perl5253cdelta - what is new for cperl v5.25.3


This document describes the differences between the cperl 5.25.2 and the cperl 5.25.3 development releases.

If you are upgrading from an earlier release such as v5.25.1c, first read perl5252cdelta, which describes differences between v5.25.1c and v5.25.2c


This cperl version is merged with the perl versions 5.25.3 - 5.25.9.

${^ENCODING} and the encoding pragma was not removed, rather fixed instead.

User-type support is greatly enhanced. See "Type-check assignments", "HvCLASS", "Type-infer bless", and "Type-infer subroutine return types". Before just coretypes were properly checked, now use types adds warnings for all other types.

The still incomplete and slow implementation for the experimental subroutine signatures feature from 5.25.4 was not added, as cperl's signatures are over 50% faster for over a year already and have many more features. In detail the new OP_ARGELEM, OP_ARGDEFELEM and OP_ARGCHECK are not used, cperl still uses OP_SIGNATURE only.

cperl doesn't use the slow Siphash 1-3 as default on 64bit, and no hybrid hash function as introduced with 5.25.8. cperl rather uses a short and fast hash function and other typical hash table optimizations, while adding proper security in the collision resolution instead. A secure PRF (pseudo random function) can never ensure DoS safety for a hash table, contrary to the Siphash paper claims.

Core Enhancements

No magic to undef/yes/no/placeholder SVs

cperl silently forbids attaching magic to the four major builtin SV sentinels undef, yes, no and placeholder, which are mostly compared to by pointer. Adding magic to them will break that comparison.

Type-check assignments

Assignment type violations are now also warned, with use warnings 'types' enabled, previously only signature types were checked. Only signature type violations or use types 'strict' violations are fatal.

Note that the type system is still completely unsound. So far it is only there to catch the most common errors and enable coretype optimizations. cperl only.


With cperl use base or use fields now closes the @ISA and hereby enable compile-time checks and optimizations. The new Internals::HvCLASS function gets or sets the same type for base/field classes as with the upcoming class keyword. See [cperl #249]. cperl only.

Type-infer bless

bless with a constant 2nd argument, the classname, infers this type to the enclosing sub if its the last statement in a body, or to the left-side assignment of a lexical variable. cperl only.

Type-infer subroutine return types

Subroutine types, either declared or inferred, are now passed through to the type-checker at compile-time. cperl only.

perl5.14 deprecated and 5.18 started disallowing a for loop with a qw() list, "qw-as-parens".

The rationale to remove the handy for qw() syntax was technical and trivial to fix. cperl 5.25.3 re-instated it for for loops, but not for the rest. cperl does not insist on the backwards syntax to require (qw( ... )) around the for list.

   cperl5.25.3 -e'for qw(a b c) { print $_ }'

   perl5.18 -e'for (qw(a b c)) { print $_ }'

   perl5.14 -e'for $_ qw(a b c) { print $_ }'
   => Use of qw(...) as parentheses is deprecated at -e line 1

   perl5.12  -e'for $_ qw(a b c) { print $_ }'

The new additional cperl syntax is even easier to use than before. See [cperl #26]. cperl only.

Perl can now do default collation in UTF-8 locales on platforms that support it

Some platforms natively do a reasonable job of collating and sorting in UTF-8 locales. Perl now works with those. For portability and full control, Unicode::Collate is still recommended, but now you may not need to do anything special to get good-enough results, depending on your application. See "Category LC_COLLATE: Collation: Text Comparisons and Sorting" in perllocale

Better locale collation of strings containing embedded NUL characters

In locales that have multi-level character weights, these are now ignored at the higher priority ones. There are still some gotchas in some strings, though. See "Collation of strings containing embedded NUL characters" in perllocale.

Unescaped literal "{" characters in regular expression patterns are no longer permissible

You have to now say something like "\{" or "[{]" to specify to match a LEFT CURLY BRACKET. This will allow future extensions to the language. This restriction is not enforced, nor are there current plans to enforce it, if the "{" is the first character in the pattern.

These have been deprecated since v5.16, with a deprecation message displayed starting in v5.22.

Literal control character variable names are no longer permissible

A variable name may no longer contain a literal control character under any circumstances. These previously were allowed in single-character names on ASCII platforms, but have been deprecated there since Perl v5.20. This affects things like $\cT, where \cT is a literal control (such as a NAK or NEGATIVE ACKNOWLEDGE character) in the source code.

New regular expression modifier /xx

Specifying two x characters to modify a regular expression pattern does everything that a single one does, but additionally TAB and SPACE characters within a bracketed character class are generally ignored and can be added to improve readability, like /[ ^ A-Z d-f p-x ]/xx. Details are at "/x and /xx" in perlre.

NBSP is no longer permissible in \N{...}

The name of a character may no longer contain non-breaking spaces. It has been deprecated to do so since Perl v5.22.

CORE subroutines for hash and array functions callable via reference

The hash and array functions in the CORE namespace--keys, each, values, push, pop, shift, unshift and splice--, can now be called with ampersand syntax (&CORE::keys(\%hash) and via reference (my $k = \&CORE::keys; $k->(\%hash)). Previously they could only be used when inlined.

Unicode 9.0 is now supported

A list of changes is at Modules that are shipped with core Perl but not maintained by p5p do not necessarily support Unicode 9.0. Unicode::Normalize does work on 9.0.

Note that some changed UCD database files in 9.0 stayed renamed to their shortened name in perl.

Use of \p{script} uses the improved Script_Extensions property

Unicode 6.0 introduced an improved form of the Script (sc) property, and called it Script_Extensions (scx). As of now, Perl uses this improved version when a property is specified as just \p{script}. The meaning of compound forms, like \p{sc=script} are unchanged. This should make programs be more accurate when determining if a character is used in a given script, but there is a slight chance of breakage for programs that very specifically needed the old behavior. See "Scripts" in perlunicode.

Declaring a reference to a variable

As an experimental feature, Perl now allows the referencing operator to come after my(), state(), our(), or local(). This syntax must be enabled with use feature 'declared_refs'. It is experimental, and will warn by default unless no warnings 'experimental::refaliasing' is in effect. It is intended mainly for use in assignments to references. For example:

    use experimental 'refaliasing', 'declared_refs';
    my \$a = \$b;

See "Assigning to References" in perlref for slightly more detail.

Note that this still looks much worse than the perl6 bind operator: my $a := $b;

Indented Here-documents

This adds a new modifier '~' to here-docs that tells the parser that it should look for /^\s*$DELIM\n/ as the closing delimiter.

These syntaxes are all supported:

    <<~ 'EOF';
    <<~ "EOF";
    <<~ `EOF`;

The '~' modifier will strip, from each line in the here-doc, the same whitespace that appears before the delimiter.

Newlines will be copied as is, and lines that don't include the proper beginning whitespace will cause perl to croak.

For example:

    if (1) {
      print <<~EOF;
        Hello there

prints "Hello there\n" with no leading whitespace.

'.' and @INC

The old cperl -Dfortify_inc security feature was now also introduced by perl5 and renamed to -Ddefault_inc_excludes_dot.

Because the testing and make process for perl modules does not work well with . missing from @INC, cperl and perl5 still support the environment variable PERL_USE_UNSAFE_INC=1 which makes Perl behave as it previously did, returning . to @INC in all child processes.

create a safer utf8_hop() called utf8_hop_safe()

Unlike utf8_hop(), utf8_hop_safe() won't navigate before the beginning or after the end of the supplied buffer.


@{^CAPTURE} exposes the capture buffers of the last match as an array. So $1 is ${^CAPTURE}[0].

%{^CAPTURE} is the equivalent to %+ (ie named captures)

%{^CAPTURE_ALL} is the equivalent to %- (ie all named captures).

Improved .pmc loading

cperl now sets the correct .pmc filename for __FILE__ and CopFILE, when it was loaded from it.

cperl also allows bypassing a .pmc if loaded explicitly via do and an absolute pathname.

This allows improved .pmc file caching of only selective parts of a module. Such as a method jit, which stores onlt some subs, but not the whole module in it's cache. Hence the Cache logic in the .pmc can now first load the parallel source .pm and then apply the .pmc optimizations. E.g. by loading a LLVM .bc file contents with only some subs.

The impact for existing code is low. If you loaded a .pmc via do "/abspath/" you need to add now a final "c" explictly: do "/abspath/module.pmc".

With perl5 upstream those two longstanding PMC bugs made it impossible to use a partial Byte- or JitCache. It also makes it possible to re-instate the old python-like timestamp logic which was removed for pugs 2006 with commit a91233bf4cf.

See [cperl #244]. cperl only.


Storable stack overflows

By reading malcrafted local Storable files or memory you could easily overwrite the local stack with controlled data. With bigger values you could cause an immediate exit, without backtrace or an exception being caught.

Another major stack-overflow fix is for [cpan #97526], limiting the maximal number of nested hash or arrays to 3000. Cpanel::JSON::XS has it at 512.

Note that p5p doesn't think that these are security issues. [perl #130635] (even if similar less severe attacks had a CVE and a metasploit module, which cperl detects).

cperl only so far. Uploaded to CPAN, but at this date still unauthorized.

"Escaped" colons and relative paths in PATH

On Unix systems, Perl treats any relative paths in the PATH environment variable as tainted when starting a new process. Previously, it was allowing a backslash to escape a colon (unlike the OS), consequently allowing relative paths to be considered safe if the PATH was set to something like /\:.. The check has been fixed to treat . as tainted in that example.

Unicode identifiers: Moderately Restrictive Level

cperl as first dynamic scripting language follows the General Security Profile for identifiers in programming languages.

Moderately Restrictive: Allow Latin with other Recommended or Aspirational scripts except Cyrillic and Greek. Otherwise, the same as Highly Restrictive, i.e. allow :Japanese, :Korean and :Hanb.

"Some characters are not in modern customary use, and thus implementations may want to exclude them from identifiers. These include characters in historic and obsolete scripts, scripts used mostly liturgically, and regional scripts used only in very small communities or with very limited current usage. The set of characters in Table 4, Candidate Characters for Exclusion from Identifiers provides candidates of these."

cperl honors the TR31 Candidate Characters for Exclusion from Identifiers

I.e. You may still declare those scripts as valid, but they are not automatically allowed, similar to the need to declare mixed scripts.

    use utf8;
    my $ᭅ = 1; # \x{1b45} BALINESE LETTER KAF SASAK

=> Invalid script Balinese in identifier ᭅ for U+1B45

    use utf8 'Balinese';
    my $ᭅ = 1; # \x{1b45} BALINESE LETTER KAF SASAK
    print "ok";



The scripts listed at "Table 6, Aspirational Use Scripts": Canadian_Aboriginal, Miao, Mongolian, Tifinagh and Yi are included, i.e. need not to be declared.

With this restriction we are close to the implementation of the Moderately Restrictive level for identifiers by default. See and

With special declarations of the used scripts you can weaken the restriction level to Minimally Restrictive.

Missing for the Moderately Restrictive level are warnings on single-, mixed and whole-script confusables, and warnings on certain incompatible mixed-script pairs such as Greek + Cyrillic.

All utf8 encoded names are checked for wellformed-ness.

chdir heap-buffer-overflow on the perl stack

When called without argument it overwrote subsequent stack entries with the easily controllable result. [perl #129130]

Improved Hash DDoS prevention

This is merely a theoretical problem, improving on the previous sleep solution against hash floods. Distributed hashflood attacks could lead to memory exhaustion and denial of service in threaded servers, which would bypass the original FAIL_DELAY-like intrusion detection and mitigation.

First sleep, but if >128 concurrent attacks are detected, exit hard. Use a global hash_slowdos counter. Note that this is also triggered by a 128*8*128 hash collision single source attack (=131072). This is still better, faster and smaller than the java solution to convert the linked list to a tree. We log the attackers and can block them. [cperl #246]. cperl only.

Incompatible Changes

String delimiters that aren't stand-alone graphemes are illegal

In order for Perl to eventually allow string delimiters to be Unicode grapheme clusters (which look like a single character, but may be a sequence of several ones), we stop allowing a single char delimiter that isn't a grapheme by itself. These are unlikely to exist in actual code, as they would typically display as attached to the character in front of them.

E.g. qr ̂foobar̂; is now an error, it is only deprecated with v5.25.9 upstream and will be illegal in perl5 v5.30. cperl only.

for state loops still illegal

perl5.25.3 started allowing state variables in loops. cperl still disallows them.

    perl5.25.3 -E'use feature "declared_refs","refaliasing";
                 for state \$x (\$y) { print $x }'
    => warnings: Declaring references is experimental at -e line 1.
    Aliasing via reference is experimental at -e line 1.

    cperl5.25.3 -E'use feature "declared_refs","refaliasing";
                 for state \$x (\$y) { print $x }'
    => error: Missing $ on loop variable at -e line 1.

and without declared_refs:

    perl5.25.3 -E'for state $x ($y) { print $x }'

    cperl5.25.3 -E'for state $x ($y) { print $x }'
    => error: Missing $ on loop variable at -e line 1.

scalar(%hash) return value changed

The value returned for scalar(%hash) will no longer show information about the buckets allocated in the hash. It will simply return the count of used keys. It is thus equivalent to 0+keys(%hash).

A form of backwards compatibility is provided via Hash::Util::bucket_ratio() which provides the same behavior as scalar(%hash) provided prior to Perl 5.25.

keys returned from an lvalue subroutine

keys returned from an lvalue subroutine can no longer be assigned to in list context.

    sub foo : lvalue { keys(%INC) }
    (foo) = 3; # death
    sub bar : lvalue { keys(@_) }
    (bar) = 3; # also an error

This makes the lvalue sub case consistent with (keys %hash) = ... and (keys @_) = ..., which are also errors. [perl #128187]

Performance Enhancements

Modules and Pragmata

New Modules and Pragmata

types 0.01

Controls the type-checker. See types or perltypes.

Updated Modules and Pragmata

Archive-Tar 2.24

Handle tarballs compressed with pbzip2 (RT #119262)

Add missing strict/warnings pragma to

Check for gzip/bzip2 before round tripping gz/bz2 files in tests

B-C 1.55_02

Fixes for PERL_OP_PARENT: moresib, sibling, parent.

Fix hints/ dependency on [cpan #120161]

PUSHRE replaced by SPLIT, no xpad_cop_seq, SVpbm_VALID

Improved dl_module_to_sofile without 2nd arg

B-Debug 1.24

No changes

Carp 1.42c

Handle chunk errors phrases

Compress-Raw-Bzip2 2.070

This was already fixed in cperl since 5.25.2: RT #119005: [PATCH] Wrong APPEND_OUTPUT logic

This was already fixed in cperl since 5.25.2: RT #119141: -Wlogical-not-parentheses

This was already fixed in cperl Dec 8 2015 but lost with the update to 2.069 Mar 28 2016. RT #100817 gcc 4.9.2 warning -Wmaybe-uninitialized for cost[3-5] Coped fix for same issue from RT #105647

Compress-Raw-Zlib 2.072

Better fix for the cperl APPEND logic.

inflate.c: Fixed -1L compilation warning RT #119580

More fixes needed for 2.072 which doesn't even compile.

inflateUndermine: subvert arg conditionally used/unused RT #120207

two gcc6-found problems RT #112829

fix deflateParams for zlib > 1.2.8 Tests broken with zlib-1.2.10 RT #119762

CPAN 2.17

with cperl support. See


Moved from cpan to dist. [cperl #154].

Cpanel-JSON-XS 3.0227

fix CLONE and END

relax longdouble Gconvert test on ppc64le and aarch64-linux-ld

DB_File 1.840

unused arg warnings RT #107642

The other 2 fixes were already in cperl, plus a fix for reproducible builds.

DynaLoader 2.07c

Fixed dl_findfile refcounts, "panic: attempt to copy freed scalar" errors.

Filter 1.57
  * added 2 more pure tests
  * Fixes for . in @INC
  * added to t/
  * fixed INSTALLDIRS back to site since 5.12 [gh #2]
IO-Compress 2.070

File::GlobMapper, Fix prototype errors while lazy loading the module RT #117675

zipdetails: CVE-2016-1238: avoid loading optional modules from default RT #116538

Math-BigInt 1.999809

Merged CPAN updates with cperl-specific c3, stricter tests and . in @INC fixes.

Math-BigInt-FastCalc 0.5006

Updated from CPAN:

2 new tests files from Math-BigInt.

Math::BigInt::FastCalc is now a subclass of Math::BigInt::Calc, so remove aliases like *Math::BigInt::FastCalc::_xxx = \&Math::BigInt::Calc::_xxx.

Use OO-calls rather than function calls. (i.e slower but overridable)

Math-BigRat 0.2611

Updated from CPAN: No functional changes, and the few actual changes in the test lib were for the worse.

Net-Ping 2.58

Stabilized test, is down.

Return the port num as 5th return value with ack (jfraire).

Opcode 1.35_01c

Add avhvswitch op

Pod-HTML 2.23c

fix cache races with parallel tests. add the PID to the temp. cache file

Pod-Simple 4.35c

Updated from CPAN 3.35: Turn off utf8 warnings when trying to see if a file is UTF-8 or not

Merged with our cperl signature modernizations, tracked at

Moved from cpan to dist. [cperl #154].

POSIX 1.69_01

Several defects in making its symbols exportable. [perl #127821]

The POSIX::tmpnam() interface has been removed, see "POSIX::tmpnam() has been removed" in perl5251delta.

Trying to import POSIX subs that have no real implementations (like POSIX::atend()) now fails at import time, instead of waiting until runtime.

Scalar-List-Util 1.47_01

Bumped version because upstream is still years behind: lexical $_ support, binary names, various other fixes.

Improved taint test.

Storable 3.05_03


Fixed 3 null ptr dereferences leading to segfaults. [perl #130098]

Fixed some important security bugs with reading from Storable files or memory, directly controlling the stack (not the perl stack). See "Storable stack overflow or exit".

Another stack-overflow fix is for [cpan #97526], limiting the maximal number of nested hash or arrays to 3000. Cpanel::JSON::XS has it at 512.

Fixed up early huge buffer and index support from 3.00c, which was failing with wrong malloc errors due to silently overwrap >2GB. t/huge.t works now correctly. Note that 2 cases are not relevant since v5.25.1c/v5.24.1c anymore as with these releases we limit the maximum number of elements for hashes and arrays, and fail with "Too many elements" before. Bumped up PERL_TEST_MEMORY requirements to 8 and 16 for arrays and hashes. In reality the VMM subsystem will kill the process on perl5 before. $a[9223372036854]=0 or %a=(0..4294967296) are easy ways to DoS a perl5 system. Only cperl is safe.

Skip or croak when reading or writing 64bit large objects on 32bit systems.


Add doc and support for optional subtest @args.

Moved from cpan to dist. [cperl #154].

threads 2.12_01

Upstream 2.12 had no changes (!) We keep our 2 added tests. Improve the modglobal init. Add a longer and more realistic threads DESCRIPTION.

Thread-Queue 3.12

Calling any of the dequeue methods with COUNT greater than a queue's limit will generate an error.

But still have to keep our test fixes for . in @INC

threads-shared 1.54

ifdef clang

Removed Modules and Pragmata

I18N-Collate 1.02

Compared 8-bit scalar data according to the current locale.

Deprecated with 5.003_06. Its functionality was integrated into the Perl core language in the release 5.003_06.

See perllocale for further information.


Changes to Existing Documentation















perlexperiment and perlref










perlintern and perlapi


The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see perldiag.

New Diagnostics

New Errors

New Warnings

Changes to Existing Diagnostics

Utility Changes








Configuration and Compilation


Platform Support

New Platforms


Perl now compiles under NetBSD on VAX machines. However, it's not possible for that platform to implement floating-point infinities and NaNs compatibly with most modern systems, which implement the IEEE-754 floating point standard. The hexadecimal floating point (0x...p[+-]n literals, printf %a) is not implemented, either. The make test passes 98% of tests.

Test fixes and minor updates.

Account for lack of inf, nan, and -0.0 support.

Platform-Specific Notes


Drop support for Linux a.out Linux has used ELF for over twenty years.


The hints for Hurd have been improved enabling malloc wrap and reporting the GNU libc used (previously it was an empty string when reported).


VAX floating point formats are now supported.


Similar to darwin with v5.25.2c the do_open and do_close macros are now undefined on clang++, which FreeBSD uses. do_close clashes on C++ with locale. We need to use the fullname Perl_do_open and Perl_do_close functions whenever perl needs to be embedded into C++ projects. See [cperl #227]

Also affected is modperl_io.c, which is not used with C++.


Several tests have been updated to work (or be skipped) on EBCDIC platforms.


Net::Ping UDP test is skipped on HP-UX.

OpenBSD 6

OpenBSD 6 still does not support returning pid, gid or uid with SA_SIGINFO. Make sure this is accounted for.


t/uni/overload.t: Skip hanging test on FreeBSD.

Internal Changes

Selected Bug Fixes

Errata From Previous Releases


Jon Portnoy (AVENJ), a prolific Perl author and admired Gentoo community member, has passed away on August 10, 2016. He will be remembered and missed by all those with which he came in contact and enriched with his intellect, wit, and spirit.


cperl 5.25.3c represents approximately 5 weeks of development since cperl 5.25.2c, merged 8 perl5 releases from 5.25.2 to 5.25.9 with approximately 6 months of development, and contains approximately 150,000 lines of changes across 1,100 files from 62 authors.

Excluding auto-generated files, documentation and release tools, there were approximately 64,000 lines of changes to 650 .pm, .t, .c and .h files.

The following people are known to have contributed the improvements that became cperl 5.25.3c:

Karl Williamson, David Mitchell, Father Chrysostomos, Reini Urban, Yves Orton, Jarkko Hietaniemi, Aaron Crane, Dan Collins, Tony Cook, Lukas Mai, Craig A. Berry, James E Keenan, Dagfinn Ilmari Mannsåker, Andy Lester, Jim Cromie, Sawyer X, Matthew Horsfall, H.Merijn Brand, Aristotle Pagaltzis, Niko Tyni, Hugo van der Sanden, Steve Hay, Chris 'BinGOs' Williams, Abigail, Dominic Hargreaves, Ricardo Signes, Karen Etheridge, Dave Rolsky, Daniel Dragan, John Lightsey, Petr Písař, E. Choroba, Unicode Consortium, Thomas Sibley, Yaroslav Kuzmin, Peter Avalos, Doug Bell, Dave Cross, François Perrad, Smylers, Salvador Fandiño, Rick Delaney, Rafael Garcia-Suarez, Samuel Thibault, Andreas Voegele, Theo Buehler, Alex Vandiver, Hauke D, Nicolas Rochelemagne, Ed Avis, Maxwell Carey, Jerry D. Hedden, Chase Whitener, Stefan Seifert, Tomasz Konojacki, Steven Humphrey, J. Nick Koston, Ævar Arnfjörð Bjarmason, Christian Hansen, Andrew Fresh, Richard Levitte, Shlomi Fish.

From 1952 commits imported from perl5.25 0-9 upstream, 1233 were merged/cherry-picked, 75 bad commits rejected and about the same amount fixed up to be acceptable. 777 commits were ignored: already done or ignored delta or cpan updates. The rejected commits came from Father Chrysostomos, David Mitchell, Yves Orton, Aaron Crane, Lukas Mai, Karl Williamson, H.Merijn Brand, Tony Cook, Todd Rinaldo, Nicolas R, James E Keenan and Craig A. Berry. See for details.

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community.

For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.

Generated with:

    cperl Porting/ cperl-5.25.2..HEAD

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at . There may also be information at , the Perl Home Page.

If you believe you have an unreported bug, please run the cperlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to to be analysed by the Perl porting team.

If you think it's a cperl specific bug or trust the cperl developers more please file an issue at

If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see "SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec For details of how to report the issue.


The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.


Hey! The above document had some coding errors, which are explained below:

Around line 1255:

Deleting unknown formatting code M<>