This is a Critical Patch Update (CPU) for GraalVM Enterprise and Community Editions following a regular Oracle CPUs cycle. The update is to address security vulnerabilities announced in the October 2019 Oracle Critical Patch Update Advisory. The 19.2.1 version is a full distribution and and it is recommended to upgrade to it from older GraalVM versions.

Oracle GraalVM Enterprise Edition 19.2.1 includes all the Java security fixes released as part of that CPU and mentioned in the Java SE 8 Release notes. It also includes the following:

  • Update GraalVM Enterprise base Java to the 8u231 Oracle JDK version
  • Update GraalVM Community base Java to the 8u232 OpenJDK version
  • Update Node.js to 10.16.3

Listed below are critical fixes that also went into this version:

  • Fixed a problem that prevented creating a native image including the GraalVM JavaScript engine combined with java.lang.CharSequence implementations that have non-trivial implementations of the length and charAt methods (see #1625).
  • Fixed a problem that could allow an exception to propagate past a catch clause that should handle it.

Oracle Cloud Infrastructure customers can use GraalVM Enterprise environment in their cloud instances by simply installing it with yum. For more details, please see GraalVM on OCI

Note: We currently do not recommend macOS users to upgrade to Catalina – a next major release of macOS desktop operating system. We can not guarantee complete compatibility with GraalVM 19.2.1 or older versions yet.


We prepared a high severity update for GraalVM to address the following issues:

  • Fixed a critical compiler bug that caused String.indexOf to be executed incorrectly on older machines that do not support the TZCNT instruction. The problem causes incorrect string operations and typically shows up as truncated string values.
  • Fixed a bug causing the bounds check in Native Image’s implementation of System.arraycopy to overflow with large indices which typically causes process termination.
  • Fixed a bounds check for System.arraycopy in cases where the array is “virtualized” (i.e., can be in registers and stack slots instead of on the heap).
  • Removed declaration of otherwise unused SIOCGSTAMP symbol in Native Image. This allows use of Native Image on any Linux distro using a 5.2.x kernel such as the latest versions of Fedora, Ubuntu (except LTS release users), Arch, openSUSE (tumbleweed).



This is a GraalVM feature release, we recommend upgrading to it from the 19.1.x or older releases.

Native Image

We simplified the process of collecting data for profile-guided optimizations (PGO) for GraalVM Enterprise native images. PGO allows to optimize performance of native images by analyzing collected profiles during the image generation process. Since 19.2.0 you can collect data for PGO while running your application in a just-in-time (JIT) compiled mode:

$ /graal-ee-19.2.0/bin/java -Dgraal.PGOInstrument=myclass.iprof MyClass
$ /graal-ee-19.2.0/bin/native-image --pgo=myclass.iprof MyClass
$ ./myclass


We improved throughput for native image in GraalVM Enterprise when no profiles are available. Running the Micronaut GraalVM example shows spending ~10% less CPU time and achieving a ~10% higher throughput of requests per CPU second in 19.2.

We also solved a common usability problem when a class marked for initialization at runtime gets inadvertently initialized at build time. The flag -H:+TraceClassInitialization was introduced to help tracing what classes got initialized at runtime.


  • We added support for date, time, timezone, instant and duration interoperability types to distinguish date-like objects from multiple languages in polyglot contexts (see changes to GraalVM SDK and Truffle APIs).
  • Added Context.Builder.timeZone to set the time zone.
  • We implemented the Numeric separators TC39 proposal. It is available in ECMAScript 2020 mode (--js.ecmascript-version=2020).
  • We moved ICU data for internationalization APIs, e.g., date and time formatting, number formatting, collation for each individual supported language, previously distributed as separate files in <JAVA_HOME>/jre/languages/js/icu4j/icudt to the executable of JavaScript (js).

More changes are listed in the JavaScript component changelog.

LLVM Interpreter

We added preliminary support for compiling native programs to bitcode using the LLVM toolchain. The LLVM toolchain is a set of tools and APIs for compiling native projects, such as C and C++, to bitcode that can be executed with the GraalVM LLVM runtime. It is aimed to simplify ahead-of-time compilation for users and language implementers who want to use the GraalVM LLVM runtime. To do so, we provide launchers that invoke the C/C++ compiler with special flags to produce results that can be executed by the GraalVM LLVM runtime. For more details, please consult the LLVM reference documentation.

The toolchain is an experimental feature in this release. A complete list of changes to GraalVM LLVM runtime can be found in the changelog.


A comprehensive list of changes to Ruby language component is available on GitHub. Major changes include:

  • Implemented support for Fiddle – an extension to translate a foreign function interface (FFI) and libffi wrapper for Ruby.
  • In terms of compatibility, Thread.report_on_exception is now true by default like MRI 2.5+; BigDecimal compatibility has been generally improved in several ways.
  • Improved the performance by optimizing String methods to use the vector instructions when searching for a single-byte character in a String.
  • Fixed several bugs reported by community:
    • Set RbConfig::CONFIG['ruby_version'] to the same value as the TruffleRuby version. This fixes reusing C extensions between different versions of TruffleRuby with Bundler (#1715).
    • Improved errors when interacting with single-threaded languages (#1709).


  • Added a new fastRCluster package that allows to run FastR inside GNU-R:
    1. install in GNU-R or RStudio with: devtools::install_github('oracle/fastr/com.oracle.truffle.r.pkgs/fastRCluster');
    2. use ?fastRCluster to learn more.
  • The problem that SET_ATTRIB does not validate the attributes as expected was resolved.

The changelog is available on GitHub.


The GraalVM Python implementation is still experimental and we are working towards improving completeness.

  • Implemented PyStructSequence_* C API – standard structured prediction functions.
  • Added support for more C API functions as PyEval_InitThreads and PyEval_ThreadsInitialized, type attributes i.e. nb_remainder, nb_subtract, overflowed and recursion_depth thread state fields.
  • Fixed printing of errors in the REPL and full paths in tracebacks.

More details are available in the project changelog on GitHub.

API Changes for GraalVM Integrators (SDK + Truffle)

We implemented the ability to configure custom polyglot access configuration with PolyglotAccess.newBuilder(). It allows to configure fine-grained access control for polyglot bindings and between polyglot languages. For example, given a TruffleObject as a value, there is a need to determine language and type of that object. This feature is significant for GraalVM execution inside Oracle RDBMS.

GraalVM 19.2.0 release also added support for date, time, timezone, duration values in polyglot APIs, and introduced the Context.Builder.timeZone(ZoneId) class to configure the default timezone of polyglot contexts.

The major GraalVM SDK and Truffle APIs changes between the versions are summarized in:


A preview version of Java Flight Recorder (JFR) support has been released as a plugin for the VisualVM tool bundled with GraalVM 19.2.0. The plugin reads all JFR snapshots created from Java 7 and newer and presents the data in typical VisualVM views familiar for its users.

To install the JFR support, download GraalVM 19.2.0 from graalvm.org/downloads, unzip it and run /bin/jvisualvm to start VisualVM. Use `Tools | Plugins | Available Plugins` to list all available plugins and install the VisualVM-JFR and VisualVM-JFR-Generic modules. The JFR snapshots can be opened using either the File | Load… action or by double-clicking the JFR Snapshots node and adding the snapshot into the JFR repository permanently. Please follow the documentation of your Java installation how to create JFR snapshots.

JFR support is currently an experimental feature. Some advanced features like analyzing JVM internals, showing event stack traces or support for creating JFR snapshots from live processes are not available in the preview version and will be addressed incrementally in the following releases.

GraalVM Updater Utility

We fixed an issue where GraalVM Enterprise would by default download the GraalVM Community components from GitHub. If you are using GraalVM Community – nothing changes, you can still install the components as before, and the gu will locate the necessary jar files on GitHub and correctly install them:

gu install native-image ruby R python

If you are using GraalVM Enterprise, you can install R and llvm-toolchain components from GitHub, for example:

gu install R

The other components are available from the OTN page, and can be installed from a manually downloaded file, for example to install native-image support run:

gu -L install native-image-installable-svm-svmee-darwin-amd64-19.2.0.jar

Version Calendar

You can now refer to GraalVM version calendar to learn more about the GraalVM release model and prepare for upcoming releases.

Connect with us