you're talking about.

Re:Sounds just about right for Oracle.

There is an update in the article saying it's targeted at Java 7 update 1 now.

Re:Sounds just about right for Oracle.

[hotdog.sk]

An information that appears to be missing in this discussion is, that according to Release notes, they went for option 2.

Re:Sounds just about right for Oracle.

[NateTech]

Name a single large software package that hasn't had at least one major serious screw-up like this in the last few years. The industry's retarded to keep allowing code to be handled as if it weren't real engineering with building codes, inspectors, etc.

Re:Sounds just about right for Oracle.

[cthulhu11]

It probably didn't contain Java, but ILOM 1.0 was horrid beyond belief. I've actually had multiple Sun CSO types admit to me that it was the worst thing they ever released. I'd put ypbind right up there with it, but I'm like that ;)

Re:Sounds just about right for Oracle.

[RockDoctor]

In effect, what Oracle did was to take an obscure, poorly tested code path and promote it into the hot path through their code. This is something that any first-year CS student should know is risky.

Excessive hyperbole is a good way of making an otherwise sound argument sound silly.

I remember when I was a Computing Science first-year student (18+ in my country, but 17+ in the educational system I went to university in). Compiler options beyond input and output files names were not on the agenda. "This is sequential execution" ; "this is a branch" ; "this is a loop" were on the agenda, followed by introduction to some languages (FORTRAN, along with "this is a GOTO ; it is considered dangerous"). By the end of first year we'd moved through some aspects of algorithm design, recursion, and why and how to remove recursion if possible.

Do computing science students these days get so close to particular languages that they actually even know what compiler flags are about? I'd suspect not, because that sort of implementation detail is going to be out of date before they finish their second year. Besides, they're studying Computing Science, not Programming, so they'd be learning three or four languages in their first year, as well as much more important algorithm design etc.

Re:Sounds just about right for Oracle.

[dgatwood]

Do computing science students these days get so close to particular languages that they actually even know what compiler flags are about?

I hope not. But they should have it drilled into their heads from day one that code has bugs, and you have to test code before you submit it to the teacher. If you decide to include that chunk of code that hasn't been tested when you turn it in to your teacher, you're risking getting a bad grade.

This is essentially what Oracle did when they enabled by default an option that hadn't been thoroughly vetted, and I maintain my original statement that this is something even a first year CS student should understand is a bad idea.

Re:Sounds just about right for Oracle.

[RockDoctor]

OK, from that aspect, yes, I see where you're coming from.

TBH though, as I get longer and longer in the tooth, I'm finding that I get more and more cautious about validating input. I see that the actual programmers in the sand pit do too, as the version number of our package edges upwards.

Re:Sounds just about right for Oracle.

[aled]

IMHO people that try to buy performance by turning on aggressive or little documented options like to play with fire. Profile your own code first and you'll get there faster and safer. No compiler trick will correct bad code.

Re:Sounds just about right for Oracle.

You'd have to be not just a complete novice with Java, but off your rocker yourself to think that "aggressive optimization" is the FIRST thing to do to tune Java performance.

The first thing to do to improve performance on any computer? Add memory.

The first thing to do to improve performance with Java? Increase heap space. The second? Start looking at where that heap space goes, and how you can reduce churn with garbage collector tuning.

Aggressive loop optimizations? Sure, once you've spent about 6 years doing everything else you can, and have another 5 years to verify what the hell the compiler will do afterwards. Ie, NEVER.

Re:Sounds just about right for Oracle.

Stop blaming and finger pointing guys... Releases are tough to manage and especially with something like Java it's a real gigantic task. Issues will occur and one should come to expect it, especially knowing that this is the first release of Java from Oracle's shed. Come on have a bigger heart, give the guys at Oracle some appreciation that they have managed to do a release just after a long storm.

As for the issues, until then you have Java 6 and nothings stopping you from continuing to use it. I'm sure the new processes and environment at Oracle will soon mature and we shall see our favourite language in a brighter form sooner.

Re:Sounds just about right for Oracle.

[epine]

This is essentially what Oracle did when they enabled by default an option that hadn't been thoroughly vetted, and I maintain my original statement that this is something even a first year CS student should understand is a bad idea.

You don't seem to understand what game you are playing here. You are militating for group-think, rather than relating truth on the ground. I wouldn't be against laughing people out of the profession for having no clue about release dynamics, but neither would I claim this is fait accompli at any level within the profession.

The first year student also understands that holding the assignment back to correct defects and submitting it late will result in an even larger reduction in droplets of holy water. This is the dominant lesson, no?

Let's imagine a CS program where every assignment you complete goes into a permanent foundry-forge where any other student (or member of the public) can report bugs against your past work (these would be confirmed bugs complete with a failed test result). At this school, you are not allowed to graduate while any bug remains unfixed in any assignment you've completed in your four year program. This would be cheap to implement at the registrar's office, since they can assign your outstanding bug count the same graduation code as your outstanding library fine. They're in the loop on code reuse.

The graduating class could be reasonably ranked by "patches against" when applying for continuity roles. Another group of people could be ranked by "days before deadline" of all initial submissions meeting a minimum quality requirement, no matter how much cheese ensued. Yet another group could be ranked by "bang for buck" on the total complexity of solutions passing the grade with the least amount of bloat. A final group would be unranked yet employed: for outstanding creativity, generality, and insight over and above the required norm, even if the other metrics fell short from time to time, as they must when you strive for great things. There's just enough employers out there tapping the cream to siphon these people off.

If we had more such schools and modes of discernment, your initial remark wouldn't have reached hyperbolic escape velocity on igniting the first booster rocket.

Re:The bug is widely known...

Says anonymous coward

Should I turn off javascript in my browser for now

[kotku]

Or is it only a desktop problem?

Re:The bug is widely known...

Java is amongst the world's most widely installed malware. For some reason, Oracle was even championing the fact that this malware had over 1 billion downloads.

Re:Should I turn off javascript in my browser for

[arth1]

java != javascript

An Warning

(/_-)

Re:an warning

[AkkarAnadyr]

Nah, it was just a memory leek.

Re:an warning

ITYM "Is it Welsh that we are now, lookyou?"

Re:Should I turn off javascript in my browser for

[leucadiadude]

Troll fail.

Try again next time.

Re:Should I turn off javascript in my browser for

Javascript is unrelated.

an warning

What are we now, Welsh?

Re:Should I turn off javascript in my browser for

[HarrySquatter]

He was a fail troll yet got multiple people to fall for it? It's amazing how easy it is for people like the GP to continue to bait people with such obvious trolling.

Re:Should I turn off javascript in my browser for

[DarkOx]

This has NOTHING to do with emca/java script, they are not in anyway related to Java other than the really really unfortunate sharing of a brand and a little syntax also common to many other languages.

It's not a bug

It's a feature.

Re:Should I turn off javascript in my browser for

o -- Joke

O -- You
\|/
/ \

They released this anyway

[Tridus]

Relevant part:

These problems were detected only 5 days before the official Java 7 release,
so Oracle had no time to fix those bugs, affecting also many more
applications. In response to our questions, they proposed to include the
fixes into service release u2 (eventually into service release u1, see [6]).
This means you cannot use Apache Lucene/Solr with Java 7 releases before
Update 2! If you do, please don't open bug reports, it is not the
committers' fault! At least disable loop optimizations using the
-XX:-UseLoopPredicate JVM option to not risk index corruptions.

If this was known before the release and it's as severe as it's being made out to be, why the hell didn't they postpone the release? It's not like the world is dependent on Java 7 being released on time.

This isn't a little issue, either. It's extremely irresponsible for Oracle to put this kind of release out knowing of a bug this severe without any kind of warning on it.

Re:They released this anyway

[JoeMerchant]

There's a manager at Oracle who would have lost his quarterly bonus if 7 didn't ship on time, you wouldn't have wanted him to do that, would you?

Re:They released this anyway

Or, you know, make -XX:-UseLoopPredicate the default - but couldn't have that, it might hurt artificial benchmark numbers...

Re:They released this anyway

There's a manager at Oracle who would have lost his quarterly bonus if 7 didn't ship on time, you wouldn't have wanted him to do that, would you?

Oh, the sums up how the software industry can be so fucking retarded.

Messing up the ROI was another fucked up reason the PHBs had for the release. I'm sure there are others here who can attest to this happening at any other fucking software vendor.

Re:They released this anyway

[ardle]

Would you go as far as to say "culpably" irresponsible? Would some kind of lawsuit help, or are Oracle too big for the law?

Re:They released this anyway

[Tridus]

Yeah that's probably the answer. Some suit somewhere decided on a release date and minor details like the product not working won't deter it.

Re:They released this anyway

[NoNonAlphaCharsHere]

Well, you wouldn't want them to have to deal with all the "Oracle misses ship date" headlines, would you? Some corner-case bug is only going to be reported in the tech media, not in the Wall Street Journal.

Re:They released this anyway

[jensend]

I don't see any sign that this is affecting many users other than the two Apache projects noted. The linked article says that the best case with the loop optimizations is a crash and worst case is incorrect behavior- but they're conveniently not mentioning how likely it is that your code would trigger this bug. I see no signs that the "Donâ(TM)t use Java 7 for anything" conclusion is anything other than totally overblown.

The fact that the bug is also present in Java 6 if you enable the (fairly common) non-default optimizations makes this whole thing sound basically non-newsworthy. "Some users have problems with new default options! News at 11!"

A bug which only affects a few existing pieces of software and can be worked around with a simple command line option doesn't seem to me to be a release blocker. I'd agree, though, that they should have put something in the release notes.

Re:They released this anyway

[Smallpond]

Would you go as far as to say "culpably" irresponsible? Would some kind of lawsuit help, or are Oracle too big for the law?

I believe they are willing to refund the entire purchase price for the compiler.

Re:They released this anyway

[Lisandro]

This ain't no "corner case" . These guys enabled broken optimizations that break loops, knowingly... in a production release. I completely agree with the parent poster, this is way irresponsible of Oracle. It's akin to releasing a new car model where the steering wheel doesn't work properly.

Re:They released this anyway

[bill_mcgonigle]

why the hell didn't they postpone the release?

You know the open source motto: Never show weakness to your enemies. Oh, no, wait, that's not how it works.

Re:They released this anyway

[idontgno]

Yeah, well, ok, but how many programs use these "loop" thingies? Right? You can code around them. Just do something else. I hear "recursion" is a good workaround. Amiright?

Good car analogy, btw, but I think it's more like the steering working just fine unless you want to turn. Then it snap-oversteers across the sidewalk and into the side of a building. Just keep steering straight and there'll be no problem. A steering system which permits turning, curving, or lane-changing is schedule for Q4 2011 or Q1 2012.

Re:They released this anyway

[boorack]

They could just turn off those two switches. But hey, this is Oracle. Everything they touch turns into crap.

Re:They released this anyway

[zlogic]

I read Slashdot and I didn't know the planned Java 7 release date. Which makes WSJ readers even less likely know or care when Java 7 should have been released.

Re:They released this anyway

[tixxit]

While Solr (& Lucene) are only a couple pieces of software, they also happen to be damn useful and widely deployed pieces of software. Pretty much every web site we make uses Solr to handle searching, so this problem is ours now too. Not that we'd put Java 7 in production on the first release anyways, but it certainly doesn't make me think highly of Oracle, since, as you noted, they didn't even bother to mention this bug in the release notes.

Re:They released this anyway

[sjames]

Not to mention, they were unable to change the defaults on a couple of options back to off in a few days time?

Re:They released this anyway

[Pieroxy]

Shitty products are not a crime.

Re:They released this anyway

[dkf]

Shitty products are not a crime.

They can be, but I wouldn't think that Java would be one of the cases where that is so. When dealing with programming tools, you're supposed to be careful. The licenses all say it, and for good reason. It's the user of those tools, the programmer (or deployer in some cases), who warrants that the produced piece of software is actually useful.

Re:They released this anyway

Of course it's a corner case! You should be using recursion, not loops!

Those were known bugs.

Damn those bugs where known but Oracle choose to ship Java 7, knowing that it would crash on some very known and used Apache libraries. (And most likely other code too).

To quote:
"These problems were detected only 5 days before the official Java 7 release,
so Oracle had no time to fix those bugs, affecting also many more. "

Here is a hint to Oracle: If you find a fatal bug 5 days before launch and don't have time to fix it, you either disable the specific optimization with the know bug, or you postpone the launch and start working on a fix. Just shipping like this is stupid.

Re:Those were known bugs.

[rossjudson]

Another way of looking at this is to realize that the pre-release versions of Java 7 have been out there for a long, long time, and nobody from these Apache projects felt like testing their (rather important) open source projects against it, so they could have found and reported the bug earlier.

It seems to me that fault lies in both directions here.

A more correct rewrite of the bug teaser would be, "Don't use Java 7 for anything if you are incapable of passing an extra command line argument to it".

Re:Those were known bugs.

[PickyH3D]

Agreed. If the release was too close to cancel, then it should have already been released.

Otherwise, they should have disabled the optimization and put it into the release notes, thus avoiding the issue (as, apparently, using the optimizations in Java 6's HotSpot also caused the same problem) until they had time to resolve it.

Re:Those were known bugs.

[blair1q]

How is 5 days "no time"?

Just how dumb are the people who write Java?

Re:Those were known bugs.

Nowhere near as dumb as you.

Re:Those were known bugs.

[gr8_phk]

Another way of looking at this is to realize that the pre-release versions of Java 7 have been out there for a long, long time, and nobody from these Apache projects felt like testing their (rather important) open source projects against it, so they could have found and reported the bug earlier.

Umm no. It's not the customers fault for not testing the product. It's Oracles fault. In fact, Oracle could have been using Apache in their test suite - it's not like it's a closed source product. This really raises the question - How does Oracle test Java prior to release?

Re:Those were known bugs.

[sjames]

They apparently also had no time to add a big fat warning to the release. I'm thinking the old skull and crossbones + Mr. Yuk would have done it.

Re:Those were known bugs.

[Pieroxy]

Ahahahahahahh! Made my day. This is the PERFECT answer !

Re:Those were known bugs.

[rmuir]

It seems to me that fault lies in both directions here.

Really? its my fault some Oracle software has a bug?
I don't have a paycheck in my mail from "ORACLE CORPORATION" so there is no "fault" here.

I volunteered my time on a Saturday, along with another developer, to test our open source project with the java 7 RC, and we happened to find it on that day. You *do* know we have other things to do than test Oracle's products for them, right?

Oracle had plenty of time to deal with this bug (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7070134). When we got no response from filing our bug report, we brought it straight to the hotspot-dev list: Openjdk developers told us how they did not know about the bug, because someone at oracle had filed the bug in the wrong category, runtime instead of compiler2 (http://mail.openjdk.java.net/pipermail/hotspot-compiler-dev/2011-July/005963.html). Then the Openjdk developers fixed the bug in one day, but told us there was no chance the bug fix would make it into the GA.

The problem is not us, the problem is that the bug report is "Priority 4: Low"

At Apache, when shit like this happens, we mark it "Blocker" and don't release until its fixed.

We sometimes do this even when its not our bug, such as in March when I spent another Saturday chasing down another Oracle hotspot bug (https://issues.apache.org/jira/browse/LUCENE-2975), that we found during our release vote.

Re:Those were known bugs.

And was it good move for Apache to remove themselves from the JCP Executive Committee?

Re:Those were known bugs.

[rossjudson]

I probably forgot to hit submit on my previously-written response to your note. I intended no disrespect to you or Apache's process. I'm just expressing the general frustration that Java programmers everywhere must feel at the prospect of having a broken JDK7 out there, when it seems like it was preventable. Of course, the devil is in the details, as always. Could the bug have been identified earlier? Was the bug exhibited by a failure of an automated test suite within the Apache project, or did it manifest only during exploratory testing?

The real question facing the Java community is understanding what parts of the process can be improved to avoid something like this happening again in the future.

Re:Should I turn off javascript in my browser for

[HarrySquatter]

Whoosh? GP was joking, bro.

Moderator Advice: mod parent +1 Funny

[JoshDM]

:-D

Timing is everything

I upgraded to Java 7 on Wednesday. Thursday I tried to fire up tomcat only to have it die on me. I spent a few hours trying to get it to work and eventually gave up and reverted back to Java 6. I realize it could be something completely unrelated (I'm developing a web app with a fair amount of ins and outs, so there are a lot of places for things to break), but somehow I wish I knew about this yesterday,

Re:Timing is everything

[JaneTheIgnorantSlut]

Frankly, upgrading to the latest version of your development environment, literally on the day of release, seems to be rather poor practice. Since "there are a lot of places for things to break," adding another one is unwise.

Re:Timing is everything

[shoppa]

I tend to keep my linux development machines on the bleeding edge of the distro and there is rarely a problem. To be fair I doubt that any distro would put Java 7 in its bleeding edge. The bleeding edge of any distro has some kind of QC process already.

Not just a malware trap

[JoeMerchant]

And I was only avoiding updating it because the last time our PCs were clamoring for Java updates it was actually a (well disguised) trojan.

The next thing Windows needs to add is a "don't bother me with this update" API where software vendors need to ask the OS permission before prompting the user for updates - and also allow preference settings like "don't install a damn desktop launch icon when you update" (looking at you Adobe.) Personally, I'd set my preferences to "don't tell me about updates until they are at least a month old." There is a balance to strike between getting the latest patches for security and waiting until a patch has proven itself in the wild.

Of course, we could all just stop using software from vendors who don't do these things voluntarily (like check for bugs before pushing an update, or making an easy to access preference for launch icon settings (hint: if I've deleted the last 12 of them, I likely don't want the 13th!) but the software that I'm talking about here is Java and Acrobat - kind of hard to get around the web without those.

Re:Not just a malware trap

[mark-t]

When you see a popup alerting you to an update for software you actually have installed being available, the best thing to do is go directly to the company's website and update from there...

I learned a long time ago to never trust *ANY* popups.. regardless of what they appear to be from.

Re:Not just a malware trap

[CynicTheHedgehog]

Perhaps a bit off-topic, but relevant to the OP...

In Linux everything I need comes from one or more trusted software repositories, and all of the updates are performed through the same tool in the same way, so I do not need to familiarize myself with the different update systems for different pieces of software.

In iOS everything is downloaded and installed through the app store, updates are similarly pushed through a single (presumably trusted) source. Same with Android and the various marketplaces and presumably with Windows-based smartphones. (Symbian and RIM aren't really in the game anymore, and it is likely related to this.)

So that leaves Mac OS X and Windows as really the only predominant platforms where you grab stuff from every which where and install it. And IIRC, even Mac OS X tries to consolidate the updates into a central tool (I remember Java and Adobe updates coming through the Mac OS X update tool).

I expect that this model will prevail and within 5 years the majority of software for any system (Windows included) will start coming through central repos (or "App Stores"). Linux has been there for over a decade, but hasn't got their act together with respect to branding, ease-of-use, and revenue sharing (Ubuntu is bridging that gap). So if we can get to a point where software is signed, or at least has a verifiable hash, and it all comes from the same trusted place, then a lot of these issues will be moot.

Re:Not just a malware trap

but the software that I'm talking about here is Java and Acrobat - kind of hard to get around the web without those.

Huh? The only thing I've ever used Java for is literally Minecraft, and it's well known that a lot of the bugs that infest Minecraft are actually Java bugs. If it weren't for Minecraft, I'd have no reason to have Java installed at all.

I don't use Acrobat under Linux at all, since there are two dozen PDF readers for Linux. For Windows, there's always FoxIt.

You meant Flash, right? Yes, you lose out on a massive amount of content online without Flash.

But Java? I haven't seen a Java applet in five years, and the only one I can remember for the past decade was ported to Flash about five years ago.

OK, I'm pulling that five years figure out of my ass. I think it's closer to a decade, but let's give Java the benefit of the doubt and say five years anyway.

Re:Not just a malware trap

[Kitsuneymg]

Mac OSX has the app store now.

Re:Not just a malware trap

I expect that this model will prevail and within 5 years the majority of software for any system (Windows included) will start coming through central repos (or "App Stores").

You don't need to go that far, just provide a built-in updater and an API to register new programs and update sources to it. The updater will go to a specified URL and download an XML following some schema to learn about updates and optional add-ons for the software. This gives you the freedom to install stuff that isn't officially vetted whilst still providing a single consistent update experience that keeps everything up to date rather than just some arbitrary subset. [Add code signing for seasoning, plugins for flavour in the more complicated software]

Re:Not just a malware trap

The only problem with this approach is it requires education and people to have the time to check. Joe Public will likely lack both.

Re:Not just a malware trap

[sjames]

Actually, the best thing is to wait a few days and watch relevant forums for people ripping their hair out about how the update killed their productivity (or PC) dead with nasty bugs.

Re:Not just a malware trap

Foxit, or another alternative PDF reader, will run circles around Adobe in both speed and usability. Don't try to create a PDF with 'em though...

Re:Not just a malware trap

the software that I'm talking about here is Java and Acrobat - kind of hard to get around the web without those.

I disagree. The web is fine without them. I read the occasional PDF with Evince.

Re:Not just a malware trap

[WWWWolf]

The next thing Windows needs to add is a "don't bother me with this update" API where software vendors need to ask the OS permission before prompting the user for updates - and also allow preference settings like "don't install a damn desktop launch icon when you update" (looking at you Adobe.)

This would be doable - if Windows had uniform package management infrastructure. Every installer ships as an executable that can do anything they want on the system, including messing things up and annoying the hell out of you.

Look at Linux distributions on how this is done right. While there are still executable scripts involved, at least there's a huge bunch of infrastructure that does a lot of stuff for you, and people hate you if you deviate from it. If you distribute software, you can set up your own package repository, and give out public keys so people can see that the updates really come from you. A software package may come with desktop icon, but the user can tell the icon to get the hell out of their sight.

I don't know why Microsoft never bothered with this. It's not like installer package software is huge business now that open-source Windows installers like NSIS exist...

Re:Not just a malware trap

[Wallslide]

Perhaps a bit off-topic, but relevant to the OP...

In Linux everything I need comes from one or more trusted software repositories, and all of the updates are performed through the same tool in the same way, so I do not need to familiarize myself with the different update systems for different pieces of software.

In iOS everything is downloaded and installed through the app store, updates are similarly pushed through a single (presumably trusted) source. Same with Android and the various marketplaces and presumably with Windows-based smartphones. (Symbian and RIM aren't really in the game anymore, and it is likely related to this.)

So that leaves Mac OS X and Windows as really the only predominant platforms where you grab stuff from every which where and install it. And IIRC, even Mac OS X tries to consolidate the updates into a central tool (I remember Java and Adobe updates coming through the Mac OS X update tool).

I expect that this model will prevail and within 5 years the majority of software for any system (Windows included) will start coming through central repos (or "App Stores"). Linux has been there for over a decade, but hasn't got their act together with respect to branding, ease-of-use, and revenue sharing (Ubuntu is bridging that gap). So if we can get to a point where software is signed, or at least has a verifiable hash, and it all comes from the same trusted place, then a lot of these issues will be moot.

On Android you can download from third-party sources, including app stores which operate separately from the Android Market. Additionally, those applications have free reign to update themselves. The Amazon App Store must be downloaded outside of the Android Market (due to it being a competing service), and updates itself independently.

Re:The bug is widely known...

Hilarious AND original. You sir, are the total package.

Starbucks

I get my java only from a place that is evaluated by licensed inspectors: Starbucks. Why trust anyone else?

Re:Should I turn off javascript in my browser for

[leucadiadude]

Hehe, when I replied there were no other replies to him. Sad.

Larry Ellison can't hear you

[ThatsNotPudding]

over the seabreeze whipping past his yacht (not that he'd give a fsck about you, anyway).

Re:Should I turn off javascript in my browser for

If a man tells a joke, and nobody understands it, is it still funny?

Re:Should I turn off javascript in my browser for

[arth1]

You may think that the joke was obvious, but today is System Administrator Day. People who don't know that difference (or the difference between a CPU and hard drive, for that matter) is what sysadmins deal with every day. Nine times out of ten when users ask a really stupid question it's because they really don't know.

You would probably think I was joking if I told you that a user was worried because his java had a hot spot. The joke would be on you.

Oracle DB

[roman_mir]

So how often is this practice of releasing knowingly faulty software and not notifying the users is used to release other Oracle products, such as their database, weblogic, etc.etc?

Re:Oracle DB

The answer is yes. Always and frequently.

They key with Oracle is not to be an early adopter and let those suckers deal with all the shit software they release. Wait a year and it might be OK.

I have a weird love hate relationship with Oracle. I like their stuff when it works, but when it don't work, man it sucks.

Re:Oracle DB

[sjames]

Yep, there's your deep concern for the stability of the customer's operations that every great enterprise grade vendor should have!

Perhaps it's time to reconsider PostgreSQL. They seem to have a pretty good release testing policy.

Re:Oracle DB

[roman_mir]

I am using PostgreSQL for my line of products, all in retail, would never consider Oracle based on cost and ability to talk to support in IRC online at any time.

Pity java is such a death trap.

Java is a awesome plugin and utility with hundreds of great uses in all kinds of devices but sadly java is a deathtrap in terms of trojans, malware and viruses because its always so shoddily slapped together. Only thing worse is acrobat.

Pity sun cant hire competant developers to make the software more secure and dependable.

Re:Pity java is such a death trap.

Pity you're such a moron.

I noticed a shipping bug too

[da5id]

Except I called it the "it's still fucking Java" bug. That bug report didn't go over too well :P

Re:I noticed a shipping bug too

[VGPowerlord]

Except I called it the "it's still fucking Java" bug. That bug report didn't go over too well :P

Brendan Eich didn't like it when I filed a similar bug about JavaScript. And yes, I know the two aren't related.

Re:Should I turn off javascript in my browser for

Cool stary bra

Re:Should I turn off javascript in my browser for

[NoNonAlphaCharsHere]

You misspelled "unrelenting".

Oracle is a bug factory

You can see a lot of this kind of bugs on Oracle products which receive the seal of "ready for production". People who work with Oracle softwares are used with this situation. Here where I work we have several bugs filled and confirmed for products like Oracle Fusion Middleware 11.1.1.5, Oracle Identity Management 11.1.1.4 and many others.

I frankly believe that Oracle has serious issues with his Q&A team.

Re:Oracle is a bug factory

[srobring]

The customers are Oracle's QA team.

God,talk about Sensitizing

There are a couple of flags for hotspot then enable/disable the relevant optimizations. You could, you know, just turn them off by flicking -XX:+OptimizeStringConcat and/or -XX:+AggressiveOpts

I can’t help feeling Apache are going for some cheap political point scoring here. It isn’t like the beta of Java 7 wasn’t publicly available for months.

Re:God,talk about Sensitizing

[thehossman]

a) some of these bugs where filed months ago, and yet those hotspot "optimizations" are still on by default

b) it's true that some problems can be avoided by deliberately disabling these optimizations, but w/o raising big warning alarms to users, people aren't going to know they need to go out of their way to do that. For crash bugs, it may not be so bad -- they see the crash and google to find out why it crashed. For miss-evaluation of loops that can lead to silent data corruption it's a different story -- how would users ever know that they need to disable those options if developers don't yell and holler from the roof tops?

Re:The bug is widely known...

[Dexter+Herbivore]

Score 0, Informative anonymous coward.

7 days before the release?!

Java 7 has been in beta/RC/etc for a long, long time. I'm shocked such a fundamental issues(s -- there's also a nasty change that affects tokenization and may require a reindex once you upgrade) wasn't spotted sooner that 7 days prior to the official release...

God,talk about Sensitizing

There are a couple of flags for hotspot then enable/disable the relevant optimizations. You could, you know, just turn them off by flicking -XX:+OptimizeStringConcat or
-XX:+AggressiveOpts

I can’t help feeling Apache are going for some cheap political point scoring here. It isn’t like the beta of Java 7 wasn’t publicly available for months.

Re:Should I turn off javascript in my browser for

[lucidlyTwisted]

No, but you should check your cafetiere for overflows.

Bug?

[roc97007]

> This bug affects several Apache projects directly — Apache Lucene Core

So... from Oracle's standpoint, it's a feature?

Re:Bug?

> This bug affects several Apache projects directly — Apache Lucene Core

So... from Oracle's standpoint, it's a feature?

Bingo

Re:Bug?

[idontgno]

Eerie. I thought I heard someone chanting something over by Redwood City. It sounded like "Java's ain't done til Apache won't run!"

How else???

[FranTaylor]

"upgrading to the latest version of your development environment, literally on the day of release, seems to be rather poor practice."

It's THE ONLY REASONABLE practice if you wish to actually find the bugs in your system.

If you were talking about "production environment" I would agree with you.

If the software on your development system is not working right, the only one impacted is YOU.

The sooner you install that new software and fire it up, the sooner you can submit your bug reports and the sooner they will be fixed.

And if it's your own code that is having a problem you would also rather know about this sooner than later.

If your development environment won't handle multiple JDKs then you need a new development environment. You NEED to be testing with ALL of the shipping and supported JDKs if you actually have a real product that real people use.

Most of us developers have been testing with the JDK7 beta builds for quite some time now, so your "poor practice" remark seems even more odd.

Re:Should I turn off javascript in my browser for

[RichardJenkins]

Of course it does! I love a good cup of java in the morning, but my assistant keeps making it wrong. I tried explaining how to get it Done Right, but he just doesn't listen.

In the end I had to write out a script for him to follow. So yeah, in my experience, good Java comes from a good Javascript.

Java script means Everyday coffee made acceptably!

Not in the windows world

software vendors need to ask the OS permission before prompting the user for updates

That's not how it works in the windows world. Every windows software vendor has their own special install routine, their own special file locations and naming conventions, and their own special modifications to the registry. There is no standard convention, even through there is now supposed to be one. If a vendor can't find a valid technical reason to buck the system, they will do it simply because it can be done, or perhaps it offers a cheap way to make their product stand out.

If you want consistency and correctness in the packaging/installing system, where every software package is subject to the same rules and process, then you want a unix-based system. Car analogy: Windows package mangement is like driving in Singapore, where nobody follows the rules (or even knows what the rules are), horns are constantly honking for no apparent reason, people are getting cut off left and right, and cows are grazing on the highway. Unix package managment is more like riding the tomorrowland people mover in Disney World. Every car looks the same, goes the same speed, follows the same path, arrives on time, and never falls off the track. It's not quite as exciting, but excitement was never the goal.

Horse-puckey

[FranTaylor]

Yeah because applications out there are magic, they read the release notes for each java release and they automatically use the correct command line switches for each of the different versions of java.

don't get smart with me, young man

[jensend]

No, but if you're a sysadmin you should read release notes before making major upgrades. Not too many end-users out there using Lucene or Solr. It's also not like Sun has pushed Java 7 to end users through Java Update either (I imagine it will be quite some time before they do that).

So only the dedicated early adopters who replace what all their enterprise search software is running on with a brand-new release branch immediately after its release without reading the release notes would be affected.

Seems Oracle should have had test cases for these

[mrflash818]

If not, I hope they update their validation testing suite to compile and run the code giving problems everyone is finding and sharing.

The bug is called "Java"

[djp928]

And unfortunately it infects many, many computers.

Can anybody honestly tell me why people still develop in Java? It's nothing but a gigantic pain in the ass. And why does each new version of the JVM break programs written for previous versions? Is there no backwards compatibility at all??

Re:The bug is called "Java"

[sourcerror]

Please, can you name a programming language/compiler that's more backwards compatible?

Re:The bug is called "Java"

[Ant+P.]

sh, Perl 5, Lisp, Javascript, everything IBM produces, ...

Re:The bug is called "Java"

And what language would you recommend for enterprise web development and business logic?

Re:The bug is called "Java"

[DamonHD]

Nonsense. I have Java code that I knocked out for Netscape 2 that basically still runs happily in current browsers, and is non-trivial.

And I fold that same code into a current Java application, and optimise across the old and new with Progard.

Couldn't really do that with (say) C or C++, and I've been paid shedloads to port them over the years.

The only other language that I know and use with the practical backward compatibility of Java (ie stuff more than an decade old runs perfectly surviving many OS changes/upgrades) is /bin/sh.

Rgds

Damon

Re:The bug is called "Java"

Yes, because web browsers are a bastion of Javascript backwards compatibility. Oh, you mean just the language itself, not the interpreter or JVM.. in which case Java is just as backwards compatible.

The bug we are talking about here is with the JVM and nothing to do with the language itself. Furthermore, it is a bug, and not a backwards compatibility issue (it affects new code as well as old code).

Re:The bug is called "Java"

[djp928]

Well, then explain to me why every place I've ever worked I've had to maintain several different versions of Java on most servers/desktops because certain apps refuse to work correctly with the most recent version and require an older version? Hell, many apps now go as far as to just install their own version of Java somewhere to get around the fact that their shit probably won't work with whatever version you have have installed.

Currently where I work our time and attendance software (from a major vendor) simply won't work with any version of Java past 1.5. And we keep installs for several different update levels around just in case. I've seen apps that literally will refuse to run unless a very specific version of Java is installed (as in, the code actually checks the Java version, and if it isn't the specific one it wants--not "this version or newer" but literally the specific version it was written for--it bails.)

You've never been a system admin if you think Java is anything but a gigantic pain in the ass.

Re:The bug is called "Java"

[sproketboy]

WTF are you talking about? I've use Java 2 through Java 6 and All I've ever had to do was recompile.

Re:The bug is called "Java"

[bongey]

Most likely it one of the following:
1) They wrote some low level C hooks that makes the application not "pure" java.
2) They want to milk you for a new version of the software that "supports java X now" .
3) They have bad programmers that don't really understand there code, there is some voodoo magic in that specific version of java is needed.
4) The company wants to assume no deviation in run time environment such to lower any support cost for there number 3 mistakes. Most likely is number 3, they just have bad programmers that are defeating the reason to code something in java in the first place.

Re:The bug is called "Java"

[djp928]

I'm just telling you my experience. Hey, I'm glad it's always "just worked" for you. That's not ever been my experience.

Re:The bug is called "Java"

[JoeMerchant]

gcc

Re:The bug is called "Java"

[DamonHD]

I am a sysadmin and have been for over 25 years, as well as a developer and consultant and architect, and I eat my own dogfood.

A Java runtime is no worse than (say) a C++ one from an admin point of view, IMHO.

Rgds

Damon

Re:The bug is called "Java"

[Lisandro]

Are you serious? I think Java is the only modern language i can think of that forces you to be careful when updating versions. Or porting to different platforms - hell, Perl and Python are, in many ways, much more stable and portable than Java.

Re:The bug is called "Java"

[peppepz]

sh,

At least bash breaks compatibility even at minor releases.

Perl 5,

Perl breaks binary compatibility even if you don't change Perl version but do change the flags used to compile the Perl interpreter.

Javascript,

JS breaks both at new releases and across different vendors.

everything IBM produces, ...

Are you refering to the IBM VM for Java?

Re:The bug is called "Java"

[sourcerror]

IIRC java 6 is bytecode compatible with java 1.1, but correct me if I'm wrong. Citing Python seems weird, as the Python 3.x breaks nearly all 2.x libraries.

Re:The bug is called "Java"

[Lisandro]

Python recompiles files to .pyc bytecode dynamically, so you don't even have to care about it. I haven't had any issues migrating code from 2.x to 3.x.

Re:The bug is called "Java"

[FormOfActionBanana]

IBM produces a Java. sh is not a programming language.

Re:The bug is called "Java"

[aled]

sh is not a programming language.

I knew all those shell scripts wasn't programming! mmh wait a minute...

Re:The bug is called "Java"

[FormOfActionBanana]

I mean get real. It's a shell interpreter. It runs commands for you. It's not a programming language.
In sh you wouldn't even be able to sort a list if the 'sort' command wasn't installed. Let alone incrementing an integer without 'bc' or whatever.

Workaround

run with -XX:-UseLoopPredicate

Re:Workaround

[sapgau]

+1

JAVA...why

So why isn't HTML or HTML 5 coding standards adhered to so we don't need Java?

Java is a bug

[supercell]

Java itself is a bug. A slow, cpu wasting bug that should be done away with. I can't stand java. Every application I have ever used that was written in Java runs 10x slower than a similar app that was designed to work on the native OS.

Re:Java is a bug

[aled]

Server side applications are usually competitive with native applications. And millions of applications beg to differ. Java has its problems but to say that it is a bug is a little too much.

Re:Should I turn off javascript in my browser for

[mswhippingboy]

So you're a sysadmin? Great! I have a couple of questions maybe you could help me with.

First, how do I work this foot-peddle thingy with the two buttons and a little roller on it?

Second, where can I get a new coffee cup holder? I broke mine off. You know, the cup holder that pops out of the computer when you press the little button thingy on the front.

Thanks in advance.

Write once, test everywhere

[alexmin]

Nothing has changed in 15 years

Re:Should I turn off javascript in my browser for

a user was worried because his java had a hot spot.

If the user was of Russian descent the worrying was perfectly understandable.

purposely done by oracle to taint java and android

[hof]

must be it

Re:purposely done by oracle to taint java and andr

[ChrisDolan]

Ha ha, but seriously: Android's Dalvik virtual machine does not use the Hotspot compiler, so I think it should be unaffected by this bug.

Easy fix...

[sigzero]

It is so severe that: -XX:-UseLoopPredicate fixes it.... Wow, the world is going to end.

Re:Easy fix...

[aled]

May be but it isn't nice of Oracle to set it to be the default without enough testing.

Re:Should I turn off javascript in my browser for

[DaVince21]

Why, he was talking about his coffee, of course! You crazy sysadmins just have to assume it's always about computers.

(I joke, of course.)

I wonder how much Oracles owes itself for damages

[mark0978]

If Google is hurting them to the tune of a Billion $ in damages for android, how much did Oracle just cost itself in terms of reputation?

The real story with more background information

If you are interested, the whole story is posted here, that lists in chronological order what happened in the last week: http://blog.thetaphi.de/2011/07/real-story-behind-java-7-ga-bugs.html

The whole story behind the issue

[thetaphi]

Hi, I wrote a blog article about the whole Java 7 problem with Apache Lucene and Solr. You can read it here.

Oracle aren't known for quality

What do you expect from a company whose flagship product can't even tell the difference between an empty string and a NULL? :-)