This is a Critical Patch Update (CPU) release for the 19.1.0 GraalVM release induced by the update to OracleJDK 8u221 and OpenJDK 8u222 as the base JDKs. More details can be found here and here. We recommend upgrading to it from the 19.1.x and older releases.

This CPU release includes fixes for the following CVEs:

  • CVE-2019-2813
  • CVE-2019-2862

For more information please see the Oracle July 2019 Security Advisory.

Critical fixes to GraalVM Native Image listed below went also into this version:

  • Fixed Reflection.getCallerClass methods sometimes failing to acquire the correct frame in the native images (#1479).

  • Fixed an issue that could cause header files not being generated in the working directory when compiling shared libraries ahead-of-time.



This is a feature release, we recommend upgrading to it from the 19.0.x releases.


  • Improved speed of just-in-time (JIT) compilation in GraalVM, which significantly improves the performance on medium length workloads.
  • Applied profile-guided optimization (PGO) when building the ahead-of-time (AOT) image of the compiler. This enables more aggressive optimization of the compiler itself providing better compilation throughput.

Native image

We fixed many issues that were reported on GitHub. You can browse the full list here.


  • Added an experimental option js.locale to set the default locale for locale-sensitive operations.
  • Allow making evaluated sources internal using the sourceURL directive by prefixing the URL with internal:, e.g., //# sourceURL=internal:myname.js.
  • Improved code sharing across threads. Prior to this one context had to be closed before the code in it could be reused in another context , now for JavaScript contexts one can share code using ContextPolicy.SHARED without closing the context. In the following example the source code is shared between context1 and context2:
public static void main(String[] args) {
        try (Engine engine = Engine.create()) {
            Source source = Source.create("js", "21 + 21");
            try (
              Context context1 = Context.newBuilder().engine(engine).build();
              Context context2 = Context.newBuilder().engine(engine).build()) {

LLVM interpreter

  • Calling exit(...) in an embedded context is now a catchable PolyglotException.
  • Skip source path entries that we are not allowed to access. Previously, when running in an embedded context with restricted access to the file system, the LLVM engine threw an exception when it could not read the source files, even if no debugger was attached. Now it will still run. Only when a debugger is attached, an error is reported when the source file can’t be accessed.


The GraalVM Ruby implementation in this version targets performance and compatibility improvements, new features implementations and multiple bug fixes. The most notable include:

  • Interactive sources (like the GraalVM polyglot shell) now all share the same binding (#1695).
  • Hash code calculation has been improved to reduce hash collisions for Hash and other cases.
  • eval(code, binding) for a fixed code containing blocks is now much faster. This improves the performance of rendering ERB templates containing loops.
  • rb_str_cat is faster due to the C string now being concatenated without first being converted to a Ruby string or having its encoding checked.

A complete changelog for the Ruby component is available on GitHub.


  • Strings -Inf, +NaN, and -NaN are correctly parsed to doubles including ignoring leading and trailing whitespaces.
  • For loop creates and initializes the control variable even if there are no iterations (#77).
  • Updated the output of the capabilities builtin (#78).
  • is.function returns true for foreign executables.

The complete project changelog is available on GitHub.


  • Updated Python standard library files from 3.7.0 to 3.7.3.
  • Improved performance of exceptions that do not escape.
  • Fixed caching of core sources in a native image with a preinitialized context for pre-built images and libpolyglot fast startup.
  • Implemented support for pwd.getpwuid, os.exec, os.execv, and os.execl modules.

To see a complete list of changes, please refer to the project changelog.

Connect with us