@@ -25,6 +25,16 @@ inputs:
 runs:
 using: composite
 steps:
+- name: Setup shell
+if: runner.os == 'macOS'
+shell: bash
+run: |
+brew install bash
+echo "/opt/homebrew/bin/bash" >> $_PATH || \
+echo "/usr/local/bin/bash" >> $_PATH
+brew install grep
+echo "/opt/homebrew/opt/grep/libexec/gnubin" >> $_PATH || \
+echo "/usr/local/opt/grep/libexec/gnubin" >> $_PATH
  - name: Read Gradle JDK toolchain version
 id: gradle_toolchain
 shell: bash

@@ -130,6 +130,7 @@ javadocs
 JBridge
 jcache
 JCP
+jcstress
 JDKs
 jemalloc
 jetbrains

@@ -3,7 +3,7 @@ set -eux
 
 ./gradlew \
 forbiddenApis -DforbiddenApis \
-ecjJavaPoet ecjMain ecjCodeGen ecjJmh ecjTest \
-pmdJavaPoet pmdMain pmdCodeGen pmdJmh pmdTest -Dpmd \
-spotbugsJavaPoet spotbugsMain spotbugsCodeGen spotbugsJmh spotbugsTest -Dspotbugs \
+ecjJavaPoet ecjMain ecjCodeGen ecjJmh ecjTest ecjJcstress \
+pmdJavaPoet pmdMain pmdCodeGen pmdJmh pmdTest pmdJcstress -Dpmd \
+spotbugsJavaPoet spotbugsMain spotbugsCodeGen spotbugsJmh spotbugsTest spotbugsJcstress -Dspotbugs \
 "$@"

@@ -56,7 +56,7 @@ jobs:
 GH_TOKEN: ${{ secrets._TOKEN }}
 run: uvx zizmor --pedantic --format sarif . > results.sarif
 - name: Upload SARIF file for Advanced Security Dasard
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 with:
 sarif_file: results.sarif
 category: zizmor

@@ -43,7 +43,7 @@ jobs:
 with:
 java: ${{ env.JAVA_VERSION }}
 cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-arguments: ecjJavaPoet ecjMain ecjCodeGen ecjJmh ecjTest
+arguments: ecjJavaPoet ecjMain ecjCodeGen ecjJmh ecjTest ecjJcstress
 
 forbidden-apis:
 runs-on: ubuntu-latest
@@ -91,7 +91,7 @@ jobs:
 with:
 java: ${{ env.JAVA_VERSION }}
 cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
-arguments: pmdJavaPoet pmdMain pmdCodeGen pmdJmh pmdTest -Dpmd
+arguments: pmdJavaPoet pmdMain pmdCodeGen pmdJmh pmdTest pmdJcstress -Dpmd
 - name: Upload Reports
 if: always()
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -123,7 +123,8 @@ jobs:
 java: ${{ env.JAVA_VERSION }}
 cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 arguments: >
-spotbugsJavaPoet spotbugsMain spotbugsCodeGen spotbugsJmh spotbugsTest -Dspotbugs
+spotbugsJavaPoet spotbugsMain spotbugsCodeGen
+spotbugsJmh spotbugsTest spotbugsJcstress -Dspotbugs
  - name: Upload Reports
 if: always()
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

@@ -49,7 +49,7 @@ jobs:
 if: steps.check_files.outputs.files_exists == 'true'
 run: jq -c '.runs |= unique_by({tool, invocations, results})' < results.sarif > codacy.sarif
 - name: Upload result to Code Scanning
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: steps.check_files.outputs.files_exists == 'true'
 continue-on-error: true
 with:

@@ -59,13 +59,13 @@ jobs:
 java: ${{ env.JAVA_VERSION }}
 cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
 - name: Initialize CodeQL (Actions)
-uses: /codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: ${{ matrix.language == 'actions' }}
 with:
 languages: actions
 dependency-caching: true
 - name: Initialize CodeQL (Java)
-uses: /codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: ${{ matrix.language == 'java' }}
 with:
 queries: >
@@ -83,6 +83,6 @@ jobs:
  config: |
 threat-models: local
  - name: Autobuild
-uses: /codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/autobuild@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 - name: Perform CodeQL Analysis
-uses: /codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19

@@ -66,7 +66,7 @@ jobs:
 with:
 files: build/reports/dependency-check-report.sarif
 - name: Upload result to Code Scanning
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: build/reports/dependency-check-report.sarif

@@ -33,6 +33,6 @@ jobs:
 - name: Run DevSkim scanner
 uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
 - name: Upload DevSkim scan results to Security tab
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 with:
 sarif_file: devskim-results.sarif

@@ -0,0 +1,52 @@
+name: JCStress
+permissions: {}
+on:
+schedule:
+- cron: '0 0 * * 1'
+
+env:
+DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
+ALLOWED_ENDPOINTS: >
+api.adoptium.net:443
+api.foojay.io:443
+api..com:443
+caffeine.gradle-enterprise.cloud:443
+downloads.gradle.org:443
+downloads.gradle-dn.com:443
+.com:443
+jcenter.bintray.com:443
+objects.usercontent.com:443
+plugins.gradle.org:443
+plugins-artifacts.gradle.org:443
+repo.maven.apache.org:443
+repo1.maven.org:443
+services.gradle.org:443
+
+jobs:
+jcstress:
+runs-on: ${{ matrix.os }}
+permissions:
+contents: read
+strategy:
+matrix:
+java: [ 11, 24, 25-ea ]
+os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest]
+env:
+JAVA_VERSION: ${{ matrix.java }}
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+with:
+allowed-endpoints: ${{ env.ALLOWED_ENDPOINTS }}
+disable-sudo-and-containers: true
+egress-policy: block
+- name: Checkout
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
+- name: JCStress
+uses: ././actions/run-gradle
+with:
+cache-encryption-key: ${{ secrets.GRADLE_ENCRYPTION_KEY }}
+java: ${{ env.JAVA_VERSION }}
+arguments: jcstress

@@ -72,6 +72,6 @@ jobs:
 upload-result: true
 -token: ${{ secrets._TOKEN }}
 - name: Upload SARIF file for Advanced Security Dasard
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 with:
 sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json

@@ -57,6 +57,6 @@ jobs:
 path: results.sarif
 retention-days: 5
 - name: Upload to code-scanning
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 with:
 sarif_file: results.sarif

@@ -34,7 +34,7 @@ jobs:
 with:
 files: results.sarif
 - name: Upload SARIF file for Advanced Security Dasard
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: steps.check_files.outputs.files_exists == 'true'
 continue-on-error: true
 with:

@@ -44,7 +44,7 @@ jobs:
 with:
 files: snyk.sarif
 - name: Upload result to Code Scanning
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: snyk.sarif

@@ -103,4 +103,4 @@ jobs:
 with:
 persist-credentials: false
 - name: Typos
-uses: crate-ci/typos@0f0ccba9ed1df83948f0c15026e4f5ccfce46109 # v1.32.0
+uses: crate-ci/typos@b1ae8d918b6e85bd611117d3d9a3be4f903ee5e4 # v1.33.1

@@ -28,7 +28,7 @@ jobs:
 with:
 persist-credentials: false
 - name: Run Trivy vulnerability scanner
-uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0
+uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
 continue-on-error: true
 with:
 scan-type: fs
@@ -40,7 +40,7 @@ jobs:
 with:
 files: results.sarif
 - name: Upload result to Code Scanning
-uses: /codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+uses: /codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
 if: steps.check_files.outputs.files_exists == 'true'
 with:
 sarif_file: results.sarif

@@ -9,6 +9,7 @@ import org.gradle.plugins.ide.eclipse.model.Library
 
 plugins {
 id("jmh.caffeine")
+id("jcstress.caffeine")
 id("java-library.caffeine")
 }
 

@@ -19,6 +19,7 @@
 import static com..benmanes.caffeine.cache.Specifications.vTypeVar;
 import static com..benmanes.caffeine.cache.node.NodeContext.varHandleName;
 
+import java.lang.invoke.VarHandle;
 import java.lang.ref.Reference;
 import java.util.Objects;
 
@@ -87,6 +88,7 @@ private static MethodSpec makeGetValue(NodeContext context) {
 .beginControlFlow("if (referent != null)")
 .addStatement("return referent")
 .endControlFlow()
+.addStatement("$T.loadLoadFence()", VarHandle.class)
 .addStatement("$1T<V> current = ($1T<V>) $2L.getAcquire(this)", Reference.class, handle)
 .beginControlFlow("if (ref == current)")
 .addStatement("return null")
@@ -119,10 +121,10 @@ private static MethodSpec makeSetValue(NodeContext context) {
 } else {
 setter.addStatement("$1T<V> ref = ($1T<V>) $2L.getAcquire(this)",
 Reference.class, varHandleName("value"));
-setter.addComment("Can be setRelease in JDK 12+ (see JDK-8205523, JDK-8205523, JDK-8209697)");
-setter.addStatement("$L.setVolatile(this, new $T($L, $N, referenceQueue))",
+setter.addStatement("$L.setRelease(this, new $T($L, $N, referenceQueue))",
 varHandleName("value"), context.valueReferenceType(),
 "getKeyReference()", "value");
+setter.addStatement("$T.storeStoreFence()", VarHandle.class);
 setter.addStatement("ref.clear()");
 }
 

@@ -0,0 +1,100 @@
+/*
+* Copyright 2025 Ben Manes. All Rights Reserved.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package com..benmanes.caffeine.cache;
+
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.VarHandle;
+
+import org.jspecify.annotations.Nullable;
+import org.openjdk.jcstress.annotations.Actor;
+import org.openjdk.jcstress.annotations.Expect;
+import org.openjdk.jcstress.annotations.JCStressTest;
+import org.openjdk.jcstress.annotations.Outcome;
+import org.openjdk.jcstress.annotations.State;
+import org.openjdk.jcstress.infra.results.L_Result;
+
+import com.google.errorprone.annotations.Var;
+
+/**
+* A stress test that simulates the behavior for {@link java.lang.ref.Reference} reads and writes in
+* weak or soft valued caches. The {@link Node#setValue} proactively clears the underlying referent
+* after updating the entry's value. This is done to assist cross-generational pollution which can
+* cause garbage collectors to unnecessarily promote young dead objects to an old collection and
+* increase pause times. The {@link Node#getValue} compensates by a re-check validation to determine
+* if the observed null referent is due to garbage collection or a stale read. Due to referent being
+* read and written with plain memory semantics, an additional memory barrier is required to ensure
+* the correct visibility ordering.
+* <p>
+* {@snippet lang="shell" :
+* // JAVA_VERSION=?? for an alternative jdk
+* ./gradlew caffeine:jcstress --rerun
+* }
+*
+* @author [email protected] (Ben Manes)
+*/
+@State
+@JCStressTest
+@Outcome(id = "ok", expect = Expect.ACCEPTABLE, desc = "Reference seen and valid")
+@Outcome(id = "null", expect = Expect.FORBIDDEN, desc = "Reference seen but field not visible")
+public class IntermittentNull {
+private static final VarHandle VALUE;
+
+volatile Value value = new Value("ok");
+
+@Actor
+public void writer() {
+var oldValue = (Value) VALUE.getAcquire(this);
+var newValue = new Value("ok");
+VALUE.setRelease(this, newValue);
+VarHandle.storeStoreFence();
+oldValue.data = null;
+}
+
+@Actor
+public void reader(L_Result r) {
+@Var var value = (Value) VALUE.getAcquire(this);
+for (;;) {
+var data = value.data;
+if (data != null) {
+r.r1 = data;
+return;
+}
+VarHandle.loadLoadFence();
+var current = (Value) VALUE.getAcquire(this);
+if (value == current) {
+r.r1 = null;
+return;
+}
+value = current;
+}
+}
+
+static {
+try {
+VALUE = MethodHandles.lookup().findVarHandle(IntermittentNull.class, "value", Value.class);
+} catch (ReflectiveOperationException e) {
+throw new ExceptionInInitializerError(e);
+}
+}
+
+static final class Value {
+@Nullable String data;
+
+Value(String data) {
+this.data = data;
+}
+}
+}

@@ -0,0 +1,6 @@
+@NullMarked
+@CheckReturnValue
+package com..benmanes.caffeine.cache;
+
+import com.google.errorprone.annotations.CheckReturnValue;
+import org.jspecify.annotations.NullMarked;

@@ -1,6 +1,6 @@
 [versions]
 caffeine = "3.2.0"
-junit = "5.13.0"
+junit = "5.13.1"
 reactor = "3.8.0-M3"
 truth = "1.4.4"
 versions = "0.52.0"

@@ -1,4 +1,4 @@
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.2-bin.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME