--- old/make/autoconf/buildjdk-spec.gmk.in	2018-06-08 14:40:34.487835828 -0700
+++ new/make/autoconf/buildjdk-spec.gmk.in	2018-06-08 14:40:34.271835836 -0700
@@ -75,6 +75,8 @@
 JVM_ASFLAGS := @OPENJDK_BUILD_JVM_ASFLAGS@
 JVM_LIBS := @OPENJDK_BUILD_JVM_LIBS@
 
+NO_SPECULATIVE_CTI_CFLAGS := @OPENJDK_BUILD_NO_SPECULATIVE_CTI_CFLAGS@
+
 # The compiler for the build platform is likely not warning compatible with the official
 # compiler.
 WARNINGS_AS_ERRORS := false
--- old/make/autoconf/configure.ac	2018-06-08 14:40:35.115835806 -0700
+++ new/make/autoconf/configure.ac	2018-06-08 14:40:34.895835814 -0700
@@ -219,6 +219,8 @@
 LIB_DETERMINE_DEPENDENCIES
 LIB_SETUP_LIBRARIES
 
+JDKOPT_SETUP_HARDENED_FLAGS
+
 # Hotspot setup depends on lib checks.
 
 HOTSPOT_SETUP_JVM_FEATURES
--- old/make/autoconf/flags-cflags.m4	2018-06-08 14:40:35.751835784 -0700
+++ new/make/autoconf/flags-cflags.m4	2018-06-08 14:40:35.527835792 -0700
@@ -764,6 +764,26 @@
     $1_WARNING_CFLAGS_JVM="-Wno-format-zero-length -Wtype-limits -Wuninitialized"
   fi
 
+  case $TOOLCHAIN_TYPE in
+    gcc)
+      $2NO_SPECULATIVE_CTI_CFLAGS="-mindirect-branch=thunk \
+          -mfunction-return=thunk -mindirect-branch-register"
+      ;;
+    microsoft)
+      $2NO_SPECULATIVE_CTI_CFLAGS="-Qspectre"
+      ;;
+    *)
+      $2NO_SPECULATIVE_CTI_CFLAGS=""
+      ;;
+  esac
+  if test -n "${$2NO_SPECULATIVE_CTI_CFLAGS}"; then
+    FLAGS_COMPILER_CHECK_ARGUMENTS(ARGUMENT: [${$2NO_SPECULATIVE_CTI_CFLAGS}],
+        IF_FALSE: [
+          $2NO_SPECULATIVE_CTI_CFLAGS=""
+        ]
+    )
+  fi
+
   # EXPORT to API
   CFLAGS_JVM_COMMON="$ALWAYS_CFLAGS_JVM $ALWAYS_DEFINES_JVM $TOOLCHAIN_CFLAGS_JVM \
       $OS_CFLAGS $OS_CFLAGS_JVM $CFLAGS_OS_DEF_JVM $DEBUG_CFLAGS_JVM \
@@ -782,8 +802,10 @@
   CFLAGS_JDK_COMMON_CXXONLY="$ALWAYS_DEFINES_JDK_CXXONLY $TOOLCHAIN_CFLAGS_JDK_CXXONLY \
       $WARNING_CFLAGS_JDK_CXXONLY ${$2EXTRA_CXXFLAGS}"
 
-  $1_CFLAGS_JVM="${$1_DEFINES_CPU_JVM} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JVM} ${$1_TOOLCHAIN_CFLAGS} ${$1_WARNING_CFLAGS_JVM}"
-  $1_CFLAGS_JDK="${$1_DEFINES_CPU_JDK} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JDK} ${$1_TOOLCHAIN_CFLAGS}"
+  $1_CFLAGS_JVM="${$1_DEFINES_CPU_JVM} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JVM} \
+      ${$1_TOOLCHAIN_CFLAGS} ${$1_WARNING_CFLAGS_JVM}"
+  $1_CFLAGS_JDK="${$1_DEFINES_CPU_JDK} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JDK} \
+      ${$1_TOOLCHAIN_CFLAGS}"
 
   $2JVM_CFLAGS="$CFLAGS_JVM_COMMON ${$1_CFLAGS_JVM} ${$2EXTRA_CXXFLAGS}"
 
@@ -797,6 +819,7 @@
   AC_SUBST($2CFLAGS_JDKEXE)
   AC_SUBST($2CXXFLAGS_JDKLIB)
   AC_SUBST($2CXXFLAGS_JDKEXE)
+  AC_SUBST($2NO_SPECULATIVE_CTI_CFLAGS)
 ])
 
 # FLAGS_SETUP_GCC6_COMPILER_FLAGS([PREFIX])
--- old/make/autoconf/hotspot.m4	2018-06-08 14:40:36.399835762 -0700
+++ new/make/autoconf/hotspot.m4	2018-06-08 14:40:36.171835770 -0700
@@ -26,13 +26,13 @@
 # All valid JVM features, regardless of platform
 VALID_JVM_FEATURES="compiler1 compiler2 zero minimal dtrace jvmti jvmci \
     graal vm-structs jni-check services management cmsgc g1gc parallelgc serialgc nmt cds \
-    static-build link-time-opt aot jfr"
+    static-build link-time-opt aot jfr no-speculative-cti"
 
 # Deprecated JVM features (these are ignored, but with a warning)
 DEPRECATED_JVM_FEATURES="trace"
 
 # All valid JVM variants
-VALID_JVM_VARIANTS="server client minimal core zero custom"
+VALID_JVM_VARIANTS="server client minimal hardened core zero custom"
 
 ###############################################################################
 # Check if the specified JVM variant should be built. To be used in shell if
@@ -61,6 +61,7 @@
 ###############################################################################
 # Check which variants of the JVM that we want to build. Available variants are:
 #   server: normal interpreter, and a tiered C1/C2 compiler
+#   hardened: same as server but compiled with speculative calls disabled
 #   client: normal interpreter, and C1 (no C2 compiler)
 #   minimal: reduced form of client with optional features stripped out
 #   core: normal interpreter only, no compiler
@@ -70,7 +71,7 @@
 AC_DEFUN_ONCE([HOTSPOT_SETUP_JVM_VARIANTS],
 [
   AC_ARG_WITH([jvm-variants], [AS_HELP_STRING([--with-jvm-variants],
-      [JVM variants (separated by commas) to build (server,client,minimal,core,zero,custom) @<:@server@:>@])])
+      [JVM variants (separated by commas) to build (server,hardened,client,minimal,core,zero,custom) @<:@server@:>@])])
 
   SETUP_HOTSPOT_TARGET_CPU_PORT
 
@@ -104,7 +105,7 @@
   fi
 
   # All "special" variants share the same output directory ("server")
-  VALID_MULTIPLE_JVM_VARIANTS="server client minimal"
+  VALID_MULTIPLE_JVM_VARIANTS="server client minimal hardened"
   BASIC_GET_NON_MATCHING_VALUES(INVALID_MULTIPLE_VARIANTS, $JVM_VARIANTS, $VALID_MULTIPLE_JVM_VARIANTS)
   if  test "x$INVALID_MULTIPLE_VARIANTS" != x && test "x$BUILDING_MULTIPLE_JVM_VARIANTS" = xtrue; then
     AC_MSG_ERROR([You cannot build multiple variants with anything else than $VALID_MULTIPLE_JVM_VARIANTS.])
@@ -113,7 +114,7 @@
   # The "main" variant is the one used by other libs to link against during the
   # build.
   if test "x$BUILDING_MULTIPLE_JVM_VARIANTS" = "xtrue"; then
-    MAIN_VARIANT_PRIO_ORDER="server client minimal"
+    MAIN_VARIANT_PRIO_ORDER="server client minimal hardened"
     for variant in $MAIN_VARIANT_PRIO_ORDER; do
       if HOTSPOT_CHECK_JVM_VARIANT($variant); then
         JVM_VARIANT_MAIN="$variant"
@@ -127,6 +128,7 @@
   AC_SUBST(JVM_VARIANTS)
   AC_SUBST(VALID_JVM_VARIANTS)
   AC_SUBST(JVM_VARIANT_MAIN)
+  AC_SUBST(VALID_MULTIPLE_JVM_VARIANTS)
 
   if HOTSPOT_CHECK_JVM_VARIANT(zero); then
     # zero behaves as a platform and rewrites these values. This is really weird. :(
@@ -409,6 +411,11 @@
     JVM_FEATURES_link_time_opt=""
   fi
 
+  JVM_FEATURES_HARDENED="no-speculative-cti"
+  if test "x$HARDENED_HOTSPOT" = "xtrue"; then
+    JVM_FEATURES="$JVM_FEATURES $JVM_FEATURES_HARDENED"
+  fi
+
   # All variants but minimal (and custom) get these features
   NON_MINIMAL_FEATURES="$NON_MINIMAL_FEATURES cmsgc g1gc parallelgc serialgc jni-check jvmti management nmt services vm-structs"
   if test "x$ENABLE_CDS" = "xtrue"; then
@@ -416,7 +423,9 @@
   fi
 
   # Enable features depending on variant.
-  JVM_FEATURES_server="compiler1 compiler2 $NON_MINIMAL_FEATURES $JVM_FEATURES $JVM_FEATURES_jvmci $JVM_FEATURES_aot $JVM_FEATURES_graal"
+  JVM_FEATURES_server="compiler1 compiler2 $NON_MINIMAL_FEATURES $JVM_FEATURES \
+      $JVM_FEATURES_jvmci $JVM_FEATURES_aot $JVM_FEATURES_graal"
+  JVM_FEATURES_hardened="$JVM_FEATURES_HARDENED"
   JVM_FEATURES_client="compiler1 $NON_MINIMAL_FEATURES $JVM_FEATURES $JVM_FEATURES_jvmci"
   JVM_FEATURES_core="$NON_MINIMAL_FEATURES $JVM_FEATURES"
   JVM_FEATURES_minimal="compiler1 minimal serialgc $JVM_FEATURES $JVM_FEATURES_link_time_opt"
@@ -424,12 +433,15 @@
   JVM_FEATURES_custom="$JVM_FEATURES"
 
   AC_SUBST(JVM_FEATURES_server)
+  AC_SUBST(JVM_FEATURES_hardened)
   AC_SUBST(JVM_FEATURES_client)
   AC_SUBST(JVM_FEATURES_core)
   AC_SUBST(JVM_FEATURES_minimal)
   AC_SUBST(JVM_FEATURES_zero)
   AC_SUBST(JVM_FEATURES_custom)
 
+  AC_SUBST(JVM_FEATURES_HARDENED)
+
   # Used for verification of Makefiles by check-jvm-feature
   AC_SUBST(VALID_JVM_FEATURES)
 
@@ -442,6 +454,10 @@
 #
 AC_DEFUN_ONCE([HOTSPOT_FINALIZE_JVM_FEATURES],
 [
+  # The hardened variant should have all the features of server. Add them here
+  # to catch any custom additions automatically.
+  JVM_FEATURES_hardened="$JVM_FEATURES_hardened $JVM_FEATURES_server"
+
   for variant in $JVM_VARIANTS; do
     AC_MSG_CHECKING([JVM features for JVM variant '$variant'])
     features_var_name=JVM_FEATURES_$variant
--- old/make/autoconf/jdk-options.m4	2018-06-08 14:40:37.027835740 -0700
+++ new/make/autoconf/jdk-options.m4	2018-06-08 14:40:36.811835747 -0700
@@ -582,3 +582,69 @@
 
   AC_SUBST(ENABLE_GENERATE_CLASSLIST)
 ])
+
+AC_DEFUN([JDKOPT_SETUP_HARDENED_FLAGS],
+[
+  AC_ARG_ENABLE([hardened-jdk], [AS_HELP_STRING([--enable-hardened-jdk],
+      [enable hardening compiler flags for all jdk libraries (except the JVM),
+      typically disabling speculative cti. @<:@disabled@:>@])])
+
+  HARDENED_JDK="false"
+  AC_MSG_CHECKING([if hardened flags should be used for jdk libraries])
+  if test "x$enable_hardened_jdk" = "xyes"; then
+    AC_MSG_RESULT([yes])
+    HARDENED_JDK="true"
+  elif test "x$enable_hardened_jdk" = "xno"; then
+    AC_MSG_RESULT([no])
+    HARDENED_JDK="false"
+  elif test "x$enable_hardened_jdk" = "x"; then
+    AC_MSG_RESULT([no, default])
+  else
+    AC_MSG_RESULT([no])
+    AC_MSG_ERROR([--enable-hardened-jdk does not take a value])
+  fi
+
+  if test "x$HARDENED_JDK" = "xtrue"; then
+    if test -z "$NO_SPECULATIVE_CTI_CFLAGS"; then
+      AC_MSG_ERROR([Speculative cti mitigations not available, cannot enable hardened jdk])
+    fi
+    CFLAGS_JDKEXE="$CFLAGS_JDKEXE $NO_SPECULATIVE_CTI_CFLAGS"
+    CXXFLAGS_JDKEXE="$CXXFLAGS_JDKEXE $NO_SPECULATIVE_CTI_CFLAGS"
+    CFLAGS_JDKLIB="$CFLAGS_JDKLIB $NO_SPECULATIVE_CTI_CFLAGS"
+    CXXFLAGS_JDKLIB="$CXXFLAGS_JDKLIB $NO_SPECULATIVE_CTI_CFLAGS"
+  fi
+
+  AC_ARG_ENABLE([hardened-hotspot], [AS_HELP_STRING([--enable-hardened-hotspot],
+      [enable hardening compiler flags for hotspot (all jvm variants),
+      typically disabling speculative cti. To make hardening of hotspot a runtime
+      choice, consider the "hardened" jvm variant instead of this option.
+      @<:@disabled@:>@])])
+
+  HARDENED_HOTSPOT="false"
+  AC_MSG_CHECKING([if hardened flags should be used for hotspot])
+  if test "x$enable_hardened_hotspot" = "xyes"; then
+    AC_MSG_RESULT([yes])
+    HARDENED_HOTSPOT="true"
+  elif test "x$enable_hardened_hotspot" = "xno"; then
+    AC_MSG_RESULT([no])
+    HARDENED_HOTSPOT="false"
+  elif test "x$enable_hardened_hotspot" = "x"; then
+    AC_MSG_RESULT([no, default])
+  else
+    AC_MSG_RESULT([no])
+    AC_MSG_ERROR([--enable-hardened-hotspot does not take a value])
+  fi
+
+  if test "x$HARDENED_HOTSPOT" = "xtrue" && HOTSPOT_CHECK_JVM_VARIANT([hardened]); then
+    AC_MSG_ERROR([Cannot enable both hardened hotspot as well as hardened jvm variant])
+  fi
+
+  if test "x$HARDENED_HOTSPOT" = "xtrue" || HOTSPOT_CHECK_JVM_VARIANT([hardened]); then
+    if test -z "$NO_SPECULATIVE_CTI_CFLAGS"; then
+      AC_MSG_ERROR([Speculative cti mitigations not available, cannot enable hardened hotspot])
+    fi
+  fi
+
+  AC_SUBST(HARDENED_JDK)
+  AC_SUBST(HARDENED_HOTSPOT)
+])
--- old/make/autoconf/spec.gmk.in	2018-06-08 14:40:37.655835718 -0700
+++ new/make/autoconf/spec.gmk.in	2018-06-08 14:40:37.431835726 -0700
@@ -259,6 +259,7 @@
 # Lists of features per variant. Only relevant for the variants listed in
 # JVM_VARIANTS.
 JVM_FEATURES_server := @JVM_FEATURES_server@
+JVM_FEATURES_hardened := @JVM_FEATURES_hardened@
 JVM_FEATURES_client := @JVM_FEATURES_client@
 JVM_FEATURES_core := @JVM_FEATURES_core@
 JVM_FEATURES_minimal := @JVM_FEATURES_minimal@
@@ -268,6 +269,7 @@
 # Used for make-time verifications
 VALID_JVM_FEATURES := @VALID_JVM_FEATURES@
 VALID_JVM_VARIANTS := @VALID_JVM_VARIANTS@
+VALID_MULTIPLE_JVM_VARIANTS := @VALID_MULTIPLE_JVM_VARIANTS@
 
 # Control wether Hotspot builds gtest tests
 BUILD_GTEST := @BUILD_GTEST@
@@ -428,6 +430,8 @@
 # Tools that potentially need to be cross compilation aware.
 CC:=@FIXPATH@ @CCACHE@ @ICECC@ @CC@
 
+NO_SPECULATIVE_CTI_CFLAGS := @NO_SPECULATIVE_CTI_CFLAGS@
+
 # CFLAGS used to compile the jdk native libraries (C-code)
 CFLAGS_JDKLIB:=@CFLAGS_JDKLIB@
 CXXFLAGS_JDKLIB:=@CXXFLAGS_JDKLIB@
--- old/make/conf/jib-profiles.js	2018-06-08 14:40:38.279835696 -0700
+++ new/make/conf/jib-profiles.js	2018-06-08 14:40:38.063835704 -0700
@@ -415,7 +415,9 @@
             target_cpu: "x64",
             dependencies: ["devkit", "autoconf", "graphviz", "pandoc"],
             configure_args: concat(common.configure_args_64bit,
-                "--enable-full-docs", "--with-zlib=system"),
+                "--enable-full-docs", "--with-zlib=system",
+                "--with-jvm-variants=server,hardened",
+                "--enable-hardened-jdk"),
             default_make_targets: ["docs-bundles"],
         },
 
@@ -449,14 +451,16 @@
             target_cpu: "sparcv9",
             dependencies: ["devkit", "autoconf", "cups"],
             configure_args: concat(common.configure_args_64bit,
-                "--with-zlib=system", "--enable-dtrace"),
+                "--with-zlib=system", "--enable-dtrace")
         },
 
         "windows-x64": {
             target_os: "windows",
             target_cpu: "x64",
             dependencies: ["devkit", "autoconf"],
-            configure_args: concat(common.configure_args_64bit),
+            configure_args: concat(common.configure_args_64bit,
+                "--with-jvm-variants=server,hardened",
+                "--enable-hardened-jdk"),
         },
 
         "windows-x86": {
--- old/make/copy/Copy-java.base.gmk	2018-06-08 14:40:38.899835675 -0700
+++ new/make/copy/Copy-java.base.gmk	2018-06-08 14:40:38.683835682 -0700
@@ -86,11 +86,10 @@
 endif
 DEFAULT_CFG_VARIANT ?= server
 
-# Any variant other than server, client or minimal is represented as server in
-# the cfg file.
-VALID_CFG_VARIANTS := server client minimal
-CFG_VARIANTS := $(filter $(VALID_CFG_VARIANTS), $(JVM_VARIANTS)) \
-    $(if $(filter-out $(VALID_CFG_VARIANTS), $(JVM_VARIANTS)), server)
+# Any variant other than the valid multiple jvm variants is represented as
+# server in the cfg file.
+CFG_VARIANTS := $(filter $(VALID_MULTIPLE_JVM_VARIANTS), $(JVM_VARIANTS)) \
+    $(if $(filter-out $(VALID_MULTIPLE_JVM_VARIANTS), $(JVM_VARIANTS)), server)
 
 # Change the order to put the default variant first if present.
 ORDERED_CFG_VARIANTS := \
--- old/make/hotspot/HotspotCommon.gmk	2018-06-08 14:40:39.527835653 -0700
+++ new/make/hotspot/HotspotCommon.gmk	2018-06-08 14:40:39.307835660 -0700
@@ -34,7 +34,7 @@
 DTRACE_SUPPORT_DIR := $(JVM_SUPPORT_DIR)/dtrace
 
 LIB_OUTPUTDIR := $(call FindLibDirForModule, java.base)
-ifneq ($(filter client minimal, $(JVM_VARIANT)), )
+ifneq ($(filter $(VALID_MULTIPLE_JVM_VARIANTS), $(JVM_VARIANT)), )
   JVM_VARIANT_SUBDIR := $(JVM_VARIANT)
 else
   # Use 'server' as default target directory name for all other variants.
--- old/make/hotspot/gensrc/GensrcJfr.gmk	2018-06-08 14:40:40.163835631 -0700
+++ new/make/hotspot/gensrc/GensrcJfr.gmk	2018-06-08 14:40:39.943835638 -0700
@@ -27,7 +27,7 @@
 # Build tools needed for the JFR source code generation
 
 JFR_TOOLS_SRCDIR := $(TOPDIR)/make/src/classes
-JFR_TOOLS_OUTPUTDIR := $(OUTPUTDIR)/buildtools/tools_classes
+JFR_TOOLS_OUTPUTDIR := $(JVM_VARIANT_OUTPUTDIR)/tools/jfr
 
 $(eval $(call SetupJavaCompiler, GENERATE_JFRBYTECODE, \
     JAVAC := $(JAVAC), \
@@ -41,6 +41,7 @@
     SETUP := GENERATE_JFRBYTECODE, \
     SRC := $(JFR_TOOLS_SRCDIR), \
     BIN := $(JFR_TOOLS_OUTPUTDIR), \
+    INCLUDES := build/tools/jfr, \
 ))
 
 TARGETS += $(BUILD_JFR_TOOLS)
--- old/make/hotspot/lib/JvmFeatures.gmk	2018-06-08 14:40:40.791835609 -0700
+++ new/make/hotspot/lib/JvmFeatures.gmk	2018-06-08 14:40:40.571835616 -0700
@@ -160,6 +160,10 @@
   JVM_EXCLUDE_PATTERNS += jfr
 endif
 
+ifeq ($(call check-jvm-feature, no-speculative-cti), true)
+  JVM_CFLAGS_FEATURES += $(NO_SPECULATIVE_CTI_CFLAGS) -DNO_SPECULATIVE_CTI=0
+endif
+
 ################################################################################
 
 ifeq ($(call check-jvm-feature, link-time-opt), true)