--- old/make/autoconf/buildjdk-spec.gmk.in 2018-09-06 15:43:50.842797264 -0700 +++ new/make/autoconf/buildjdk-spec.gmk.in 2018-09-06 15:43:50.626797271 -0700 @@ -75,6 +75,8 @@ JVM_ASFLAGS := @OPENJDK_BUILD_JVM_ASFLAGS@ JVM_LIBS := @OPENJDK_BUILD_JVM_LIBS@ +NO_SPECULATIVE_CTI_CFLAGS := @OPENJDK_BUILD_NO_SPECULATIVE_CTI_CFLAGS@ + # The compiler for the build platform is likely not warning compatible with the official # compiler. WARNINGS_AS_ERRORS := false --- old/make/autoconf/flags-cflags.m4 2018-09-06 15:43:51.670797235 -0700 +++ new/make/autoconf/flags-cflags.m4 2018-09-06 15:43:51.454797242 -0700 @@ -776,6 +776,33 @@ $1_WARNING_CFLAGS_JVM="-Wno-format-zero-length -Wtype-limits -Wuninitialized" fi + case $TOOLCHAIN_TYPE in + gcc) + $2NO_SPECULATIVE_CTI_CFLAGS="-mindirect-branch=thunk \ + -mfunction-return=thunk -mindirect-branch-register" + ;; + microsoft) + $2NO_SPECULATIVE_CTI_CFLAGS="-Qspectre" + ;; + *) + $2NO_SPECULATIVE_CTI_CFLAGS="" + ;; + esac + if test -n "${$2NO_SPECULATIVE_CTI_CFLAGS}"; then + FLAGS_COMPILER_CHECK_ARGUMENTS(ARGUMENT: [${$2NO_SPECULATIVE_CTI_CFLAGS}], + IF_FALSE: [ + AC_MSG_WARN([Speculative call mitigations not available with compiler version]) + $2NO_SPECULATIVE_CTI_CFLAGS="" + ] + ) + fi + AC_MSG_CHECKING([for speculative calls mitigation flags for $1]) + if test -n "${$2NO_SPECULATIVE_CTI_CFLAGS}"; then + AC_MSG_RESULT(${$2NO_SPECULATIVE_CTI_CFLAGS}) + else + AC_MSG_RESULT(no) + fi + # EXPORT to API CFLAGS_JVM_COMMON="$ALWAYS_CFLAGS_JVM $ALWAYS_DEFINES_JVM $TOOLCHAIN_CFLAGS_JVM \ $OS_CFLAGS $OS_CFLAGS_JVM $CFLAGS_OS_DEF_JVM $DEBUG_CFLAGS_JVM \ 
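Review bot: In the `microsoft)` arm of the new `case`, `-Qspectre` is not the counterpart of the gcc thunk options. As far as I know, MSVC's `/Qspectre` inserts speculation barriers for bounds-check-bypass patterns (Spectre variant 1) and does not rewrite indirect calls or returns, whereas `-mindirect-branch=thunk -mfunction-return=thunk -mindirect-branch-register` address branch-target injection (variant 2). Storing both under `NO_SPECULATIVE_CTI_CFLAGS` and reporting them as "speculative calls mitigation flags" makes the two builds look equally protected when they probably are not, so I would add a comment above the `case`, e.g. `# gcc: thunks for indirect branches/returns (variant 2); microsoft: /Qspectre barriers (variant 1 only)`. Separately, `AC_MSG_WARN` runs before `AC_MSG_CHECKING`, so the warning appears in configure output ahead of the check it belongs to. The enclosing macro starts and ends outside the hunk.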
@@ -794,8 +821,12 @@ CFLAGS_JDK_COMMON_CXXONLY="$ALWAYS_DEFINES_JDK_CXXONLY $TOOLCHAIN_CFLAGS_JDK_CXXONLY \ $WARNING_CFLAGS_JDK_CXXONLY ${$2EXTRA_CXXFLAGS}" - $1_CFLAGS_JVM="${$1_DEFINES_CPU_JVM} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JVM} ${$1_TOOLCHAIN_CFLAGS} ${$1_WARNING_CFLAGS_JVM}" - $1_CFLAGS_JDK="${$1_DEFINES_CPU_JDK} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JDK} ${$1_TOOLCHAIN_CFLAGS}" + # The jdk libraries always use the speculative calls mitigations, while it's + # optional for the JVM. + $1_CFLAGS_JVM="${$1_DEFINES_CPU_JVM} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JVM} \ + ${$1_TOOLCHAIN_CFLAGS} ${$1_WARNING_CFLAGS_JVM}" + $1_CFLAGS_JDK="${$1_DEFINES_CPU_JDK} ${$1_CFLAGS_CPU} ${$1_CFLAGS_CPU_JDK} \ + ${$1_TOOLCHAIN_CFLAGS} ${$2NO_SPECULATIVE_CTI_CFLAGS}" $2JVM_CFLAGS="$CFLAGS_JVM_COMMON ${$1_CFLAGS_JVM} ${$2EXTRA_CXXFLAGS}" @@ -809,6 +840,7 @@ AC_SUBST($2CFLAGS_JDKEXE) AC_SUBST($2CXXFLAGS_JDKLIB) AC_SUBST($2CXXFLAGS_JDKEXE) + AC_SUBST($2NO_SPECULATIVE_CTI_CFLAGS) ]) # FLAGS_SETUP_GCC6_COMPILER_FLAGS([PREFIX]) --- old/make/autoconf/hotspot.m4 2018-09-06 15:43:52.606797202 -0700 +++ new/make/autoconf/hotspot.m4 2018-09-06 15:43:52.330797212 -0700 @@ -26,13 +26,13 @@ # All valid JVM features, regardless of platform VALID_JVM_FEATURES="compiler1 compiler2 zero minimal dtrace jvmti jvmci \ graal vm-structs jni-check services management cmsgc epsilongc g1gc parallelgc serialgc zgc nmt cds \ - static-build link-time-opt aot jfr" + static-build link-time-opt aot jfr no-speculative-cti" # Deprecated JVM features (these are ignored, but with a warning) DEPRECATED_JVM_FEATURES="trace" # All valid JVM variants -VALID_JVM_VARIANTS="server client minimal core zero custom" +VALID_JVM_VARIANTS="server client minimal nonspeculative core zero custom" ############################################################################### # Check if the specified JVM variant should be built. To be used in shell if 
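Review bot: The new comment says the jdk libraries "always" use the mitigations, but `${$2NO_SPECULATIVE_CTI_CFLAGS}` is empty for every toolchain other than gcc and microsoft and is reset to empty when the compiler check in the previous hunk fails. In those cases `$1_CFLAGS_JDK` carries no mitigation, and the only trace is a configure warning (or just "no"). The fail-fast added in hotspot.m4 covers the nonspeculative variant and the no-speculative-cti feature only, not the libraries. I would word the comment to match the behaviour, `# The jdk libraries use the speculative calls mitigations whenever the compiler accepts them; for the JVM they are opt-in via the no-speculative-cti feature.`, and, if unmitigated libraries are not acceptable for release builds, make the empty case an error there as well.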
@@ -61,6 +61,7 @@ ############################################################################### # Check which variants of the JVM that we want to build. Available variants are: # server: normal interpreter, and a tiered C1/C2 compiler +# nonspeculative: same as server but compiled with speculative calls disabled # client: normal interpreter, and C1 (no C2 compiler) # minimal: reduced form of client with optional features stripped out # core: normal interpreter only, no compiler @@ -70,7 +71,7 @@ AC_DEFUN_ONCE([HOTSPOT_SETUP_JVM_VARIANTS], [ AC_ARG_WITH([jvm-variants], [AS_HELP_STRING([--with-jvm-variants], - [JVM variants (separated by commas) to build (server,client,minimal,core,zero,custom) @<:@server@:>@])]) + [JVM variants (separated by commas) to build (server,nonspeculative,client,minimal,core,zero,custom) @<:@server@:>@])]) SETUP_HOTSPOT_TARGET_CPU_PORT @@ -104,7 +105,7 @@ fi # All "special" variants share the same output directory ("server") - VALID_MULTIPLE_JVM_VARIANTS="server client minimal" + VALID_MULTIPLE_JVM_VARIANTS="server client minimal nonspeculative" BASIC_GET_NON_MATCHING_VALUES(INVALID_MULTIPLE_VARIANTS, $JVM_VARIANTS, $VALID_MULTIPLE_JVM_VARIANTS) if test "x$INVALID_MULTIPLE_VARIANTS" != x && test "x$BUILDING_MULTIPLE_JVM_VARIANTS" = xtrue; then AC_MSG_ERROR([You cannot build multiple variants with anything else than $VALID_MULTIPLE_JVM_VARIANTS.]) @@ -113,7 +114,7 @@ # The "main" variant is the one used by other libs to link against during the # build. if test "x$BUILDING_MULTIPLE_JVM_VARIANTS" = "xtrue"; then - MAIN_VARIANT_PRIO_ORDER="server client minimal" + MAIN_VARIANT_PRIO_ORDER="server client minimal nonspeculative" for variant in $MAIN_VARIANT_PRIO_ORDER; do if HOTSPOT_CHECK_JVM_VARIANT($variant); then JVM_VARIANT_MAIN="$variant" 
@@ -127,6 +128,7 @@ AC_SUBST(JVM_VARIANTS) AC_SUBST(VALID_JVM_VARIANTS) AC_SUBST(JVM_VARIANT_MAIN) + AC_SUBST(VALID_MULTIPLE_JVM_VARIANTS) if HOTSPOT_CHECK_JVM_VARIANT(zero); then # zero behaves as a platform and rewrites these values. This is really weird. :( @@ -481,6 +483,8 @@ JVM_FEATURES_link_time_opt="" fi + JVM_FEATURES_NONSPECULATIVE="no-speculative-cti" + # All variants but minimal (and custom) get these features NON_MINIMAL_FEATURES="$NON_MINIMAL_FEATURES cmsgc g1gc parallelgc serialgc epsilongc jni-check jvmti management nmt services vm-structs" @@ -501,7 +505,9 @@ fi # Enable features depending on variant. - JVM_FEATURES_server="compiler1 compiler2 $NON_MINIMAL_FEATURES $JVM_FEATURES $JVM_FEATURES_jvmci $JVM_FEATURES_aot $JVM_FEATURES_graal" + JVM_FEATURES_server="compiler1 compiler2 $NON_MINIMAL_FEATURES $JVM_FEATURES \ + $JVM_FEATURES_jvmci $JVM_FEATURES_aot $JVM_FEATURES_graal" + JVM_FEATURES_nonspeculative="$JVM_FEATURES_NONSPECULATIVE" JVM_FEATURES_client="compiler1 $NON_MINIMAL_FEATURES $JVM_FEATURES" JVM_FEATURES_core="$NON_MINIMAL_FEATURES $JVM_FEATURES" JVM_FEATURES_minimal="compiler1 minimal serialgc $JVM_FEATURES $JVM_FEATURES_link_time_opt" @@ -509,6 +515,7 @@ JVM_FEATURES_custom="$JVM_FEATURES" AC_SUBST(JVM_FEATURES_server) + AC_SUBST(JVM_FEATURES_nonspeculative) AC_SUBST(JVM_FEATURES_client) AC_SUBST(JVM_FEATURES_core) AC_SUBST(JVM_FEATURES_minimal) 
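Review bot: `JVM_FEATURES_NONSPECULATIVE` (the feature list added after the `link_time_opt` block) and `JVM_FEATURES_nonspeculative` (the variant's feature set, next to `JVM_FEATURES_server`) differ only in letter case, which is easy to misread and to mistype in shell. The neighbouring per-feature helpers are lower-case and named after the feature (`JVM_FEATURES_link_time_opt`, `JVM_FEATURES_jvmci`). Using `JVM_FEATURES_no_speculative_cti="no-speculative-cti"` and `JVM_FEATURES_nonspeculative="$JVM_FEATURES_no_speculative_cti"` would follow that convention and keep the feature/variant distinction visible. The comment in `HOTSPOT_FINALIZE_JVM_FEATURES` that mentions `JVM_FEATURES_NONSPECULATIVE` would need the same rename.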
@@ -524,6 +531,19 @@ # AC_DEFUN_ONCE([HOTSPOT_FINALIZE_JVM_FEATURES], [ + # The nonspeculative variant should have all the features of server. Add them here + # to catch any custom additions automatically. + JVM_FEATURES_nonspeculative="$JVM_FEATURES_nonspeculative $JVM_FEATURES_server" + + # Fail fast if either of JVM variant nonspeculative or JVM_FEATURES_NONSPECULATIVE are + # requested but the required flags are not available + if HOTSPOT_CHECK_JVM_VARIANT([nonspeculative]) \ + || HOTSPOT_CHECK_JVM_FEATURE([no-speculative-cti]); then + if test -z "$NO_SPECULATIVE_CTI_CFLAGS"; then + AC_MSG_ERROR([Speculative calls mitigation flags not availble]) + fi + fi + for variant in $JVM_VARIANTS; do AC_MSG_CHECKING([JVM features for JVM variant '$variant']) features_var_name=JVM_FEATURES_$variant --- old/make/autoconf/spec.gmk.in 2018-09-06 15:43:53.678797165 -0700 +++ new/make/autoconf/spec.gmk.in 2018-09-06 15:43:53.390797175 -0700 @@ -265,6 +265,7 @@ # Lists of features per variant. Only relevant for the variants listed in # JVM_VARIANTS. JVM_FEATURES_server := @JVM_FEATURES_server@ +JVM_FEATURES_nonspeculative := @JVM_FEATURES_nonspeculative@ JVM_FEATURES_client := @JVM_FEATURES_client@ JVM_FEATURES_core := @JVM_FEATURES_core@ JVM_FEATURES_minimal := @JVM_FEATURES_minimal@ @@ -274,6 +275,7 @@ # Used for make-time verifications VALID_JVM_FEATURES := @VALID_JVM_FEATURES@ VALID_JVM_VARIANTS := @VALID_JVM_VARIANTS@ +VALID_MULTIPLE_JVM_VARIANTS := @VALID_MULTIPLE_JVM_VARIANTS@ # Control wether Hotspot builds gtest tests BUILD_GTEST := @BUILD_GTEST@ 
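Review bot: The `AC_MSG_ERROR` text in the fail-fast block has a typo and gives the user nothing to act on: `availble` should be `available`, and the message could say what needs the flags, e.g. `AC_MSG_ERROR([Speculative calls mitigation flags not available; the nonspeculative variant and the no-speculative-cti feature require a compiler that accepts them])`. The guard tests only `$NO_SPECULATIVE_CTI_CFLAGS`, so it depends on flags-cflags.m4 having cleared that variable when the compiler check failed; a one-line comment stating that dependency would help the next reader. It is also worth confirming that `HOTSPOT_CHECK_JVM_FEATURE([no-speculative-cti])` sees a feature that was requested explicitly for another variant at this point in the macro, since its definition is outside the hunk.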
@@ -439,6 +441,8 @@ # Tools that potentially need to be cross compilation aware. CC:=@FIXPATH@ @CCACHE@ @ICECC@ @CC@ +NO_SPECULATIVE_CTI_CFLAGS := @NO_SPECULATIVE_CTI_CFLAGS@ + # CFLAGS used to compile the jdk native libraries (C-code) CFLAGS_JDKLIB:=@CFLAGS_JDKLIB@ CXXFLAGS_JDKLIB:=@CXXFLAGS_JDKLIB@ --- old/make/conf/jib-profiles.js 2018-09-06 15:43:54.678797130 -0700 +++ new/make/conf/jib-profiles.js 2018-09-06 15:43:54.462797138 -0700 @@ -381,7 +381,8 @@ target_cpu: "x64", dependencies: ["devkit", "graphviz", "pandoc", "graalunit_lib"], configure_args: concat(common.configure_args_64bit, - "--enable-full-docs", "--with-zlib=system"), + "--enable-full-docs", "--with-zlib=system", + "--with-jvm-variants=server,nonspeculative"), default_make_targets: ["docs-bundles"], }, @@ -422,7 +423,8 @@ target_os: "windows", target_cpu: "x64", dependencies: ["devkit", "graalunit_lib"], - configure_args: concat(common.configure_args_64bit), + configure_args: concat(common.configure_args_64bit, + "--with-jvm-variants=server,nonspeculative"), }, "windows-x86": { --- old/make/copy/Copy-java.base.gmk 2018-09-06 15:43:55.590797098 -0700 +++ new/make/copy/Copy-java.base.gmk 2018-09-06 15:43:55.318797108 -0700 
@@ -86,11 +86,10 @@ endif DEFAULT_CFG_VARIANT ?= server -# Any variant other than server, client or minimal is represented as server in -# the cfg file. -VALID_CFG_VARIANTS := server client minimal -CFG_VARIANTS := $(filter $(VALID_CFG_VARIANTS), $(JVM_VARIANTS)) \ - $(if $(filter-out $(VALID_CFG_VARIANTS), $(JVM_VARIANTS)), server) +# Any variant other than the valid multiple jvm variants is represented as +# server in the cfg file. +CFG_VARIANTS := $(filter $(VALID_MULTIPLE_JVM_VARIANTS), $(JVM_VARIANTS)) \ + $(if $(filter-out $(VALID_MULTIPLE_JVM_VARIANTS), $(JVM_VARIANTS)), server) # Change the order to put the default variant first if present. ORDERED_CFG_VARIANTS := \ --- old/make/hotspot/HotspotCommon.gmk 2018-09-06 15:43:56.334797072 -0700 +++ new/make/hotspot/HotspotCommon.gmk 2018-09-06 15:43:56.062797082 -0700 @@ -34,7 +34,7 @@ DTRACE_SUPPORT_DIR := $(JVM_SUPPORT_DIR)/dtrace LIB_OUTPUTDIR := $(call FindLibDirForModule, java.base) -ifneq ($(filter client minimal, $(JVM_VARIANT)), ) +ifneq ($(filter $(VALID_MULTIPLE_JVM_VARIANTS), $(JVM_VARIANT)), ) JVM_VARIANT_SUBDIR := $(JVM_VARIANT) else # Use 'server' as default target directory name for all other variants. --- old/make/hotspot/gensrc/GensrcJfr.gmk 2018-09-06 15:43:57.122797045 -0700 +++ new/make/hotspot/gensrc/GensrcJfr.gmk 2018-09-06 15:43:56.850797054 -0700 @@ -41,6 +41,7 @@ SETUP := GENERATE_JFRBYTECODE, \ SRC := $(JFR_TOOLS_SRCDIR), \ BIN := $(JFR_TOOLS_OUTPUTDIR), \ + INCLUDES := build/tools/jfr, \ )) TARGETS += $(BUILD_JFR_TOOLS) --- old/make/hotspot/lib/JvmFeatures.gmk 2018-09-06 15:43:58.090797011 -0700 +++ new/make/hotspot/lib/JvmFeatures.gmk 2018-09-06 15:43:57.878797019 -0700 
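Review bot: `CFG_VARIANTS` here, and the `JVM_VARIANT_SUBDIR` test in the HotspotCommon.gmk hunk below, now depend on `VALID_MULTIPLE_JVM_VARIANTS` being substituted into spec.gmk, and neither place checks that it is non-empty. If it expands empty (for instance with a spec.gmk generated before this change), `$(filter ...)` returns nothing, so every variant is written to the cfg file as `server` and takes the `server` output directory. The hardened and default libjvm would then presumably land in the same place with no diagnostic. A make-time guard next to the first use would turn that into a clear failure: `ifeq ($(strip $(VALID_MULTIPLE_JVM_VARIANTS)), )`, `  $(error VALID_MULTIPLE_JVM_VARIANTS is empty, re-run configure)`, `endif`.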
@@ -171,6 +171,10 @@ JVM_EXCLUDE_PATTERNS += jfr endif +ifeq ($(call check-jvm-feature, no-speculative-cti), true) + JVM_CFLAGS_FEATURES += $(NO_SPECULATIVE_CTI_CFLAGS) -DNO_SPECULATIVE_CTI=0 +endif + ################################################################################ ifeq ($(call check-jvm-feature, link-time-opt), true)
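Review bot: `-DNO_SPECULATIVE_CTI=0` defines the macro to zero when the feature is enabled, so any `#if NO_SPECULATIVE_CTI` in the sources would evaluate false and only `#ifdef` / `defined()` tests would see it. The consumers are not visible in this patch, so this may be intentional, but the value reads as "off" on the very line that turns the feature on. Either use `-DNO_SPECULATIVE_CTI=1` or add a comment such as `# Value is unused; sources test #ifdef NO_SPECULATIVE_CTI`. A short comment on the block saying that `$(NO_SPECULATIVE_CTI_CFLAGS)` is guaranteed non-empty here by the configure-time check would also make the dependency explicit.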