Slashdot Mirror


Java 7 Ships With Severe Bug

Lisandro writes "Lucid Imagination just posted an announcement about a severe bug in the recently released Java 7. Apparently some loops are mis-compiled due to errors in the HotSpot compiler optimizations, which causes programs to fail. This bug affects several Apache projects directly — Apache Lucene Core and Apache Solr have already raised a warning, noting that the bug might be present in Java 6 as well."

27 of 180 comments

  1. Sounds just about right for Oracle. by Nadaka · · Score: 3, Insightful

    So well known for product "quality"

    1. Re:Sounds just about right for Oracle. by Tridus · · Score: 3, Insightful

      Can you name an instance where Sun knew the thing miscompiled loops before release and put it out anyway with no warning to users about the error?

      I can't. Sun got stuff wrong sometimes, but this is an incredible level of actively poor judgement from Oracle. Anybody sane would have delayed this release.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:Sounds just about right for Oracle. by NoNonAlphaCharsHere · · Score: 2
      I know it's unfashionable to RTFA, but this quote might help:

      > Also Java 6 users are affected, if they use one of those JVM options, which are not enabled by default: -XX:+OptimizeStringConcat or -XX:+AggressiveOpts.

      Emphasis in the original. So it looks more like Oracle turned on more aggressive optimizations by default. And if it's such an obvious bug, one would think it would have turned up in the last 29 version 6 releases?

    3. Re:Sounds just about right for Oracle. by dgatwood · · Score: 5, Informative

      > And if it's such an obvious bug, one would think it would have turned up in the last 29 version 6 releases?

      No, honestly. This wasn't caught before because nobody used those flags. Oracle decided that these flags should be turned on by default. Therefore, the onus was on Oracle to thoroughly and broadly test these flags before promoting them to be used by default.

      I guarantee you'll find some hairy bugs if you enable lots of random, rarely enabled flags in just about any compiler. The difference between a good compiler and a bad compiler is that a good compiler tests flags thoroughly before either enabling any of the flags by default or rolling them into a commonly used option. In effect, what Oracle did was to take an obscure, poorly tested code path and promote it into the hot path through their code. This is something that any first-year CS student should know is risky.

      The best part of this is that (assuming other Slashdot comments are correct) this occurs in commonly used third-party libraries, and was disclosed to Oracle several days before the release shipped. Where I work, that's what is known as a P1 block-ship bug, and people will be called in to work on it day and night until the problem is resolved, and if necessary, features will get temporarily pulled (e.g. turning that optimization back off by default).

      For shame, Oracle.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:Sounds just about right for Oracle. by idontgno · · Score: 2

      I think the distinction between 2 and 1 is generally illusory or propaganda. "World Domination" is generally held to be an evil goal. In fact, the people most interested in making and emphasizing the distinction are the ones in the second category but don't want (for PR or ego reasons) to believe they're in the first.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:Sounds just about right for Oracle. by sjames · · Score: 4, Interesting

      It's quite common for more aggressive optimization flags on any compiler to come with warnings that things may break in odd ways. It's even considered acceptable as long as those flags default to off.

      It is NOT acceptable to set them on by default in that condition. At no point did Sun violate that, but Oracle just did.

  2. Should I turn off javascript in my browser for now by kotku · · Score: 4, Funny

    Or is it only a desktop problem?

    --
    The bikini - security through obscurity since 1943
  3. Re:Should I turn off javascript in my browser for by HarrySquatter · · Score: 2

    He was a fail troll yet got multiple people to fall for it? It's amazing how easy it is for people like the GP to continue to bait people with such obvious trolling.

  4. They released this anyway by Tridus · · Score: 5, Insightful

    Relevant part:

    > These problems were detected only 5 days before the official Java 7 release,
    > so Oracle had no time to fix those bugs, affecting also many more
    > applications. In response to our questions, they proposed to include the
    > fixes into service release u2 (eventually into service release u1, see [6]).
    > This means you cannot use Apache Lucene/Solr with Java 7 releases before
    > Update 2! If you do, please don't open bug reports, it is not the
    > committers' fault! At least disable loop optimizations using the
    > -XX:-UseLoopPredicate JVM option to not risk index corruptions.

    If this was known before the release and it's as severe as it's being made out to be, why the hell didn't they postpone the release? It's not like the world is dependent on Java 7 being released on time.

    This isn't a little issue, either. It's extremely irresponsible for Oracle to put this kind of release out knowing of a bug this severe without any kind of warning on it.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:They released this anyway by JoeMerchant · · Score: 2

      There's a manager at Oracle who would have lost his quarterly bonus if 7 didn't ship on time, you wouldn't have wanted him to do that, would you?

    2. Re:They released this anyway by NoNonAlphaCharsHere · · Score: 2

      Well, you wouldn't want them to have to deal with all the "Oracle misses ship date" headlines, would you? Some corner-case bug is only going to be reported in the tech media, not in the Wall Street Journal.

    3. Re:They released this anyway by Smallpond · · Score: 2

      Would you go as far as to say "culpably" irresponsible? Would some kind of lawsuit help, or are Oracle too big for the law?

      I believe they are willing to refund the entire purchase price for the compiler.

    4. Re:They released this anyway by boorack · · Score: 2

      They could just turn off those two switches. But hey, this is Oracle. Everything they touch turns into crap.
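The conditions named in the quoted announcement and in the Java 6 note above, written as a launch-configuration check. This is an added example, not part of the thread or of any project's code. It assumes version strings in the `1.7.0_01` form and that a later `-XX` flag overrides an earlier one; the host names and inventory are constructed.

```python
import re

# Assumed input format: pre-Java-9 "1.<major>.0[_<update>]" version strings.
_VERSION = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")
_FLAG = re.compile(r"^-XX:([+-])(\w+)$")


def effective_flags(jvm_args):
    """Map boolean -XX flag name -> True/False; a later occurrence overrides an earlier one."""
    flags = {}
    for arg in jvm_args:
        m = _FLAG.match(arg)
        if m:
            flags[m.group(2)] = (m.group(1) == "+")
    return flags


def assess(java_version, jvm_args):
    """Return (status, reason) for one JVM launch configuration."""
    m = _VERSION.match(java_version)
    if not m:
        return ("unknown", "unrecognised version string")
    major, update = int(m.group(1)), int(m.group(2) or 0)
    flags = effective_flags(jvm_args)

    if major == 7 and update < 2:
        if flags.get("UseLoopPredicate") is False:
            return ("workaround", "Java 7 before Update 2, loop predicate disabled")
        return ("affected", "Java 7 before Update 2 without -XX:-UseLoopPredicate")
    if major == 6:
        risky = [f for f in ("OptimizeStringConcat", "AggressiveOpts") if flags.get(f)]
        if risky:
            return ("affected", "Java 6 with " + ", ".join("-XX:+" + f for f in risky))
    return ("ok", "not in the set the announcement describes")


# Constructed sample inventory: (host label, java.version, JVM arguments).
SAMPLE = [
    ("solr-a", "1.7.0", ["-Xmx2g"]),
    ("solr-b", "1.7.0_01", ["-XX:-UseLoopPredicate"]),
    ("solr-c", "1.6.0_26", ["-XX:+AggressiveOpts", "-Xmx1g"]),
    ("solr-d", "1.6.0_26", ["-XX:+AggressiveOpts", "-XX:-AggressiveOpts"]),
    ("solr-e", "1.7.0_02", []),
]

if __name__ == "__main__":
    for host, version, args in SAMPLE:
        status, reason = assess(version, args)
        print(f"{host:8} {version:10} {status:10} {reason}")
```

The "workaround" status mirrors the announcement's "at least disable loop optimizations" wording: it marks the minimum mitigation named there, not a fixed JVM.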

  5. Those were known bugs. by Anonymous Coward · · Score: 3, Insightful

    Damn, those bugs were known but Oracle chose to ship Java 7, knowing that it would crash on some very known and used Apache libraries. (And most likely other code too).

    To quote:
    "These problems were detected only 5 days before the official Java 7 release,
    so Oracle had no time to fix those bugs, affecting also many more. "

    Here is a hint to Oracle: If you find a fatal bug 5 days before launch and don't have time to fix it, you either disable the specific optimization with the known bug, or you postpone the launch and start working on a fix. Just shipping like this is stupid.

    1. Re:Those were known bugs. by rossjudson · · Score: 3, Insightful

      Another way of looking at this is to realize that the pre-release versions of Java 7 have been out there for a long, long time, and nobody from these Apache projects felt like testing their (rather important) open source projects against it, so they could have found and reported the bug earlier.

      It seems to me that fault lies in both directions here.

      A more correct rewrite of the bug teaser would be, "Don't use Java 7 for anything if you are incapable of passing an extra command line argument to it".

    2. Re:Those were known bugs. by gr8_phk · · Score: 2

      > Another way of looking at this is to realize that the pre-release versions of Java 7 have been out there for a long, long time, and nobody from these Apache projects felt like testing their (rather important) open source projects against it, so they could have found and reported the bug earlier.

      Umm no. It's not the customer's fault for not testing the product. It's Oracle's fault. In fact, Oracle could have been using Apache in their test suite - it's not like it's a closed source product. This really raises the question - How does Oracle test Java prior to release?

  6. Not just a malware trap by JoeMerchant · · Score: 4, Interesting

    And I was only avoiding updating it because the last time our PCs were clamoring for Java updates it was actually a (well disguised) trojan.

    The next thing Windows needs to add is a "don't bother me with this update" API where software vendors need to ask the OS permission before prompting the user for updates - and also allow preference settings like "don't install a damn desktop launch icon when you update" (looking at you Adobe.) Personally, I'd set my preferences to "don't tell me about updates until they are at least a month old." There is a balance to strike between getting the latest patches for security and waiting until a patch has proven itself in the wild.

    Of course, we could all just stop using software from vendors who don't do these things voluntarily (like check for bugs before pushing an update, or making an easy to access preference for launch icon settings (hint: if I've deleted the last 12 of them, I likely don't want the 13th!)) but the software that I'm talking about here is Java and Acrobat - kind of hard to get around the web without those.

    1. Re:Not just a malware trap by CynicTheHedgehog · · Score: 2

      Perhaps a bit off-topic, but relevant to the OP...

      In Linux everything I need comes from one or more trusted software repositories, and all of the updates are performed through the same tool in the same way, so I do not need to familiarize myself with the different update systems for different pieces of software.

      In iOS everything is downloaded and installed through the app store, updates are similarly pushed through a single (presumably trusted) source. Same with Android and the various marketplaces and presumably with Windows-based smartphones. (Symbian and RIM aren't really in the game anymore, and it is likely related to this.)

      So that leaves Mac OS X and Windows as really the only predominant platforms where you grab stuff from every which where and install it. And IIRC, even Mac OS X tries to consolidate the updates into a central tool (I remember Java and Adobe updates coming through the Mac OS X update tool).

      I expect that this model will prevail and within 5 years the majority of software for any system (Windows included) will start coming through central repos (or "App Stores"). Linux has been there for over a decade, but hasn't got their act together with respect to branding, ease-of-use, and revenue sharing (Ubuntu is bridging that gap). So if we can get to a point where software is signed, or at least has a verifiable hash, and it all comes from the same trusted place, then a lot of these issues will be moot.

  7. Larry Ellison can't hear you by ThatsNotPudding · · Score: 2

    over the seabreeze whipping past his yacht (not that he'd give a fsck about you, anyway).

  8. Re:Should I turn off javascript in my browser for by arth1 · · Score: 3, Funny

    You may think that the joke was obvious, but today is System Administrator Day. People who don't know that difference (or the difference between a CPU and hard drive, for that matter) are what sysadmins deal with every day. Nine times out of ten when users ask a really stupid question it's because they really don't know.

    You would probably think I was joking if I told you that a user was worried because his java had a hot spot. The joke would be on you.

  9. Re:Timing is everything by JaneTheIgnorantSlut · · Score: 2

    Frankly, upgrading to the latest version of your development environment, literally on the day of release, seems to be rather poor practice. Since "there are a lot of places for things to break," adding another one is unwise.

  10. Re:The bug is widely known... by Dexter+Herbivore · · Score: 2

    Score 0, Informative anonymous coward.

  11. Bug? by roc97007 · · Score: 2

    > This bug affects several Apache projects directly — Apache Lucene Core

    So... from Oracle's standpoint, it's a feature?

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:Bug? by idontgno · · Score: 2

      Eerie. I thought I heard someone chanting something over by Redwood City. It sounded like "Java's ain't done til Apache won't run!"

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  12. Re:God,talk about Sensitizing by thehossman · · Score: 4, Insightful

    a) some of these bugs were filed months ago, and yet those hotspot "optimizations" are still on by default

    b) it's true that some problems can be avoided by deliberately disabling these optimizations, but w/o raising big warning alarms to users, people aren't going to know they need to go out of their way to do that. For crash bugs, it may not be so bad -- they see the crash and google to find out why it crashed. For mis-evaluation of loops that can lead to silent data corruption it's a different story -- how would users ever know that they need to disable those options if developers don't yell and holler from the roof tops?

    --
    -- The Hoss Man
  13. don't get smart with me, young man by jensend · · Score: 2

    No, but if you're a sysadmin you should read release notes before making major upgrades. Not too many end-users out there using Lucene or Solr. It's also not like Sun has pushed Java 7 to end users through Java Update either (I imagine it will be quite some time before they do that).

    So only the dedicated early adopters who replace what all their enterprise search software is running on with a brand-new release branch immediately after its release without reading the release notes would be affected.

  14. Re:The bug is called "Java" by bongey · · Score: 2

    Most likely it is one of the following:
    1) They wrote some low level C hooks that makes the application not "pure" java.
    2) They want to milk you for a new version of the software that "supports java X now".
    3) They have bad programmers that don't really understand their code, there is some voodoo magic in that specific version of java is needed.
    4) The company wants to assume no deviation in run time environment such to lower any support cost for their number 3 mistakes.

    Most likely is number 3, they just have bad programmers that are defeating the reason to code something in java in the first place.