This is a Critical Patch Update (CPU) for GraalVM Enterprise and Community Editions following a regular Oracle CPUs cycle. The update is to address security vulnerabilities announced in the October 2019 Oracle Critical Patch Update Advisory. The 19.2.1 version is a full distribution and and it is recommended to upgrade to it from older GraalVM versions.
Oracle GraalVM Enterprise Edition 19.2.1 includes all the Java security fixes released as part of that CPU and mentioned in the Java SE 8 Release notes. It also includes the following:
- Update GraalVM Enterprise base Java to the 8u231 Oracle JDK version
- Update GraalVM Community base Java to the 8u232 OpenJDK version
- Update Node.js to 10.16.3
Listed below are critical fixes that also went into this version:
java.lang.CharSequenceimplementations that have non-trivial implementations of the
charAtmethods (see #1625).
- Fixed a problem that could allow an exception to propagate past a
catchclause that should handle it.
Oracle Cloud Infrastructure customers can use GraalVM Enterprise environment in their cloud instances by simply installing it with
yum. For more details, please see
GraalVM on OCI.
Note: We currently do not recommend macOS users to upgrade to Catalina – a next major release of macOS desktop operating system. We can not guarantee complete compatibility with GraalVM 19.2.1 or older versions yet.
We prepared a high severity update for GraalVM to address the following issues:
- Fixed a critical compiler bug that caused
String.indexOfto be executed incorrectly on older machines that do not support the
TZCNTinstruction. The problem causes incorrect string operations and typically shows up as truncated string values.
- Fixed a bug causing the bounds check in Native Image’s implementation of
System.arraycopyto overflow with large indices which typically causes process termination.
- Fixed a bounds check for
System.arraycopyin cases where the array is “virtualized” (i.e., can be in registers and stack slots instead of on the heap).
- Removed declaration of otherwise unused SIOCGSTAMP symbol in Native Image. This allows use of Native Image on any Linux distro using a 5.2.x kernel such as the latest versions of Fedora, Ubuntu (except LTS release users), Arch, openSUSE (tumbleweed).
This is a GraalVM feature release, we recommend upgrading to it from the 19.1.x or older releases.
We simplified the process of collecting data for profile-guided optimizations (PGO) for GraalVM Enterprise native images. PGO allows to optimize performance of native images by analyzing collected profiles during the image generation process. Since 19.2.0 you can collect data for PGO while running your application in a just-in-time (JIT) compiled mode:
$ /graal-ee-19.2.0/bin/java -Dgraal.PGOInstrument=myclass.iprof MyClass $ /graal-ee-19.2.0/bin/native-image --pgo=myclass.iprof MyClass $ ./myclass
We improved throughput for native image in GraalVM Enterprise when no profiles are available. Running the Micronaut GraalVM example shows spending ~10% less CPU time and achieving a ~10% higher throughput of requests per CPU second in 19.2.
We also solved a common usability problem when a class marked for
initialization at runtime gets inadvertently initialized at build time. The flag
-H:+TraceClassInitialization was introduced to help tracing what classes got initialized at runtime.
- We added support for date, time, timezone, instant and duration interoperability types to distinguish date-like objects from multiple languages in polyglot contexts (see changes to GraalVM SDK and Truffle APIs).
Context.Builder.timeZoneto set the time zone.
- We implemented the Numeric separators TC39 proposal. It is
available in ECMAScript 2020 mode (
- We moved ICU data for internationalization APIs, e.g., date and time formatting, number formatting, collation for each individual supported language, previously distributed as separate files in
We added preliminary support for compiling native programs to bitcode using the LLVM toolchain. The LLVM toolchain is a set of tools and APIs for compiling native projects, such as C and C++, to bitcode that can be executed with the GraalVM LLVM runtime. It is aimed to simplify ahead-of-time compilation for users and language implementers who want to use the GraalVM LLVM runtime. To do so, we provide launchers that invoke the C/C++ compiler with special flags to produce results that can be executed by the GraalVM LLVM runtime. For more details, please consult the LLVM reference documentation.
A comprehensive list of changes to Ruby language component is available on GitHub. Major changes include:
- Implemented support for Fiddle – an extension to translate a foreign function interface (FFI) and libffi wrapper for Ruby.
- In terms of compatibility,
trueby default like MRI 2.5+;
BigDecimalcompatibility has been generally improved in several ways.
- Improved the performance by optimizing
Stringmethods to use the vector instructions when searching for a single-byte character in a
- Fixed several bugs reported by community:
- Added a new
fastRClusterpackage that allows to run FastR inside GNU-R:
- install in GNU-R or RStudio with:
?fastRClusterto learn more.
- install in GNU-R or RStudio with:
- The problem that
SET_ATTRIBdoes not validate the attributes as expected was resolved.
The changelog is available on GitHub.
The GraalVM Python implementation is still experimental and we are working towards improving completeness.
PyStructSequence_*C API – standard structured prediction functions.
- Added support for more C API functions as
PyEval_ThreadsInitialized, type attributes i.e.
recursion_depththread state fields.
- Fixed printing of errors in the REPL and full paths in tracebacks.
More details are available in the project changelog on GitHub.
API Changes for GraalVM Integrators (SDK + Truffle)
We implemented the ability to configure custom polyglot access configuration with
PolyglotAccess.newBuilder(). It allows to configure fine-grained access
control for polyglot bindings and between polyglot languages. For example, given
TruffleObject as a value, there is a need to determine language and type of
that object. This feature is significant for GraalVM execution inside Oracle
GraalVM 19.2.0 release also added support for date, time, timezone, duration
values in polyglot APIs, and introduced the
class to configure the default timezone of polyglot contexts.
The major GraalVM SDK and Truffle APIs changes between the versions are summarized in:
A preview version of Java Flight Recorder (JFR) support has been released as a plugin for the VisualVM tool bundled with GraalVM 19.2.0. The plugin reads all JFR snapshots created from Java 7 and newer and presents the data in typical VisualVM views familiar for its users.
To install the JFR support, download GraalVM 19.2.0 from graalvm.org/downloads, unzip it and run
JFR support is currently an experimental feature. Some advanced features like analyzing JVM internals, showing event stack traces or support for creating JFR snapshots from live processes are not available in the preview version and will be addressed incrementally in the following releases.
GraalVM Updater Utility
We fixed an issue where GraalVM Enterprise would by default download the GraalVM Community components from GitHub. If you are using GraalVM Community – nothing changes, you can still install the components as before, and the
gu will locate the necessary jar files on GitHub and correctly install them:
gu install native-image ruby R python
If you are using GraalVM Enterprise, you can install
llvm-toolchain components from GitHub, for example:
gu install R
The other components are available from the OTN page, and can be installed from a manually downloaded file, for example to install
native-image support run:
gu -L install native-image-installable-svm-svmee-darwin-amd64-19.2.0.jar
You can now refer to GraalVM version calendar to learn more about the GraalVM release model and prepare for upcoming releases.