JDK 24 Early-Access Release Notes

Two commands have been added to the jcmd command line tool to print information that may be useful when diagnosing issues with virtual threads.

jcmd <pid> Thread.vthread_scheduler prints the virtual thread scheduler, the target parallelism, number of threads, and other useful counters. The output also includes the delayed task schedulers that support virtual threads doing timed operations.

jcmd <pid> Thread.vthread_pollers prints the I/O pollers that support virtual threads doing blocking network I/O operations.

The Local Computer key store is accessed using the CERT_STORE_MAXIMUM_ALLOWED_FLAG. Since this store is typically managed by administrators for security reasons, processes are only given read-only access to specific private keys. By opening the store in read-only mode, non-elevated processes can now securely use these keys without requiring elevated permissions.

When redefining a class with JVMTI RedefineClasses, the new bytecodes are verified with the Class File Verifier regardless of the setting of the deprecated -Xverify option.

The Java Virtual Machine (JVM) option MaxDirectMemorySize controls the maximum total size of memory that may be used for direct buffers in an instance of the JVM. Its default value is the maximum size of the heap. Prior to JDK 24, the amount of memory allocated for internal temporary direct buffers such as used, for example, when reading from or writing to a java.nio.channels.FileChannel, was included in this total. As of JDK 24, internal use of temporary direct buffers is no longer included in the total.

The TLS_RSA cipher suites have been disabled by default, by adding "TLS_RSA_" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_RSA cipher suites do not preserve forward-secrecy and are not commonly used. Some TLS_RSA cipher suites are already disabled because they use DES, 3DES, RC4 or NULL, which are disabled. This action disables all remaining TLS_RSA cipher suites. Any attempts to use cipher suites starting with "TLS_RSA_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "TLS_RSA_" from the jdk.tls.disabledAlgorithms security property.

This release upgrades the Unicode version to 16.0, which includes updated versions of the Unicode Character Database and Unicode Standard Annexes #9, #15, and #29:

• The java.lang.Character class supports the Unicode Character Database, which adds 5,185 characters, for a total of 154,998 characters. The new additions include seven new scripts:
  • Garay is a modern-use script from West Africa.
  • Gurung Khema, Kirat Rai, Ol Onal and Sunuwar are four modern-use scripts from Northeast India and Nepal.
  • Todhri is an historic script used for Albanian.
  • Tulu-Tigalari is an historic script from Southwest India.
• The java.text.Bidi and java.text.Normalizer classes support Unicode Standard Annexes, #9 and #15, respectively.
• The java.util.regex package supports Extended Grapheme Clusters based on the Unicode Standard Annex #29.

For more details about Unicode 16.0, refer to the Unicode Consortium’s release note.

TLS cipher suites can be disabled with the jdk.tls.disabledAlgorithms security property in the java.security configuration file using one or more "" wildcard characters. For example, "TLS_RSA_" disables all cipher suites that start with "TLS_RSA_". Only cipher suites starting with "TLS_" are allowed to have wildcard characters.

DocLint in javac/javadoc no longer warns about a /// single-line dangling comment that starts a file. This is to accommodate systems that support a stylized comment on the first line of a source file as a way to "auto-execute" the file.

Unified Logging now outputs a special empty decorator [ ] followed by a space after newlines in multiline log messages. This change allows unambiguous parsing of Unified Logging output.

To illustrate the change, consider the output of log_info(gc)("An[gc] B");:

[gc] A
[  ] [gc] B

It is possible to parse this multiline message unambiguously. This was previously not possible, as the output was

[gc] A
[gc] B

which could (and likely would be) parsed as two distinct log messages A and B.

Tools that currently deal with multiline parsing ambiguities in Unified Logging require an update. The updates will likely result in simpler and more robust implementations.

This release adds the experimental support for compact object headers. In current 64-bit implementations, Java objects have 12-byte header. Compact object headers reduce header sizes to 8 bytes, improving Java heap footprint. This experimental feature can be enabled with -XX:+UnlockExperimentalVMOptions -XX:+UseCompactObjectHeaders. See more details in JEP 450.

The locale data based on the Unicode Consortium's CLDR has been upgraded to version 46. Besides the usual addition of new locale data and translation changes, there are notable changes from the upstream CLDR, affecting Date/Time/Number formattings:

• First day of week is Monday in UAE CLDR-15697
• Default numbering system for Arabic in non-Arabic-speaking locations CLDR-17553
• Comma is added for some date formatting patterns CLDR-17812 -
• Some time zone names changed due to them becoming links to other zones CLDR-17960

Note that locale data is subject to change in a future release of the CLDR. Although not all locale data changes affect the JDK, users should not assume stability across releases. For more details, please refer to the Unicode Consortium's CLDR release notes and their locale data deltas.

The static factory method java.io.Reader.of(CharSequence) has been added to get a Reader that reads characters from a CharSequence (String and StringBuilder are examples of a CharSequence). The returned Reader is more efficient than using a java.io.StringReader in some cases, as the latter requires conversion to String and synchronization.

The jar tool's extract operation has been enhanced to allow the --keep-old-files or the -k options to be used to preventing overwriting existing files.

Example Usages:

jar xkf foo.jar

or

jar --extract --keep-old-files --file foo.jar

Either of these commands will extract the foo.jar, and if an entry with the same name already exist in the target directory, then the existing file will not be overwritten.

The java.net.http.HttpClient will now report HTTP/2 flow control errors to the server when they are detected. This is an implementation detail that should be transparent to users of the HttpClient API, but could result in streams being reset or connections being closed if connecting to a non-conformant HTTP/2 server.

The jar tool's extract operation has been enhanced to allow the --dir or the -C options to be used to specify the directory where the archive will be extracted.

Example Usages:

jar -xf foo.jar -C /tmp/bar/

or

jar --extract --file foo.jar --dir /tmp/bar/

Either of these commands will extract the foo.jar to the /tmp/bar directory.

jrunscript tool has been deprecated and will be removed in a future release. Usage of this tool will now print a deprecation warning.

The JDK1.1 compatible behavior for "EST", "MST", and "HST" time zones has been removed. The behavior was enabled by setting the sun.timezone.ids.oldmapping system property, which is a no-op in this release.

IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar.

The new tzdata changes also impact some legacy zone IDs. Mapping of EST/MST/HST in java.time.ZoneId.SHORT_IDS have changed from fixed offset zones to links to other existing time zones with 2024b. "EST" now links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". Parsing of the short zone names "EST", "MST", and "HST" is not affected by this change. Further details are available at JDK-8340138

java.util.zip.ZipError has been deprecated for removal. This error class has been obsolete for many releases and has not been used by the reference implementation since Java 8.

Any existing code that used to throw java.util.zip.ZipError should consider throwing java.util.zip.ZipException instead. Code needing to catch this error when running on releases prior to Java 9 may be updated to catch the parent java.lang.InternalError class instead.

The following root certificates have been added to the cacerts truststore:

+ SSL.com
  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

If an entry is removed from a signed JAR file, there is no mechanism to detect that it has been removed using the JarFile API, since the getJarEntry method returns null as if the entry had never existed. With this change, the jarsigner -verify command analyzes the signature files and if some sections do not have matching file entries, it prints out the following warning: "This JAR contains signed entries for files that do not exist". Users can further find out the names of these entries by adding the -verbose option to the command.

The java.security security properties file and those referred to by the java.security.properties system property now support including other properties files. The directive include <path-to-a-file> can be used for this purpose. The effect of including a file is equivalent to defining its properties inline at the inclusion point. See more information and examples in the Security Properties Files Inclusion section of the Security Developer Guide and in JDK-8319333.

As a result of this change, the name include can no longer be used to define a property in a security properties file. If the name include is passed to the java.security.Security::getProperty or ::setProperty APIs, an IllegalArgumentException is thrown.

The debugd subcommand of the jhsdb tool is deprecated, for removal in a future release. jhsdb debugd is an RMI server which provides a remote interface for other jhsdb commands. Those commands use the --connect option which is therefore also deprecated for removal. This will not affect usage of jhsdb for debugging local VMs or core files.

A new JDK-specific monitoring and management interface jdk.management.VirtualThreadSchedulerMXBean has been added to allow Java Management Extension (JMX) based tooling monitor and manage the virtual thread scheduler. The interface supports monitoring the virtual thread scheduler's target parallelism, the threads used by the scheduler, and the number of virtual threads queued to the scheduler. It also supports dynamically changing the scheduler's target parallelism.

Some javax.management classes contained a feature for Serialization compatibility with very old JMX releases (1.0, 1.1, 1.2), which are from before JMX was an integrated part of the JDK (in JDK 5). This was enabled using the jmx.serial.form system property.

This compatibility logic offered no value, and only added complexity, so has been removed. This will not affect any JMX features, or any interactions between JMX features in different JDKs.

The Java Virtual Machine Specification is permissive regarding the number of entries of the RuntimeVisibleParameterAnnotations and RuntimeInvisibleParameterAnnotations attributes in the class file format. The javac tool was less permissive, and was rejecting class files that had a different number of entries than javac expected.

With JDK 24, this is fixed, and javac now accepts class files with any number of entries in the RuntimeVisibleParameterAnnotations and RuntimeInvisibleParameterAnnotations attributes. A compile-time warning is produced if the content of the attributes cannot be mapped to the corresponding method's parameters.

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

A new system property, jdk.tls.server.newSessionTicket, sets the number of TLSv1.3 resumption tickets sent by a JSSE server per session. It can be set on the command line with -Djdk.tls.server.newSessionTicket=#, where # ranges from 0 to 10. The default is 1.

java.net.http.HttpClient would previously timeout if a server didn’t respond to a request which included a Expect: 100-Continue header. 
This release updates HttpClient to send the request body if the server doesn’t respond and brings the implementation in line with RFC 9110

JDK's java.desktop module has internal code that interoperates with multiple versions of the GTK platform library. This is primarily to support the Swing GTK LookAndFeel.

The JDK previously included support for interoperating with the GTK 2 version of the library, which is reaching the end of its life. GTK 3 long ago superseded it and is supported by JDK as the preferred default, in which case to use GTK 2, apps must request it using the jdk.gtk.version System property. And since many recent distros make GTK 2 only an optional install, it may require extra work to use it, and future distros will likely not provide any way to install it.

Since all versions of Linux to be supported by JDK 24 provide GTK3, GTK2 support in JDK is now removed.

Setting the jdk.gtk.version System property to 2 or 2.2 will no longer have any effect, GTK 3 will be loaded.

Reflectively invoking VarHandle signature polymorphic methods is specified to throw UnsupportedOperationException. However, the implementation previously threw UnsatisfiedLinkError in such case. The behavior was adjusted to conform to the specification.

Command line arguments to the Java launcher are no longer converted with Windows' "best-fit" mapping when the arguments include unmappable characters for the ANSI code page. This mapping has been intervening in the Java launcher's argument parsing. Unmappable characters are now replaced with the default replacement character, such as '?' in some cases. For rare cases, where applications need those unmappable characters on the command line, select UTF-8 in Windows Regional Settings.

The javadoc for SSLSessionContext has been reworded to make it clear that when the timeout limit is exceeded for a session, the object is marked so that future connections cannot resume or rejoin the session. Active sessions can continue to be used so long as resume and rejoin operations are not attempted.

In previous releases, MethodTypeDesc.resolveConstantDesc threw an unchecked TypeNotPresentException instead of a checked ReflectiveOperationException when a component class was not found. This behavior is now corrected to throw a ClassNotFoundException, conforming to the specification.

Code that previously handled TypeNotPresentException in addition to ReflectiveOperationException can consolidate the exception handling into the existing ReflectiveOperationException handling.

A new overloaded method java.lang.Process#waitFor(Duration) has been added. Existing waitFor() method with timeout needs both a primitive time out value and its unit. The new method uses java.time.Duration so that the user will not be confused with the unit.

udp_preference_limit is a krb5.conf setting to control how a KDC-REQ message is sent. If the size of the message is greater than the value of udp_preference_limit, TCP will be used; otherwise UDP will be used. Before this change, setting it to zero is ignored and the message is sent with UDP. With this change, setting it to zero forces the message to be sent with TCP. This behavior is consistent with other Kerberos 5 vendors.

The SunPKCS11 provider has been enhanced to support the following AES CTS transformations for the Cipher service type:

• AES/CTS/NoPadding
• AES_128/CTS/NoPadding
• AES_192/CTS/NoPadding
• AES_256/CTS/NoPadding

The Addendum to NIST Special Publication 800-38A defines three variants of Ciphertext Stealing for CBC mode: CBC-CS1, CBC-CS2, and CBC-CS3. To ensure interoperability with SunJCE and Kerberos which use the CS3 variant, the SunPKCS11 provider needs to know the variant implemented by the underlying PKCS #11 library and convert the data if it is not in the CS3 variant. A new SunPKCS11 provider configuration attribute named cipherTextStealingVariant is introduced and must be set with any of the following values: CS1, CS2 or CS3 to indicate the CTS variant of the underlying PKCS #11 library, except for NSS as it is known to be CS1. Otherwise, the PKCS #11 CKM_AES_CTS mechanism is disabled.

The performance of the MessageDigest implementations that belong to the SHA3 family (SHA3-224, SHA3-256, SHA3-384 and SHA3-512) has been improved by 6-27 % (depending on digested message length and on the platform used), and an additional 30-40% on AVX-512 capable platforms due to new intrinsic implementations on that platform.

A new section for PSSParameterSpec algorithm names has been added to the Java Security Standard Algorithm Names specification. This section lists the standard hash and message generation function (MGF) algorithms that can be specified when initializing an RSASSA-PSS signature with a PSSParameterSpec object.

DecimalFormat, when the format expects a suffix, now parses correctly when the parse value contains a decimal symbol and isParseIntegerOnly() would return true. Previously, parsing would fail for such cases and the correct value never returned.

For example, in the following snippet, 5 will now be returned by the parse(String) invocation, instead of a ParseException thrown.

    NumberFormat fmt = NumberFormat.getPercentInstance(Locale.US);
    fmt.setParseIntegerOnly(true);
    fmt.parse("500.55%");

The jstatd tool is deprecated, for removal in a future release. jstatd is an RMI server application which monitors HotSpot VMs, and provides a remote interface for jstat. This will not affect usage of jstat for monitoring local VMs using the Attach API.

A new lightweight locking mechanism for object monitor locking was introduced in JDK 21 under JDK-8291555. The LockingMode flag was introduced to allow selection of this new mechanism (LM_LIGHTWEIGHT, value 2) in place of the default mechanism (LM_LEGACY, value 1). In JDK 23, the LockingMode default was changed to LM_LIGHTWEIGHT.

In JDK 24, the LockingMode flag, along with the LM_LEGACY (1) and LM_MONITOR (0) modes are deprecated. The default locking mode LM_LIGHTWEIGHT will be the only internal implementation that is supported when these locking modes become obsolete in a future release.

This is not expected to change any semantic behavior of Java monitor locking and it is expected to be performance neutral for almost all applications.

jpackage can use WiX Toolset v4 and v5 in addition to v3 on Windows. It will automatically choose the newest installed version.

jpackage supports custom WiX sources in both WiX v3 and v4 formats.

If WiX Toolset v4 or v5 is used, jpackage will automatically convert custom WiX sources in WiX v3 format to WiX v4 format.

The 32-bit x86 port is deprecated in JDK 24, with the intent to remove it in a future release. This effectively deprecates support for 32-bit x86 on all operating systems. The architecture-agnostic Zero port would be the only remaining way to run Java programs on 32-bit x86 processors going forward. Systems that run on 32-bit x86 today, would need to either consider upgrading to 64-bit x86, or qualify 32-bit x86 Zero, or stay on previous JDKs.