perl5252cdelta - what is new for cperl v5.25.2


This document describes the differences between the cperl 5.25.1 and the cperl 5.25.2 development releases.


use utf8 'Script'

In order to avoid TR39 confusable security hacks, we add the following unicode rules for identifiers and literals with mixed script properties:

See and [cperl #229]

This holds for all identifiers (i.e. all names: package, gv, sub, variables) and literal numbers.

Currently there exist 131 scripts, see "Valid scripts" in utf8.

Unicode normalization of identifiers/names

All stored utf8 names, identifiers and literals are parsed and stored as normalized NFC unicode, which prevents from various TR39 and TR36 unicode confusable and spoofing security problems.

However, dynamically created symbols via string refs are not normalized. ${"$decomposed"} stays decomposed.

Note that even perl6 stores different names for confusables, which match each other due to their NFG rules on their string matchers. perl5 matches strictly binary, which leads to confusable and spoofing security problems.

See [cperl #228],,, and the Python 3 discussion 2007 on PEP 3131

Python 3 normalizes to NFKC (Compatibility Decomposition, followed by Canonical Composition), cperl uses both canonical transformations. See for the difference. Basically NFKC transforms to shorter ligatures. NFC is recommended by TR15.

No binary symbols

Fallback to the secure behvaiour as before v5.16 and strip symbol names of everything after the first \0 character. This protects from creating binary symbols as with no strict 'refs'; ${"a\0\hidden"}, which were especially problematic for package names, which were mapped 1:1 to filenames. With the default warning 'security' in effect, a warning is produced by the "warn_security" in perlapi API, same as for unsafe syscalls since 5.20.

See "Invalid \0 character in string for SYMBOL: %s" in perldiag and [cperl #233].

hash seed exposure

cperl5.22.2 added a restraint to expose the internal hash secret seed via the environment variable PERL_HASH_SEED_DEBUG=1 to be hidden in taint mode. See [cperl #114] and "Core Enhancements" in perl5222cdelta.

    PERL_HASH_SEED_DEBUG=1 cperl5.22.2 -e1 =>

    PERL_HASH_SEED_DEBUG=1 cperl5.22.2 -t -e1 => empty

But unfortunately not many perl services are actually protected with -t, even if cperl fixed taint mode to be actually secure. The seed exposure is only needed for a debugging perl, and actually is security relevant.

So PERL_HASH_SEED_DEBUG=1 will now hide the seed value in non-DEBUGGING builds.

    PERL_HASH_SEED_DEBUG=1 cperl5.25.2 -e1 =>

Note that the seed is still trivially exposable via other means if a local script can be executed, as the seed value is readable from a fixed memory offset via unpack "P". That's why cperl fixed hash table security via proper means in the collision resolution, not via a slow hash function, and not via order hiding as perl5 believes in.

More discussion at and

chdir heap-buffer-overflow

Fixed heap-buffer-overflow in chdir without argument. make chdir allocate the stack it needs for the result, overwriting one stack entry. Note that the perl stack is on the heap, so it's not that dramatic. [perl #129130]


do_open, do_close macros

Those macros clash on darwin XTools with the system iostream _OutputIterator methods. We need to use the fullname Perl_do_open and Perl_do_close functions whenever perl needs to be embedded into C++ projects.

With the system C++ compiler on darwin do_open, do_close are now undefined. See [cperl #227]

Removed ' as package seperator

Made something like sub foo'bar; a syntax error. ' is not replaced by :: anymore when used as package seperator. This was deprecated 10 years ago.

cperl fixed the "c2ph" core utility using this last remaining perl4'ism, and removed the isn't method from Test::More. In a later versions ' can be reenabled as proper IDContinue character for identifiers, e.g. for Test::More isn't.

See [cperl #217].

Performance Enhancements

Modules and Pragmata

Updated Modules and Pragmata

Term-ANSIColor 4.06

Add aliases ansi16 through ansi255 and on_ansi16 through on_ansi255 (plus the corresponding constants) for the grey and rgb colors so that one can refer to all of the 256 ANSI colors with consistent names. These are aliases; the colors returned by uncolor will still use the grey and rgb names. (#118267)

podlators 4.09

Add the t/data/snippets tests.

Use Pod::Simple's logic to determine the native code points for NO BREAK SPACE and SOFT HYPHEN instead of hard-coding the ASCII values. Hopefully fixes the case of mysterious disappearing open brackets on EBCDIC systems. (#118240)

Locale-Codes 3.42

Added Czech republic aliases back in

Archive-Tar 2.18

Better 09_roundtrip.t tests.

B-Debug 1.24

Support 5.25.6 split optimization

Devel-NYTProf 6.04

Fix -Wc++11-compat warnings, and various minor issues.

Devel-PPPort 3.35_02

Fix -Wc++11-compat warnings

Internals-DumpArenas 0.12_05

Fix -Wc++11-compat warnings

Socket 2.024_05

Fix -Wc++11-compat warnings

POSIX 1.65_02

Fix -Wc++11-compat warnings

Scalar-List-Utils 1.46_08

Fix -Wc++11-compat warnings.

Warn and strip \0 in names. [cperl #233]

Cwd 4.65c

Fix -Wc++11-compat warnings

Data-Dumper 2.163

Fix -Wc++11-compat warnings

Time-Local 1.25

Less runtime memory: demand-load Carp, Config.

Time-HiRes 1.9741_01

Fix -Wc++11-compat warnings Keep our better C++ fixes Keep our t/usleep.t, t/alarm.t, t/utime.t fixes. Keep our do_openn improvements in typemap.

from upstream:

- El Capitan compatibility - use CLOCK_REALTIME for clock_nanosleep scan - include file consistency in scans - use clockid_t consistently - use hv_fetchs() - scan for clockid_t (needed for macos Sierra) - darwin lacks clockid_t [ #129789]

Storable 3.02c

Fix -Wc++11-compat warnings

Encode 2.88

various upstream fixes. plus g++-6 -fpermissive and -Wc++11-compat fixes. our local make -s silent patches and various others are now all upstream.

ExtUtils-Constant 0.23_04

Fix -Wc++11-compat warnings in generated code.

ExtUtils-ParseXS 3.32_01

Fix visibility declaration of XS_EXTERNAL for -flto and -fvisibility=hidden.

Test::More 1.401015c

Removed the deprecated isn't method, using the ' package seperator.

App::Cpan 1.64_01

Fixed CPAN::Shell-expand("Module", "Bundle::...")> error with Bundles, a regression from 1.63 and prev. cperl releases up to 5.25.0c. cperl only. cpan . in local directory still broken (upstream).

DynaLoader 2.06c

Fixed build dependency for dlboot.c. No excessive rebuilds anymore.

Cpanel-JSON-XS 3.0225

- Fixes for g++-6, stricter -fpermissive and -Wc++11-compat.

- Added tests for ill-formed utf8 sequences from Encode.

- modfl() mingw 4.0 runtime bug [perl #125924]

- Tested with the comprehensive JSON decode spectests from Not added to core. #72

- decode with BOM: UTF-8, UTF-16, or UTF-32.

- fixed detection of final \0 as illegal non-whitespace garbage. Fixes spectest 'n_number_then_00'. #72

- warn with unicode noncharacters as in core when not in relaxed mode. #74

- fail decode of non-unicode raw characters above U+10FFFF when not in relaxed mode.

B-C 1.54_15

Fixed IsCOW savepvn, store the last cowrefcnt.

Fixed wrong savepvn length, failing with asan.

Optimized mro_isa_changed_in initialization.

Net-Ping 2.55

Fixed missing _unpack_sockaddr_in family, which took AF_INET6 for a AF_INET addr in t/500_ping_icmp.t and t/500_ping_icmp_ttl.t. Use now a proper default. Detected by the new gitlab ci.

Fixed _pack_sockaddr_in for a proper 2nd argument type, hash or packed address.

Improved 500_ping_icmp.t to try sudo -n for tests requiring root, plus adding -n fir fixing [RT #118451]. Relaxed more tests failing with firewalled icmp on localhost. [RT #118441]

Fixed ping_external argument type, either packed ip or hostname. [RT #113825]

Fixed wrong skip message in t/020_external.t

Pod-HTML 2.22c

Improved parallel testing, relative testdir/test$$.lib. See [RT #118416].

Unicode-Collate 1.19

Many new locales. Some major fixes.

version 0.9917_02c

Merge latest version with the '_' lyon concensus with the cperl extension of the optional final 'c' suffix. Extend version::regex for cperl. Now also parse the 'c' natively.


Changes to Existing Documentation



The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see perldiag.

New Diagnostics

A new -Dmv debugging mode for verbose arena memory debugging was added, similar to -Dm and env PERL_MEM_LOG=s.

New Errors

New Warnings

Utility Changes


Platform Support

Platform-Specific Notes


With the SunPro cc compiler we use now the __global declaration for exported functions, similar to Windows __declspec(dllexport).

This is hidden under the new GLOBAL macro.

Configuration and Compilation


Probe for arflags, which do support D for deterministic static archives without member timestamps. On darwin we currently only have llvm-ar-mp-3.9 (since 3.7) which does support this.

ranlib is probed for the -D flag for reproducible build determinism.

fixed longdblinfbytes probe

With Intel long double it didn't clean random excess garbage bytes after the 10th byte.

cperl build helper scripts

Added the following release scripts to Porting: do-conf-clean do-conf-cperl-release do-make-cperl-release do-make-srctarball perl_version for Linux (debian and rpm) and Darwin.

Those builds are now reproducible, see below.

reproducible builds

cperl has now support for automatic reproducible builds on most platforms. A new cf_epoch config key was added.

The config key cf_time is now based on: 1. SOURCE_DATE_EPOCH, 2. with .git the newest file in the repository, or 3. the newest file in the MANIFEST.

Builds are done with LC_ALL=C and PERL_HASH_SEED=0, but builds are still LANGUAGE or compiler specific.

Those builds are reproducible when done on the same machine and user. Otherwise set the keys: cf_by, cf_email, mydomain, myhostname, myuname also.

See [cperl #169].


This suspicious Config key was removed from cperl. If you have a NIS database use ypcat passwd. passcat is not used in any public CPAN module.


Ask for fake_signatures being compiled in as default or not. Defaults to yes with cperl, no without. Sets $Config{fake_signatures} and defines PERL_FAKE_SIGNATURE.


Probe for llabs() needed for PERL_IABS on 32bit with -Duse64bitint, the default on mingw/cygwin. Defines HAS_LLABS.


Probe for setenv() needed on some platforms with strict linkage or -fvisibility=hidden.


Probe for __attribute__((always_inline)), which is helpful with clang -flto=thin for exported mathoms (b) and inlined functions.

The problem is that __attribute__((used)) functions are not inlined. With always_inline + global visibility, but not __attribute__((used)) we get inlined variants plus exported copies for the API. Add PERL_MATHOM_CALLCONV to use it.


Internal Changes

Selected Bug Fixes

Known Problems

For open cperl problems see [issues].

Some of these fixes also can to be backported from perl5.25.x upstream.


cperl 5.25.2 represents approximately 2 months of development since cperl 5.25.1c and contains approximately 44,000 lines of changes across 400 files from 5 authors.

Excluding auto-generated files, documentation and release tools, there were approximately 31,000 lines of changes to 260 .pm, .t, .c and .h files.

The following people are known to have contributed the improvements that became Perl 5.25.2:

Reini Urban, Tony Cook, Yves Orton, Hugo van der Sanden, Karl Williamson.

The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.

Generated with:

    cperl Porting/ cperl-5.25.1..HEAD

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at . There may also be information at , the Perl Home Page.

If you believe you have an unreported bug, please run the cperlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to to be analysed by the Perl porting team.

If you think it's a cperl specific bug or trust the cperl developers more please file an issue at

If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see "SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec For details of how to report the issue.


The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.