Java 7 Ships With Severe Bug

Lisandro writes "Lucid Imagination just posted an announcement about a severe bug in the recently released Java 7. Apparently some loops are mis-compiled due to errors in the HotSpot compiler optimizations, which causes programs to fail. This bug affects several Apache projects directly — Apache Lucene Core and Apache Solr have already raised a warning, noting that the bug might be present in Java 6 as well."

Sounds just about right for Oracle.

[Nadaka]

So well known for product "quality"

Re:Sounds just about right for Oracle.

[Tridus]

Can you name an instance where Sun knew the thing miscompiled loops before release and put it out anyway with no warning to users about the error?

I can't. Sun got stuff wrong sometimes, but this is an incredible level of actively poor judgement from Oracle. Anybody sane would have delayed this release.

Re:Sounds just about right for Oracle.

[dgatwood]

And if it's such an obvious bug, one would think it would have turned up in the last 29 version 6 releases?

No, honestly. This wasn't caught before because nobody used those flags. Oracle decided that these flags should be turned on by default. Therefore, the onus was on Oracle to thoroughly and broadly test these flags before promoting them to be used by default.

I guarantee you'll find some hairy bugs if you enable lots of random, rarely enabled flags in just about any compiler. The difference between a good compiler and a bad compiler is that a good compiler tests flags thoroughly before either enabling any the flags by default or rolling them into a commonly used option. In effect, what Oracle did was to take an obscure, poorly tested code path and promote it into the hot path through their code. This is something that any first-year CS student should know is risky.

The best part of this is that (assuming other Slashdot comments are correct) this occurs in commonly used third-party libraries, and was disclosed to Oracle several days before the release shipped. Where I work, that's what is known as a P1 block-ship bug, and people will be called in to work on it day and night until the problem is resolved, and if necessary, features will get temporarily pulled (e.g. turning that optimization back off by default).

For shame, Oracle.

Re:Sounds just about right for Oracle.

[sjames]

It's quite common for more aggressive optimization flags on any compiler to come with warnings that things may break in odd ways. It's even considered acceptable as long as those flags default to off.

It is NOT acceptable to set them on by default in that condition. At no point did Sun violate that, but Oracle just did.

Should I turn off javascript in my browser for now

[kotku]

Or is it only a desktop problem?

They released this anyway

[Tridus]

Relevant part:

These problems were detected only 5 days before the official Java 7 release,
so Oracle had no time to fix those bugs, affecting also many more
applications. In response to our questions, they proposed to include the
fixes into service release u2 (eventually into service release u1, see [6]).
This means you cannot use Apache Lucene/Solr with Java 7 releases before
Update 2! If you do, please don't open bug reports, it is not the
committers' fault! At least disable loop optimizations using the
-XX:-UseLoopPredicate JVM option to not risk index corruptions.

If this was known before the release and it's as severe as it's being made out to be, why the hell didn't they postpone the release? It's not like the world is dependent on Java 7 being released on time.

This isn't a little issue, either. It's extremely irresponsible for Oracle to put this kind of release out knowing of a bug this severe without any kind of warning on it.

Those were known bugs.

Damn those bugs where known but Oracle choose to ship Java 7, knowing that it would crash on some very known and used Apache libraries. (And most likely other code too).

To quote:
"These problems were detected only 5 days before the official Java 7 release,
so Oracle had no time to fix those bugs, affecting also many more. "

Here is a hint to Oracle: If you find a fatal bug 5 days before launch and don't have time to fix it, you either disable the specific optimization with the know bug, or you postpone the launch and start working on a fix. Just shipping like this is stupid.

Re:Those were known bugs.

[rossjudson]

Another way of looking at this is to realize that the pre-release versions of Java 7 have been out there for a long, long time, and nobody from these Apache projects felt like testing their (rather important) open source projects against it, so they could have found and reported the bug earlier.

It seems to me that fault lies in both directions here.

A more correct rewrite of the bug teaser would be, "Don't use Java 7 for anything if you are incapable of passing an extra command line argument to it".

Not just a malware trap

[JoeMerchant]

And I was only avoiding updating it because the last time our PCs were clamoring for Java updates it was actually a (well disguised) trojan.

The next thing Windows needs to add is a "don't bother me with this update" API where software vendors need to ask the OS permission before prompting the user for updates - and also allow preference settings like "don't install a damn desktop launch icon when you update" (looking at you Adobe.) Personally, I'd set my preferences to "don't tell me about updates until they are at least a month old." There is a balance to strike between getting the latest patches for security and waiting until a patch has proven itself in the wild.

Of course, we could all just stop using software from vendors who don't do these things voluntarily (like check for bugs before pushing an update, or making an easy to access preference for launch icon settings (hint: if I've deleted the last 12 of them, I likely don't want the 13th!) but the software that I'm talking about here is Java and Acrobat - kind of hard to get around the web without those.

Re:Should I turn off javascript in my browser for

[arth1]

You may think that the joke was obvious, but today is System Administrator Day. People who don't know that difference (or the difference between a CPU and hard drive, for that matter) is what sysadmins deal with every day. Nine times out of ten when users ask a really stupid question it's because they really don't know.

You would probably think I was joking if I told you that a user was worried because his java had a hot spot. The joke would be on you.

Re:God,talk about Sensitizing

[thehossman]

a) some of these bugs where filed months ago, and yet those hotspot "optimizations" are still on by default

b) it's true that some problems can be avoided by deliberately disabling these optimizations, but w/o raising big warning alarms to users, people aren't going to know they need to go out of their way to do that. For crash bugs, it may not be so bad -- they see the crash and google to find out why it crashed. For miss-evaluation of loops that can lead to silent data corruption it's a different story -- how would users ever know that they need to disable those options if developers don't yell and holler from the roof tops?