perl5260cdelta - what is new for cperl v5.26.0


This document describes the differences between the cperl 5.24.2 and the cperl 5.26.0 releases.

If you are upgrading from an earlier release such as v5.24.1c, first read the perl5242cdelta documentation, which describes differences between v5.24.2c and v5.24.1c.


cperl v5.26.0c was merged with perl v5.26.0 (as all previous major cperl releases). The rejected upstream commits for the differences have been documented at the github issues [cperl #165] and [cperl #256].

${^ENCODING} and the encoding pragma was not removed, rather fixed instead.

User-type support is greatly enhanced. See "Type-check assignments", "HvCLASS", "Type-infer bless", and "Type-infer subroutine return types". Before just coretypes were properly checked, now use types adds warnings for all other types.

The still incomplete and slow implementation for the experimental subroutine signatures feature from 5.25.4 was not added, as cperl's signatures are over 50% faster for over a year already and have many more features. In detail the new OP_ARGELEM, OP_ARGDEFELEM and OP_ARGCHECK are not used, cperl still uses a single OP_SIGNATURE op and passes its arguments properly as in XS on the stack, not via @_.

cperl doesn't use the slow Siphash 1-3 as default on 64bit, and no hybrid hash function as introduced with 5.25.8. cperl rather uses a short and fast hash function and other typical hash table optimizations, while adding proper security in the collision resolution instead. A secure PRF (pseudo random function) can never ensure DoS safety for a hash table, contrary to the Siphash paper claims.

Core Enhancements

No magic to undef/yes/no/placeholder SVs

cperl silently forbids attaching magic to the four major builtin SV sentinels undef, yes, no and placeholder, which are mostly compared to by pointer. Adding magic to them will break that comparison.

Type-check assignments

Assignment type violations are now also warned, with use warnings 'types' enabled, previously only signature types were checked. Only signature type violations or use types 'strict' violations are fatal.

Note that the type system is still completely unsound. So far it is only there to catch the most common errors and enable coretype optimizations. cperl only.


With cperl use base or use fields now closes the @ISA and hereby enable compile-time checks and optimizations. The new Internals::HvCLASS function gets or sets the same type for base/field classes as with the upcoming class keyword. See [cperl #249]. cperl only.

Type-infer bless

bless with a constant 2nd argument, the classname, infers this type to the enclosing sub if its the last statement in a body, or to the left-side assignment of a lexical variable. cperl only.

Type-infer subroutine return types

Subroutine types, either declared or inferred, are now passed through to the type-checker at compile-time. cperl only.

perl5.14 deprecated and 5.18 started disallowing a for loop with a qw() list, "qw-as-parens".

The rationale to remove the handy for qw() syntax was technical and trivial to fix. cperl 5.25.3 re-instated it for for loops, but not for the rest. cperl does not insist on the backwards syntax to require (qw( ... )) around the for list.

   cperl5.25.3 -e'for qw(a b c) { print $_ }'

   perl5.18 -e'for (qw(a b c)) { print $_ }'

   perl5.14 -e'for $_ qw(a b c) { print $_ }'
   => Use of qw(...) as parentheses is deprecated at -e line 1

   perl5.12  -e'for $_ qw(a b c) { print $_ }'

The new additional cperl syntax is even easier to use than before. See [cperl #26]. cperl only.

Perl can now do default collation in UTF-8 locales on platforms that support it

Some platforms natively do a reasonable job of collating and sorting in UTF-8 locales. Perl now works with those. For portability and full control, Unicode::Collate is still recommended, but now you may not need to do anything special to get good-enough results, depending on your application. See "Category LC_COLLATE: Collation: Text Comparisons and Sorting" in perllocale

Better locale collation of strings containing embedded NUL characters

In locales that have multi-level character weights, these are now ignored at the higher priority ones. There are still some gotchas in some strings, though. See "Collation of strings containing embedded NUL characters" in perllocale.

Unescaped literal "{" characters in regular expression patterns are no longer permissible

You have to now say something like "\{" or "[{]" to specify to match a LEFT CURLY BRACKET. This will allow future extensions to the language. This restriction is not enforced, nor are there current plans to enforce it, if the "{" is the first character in the pattern.

These have been deprecated since v5.16, with a deprecation message displayed starting in v5.22.

Literal control character variable names are no longer permissible

A variable name may no longer contain a literal control character under any circumstances. These previously were allowed in single-character names on ASCII platforms, but have been deprecated there since Perl v5.20. This affects things like $\cT, where \cT is a literal control (such as a NAK or NEGATIVE ACKNOWLEDGE character) in the source code.

New regular expression modifier /xx

Specifying two x characters to modify a regular expression pattern does everything that a single one does, but additionally TAB and SPACE characters within a bracketed character class are generally ignored and can be added to improve readability, like /[ ^ A-Z d-f p-x ]/xx. Details are at "/x and /xx" in perlre.

NBSP is no longer permissible in \N{...}

The name of a character may no longer contain non-breaking spaces. It has been deprecated to do so since Perl v5.22.

CORE subroutines for hash and array functions callable via reference

The hash and array functions in the CORE namespace--keys, each, values, push, pop, shift, unshift and splice--, can now be called with ampersand syntax (&CORE::keys(\%hash) and via reference (my $k = \&CORE::keys; $k->(\%hash)). Previously they could only be used when inlined.

Unicode 9.0 is now supported

A list of changes is at Modules that are shipped with core Perl but not maintained by p5p do not necessarily support Unicode 9.0. Unicode::Normalize does work on 9.0.

Note that some changed UCD database files in 9.0 stayed renamed to their shortened name in perl.

Use of \p{script} uses the improved Script_Extensions property

Unicode 6.0 introduced an improved form of the Script (sc) property, and called it Script_Extensions (scx). As of now, Perl uses this improved version when a property is specified as just \p{script}. The meaning of compound forms, like \p{sc=script} are unchanged. This should make programs be more accurate when determining if a character is used in a given script, but there is a slight chance of breakage for programs that very specifically needed the old behavior. See "Scripts" in perlunicode.

Declaring a reference to a variable

As an experimental feature, Perl now allows the referencing operator to come after my(), state(), our(), or local(). This syntax must be enabled with use feature 'declared_refs'. It is experimental, and will warn by default unless no warnings 'experimental::refaliasing' is in effect. It is intended mainly for use in assignments to references. For example:

    use experimental 'refaliasing', 'declared_refs';
    my \$a = \$b;

See "Assigning to References" in perlref for slightly more detail.

Note that this still looks much worse than the perl6 bind operator: my $a := $b;

Indented Here-documents

This adds a new modifier '~' to here-docs that tells the parser that it should look for /^\s*$DELIM\n/ as the closing delimiter.

These syntaxes are all supported:

    <<~ 'EOF';
    <<~ "EOF";
    <<~ `EOF`;

The '~' modifier will strip, from each line in the here-doc, the same whitespace that appears before the delimiter.

Newlines will be copied as is, and lines that don't include the proper beginning whitespace will cause perl to croak.

For example:

    if (1) {
      print <<~EOF;
        Hello there

prints "Hello there\n" with no leading whitespace.

'.' and @INC

The old cperl -Dfortify_inc security feature was now also introduced by perl5 and renamed to -Ddefault_inc_excludes_dot.

Because the testing and make process for perl modules does not work well with . missing from @INC, cperl and perl5 still support the environment variable PERL_USE_UNSAFE_INC=1 which makes Perl behave as it previously did, returning . to @INC in all child processes.

create a safer utf8_hop() called utf8_hop_safe()

Unlike utf8_hop(), utf8_hop_safe() won't navigate before the beginning or after the end of the supplied buffer.


@{^CAPTURE} exposes the capture buffers of the last match as an array. So $1 is ${^CAPTURE}[0].

%{^CAPTURE} is the equivalent to %+ (ie named captures)

%{^CAPTURE_ALL} is the equivalent to %- (ie all named captures).

Improved .pmc loading

cperl now sets the correct .pmc filename for __FILE__ and CopFILE, when it was loaded from it.

cperl also allows bypassing a .pmc if loaded explicitly via do and an absolute pathname.

This allows improved .pmc file caching of only selective parts of a module. Such as a method jit, which stores onlt some subs, but not the whole module in it's cache. Hence the Cache logic in the .pmc can now first load the parallel source .pm and then apply the .pmc optimizations. E.g. by loading a LLVM .bc file contents with only some subs.

The impact for existing code is low. If you loaded a .pmc via do "/abspath/" you need to add now a final "c" explictly: do "/abspath/module.pmc".

With perl5 upstream those two longstanding PMC bugs made it impossible to use a partial Byte- or JitCache. It also makes it possible to re-instate the old python-like timestamp logic which was removed for pugs 2006 with commit a91233bf4cf.

See [cperl #244]. cperl only.

Added SAFE_RX_ substrs accessors


Other regex engines don't fill rx->substrs->data[], so it is unsafe to access it. Only allow ext/re and Perl_core_reg_engine. Currently only used in op_dump().


Storable stack overflows

By reading malcrafted local Storable files or memory you could easily overwrite the local stack with controlled data. With bigger values you could cause an immediate exit, without backtrace or an exception being caught.

Another major stack-overflow fix is for [cpan #97526], limiting the maximal number of nested hash or arrays to 3000. Cpanel::JSON::XS has it at 512.

Note that p5p doesn't think that these are security issues. [perl #130635] (even if similar less severe attacks had a CVE and a metasploit module, which cperl detects).

cperl only so far. Uploaded to CPAN, but at this date still unauthorized.

"Escaped" colons and relative paths in PATH

On Unix systems, Perl treats any relative paths in the PATH environment variable as tainted when starting a new process. Previously, it was allowing a backslash to escape a colon (unlike the OS), consequently allowing relative paths to be considered safe if the PATH was set to something like /\:.. The check has been fixed to treat . as tainted in that example.

Unicode identifiers: Moderately Restrictive Level

cperl as first dynamic scripting language follows the General Security Profile for identifiers in programming languages.

Moderately Restrictive: Allow Latin with other Recommended or Aspirational scripts except Cyrillic and Greek. Otherwise, the same as Highly Restrictive, i.e. allow :Japanese, :Korean and :Hanb.

"Some characters are not in modern customary use, and thus implementations may want to exclude them from identifiers. These include characters in historic and obsolete scripts, scripts used mostly liturgically, and regional scripts used only in very small communities or with very limited current usage. The set of characters in Table 4, Candidate Characters for Exclusion from Identifiers provides candidates of these."

cperl honors the TR31 Candidate Characters for Exclusion from Identifiers

I.e. You may still declare those scripts as valid, but they are not automatically allowed, similar to the need to declare mixed scripts.

    use utf8;
    my $ᭅ = 1; # \x{1b45} BALINESE LETTER KAF SASAK

=> Invalid script Balinese in identifier ᭅ for U+1B45

    use utf8 'Balinese';
    my $ᭅ = 1; # \x{1b45} BALINESE LETTER KAF SASAK
    print "ok";



The scripts listed at "Table 6, Aspirational Use Scripts": Canadian_Aboriginal, Miao, Mongolian, Tifinagh and Yi are included, i.e. need not to be declared.

With this restriction cperl fulfills the Moderately Restrictive level for identifiers by default. See and

Missing for more unicode security are warnings on single-, mixed and whole-script confusables, with a new utf8 warnings 'confusables' subcategory [cperl #265].

With special declarations of the used scripts or turning off no warnings 'utf8', you can weaken the restriction level to Minimally Restrictive.

All utf8 encoded names are checked for wellformed-ness.

chdir heap-buffer-overflow on the perl stack

When called without argument it overwrote subsequent stack entries with the easily controllable result. [perl #129130]

Improved Hash DDoS prevention

This is merely a theoretical problem, improving on the previous sleep solution against hash floods. Distributed hashflood attacks could lead to memory exhaustion and denial of service in threaded servers, which would bypass the original FAIL_DELAY-like intrusion detection and mitigation.

First sleep, but if >128 concurrent attacks are detected, exit hard. Use a global hash_slowdos counter. Note that this is also triggered by a 128*8*128 hash collision single source attack (=131072). This is still better, faster and smaller than the java solution to convert the linked list to a tree. We log the attackers and can block them. [cperl #246]. cperl only.

@{ \327 \n } buffer overflows

Fixed @{ \327 \n } tokenizer failures and heap buffer overflows in sv_vcatpvfn_flags() with wrong tracking of PL_linestr, the currently parsed line buffer. This can easily lead to security relevant exploits.

[perl #128951]

eval "q" . chr(overlarge) stack overflow

In eval "q" . chr(100000000064) generating the error message Can't find string terminator "XXX"' was overrunning a local buffer designed to hold a single utf8 char, since it wasn't allowing for the \0 at the end.

[perl #128952]

Protect and warn on hash flood DoS

If the collisions for a hash key lookup exceeds 128 tries (i.e. a linear search in a linked list), this qualifies as a malicious hash DoS (Denial of Service) attack. Generally maximal 8-10 collisions appear in normal hash table usage. Every 8th such hash flood attack performs a sleep(2) to limit the impact.

Detect and protect against it, also call the new warn_security("Hash flood").

This security scheme is much easier and faster than trying to hide the random hash seed with randomized iterators and collisions lists, which cperl doesn't use.

See "New Diagnostics".

use utf8 'Script'

In order to avoid TR39 confusable security hacks, we add the following unicode rules for identifiers and literals with mixed script properties:

See and [cperl #229]

This holds for all identifiers (i.e. all names: package, gv, sub, variables) and literal numbers.

Currently there exist 131 scripts, see "Valid scripts" in utf8.

Unicode normalization of identifiers/names

All stored utf8 names, identifiers and literals are parsed and stored as normalized NFC unicode, which prevents from various TR39 and TR36 unicode confusable and spoofing security problems.

However, dynamically created symbols via string refs are not normalized. ${"$decomposed"} stays decomposed.

Note that even perl6 stores different names for confusables, which match each other due to their NFG rules on their string matchers. perl5 matches strictly binary, which leads to confusable and spoofing security problems.

See [cperl #228],,, and the Python 3 discussion 2007 on PEP 3131

Python 3 normalizes to NFKC (Compatibility Decomposition, followed by Canonical Composition), cperl uses both canonical transformations. See for the difference. Basically NFKC transforms to shorter ligatures. NFC is recommended by TR15.

No binary symbols

Fallback to the secure behvaiour as before v5.16 and strip symbol names of everything after the first \0 character. This protects from creating binary symbols as with no strict 'refs'; ${"a\0\hidden"}, which were especially problematic for package names, which were mapped 1:1 to filenames. With the default warning 'security' in effect, a warning is produced by the "warn_security" in perlapi API, same as for unsafe syscalls since 5.20.

See "Invalid \0 character in string for SYMBOL: %s" in perldiag and [cperl #233].

hash seed exposure

cperl5.22.2 added a restraint to expose the internal hash secret seed via the environment variable PERL_HASH_SEED_DEBUG=1 to be hidden in taint mode. See [cperl #114] and "Core Enhancements" in perl5222cdelta.

    PERL_HASH_SEED_DEBUG=1 cperl5.22.2 -e1 =>

    PERL_HASH_SEED_DEBUG=1 cperl5.22.2 -t -e1 => empty

But unfortunately not many perl services are actually protected with -t, even if cperl fixed taint mode to be actually secure. The seed exposure is only needed for a debugging perl, and actually is security relevant.

So PERL_HASH_SEED_DEBUG=1 will now hide the seed value in non-DEBUGGING builds.

    PERL_HASH_SEED_DEBUG=1 cperl5.25.2 -e1 =>

Note that the seed is still trivially exposable via other means if a local script can be executed, as the seed value is readable from a fixed memory offset via unpack "P". That's why cperl fixed hash table security via proper means in the collision resolution, not via a slow hash function, and not via order hiding as perl5 believes in.

More discussion at and

Warn on metasploit CVE-2015-1592

Detection of the destructive attack against Movable-Type, the third vector only, which tries to delete mt-config.cgi was added to was added to Storable 3.01c.

Calls warn_security("Movable-Type CVE-2015-1592 Storable metasploit attack"), but does not protect against it.

Warn on metasploit reverse shells

Detect the metasploit payload unix/reverse_perl and some existing variants. This is just a dumb match at startup against existing exploits in the wild, but not future variants. Calls warn_security("metasploit reverse/bind shell payload"), but do not protect against it. This warning is thrown even without -w.

Also detects the CVE-2012-1823 reverse/bind shell payload, which is widely exploited too. The security warning is called "CVE-2012-1823 reverse/bind shell payload".

syscalls warnings also security

With a warnings 'syscalls' violation, i.e. detecting \0 in arguments to C API syscalls, the new 'security' warnings category overrides the 'syscalls' category. I.e. the warning is produced by the "warn_security" in perlapi API, and to turn it off, you have to turn off both categories.


See the new perldeprecation pod.

Many old deprecations got now a fixed final date, but several perl5 deprecations were undeprecated in cperl and rather fixed. (as in previous cperl releases.)

do_open, do_close macros

Those macros clash on darwin XTools with the system iostream _OutputIterator methods. We need to use the fullname Perl_do_open and Perl_do_close functions whenever perl needs to be embedded into C++ projects.

With the system C++ compiler on darwin do_open, do_close are now undefined. See [cperl #227]

Removed ' as package seperator

Made something like sub foo'bar; a syntax error. ' is not replaced by :: anymore when used as package seperator. This was deprecated 10 years ago.

cperl fixed the "c2ph" core utility using this last remaining perl4'ism, and removed the isn't method from Test::More. In a later versions ' can be reenabled as proper IDContinue character for identifiers, e.g. for Test::More isn't.

See [cperl #217].

New items in perldeprecation

Incompatible Changes

String delimiters that aren't stand-alone graphemes are illegal

In order for Perl to eventually allow string delimiters to be Unicode grapheme clusters (which look like a single character, but may be a sequence of several ones), we stop allowing a single char delimiter that isn't a grapheme by itself. These are unlikely to exist in actual code, as they would typically display as attached to the character in front of them.

E.g. qr ̂foobar̂; is now an error, it is only deprecated with v5.25.9 upstream and will be illegal in perl5 v5.30. cperl only.

for state loops still illegal

perl5.25.3 started allowing state variables in loops. cperl still disallows them.

    perl5.25.3 -E'use feature "declared_refs","refaliasing";
                 for state \$x (\$y) { print $x }'
    => warnings: Declaring references is experimental at -e line 1.
    Aliasing via reference is experimental at -e line 1.

    cperl5.25.3 -E'use feature "declared_refs","refaliasing";
                 for state \$x (\$y) { print $x }'
    => error: Missing $ on loop variable at -e line 1.

and without declared_refs:

    perl5.25.3 -E'for state $x ($y) { print $x }'

    cperl5.25.3 -E'for state $x ($y) { print $x }'
    => error: Missing $ on loop variable at -e line 1.

scalar(%hash) return value changed

The value returned for scalar(%hash) will no longer show information about the buckets allocated in the hash. It will simply return the count of used keys. It is thus equivalent to 0+keys(%hash).

A form of backwards compatibility is provided via Hash::Util::bucket_ratio() which provides the same behavior as scalar(%hash) provided prior to Perl 5.25.

keys returned from an lvalue subroutine

keys returned from an lvalue subroutine can no longer be assigned to in list context.

    sub foo : lvalue { keys(%INC) }
    (foo) = 3; # death
    sub bar : lvalue { keys(@_) }
    (bar) = 3; # also an error

This makes the lvalue sub case consistent with (keys %hash) = ... and (keys @_) = ..., which are also errors. [perl #128187]

Performance Enhancements

Faster scalar assignments

Seperate an unlikely codepath in scalar assignments (ASSIGN_CV_TO_GV) to another function, helping the CPU instruction cache. 10% faster on Intel.

Bigger lexer buffers allowing faster memcmp

Ensure that the lexer always sees large enough buffers to do fast wordwise memcmp comparisons, esp. with constant lengths.

Less initial array elements

The initial size of empty arrays went in cperl from 4 to 2, AvMAX = 1. Array speed is 2-15% faster on perlbench, overall speed the fastest of all so far. Memory win: <0.1%

if length($str) is faster

length in boolean context without get magic doesn't need to calculate the utf8 length, it only needs to check if SvCUR field is empty. And it doesn't need to allocate a new IV for the result, just use the existing sv_yes or sv_no. Analog to [cperl #245] for ref. cperl only.

if ref() is faster

ref in boolean context doesn't need to allocate a string. 2-3x faster. See [cperl #245] and [perl #78288] cperl only. in perl5 announced for 5.28.

readline is faster

Reading from a file line-by-line with readline() or <> should now typically be faster due to a better implementation of the code that searches for the next newline character.

$ref1 = $ref2 has been optimized.
Array and hash assignment are faster


    (..., @a) = (...);
    (..., %h) = (...);

especially when the RHS is empty.

Note that perl5 hash assignment is still inferior to cperl hash assignment.


Reduce the number of odd special cases for the SvSCREAM flag.

Better do_vop

Avoid sv_catpvn() in do_vop() when unneeded.

Better COW in Regex

Enhancements in Regex concat COW implementation.

Speed up AV and HV clearing/undeffing.
Converting a single-digit string to a number is now substantially faster.
Simplified split

The internal op implementing the split builtin has been simplified and sped up. Firstly, it no longer requires a subsidiary internal pushre op to do its work. Secondly, code of the form my @x = split(...) is now optimised in the same way as @x = split(...), and is therefore a few percent faster. This required B::* compiler changes.

Constant fold with barewords

Bareword constant strings are now permitted to take part in constant folding. They were originally exempted from constant folding in August 1999, during the development of Perl 5.6, to ensure that use strict "subs" would still apply to bareword constants. That has now been accomplished a different way, so barewords, like other constants, now gain the performance benefits of constant folding.

This also means that void-context warnings on constant expressions of barewords now report the folded constant operand, rather than the operation; this matches the behaviour for non-bareword constants.

Less NULL ops

Most NULL ops are now removed in the peephole optimizer. Check for #if defined(PERL_REMOVE_OP_NULL) in your XS module if you hardcoded any NULL-sensitive op-tree structure. See how many with -Dk.


-DPERL_FAKE_SIGNATURE is now default, making most function calls 2x faster. See "fake_signatures"

-flto support

The new compiler option support allows generation of much faster code. I.e. clang-4.0 with -flto or zapcc produce ~20% faster code.

for loops

for loops got several enhancements:

new special iter_ary for (@ary) and iter_lazyiv for (0..9) ops to avoid a run-time switch in the generic iter op.

more aelem_u optimizations, less run-time out of bounds checks for shaped arrays in loops. E.g. in my @a[5]; $a[$_] for (0..4); the compilers knows that the max index for @a will be 4, which is within the allowed shape of @a.

omit bounds checks for multideref

The multideref OP has a new MDEREF_INDEX_uoob flag. This is used for unchecked out-of-bounds checks for arrays, to use the previous AvSHAPED array optimizations (aelem_u, aelemfast_lex_u) or loop out-of-bounds elimination with multideref OPs also. Such multideref ops appear pretty often even with single indices. E.g. in my @b=(0..4); for (0..$#b) { $b[$_] = 0; } $b[$_] is converted to a multideref, which previously was not optimized.

Those optimized indices are marked with a new " _u" suffix in the dumped multideref stringification.

MDEREF_MASK changed to 0x10F, the MDEREF_SHIFT size from 7 to 8. The shift can also use faster intrinsics now.

The loop out-of-bounds elimination was fixed for simple lexical indices (e.g. for my $i (0..$#a){ $a[$i] }, which leads now to more aelem_u ops and subsequent mderef_u optimizations also.

strEQc, strNEc

The new strEQc/strNEc macros are used instead of strEQ(s,"constant"). This enables word-wise comparison via memcpy, in opposite of byte-wise comparisons via strcmp with already known sizes. This is a 10% performance improvement under most optimization levels.

Use more strEQc, strNEc macros, when safe to use, i.e. the left buffer is big enough, now with Address Sanitizer fallbacks.

The new fast buffer comparison macros strEQc and strNEc compare a full string including the final \0, memEQc and memNEc just the start of a buffer, with constants strings. Note that valgrind and Address Sanitizer will complain about out of range access of the left side of the buffer. To access these buffers however is safe and will not lead to SIGBUS on stricter platforms. To prevent valgrind from warning on this, you may want to define -DVALGRIND, which uses a safe and slower fallback macro.


Make all padnames not UTF8 per default, only the ones which are really UTF8. See "Internal Changes" and [cperl #208]


Improvements when reading from arrays have been imported from perl5. av_fetch() uses less branches reading from the end (negative indices), and a branch checking for freed @_ elements has been removed,


Extract hv_common_magical() to a seperate function. Extracts uncommon magical code in hot code to an extra static function to help keep the icache smaller. Only in rare cases this branch is taken. I.e filling ENV at startup, or using tied hashes.

Measured 2-15% faster with normal scripts, not using tied hashes.

pre-allocated hash sizes with aassign

aassign: pre-allocate needed hash size with aassign, similar to arrays, avoiding run-time hash splits. e.g. my %h = (.. = .., .. => ..)>

This version is 30% faster overall in the Mail::SpamAssassin testsuite than cperl-5.25.0.

pre-allocate more hashes and stashes

Pre-extend internal hashes and stashes to avoid unnecessary boot-time hash splits. %warnings::, %Config::, %utf8::, %version::.

Faster get_[sah]vs API

Added new get_svs, get_avs, get_hvs macros, and accompanied get_[ash]vn_flags API functions, to omit the run-time strlen(name) for constant names. (#191)

Modules and Pragmata

New Modules and Pragmata

types 0.01

Controls the type-checker. See types or perltypes.

Updated Modules and Pragmata

Archive-Tar 2.24

Better 09_roundtrip.t tests.

Handle tarballs compressed with pbzip2 (RT #119262)

Add missing strict/warnings pragma to

Check for gzip/bzip2 before round tripping gz/bz2 files in tests

B 1.68_06

Use op_class API

Allow a 2nd optional CV argument for B::OP::aux_list, fixing B::Deparse and thereby Data::Dumper and Test2 is_deeply.

use the new get_svs, get_avs, get_hvs macros.

B-C 1.55_02

Fixes for PERL_OP_PARENT: moresib, sibling, parent.

Fix hints/ dependency on [cpan #120161]

PUSHRE replaced by SPLIT, no xpad_cop_seq, SVpbm_VALID

Improved dl_module_to_sofile without 2nd arg

Fixed IsCOW savepvn, store the last cowrefcnt.

Fixed wrong savepvn length, failing with asan.

Optimized mro_isa_changed_in initialization.

Better CopFILE_set, Fixup arenasize refcnt. Delay cvref to init2, properly set a SvRV to a XS sub. Optimize constpv for CvFILE (less constants to merge for gcc). Improve NV precision by one digit. Fix to compile in, abstract and set %INC. Fix generation of @B::C::Config::deps on Windows. Fix !C99 precedence bug (e.g. MSVC). Minor refactor to simplify save_hek. Use the new get_svs, get_avs, get_hvs macros. perlcc add --debug|-D Improve endav XSUB bump Abstract RITER_T and HVMAX_T for the various sizes, compat HEK_STATIC Defer REGCOMP for \P{} properties Change $sv->EXTFLAGS to compflags since 5.22 for CALLREGCOMP(). Turn off MGf_REFCOUNTED. global-buffer-overflow with dynamic COW strings, wrong savepvn args.

B-Debug 1.24

Support 5.25.6 split optimization

bignum 0.47c


B::Terse 1.07

Update deprecation message

Carp 1.42c

Handle chunk errors phrases

Config::Perl::V 0.27_01
Compress-Raw-Bzip2 2.074

Need Fix for Makefile.PL depending on . in @INC RT #120084

Compress-Raw-Zlib 2.074

Comment out unused variables & remove C++-ism. RT #120272

CPAN::Meta 2.150010c

And merge cpan/Parse-CPAN-Meta into it. cpan/Parse-CPAN-Meta is gone.

Parse-CPAN-Meta security: set $YAML::XS::DisableCode, $YAML::XS::DisableBlessed.

Add support for all known YAML and JSON modules: *::Syck, JSON::MaybeXS, Mojo::JSON. But JSON::Any is broken.

fixed UTF-8 issues, passes now all Test-CPAN-Meta tests.

CPAN 2.17

with full cperl support. reapply most of our patches. skip cperl builtin prereqs.



Moved from cpan to dist. [cperl #154].

Cpanel-JSON-XS 3.0231

- Fix need() overallocation (#84 Matthew Horsfall) and missing need() calls.

- Fix decode_prefix offset when the string was re-allocated. rather return the relative offset not the pointer to the old start.

- Fixes for g++-6, stricter -fpermissive and -Wc++11-compat.

- Added tests for ill-formed utf8 sequences from Encode.

- modfl() mingw 4.0 runtime bug [perl #125924]

- Tested with the comprehensive JSON decode spectests from Not added to core. #72

- decode with BOM: UTF-8, UTF-16, or UTF-32.

- fixed detection of final \0 as illegal non-whitespace garbage. Fixes spectest 'n_number_then_00'. #72

- warn with unicode noncharacters as in core when not in relaxed mode. #74

- fail decode of non-unicode raw characters above U+10FFFF when not in relaxed mode.

- New stringify_infnan(3) infnan_mode.

- Fix inf/nan detection on HP-UX and others.

- Use faster strEQc macros.

- Prefer memEQ for systems without memcmp, to use bcmp there.

- Add more expect_false() to inf/nan branches.

- Fix av and hv length types: protect from security sensitive overflows, add HVMAX_T and RITER_T

- Add new "Hash key too large" error. perl5 silently truncates it, but we prefer errors.

Config 6.22

protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc).

Cwd 4.65c

Fix -Wc++11-compat warnings

Data-Dumper 2.163

Fix -Wc++11-compat warnings

strEQc improvements

fix correct indentation for utf-8 key hash elements, [perl #128524].

Devel-NYTProf 6.04

Fix -Wc++11-compat warnings, and various minor issues.

Devel::Peek 1.23_02

use the new get_svs, get_avs, get_hvs macros. The flags where harmonized, missing names were added, most fields are now print in natural order as in the struct.

Devel-PPPort 3.35_02

Fix -Wc++11-compat warnings

Digest::SHA 5.96

prevented shasum from possibly running malicious code, remove '.' from @INC before module loading RT #116513, namespace cleanup (RT #105371 and #105372), minor code and documentation tweaks

DB_File 1.840

unused arg warnings RT #107642

The other 2 fixes were already in cperl, plus a fix for reproducible builds.

DynaLoader 2.07c

Fixed dl_findfile refcounts, "panic: attempt to copy freed scalar" errors.

Fixed build dependency for dlboot.c. No excessive rebuilds anymore.

no mathoms: call_sv instead of call_pv, get_cvs where available.

use the new get_svs, get_avs, get_hvs macros.

Encode 2.88

various upstream fixes. plus g++-6 -fpermissive and -Wc++11-compat fixes. our local make -s silent patches and various others are now all upstream.


Exporter remained unchanged. But CORE support for the "used only once" warnings has been to restricted to the four magic names "EXPORT", "EXPORT_OK", "EXPORT_FAIL" and "EXPORT_TAGS". Other names starting with "EXPORT" will now throw the "used only once" warning as all other symbols.

ExtUtils-Constant 0.23_08

Fix ProxySubs to generate code also valid for 5.6 - 5.14. Add testcases for all ProxySubs options.

Fix -Wc++11-compat warnings in generated code.


fix \Q$archname\E in t/basic.t

skip cperl builtin prereqs.


one more darwin fix for the wrong no library found warning for symlinked darwin libSystem.dylib libraries.

ExtUtils::Install 2.04_01

support make -s => PERL_INSTALL_QUIET

ExtUtils::ParseXS 3.34_02

XS_EXTERNAL does now extern "C"

Fix visibility declaration of XS_EXTERNAL for -flto and -fvisibility=hidden.

feature 1.47_01

Revise documentation of eval and evalbytes

File::DosGlob 1.12_01

use the new get_svs, get_avs, get_hvs macros.

File::Fetch 2.52

* Set a cleaned env when running git clone * Changed git repository link in tests * Removed consistently failing tests * Require Module::Load::Conditional 0.66 * Fix FTP tests for ipv6

File::Glob 1.28

Deprecated File::Glob::glob()

use the new get_svs, get_avs, get_hvs macros.

Filter 1.57

added 2 more pure tests

Fixes for . in @INC

added to t/

fixed INSTALLDIRS back to site since 5.12 [gh #2]

Getopt::Std 1.12

Changed pod NAME to follow convention.

Getopt::Long 2.49.1

* RT #114999 fix :number * RT #113748 fix VersionMessage ignores -output argument * RT #39052 sanify gnu_getopt

HTTP::Tiny 0.070

Many fixes und improvements

Internals::DumpArenas 0.12_07

fix for PERL_GLOBAL_STRUCT_PRIVATE Fix -Wc++11-compat warnings

IO-Compress 2.074

ISA fixes for c3 [perl #120239

IO::Socket::IP 0.39_01

protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc).


- Support setting custom socket options with new Sockopts constructor parameter

- Restore blocking mode after ->connect errors RT #112334

- Keep demand-load Carp patch.

IPC::Cmd 0.96

set $Module::Load::Conditional::FORCE_SAFE_INC = 1

JSON::PP 2.27400_02

Fixed true/false redefinition warnings.

Locale-Codes 3.51

Added Czech republic aliases back in. Lot of new codes and code changes.

Made many private API calls public. See Locale::Codes::Changes

Locale::Maketext 1.28

Fix optional runtime load for CVE-2016-1238

Add blacklist and whitelist support, with [perl #127923 priority. See "BRACKET NOTATION SECURITY" in Locale::Maketext

Math-BigInt 1.999811_01

Merged CPAN updates with stricter tests and . in @INC fixes.

Math-BigInt-FastCalc 0.5006

Updated from CPAN:

2 new tests files from Math-BigInt.

Math::BigInt::FastCalc is now a subclass of Math::BigInt::Calc, so remove aliases like *Math::BigInt::FastCalc::_xxx = \&Math::BigInt::Calc::_xxx.

Use OO-calls rather than function calls. (i.e slower but overridable)

Math-BigRat 0.2612

Updated from CPAN: No functional changes, and the few actual changes in the test lib were for the worse. The tests are still broken and skipped, however I improved it.

Module-Load-Conditional 0.68

Fix unconditional @INC localisation, Add FORCE_SAFE_INC option to fix CVE-2016-1238.

Module-Metadata 1.000033

- Fix file operation in tests for VMS

- use a more strict matching heuristic when attempting to infer the "primary" module name in a parsed .pm file

- only report "main" as the module name if code was seen outside another namespace, fixing bad results for pod files (RT#107525)

Net-Ping 2.59

Stabilized test, is down.

Return the port num as 5th return value with ack (jfraire).

Todo 010_pingecho.t on EBCDIC and os390. Skip udp ping tests on more platforms: hpux, irix, aix (all from perl5)

Fixed missing _unpack_sockaddr_in family, which took AF_INET6 for a AF_INET addr in t/500_ping_icmp.t and t/500_ping_icmp_ttl.t. Use now a proper default. Detected by the new gitlab ci.

Fixed _pack_sockaddr_in for a proper 2nd argument type, hash or packed address.

Improved 500_ping_icmp.t to try sudo -n for tests requiring root, plus adding -n fir fixing [RT #118451]. Relaxed more tests failing with firewalled icmp on localhost. [RT #118441]

Fixed ping_external argument type, either packed ip or hostname. [RT #113825]

Fixed wrong skip message in t/020_external.t

NEXT 0.67

Doc and meta changes only.

libnet 3.10

- Remove . from @INC when loading optional modules. [Tony Cook, Perl RT#127834, CVE-2016-1238]

- Increased minimum required version of IO::Socket::IP to 0.25 to hopefully stop t/pop3_ipv6.t hanging. [CPAN RT#104545]

- Debug output now includes decoded (from base64) negotiation for SASL. [Philip Prindeville, PR#27]

- plus the suse utf8 fixes for Net::Cmd, see 5bd7010cb and our darwin performance fix for hostname.

Opcode 1.35_01c

New iter_ary and iter_lazyiv ops.

Add avhvswitch op

parent 0.236

improved t/parent-pmc.t, excluded new xt tests

open 1.11 =item PerlIO 1.10

pod: Suggest to use strict :encoding(UTF-8) PerlIO layer over not strict :encoding(utf8) For data exchange it is better to use strict UTF-8 encoding and not perl's utf8.

PathTools 4.67c

Add security note to File::Spec::no_upwards [RT #123754

PerlIO::encoding 0.24_01

use the new get_svs, get_avs, get_hvs macros.

PerlIO::via 0.17

Omit wrong if (gv) check, detected by coverity.

Perl-OSType 1.010

Added msys

Pod::Html 2.23002c

fix cache races with parallel tests. add the PID to the temp. cache file See [RT #118416].

Removed deprecated --libpods option.

podlators 4.09

Add the t/data/snippets tests.

Use Pod::Simple's logic to determine the native code points for NO BREAK SPACE and SOFT HYPHEN instead of hard-coding the ASCII values. Hopefully fixes the case of mysterious disappearing open brackets on EBCDIC systems. (#118240)

Many Pod::Man bugfixes and new tests, see

Pod-Perldoc 3.28

Fix broken test on Windows and FreeBSD (RT#116551) Fix CVE-2016-1238 by temporarily removing '.' from @INC in world writable directories. Fix =head3 appearing in some perlfunc lookups AmigaOS patches (RT#106798) (RT#110368) Fall back to an English perlfunc if translation doesn't exist (RT#104695) FreeBSD has mandoc too, with UTF-8 support. -U now documented and implied with -F (RT#87837) Fixes less -R flags insertion on Windows [perl #130759]

Pod-Simple 4.35c

Updated from CPAN 3.35: Turn off utf8 warnings when trying to see if a file is UTF-8 or not

Merged with our cperl signature modernizations, tracked at

Moved from cpan to dist. [cperl #154].

POSIX 1.76_02

changed speed_t to unsigned long. cannot be negative.

Fix -Wc++11-compat warnings

Several defects in making its symbols exportable. [perl #127821]

The POSIX::tmpnam() interface has been removed, see "POSIX::tmpnam() has been removed" in perl5251delta.

Trying to import POSIX subs that have no real implementations (like POSIX::atend()) now fails at import time, instead of waiting until runtime.

use the new get_svs, get_avs, get_hvs macros.

Safe 2.40_02c

Documentation only

Scalar-List-Util 1.47_01

Bumped version because upstream is still years behind: lexical $_ support, binary names, various other fixes.

Improved taint test.

sum/min/max need to call SvGETMAGIC

set_subname memory fix by @bluhm from Sub::Name 0.20 RT #117072

Fixes for older perls, esp. lexical $_ support.

Reinstate the &DB::sub setter, but no UTF8 support yet.

Socket 2.024_05

Fix -Wc++11-compat warnings

Merge cpan 2.024 with our 2.021_02, plus fix some problems in their new code.

Fixes for OpenBSD: Probe for netinet/in_systm.h Removed i_netinet6_in6 probe. This was never used due to a typo. It cannot be used due to RFC 2553.

Storable 3.05_12


Added some I32_MAX checks for tainted integers.

Fixed 3 null ptr dereferences leading to segfaults. [perl #130098]

Fixed some important security bugs with reading from Storable files or memory, directly controlling the stack (not the perl stack). See "Storable stack overflow or exit".

Another stack-overflow fix is for [cpan #97526], limiting the maximal number of nested hash or arrays to a computed number, ~3000-8000. Cpanel::JSON::XS has it at 512.

Fixed up early huge buffer and index support from 3.00c, which was failing with wrong malloc errors due to silently overwrap >2GB. t/huge.t works now correctly. Note that 2 cases are not relevant since v5.25.1c/v5.24.1c anymore as with these releases we limit the maximum number of elements for hashes and arrays, and fail with "Too many elements" before. Bumped up PERL_TEST_MEMORY requirements to 8 and 16 for arrays and hashes. In reality the VMM subsystem will kill the process on perl5 before. $a[9223372036854]=0 or %a=(0..4294967296) are easy ways to DoS a perl5 system. Only cperl is safe.

Skip or croak when reading or writing 64bit large objects on 32bit systems.

Fixed wrong recursion depth error with large arrays containing another array. Probe for valid max. stack sizes, and added 2 APIs. [cperl #257]

Update documentation from the CPAN version.

"Warn on metasploit CVE-2015-1592"

Sys-Syslog 0.35

CVE-2016-1238: avoid loading optional modules from default . (Tony Cook). Patch rewrote to no longer depend upon @INC. See

Kept our smoker logic in t/syslog.t, for slow darwin systems, the suse patch and disabled the lexical filehandle patch.

Term-ANSIColor 4.06

Add aliases ansi16 through ansi255 and on_ansi16 through on_ansi255 (plus the corresponding constants) for the grey and rgb colors so that one can refer to all of the 256 ANSI colors with consistent names. These are aliases; the colors returned by uncolor will still use the grey and rgb names. (#118267)

Term::ReadKey 2.37_01 renamed to ReadKey_pm.PL, expand blockoptions specific variants already at installation, no load-time eval, demand-load Carp, remove unneeded AutoLoader, harmonize formatting.

patch: use faster StructCopy and fixup the XS.

Test-Harness 3.39_01

Keeping our cperl and XSConfig fixes. See


Add doc and support for optional subtest @args.

Moved from cpan to dist. [cperl #154].

Test::More 1.401015c

Removed the deprecated isn't method, using the ' package seperator.

threads 2.15

Remove extra terminating semicolon. Clean up temporary directories after testing.

Thread-Queue 3.12

Calling any of the dequeue methods with COUNT greater than a queue's limit will generate an error.

But still have to keep our test fixes for . in @INC

Thread-Semaphore 2.13

Added down_timed method.

threads-shared 1.55

ifdef clang


Time-Local 1.25

Less runtime memory: demand-load Carp, Config.

Time-HiRes 1.9742_01

Fix -Wc++11-compat warnings Keep our better C++ fixes Keep our t/usleep.t, t/alarm.t, t/utime.t fixes. Keep our do_openn improvements in typemap.

from upstream:

- El Capitan compatibility - use CLOCK_REALTIME for clock_nanosleep scan - include file consistency in scans - use clockid_t consistently - use hv_fetchs() - scan for clockid_t (needed for macos Sierra) - darwin lacks clockid_t [cpan #129789]

More Darwin thread fixes for clock_gettime, Sierra support, test improvements, skip the t/utime.t on ext2/ext3

Unicode-Collate 1.19

Many new locales. Some major fixes.

version 0.9917_02c

Merge latest version with the '_' lyon concensus with the cperl extension of the optional final 'c' suffix. Extend version::regex for cperl. Now also parse the 'c' natively.

YAML::XS 0.75

merged with upstream libyaml 0.1.7 avoid duplicate checks against NULL fix libyaml clang -Wlogical-op warnings fix libyaml clang -Wlogical-not-parentheses warnings

fixed encoding issues: fixed wrong $YAML::XS::Encoding and $YAML::XS::LineBreak comparison logic. fixed utf8 input as handled as UTF8, non-utf8 honors $YAML::XS::Encoding.

fixed -Wunused value warnings

merged with upstream YAML-LibYAML, implemented $DisableBlessed (security).

XS::APItest 0.80_02

use the new get_svs, get_avs, get_hvs macros.

XSLoader 1.03c

coverity detected invalid branch: if (!module) is always false. we need to check if (!modlibname) instead.

Removed Modules and Pragmata

I18N-Collate 1.02

Compared 8-bit scalar data according to the current locale.

Deprecated with 5.003_06. Its functionality was integrated into the Perl core language in the release 5.003_06.

See perllocale for further information.


New Documentation


This file documents all upcoming deprecations, and some of the deprecations which already have been removed. The purpose of this documentation is two-fold: document what will disappear, and by which version, and serve as a guide for people dealing with code which has features that no longer work after an upgrade of their perl.

Changes to Existing Documentation















perlexperiment and perlref










perlintern and perlapi



The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see perldiag.

New Diagnostics

Added a new warnings category security which is default ON, using a special message.

A "SECURITY: " prefix, and as suffix the username, REMOTE_ADDR, full pathname to implement a service similar to fail2ban. Bypass $SIG{__WARN__} handlers. Prints to STDERR and if available to syslog.

A new -Dmv debugging mode for verbose arena memory debugging was added, similar to -Dm and env PERL_MEM_LOG=s.

New Errors

New Warnings

Changes to Existing Diagnostics

As of Perl 5.25.9, all new deprecations will come with a version in which the feature will disappear. And with a few exceptions, most existing deprecations will state when they'll disappear. As such, most deprecation messages have changed.

Configuration and Compilation

All changes but default_inc_excludes_do are cperl-only.

sysincpath, syslibpth

Those two new Config keys are needed for properly identifying the true compiler header and library search paths. The old libpth just assumed paths based in the calculated incpth. Several compilers have not matching search paths, which lead to wrong precedence orderings of e.g. /usr/local/ vs /opt/local, conflicting in ccflags and ldflags. syslibpth is now computed. The new keys don't add extra ccflags or ldflags directcories if they already exist in the compiler search paths. See [cperl #267] for more. Note that this doesn't fix other ordering issues, as -I and -L is evaluated before the system search paths.

This fixes serious problems with updated libraries in /usr/local/lib on macports, but probably everywhere with bad compiler search paths.


Added a post-dynamic rule for Storable, to probe for the max. stacksize and re-compile it with that.


Fixed dlopen probe and compilation with c++.

The dlopen probe with C++ needs -fPIC -shared, otherwise dlopen() will not be found. This will set ld=ld, leading to the problem below:


ld -f may not be used without -shared

Check ld=ld (caused by the failing dlopen probe from above) and ldflags without -shared and disable adding -fstack-protector to it.


Added default_inc_excludes_dot to perl -V and myconfig.


Probe for arflags, which do support D for deterministic static archives without member timestamps. On darwin we currently only have llvm-ar-mp-3.9 (since 3.7) which does support this.

ranlib is probed for the -D flag for reproducible build determinism.

fixed longdblinfbytes probe

With Intel long double it didn't clean random excess garbage bytes after the 10th byte.

cperl build helper scripts

Added the following release scripts to Porting: do-conf-clean do-conf-cperl-release do-make-cperl-release do-make-srctarball perl_version for Linux (debian and rpm) and Darwin.

Those builds are now reproducible, see below.

reproducible builds

cperl has now support for automatic reproducible builds on most platforms. A new cf_epoch config key was added.

The config key cf_time is now based on: 1. SOURCE_DATE_EPOCH, 2. with .git the newest file in the repository, or 3. the newest file in the MANIFEST.

Builds are done with LC_ALL=C and PERL_HASH_SEED=0, but builds are still LANGUAGE or compiler specific.

Those builds are reproducible when done on the same machine and user. Otherwise set the keys: cf_by, cf_email, mydomain, myhostname, myuname also.

See [cperl #169].


This suspicious Config key was removed from cperl. If you have a NIS database use ypcat passwd. passcat is not used in any public CPAN module.


Ask for fake_signatures being compiled in as default or not. Defaults to yes with cperl, no without. Sets $Config{fake_signatures} and defines PERL_FAKE_SIGNATURE.


Probe for llabs() needed for PERL_IABS on 32bit with -Duse64bitint, the default on mingw/cygwin. Defines HAS_LLABS.


Probe for setenv() needed on some platforms with strict linkage or -fvisibility=hidden.


Probe for __attribute__((always_inline)), which is helpful with clang -flto=thin for exported mathoms (b) and inlined functions.

The problem is that __attribute__((used)) functions are not inlined. With always_inline + global visibility, but not __attribute__((used)) we get inlined variants plus exported copies for the API. Add PERL_MATHOM_CALLCONV to use it.


Added a new sanitize_address config entry and probe, and matching USE_SANITIZE_ADDRESS config.h definition.


Added a new d_attribute_used config entry and probe, and matching HASATTRIBUTE_USED config.h definition.


Added a new i_netinet_in_systm config entry and probe, and matching config.h define for Socket.


Removed the i_netinet6_in6 Config entry and probe, and matching I_NETINET6_I6 config.h define, which was a typo. This was added with cperl-5.22.2 and was never used due to the typo. It cannot be used due to RFC 2553.


Fixed the __builtin_prefetch probe, not yet used.


Added a new __builtin_ctz probe, $Config{d_builtin_ctz} key, used for faster DO_HSPLIT() calculations. About 30% faster for hash intensive tests.


Utility Changes


Platform Support

Platform-Specific Notes


The hints for Hurd have been improved enabling malloc wrap and reporting the GNU libc used (previously it was an empty string when reported). [perl #128954]


VAX floating point formats are now supported.


Several tests have been updated to work (or be skipped) on EBCDIC platforms.


Net::Ping UDP test is skipped on HP-UX.

OpenBSD 6

OpenBSD 6 still does not support returning pid, gid or uid with SA_SIGINFO. Make sure this is accounted for.


With the SunPro cc compiler we use now the __global declaration for exported functions, similar to Windows __declspec(dllexport).

This is hidden under the new GLOBAL macro.

Internal Changes

Selected Bug Fixes

No double-free of $_ in loops

Fixed [perl #131101] crash with something like

  map /x/g, (%h = ("y", 0)), (%h = ("y", 0))


packaging: protect sitelib dirs from being uninstalled

The cperl packaging recipe in do-make-cperl-release allowed empty directories to be created, which is a huge problem with debian/rpm like installations, potentially removing all files and subdirectories manually installed via cpan into sitelib and sitearch when updating or removing the package.

type-check list assignments and types

These list assignments now properly type check:

  package Bla;
  my Bla @a;
  my int $i = $a[0];
  # => Type of scalar assignment to $i must be int (not Bla)
  $i = shift @a;
  # => Type of scalar assignment to $i must be int (not Bla)

  # implicit shift
  (my int $j) = @a;
  # => Type of list assignment to $j must be int (not Bla)

i.e. we descend into many list (array/hash) ops. mderef not yet.

Also more builtin variables are now type-checked, such as @ARGV as :Array(:Str) and as :Str $ARGV, $0 and $^X. Previously only $^O. These added types do now more internal type optimizations, e.g. using s_eq instead of the generic eq when comparing with constants.

See [cperl #258].

-d with tailcalls

Implemented a workaround for the debugger (-d) to step into most functions with signatures. Until the root cause with debugging tailcalls is fixed, we convert back a signature to old-style assignments under the debugger. This was the only perl5 regression. See [cperl #167].

Restore C++ compatibility

perl5 is compileable with recent C++ compilers, but cperl since v5.24.0c not so. We fixed more wrong goto's and wrong const declarations leading to C++ errors with -fpermissive, which is basically used as stricter C mode.

E.g. error: invalid conversion from 'const HEK* {aka const hek*}' to 'HEK* {aka hek*} [-fpermissive]. error: jump to label 'float_ipow'. crosses initialization of 'unsigned int diff'

Regression since v5.24.0c, a cperl problem only. [cperl #224]

$-{$name} leak

$-{$name} would leak an AV on each access if the regular expression had no named captures. The same applies to access to any hash tied with Tie::Hash::NamedCapture and all => 1. [perl #130822]

split ' ' under use unicode_strings

split ' ' now handles the argument being split correctly when in the scope of the unicode_strings feature. Previously, when a string using the single-byte internal representation contained characters that are whitespace by Unicode rules but not by ASCII rules, it treated those characters as part of fields rather than as field separators. This resolves [perl #130907].

Fix $# use after free or buffer overflow

Attempting to use the deprecated variable $# as the object in an indirect object method call could cause a heap use after free or buffer overflow. [perl #129274]

Fix lexer with indirect object method calls

When checking for an indirect object method call in some rare cases the parser could reallocate the line buffer but then continue to use pointers to the old buffer. [perl #129190]

Forbid glob as format argument

Supplying a glob as the format argument to "formline" in perlfunc would cause an assertion failure. [perl #130722]

Fix optimized match to qr

Code like $value1 =~ qr/.../ ~~ $value2 would have the match converted into a qr// operator, leaving extra elements on the stack to confuse any surrounding expression. [perl #130705]

Fix pad access in regex eval code blocks

Since 5.24.0 in some obscure cases, a regex which included code blocks from multiple sources (e.g. via embedded via qr// objects) could end up with the wrong current pad and crash or give weird results. [perl #129881]

Fix local in regex eval code blocks

Occasionally local()s in a code block within a patterns weren't being undone when the pattern matching backtracked over the code block. [perl #126697]

Fix substr with a magic variable

Using substr() to modify a magic variable could access freed memory in some cases. [perl #129340]

Fix some missing Malformed UTF-8 character warnings

Perl 5.25.9 was fixed so that under use utf8, the entire Perl program is checked that the UTF-8 is wellformed. It turns out that several edge cases were missed, and are now fixed. [perl #126310] was the original ticket.

SvREADONLY_off: allow calls as argument

No multiple evaluation of its argument anymore.

ref assert

Fixed an assertion error with DEBUGGING builds in the ref op, detected with -T in pod testing. Turn off taint magic for the return value of ref with fixed ref names. [cperl #254].

c3 linerarization

Fix c3 ISA linearization with deleted ISA elements, leaving "main" plus an empty name.

    cperl -Mmro=c3 -e'
        @ISACLEAR::ISA=qw/XX YY ZZ/;
        print join",",@{mro::get_linear_isa('ISACLEAR')}'
    => XX,main,,ZZ # wrong

[cperl #251].


Fix and explain sv_dump (also via Devel::Peek Dump) that maxnested means also maxelems, by printing now "... (skipping Elt 5-20)". [cperl #243].

use utf8

Under use utf8, the entire Perl program is now checked that the UTF-8 is wellformed. [perl #126310].


Handle SvIMMORTALs in LHS of list assign. [perl #129991]

user-defined Unicode properties broke texinfo

[perl #130010] a5540cf breaks texinfo

This involved user-defined Unicode properties.

Fix error message for unclosed \N{ in regcomp.

An unclosed \N{ could give the wrong error message "\N{NAME} must be resolved by the lexer".

Fix scalar lvalues in list assignment

List assignment in list context where the LHS contained aggregates and where there were not enough RHS elements, used to skip scalar lvalues. Previously, (($a,$b,@c,$d) = (1)) in list context returned ($a); now it returns ($a,$b,$d). (($a,$b,$c) = (1)) is unchanged: it still returns ($a,$b,$c). This can be seen in the following:

    sub inc { $_++ for @_ }
    inc(($a,$b,@c,$d) = (10))

Formerly, the values of ($a,$b,$d) would be left as (11,undef,undef); now they are (11,1,1).

Fix /(?{ s!!! })/

[perl #129903]

The basic problem is that code like this: /(?{ s!!! })/ can trigger infinite recursion on the C stack (not the normal perl stack) when the last successful pattern in scope is itself. Since the C stack overflows this manifests as an untrappable error/segfault, which then kills perl.

We avoid the segfault by simply forbidding the use of the empty pattern when it would resolve to the currently executing pattern.

Fix utf8 parsing

Avoid reading beyond the end of the line buffer when there's a short UTF-8 character at the end. [perl #128997]

Fix firstchar bitmap under utf8 with prefix optimisation.

[perl #129950]

Carp/t/arg_string.t: be liberal in f/p formats.

[perl #129954]

Make do "a\0b" fail silently instead of throwing.

[perl #129928]

Fix nested forward sub declarations

A sub containing a "forward" declaration with the same name (e.g., sub c { sub c; }) could sometimes crash or loop infinitely. [perl #129090]

regex crash utf8 =~ utf8

A crash in executing a regex with a floating UTF-8 substring against a target string that also used UTF-8 has been fixed.

[perl #129350]

#!perl -i u vs. -u

Previously, a shebang line like #!perl -i u could be erroneously interpreted as requesting the -u option. This has been fixed.

[perl #129336]

Wrong regex backtracking

The regex engine was previously producing incorrect results in some rare situations when backtracking past a trie that matches only one thing; this showed up as capture buffers ($1, $2, etc) erroneously containing data from regex execution paths that weren't actually executed for the final match. [perl #129897]

regex_sets assertions

Certain regexes making use of the experimental regex_sets feature could trigger an assertion failure. This has been fixed.

[perl #129322]

Invalid ref assignments

Invalid assignments to a reference constructor (e.g., \eval=time) could sometimes crash in addition to giving a syntax error. [perl #125679]

evalbytes bareword crash

The parser could sometimes crash if a bareword came after evalbytes. [perl #129196]

Wrong Use of inherited AUTOLOAD for non-method warning

Autoloading via a method call would warn erroneously ("Use of inherited AUTOLOAD for non-method") if there was a stub present in the package into which the invocant had been blessed. The warning is no longer emitted in such circumstances. [perl #47047]

Fix crash with illegal splice

The use of splice on arrays with nonexistent elements could cause other operators to crash. [perl #129164]

Fix re_untuit_start overflow

Fixed case where re_untuit_start will overshoot the length of a utf8 string. [perl #129012]

Improve deb_stack_all

Handle CXt_SUBST better in Perl_deb_stack_all, previously it wasn't checking that the current cx is the right type, and instead was always checking the base cx (effectively a noop). [perl #129029]

Fixed some UAF bugs in yylex

Fixed two possible use-after-free bugs in Perl_yylex. Perl_yylex maintains up to two pointers into the parser buffer, one of which can become stale under the right conditions.

[perl #129069]

Fixed s///l crash with utf8

Fixed a crash with s///l where it thought it was dealing with UTF-8 when it wasn't. [perl #129038]

Unexpected binary operator '+' with no preceding operand in regex

Fixed place where regex was not setting the syntax error correctly. [perl #129122]

Fixed &. assert with utf8 and missing nul byte

The &. operator (and the & operator, when it treats its arguments as strings) were failing to append a trailing null byte if at least one string was marked as utf8 internally. Many code paths (system calls, regexp compilation) still expect there to be a null byte in the string buffer just past the end of the logical string. An assertion failure was the result. [perl #129287]

Check pack_sockaddr_un

Check pack_sockaddr_un()'s return value because pack_sockaddr_un() silently truncates the supplied path if it won't fit into the sun_path member of sockaddr_un. This may change in the future, but for now check the path in thesockaddr matches the desired path, and skip if it doesn't. [perl #128095]

Fix scan_heredoc

Make sure PL_oldoldbufptr is preserved in scan_heredoc(). In some cases this is used in building error messages. [perl #128988]


Check for null PL_curcop in IN_LC() [perl #129106]

Fix parser error with :attr(foo

Fixed the parser error handling for an ':attr(foo' that does not have an ending ')'.

Fix delimcpy

Fix Perl_delimcpy() to handle a backslash as last char, this actually fixed two bugs, [perl #129064] and [perl #129176].

Fix gv_fetchmethod_pvn_flags seperator parsing

[perl #129267] rework gv_fetchmethod_pvn_flags separator parsing to prevent possible string overrun with invalid len in gv.c

Fix some in-place array sorts cases

Problems with in-place array sorts: code like @a = sort { ... } @a, where the source and destination of the sort are the same plain array, are optimised to do less copying around. Two side-effects of this optimisation were that the contents of @a as visible to to sort routine were partially sorted, and under some circumstances accessing @a during the sort could crash the interpreter. Both these issues have been fixed, and Sort functions see the original value of @a.

Wrong Attempt to pack pointer to temporary value warning

pack("p", ...) used to emit its warning ("Attempt to pack pointer to temporary value") erroneously in some cases, but has been fixed.

Wrong used once warning in the debugger

@DB::args is now exempt from "used once" warnings. The warnings only occurred under -w, because itself uses @DB::args multiple times.

Wrong Possible unintended interpolation... warnings

The use of built-in arrays or hash slices in a double-quoted string no longer issues a warning ("Possible unintended interpolation...") if the variable has not been mentioned before. This affected code like qq|@DB::args| and qq|@SIG{'CHLD', 'HUP'}|. (The special variables @- and @+ were already exempt from the warning.)

Fixed gethostent checks for NUL bytes regression

gethostent and similar functions now perform a null check internally, to avoid crashing with torsocks. This was a regression from 5.22. [perl #128740]

Fix some defined typeglob leaks

defined *{'!'}, defined *{'['}, and defined *{'-'} no longer leak memory if the typeglob in question has never been accessed before.


In 5.25.4 fchown() was changed not to accept negative one as an argument because in some platforms that is an error. However, in some other platforms that is an acceptable argument. This change has been reverted [perl #128967].

Wrong constant assertion with sub ub(){0} ub ub

Mentioning the same constant twice in a row (which is a syntax error) no longer fails an assertion under debugging builds. This was a regression from 5.20. [perl #126482]

Many hexadecimal floating point printing fixes

Many issues relating to printf "%a" of hexadecimal floating point were fixed. In addition, the "subnormals" (formerly known as "denormals") floating point anumbers are now supported both with the plain IEEE 754 floating point numbers (64-bit or 128-bit) and the x86 80-bit "extended precision". Note that subnormal hexadecimal floating point literals will give a warning about "exponent underflow". [perl #128843], [perl #128889], [perl #128890], [perl #128893], [perl #128909], [perl #128919].

tr/\N{U+...}/foo/ regression

A regression in 5.24 with tr/\N{U+...}/foo/ when the code point was between 128 and 255 has been fixed. [perl #128734].

S__invlist_len assertion

A regression from the previous development release, 5.23.3, where compiling a regular expression could crash the interpreter has been fixed. [perl #128686].

Invalid utf8 string delimiters

Use of a string delimiter whose code point is above 2**31 now works correctly on platforms that allow this. Previously, certain characters, due to truncation, would be confused with other delimiter characters with special meaning (such as ? in m?...?), resulting in inconsistent behaviour. Note that this is non-portable, and is based on Perl's extension to UTF-8, and is probably not displayable nor enterable by any editor. [perl #128738]

@{x\n crash

@{x followed by a newline where x represents a control or non-ASCII character no longer produces a garbled syntax error message or a crash. [perl #128951]

%: = 0 assertion

An assertion failure with %: = 0 has been fixed. [perl #128238]

"$foo::$bar" vs "$foo\::$bar" 5.18 parsing regression

In Perl 5.18, the parsing of "$foo::$bar" was accidentally changed, such that it would be treated as $foo."::".$bar. The previous behavior, which was to parse it as $foo:: . $bar, has been restored. [perl #128478]

-x off by one 5.20 regression

Since Perl 5.20, line numbers have been off by one when perl is invoked with the -x switch. This has been fixed. [perl #128508]

delete $My::{"Foo::"}; \&My::Foo::foo no longer crashes

Vivifying a subroutine stub in a deleted stash (e.g., delete $My::{"Foo::"}; \&My::Foo::foo) no longer crashes. It had begun crashing in Perl 5.18. [perl #128532]

Wrong sub and filehandle deletion crashes

Some obscure cases of subroutines and file handles being freed at the same time could result in crashes, but have been fixed. The crash was introduced in Perl 5.22. The cperl fix doesn't hurt run-time performance as the perl5.26 fix does. [perl #128597]

No $ISA[0][0] assertion

Code that looks for a variable name associated with an uninitialized value could cause an assertion in cases where magic is involved, such as $ISA[0][0]. This has now been fixed. [perl #128253]

No Subroutine STASH::NAME redefined crash

A crash caused by code generating the warning "Subroutine STASH::NAME redefined" in cases such as sub P::f{} undef *P::; *P::f =sub{}; has been fixed. In these cases, where the STASH is missing, the warning will now appear as "Subroutine NAME redefined". [perl #128257]

No format deprecation assertions

Fixed an assertion triggered by some code that handles deprecated behavior in formats, e.g. in cases like this:

    format STDOUT =

[perl #128255]

Fixed divide by zero crash on windows with collate

A possible divide by zero in string transformation code on Windows has been avoided, fixing a crash when collating an empty string. [perl #128618]

Fixed assertions with /(?<=/ or /(?<!/

Some regular expression parsing glitches could lead to assertion failures with regular expressions such as /(?<=/ and /(?<!/. This has now been fixed. [perl #128170]

Non-ASCII string delimiters are now reported correctly in error messages for unterminated strings

[perl #128701]

Allow lvalue keys %hash

Scalar keys %hash can now be assigned to consistently in all scalar lvalue contexts. Previously it worked for some contexts but not others.

Fixed ${\vec %h, 0, 1}, ${\substr %h, 0}

${\vec %h, 0, 1} and ${\substr %h, 0} do not segfault anymore, rather the lvalue context is propagated, and list context properly handled. [perl #128260]

Fixed the range unicode bug

When the right side of the range is a UTF-8 encoded string, but the left side not, downgrade the right side to native octets. E.g.

    my $r = chr 255; utf8::upgrade $r; my $num = ("a" .. $r);
    print $num

should print 26 but does 702, because the utf-8 repr. of \x{ff} is "\303\277" [UTF8 "\x{ff}"], and the range was incremented from "a" to "\x{c3}\x{bf}" instead. See [cperl #218].

Fixed -Duseshrplib, a shared libcperl.$so

Fixed several issues with -Duseshrplib, a shared libcperl.$so: install it (!!), fix ExtUtils::Embed and B-C compilation and testing, fix tests on darwin, fix configuration probe of Term::ReadKey.

Fixed sv_dump of VALID,EVALED

Fixed sv_dump of fbm-magic strings which did previously contain the wrong "VALID,EVALED" string for a flag which is either VALID or EVALED. cperl only.

Fixed cperl signatures with default blocks

Fixed a cperl-only failure in signatures with default blocks introducing a new lexical variable. As in sub t151($a,$b=do{my $f},$c=1){} t151($x,$x,$x). This failure was only fatal on 32bit + -Duse64bitint systems.

SIGNATURE_arg_default_op does not have a items arg. See [cperl #164]. and [cperl #213].

v-strings with a 'c' suffix can now be parsed natively

In scan_vstring(). See [cperl #211].

More I32/IV/SSize_t fixes

against huge data (2GB) overflows on 64bit.

We are now in a 64bit world and need to get rid of all the wrong 32bit (2GB) size limits. Some of these fixes seem to be even security relevant, as in the last 2GB series from [cperl #123].

chop/chomp of only half of overlarge arrays.

Or ~"a"x2G complement of overlarge strings, silently processing only the half - as with overlong hash keys.

There was also a smartmatch Array - CodeRef rule, which passed only over half the array elements. The Hash part was also wrong, but the wrong number was not used.

regex match group of >2GB string len.

Allow repeat count >2GB and don't silently cap it at IV_MAX. Which was at least better then silent wrap around.

Missing optimization of inplace substitution via clen overflow.

Fixed several heap-buffer-overflows detected by asan

use-after-free in Dynaloader (ReadKey probe with -DDEBUG_LEAKING_SCALAR), heap-overflow in gv_fetchfile (t/comp/parser.t), heap-overflow with signatures, heap-overflow in XSLoader, invalid memEQc in toke.c missing out on parsing #!perl -opts, B-C global-buffer-overflow with dynamic COW strings, wrong savepvn args.

There are still heap-use-after-free problems with perlcc and PERL_DESTRUCT_LEVEL=2.

See [cperl #207]

Fix -DNODEFAULT_SHAREKEYS regression from 5.9

Fixed overwriting the HVhek_UNSHARED bit in the hash loop broken with v5.9.

This fixed -DNODEFAULT_SHAREKEYS. In the default configuration without NODEFAULT_SHAREKEYS since 5.003_001 all hash keys are stored twice, once in the hash and once again in PL_strtab, the global string table, with the benefit of faster hash loops and copies. Almost all hashtables get the SHAREKEYS bit. With -Accflags=-DNODEFAULT_SHAREKEYS simple scripts are 20-30% faster. [cperl #201]

Fix HEK_TAINTED check for HEf_SVKEY values

A HEf_SVKEY hek has no tainted flag, the pointed to SV has. This is a cperl-only security feature.

Only clear LS_COLORS for glob

When miniperl calls csh to implement glob(), we cleared %ENV temporarily to avoid csh dying on invalid values for things like LS_COLORS. That has proven to have far too many problems, since many system-dependent env vars are necessary for calling an external process. See the [perl #126041] ticket for details.

A better solution is temporarily to clear only those vars that are known to be problematic and make csh possibly fail. There only hap- pens to be one of those at present, namely LS_COLORS.

Fixed error in error during global destruction

A SEGV in mess_sv during global destruction with a DEBUGGING perl and -DS been fixed, occuring when we wanted to report the location of an error when curcop has already been freed.

Testcase: ./miniperl -DS -e '$_="f"; s/./"&".$&/ee'

[perl #129027]

Fixed ck_chift segfault

A SEGV in ck_shift with an empty/wrong current function, caused by a syntax error has been fixed. The syntax error is now reported lateron. Testcase: 'qq{@{sub{q}}]]}}; s0{shift'

[perl #125351]

Handle missing Unicode heredoc terminators correctly

E.g. perl -CS -e 'use utf8; q«' prints now Can't find string terminator "«" anywhere before EOF at -e line 1.

[perl #128701]

Syntax warnings with until ($x = 1) { ... }

until ($x = 1) { ... } and ... until $x = 1 now properly warn when syntax warnings are enabled. [perl #127333]

Fixed require : parsing

require followed by a single colon (as in foo() ? require : ... is now parsed correctly as require with implicit $_, rather than require "". [perl #128307]

Known Problems

For open cperl problems see [issues].

Some of these fixes also can to be backported from perl5.25.x upstream.

Errata From Previous Releases


Jon Portnoy (AVENJ), a prolific Perl author and admired Gentoo community member, has passed away on August 10, 2016. He will be remembered and missed by all those with which he came in contact and enriched with his intellect, wit, and spirit.


cperl 5.26.0 represents approximately 1 year of development since Perl 5.24.2c and contains approximately 420,000 lines of changes across 2,800 files from 75 authors.

Excluding auto-generated files, documentation and release tools, there were approximately 260,000 lines of changes to 1,900 .pm, .t, .c and .h files.

The following people are known to have contributed the improvements that became cperl 5.26.0:

Reini Urban, Karl Williamson, David Mitchell, Father Chrysostomos, Yves Orton, Jarkko Hietaniemi, Aaron Crane, Tony Cook, Abigail, Dan Collins, Lukas Mai, Craig A. Berry, James E Keenan, Hugo van der Sanden, Andy Lester, Dagfinn Ilmari Mannsåker, Jim Cromie, Matthew Horsfall, Sawyer X, Aristotle Pagaltzis, H.Merijn Brand, Daniel Dragan, Steve Hay, Niko Tyni, Pali, Zefram, Dominic Hargreaves, Chris 'BinGOs' Williams, Renee Baecker, Ricardo Signes, E. Choroba, Petr Písař, Steffen Müller, John Lightsey, Nicolas Rochelemagne, Karen Etheridge, Shlomi Fish, Dave Rolsky, Smylers, Christian Hansen, Yaroslav Kuzmin, Misty De Meo, Ævar Arnfjörð Bjarmason, Alex Vandiver, Stefan Seifert, Tomasz Konojacki, James Raspass, Ed Avis, Steven Humphrey, Neil Bowers, Rafael Garcia-Suarez, Theo Buehler, Thomas Sibley, Doug Bell, Jerry D. Hedden, Samuel Thibault, Unicode Consortium, J. Nick Koston, Colin Newell, Sergey Aleynikov, Leon Timmermans, Maxwell Carey, Christian Millour, Chase Whitener, Pino Toscano, Peter Avalos, Salvador Fandiño, Dave Cross, Andrew Fresh, Andreas Voegele, Hauke D, Rick Delaney, François Perrad, Richard Levitte, vendethiel.

The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.

Many of the changes included in this version originated in the CPAN modules included in Perl's core. We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors, please see the AUTHORS file in the Perl source distribution.

Generated with:

    cperl Porting/ cperl-5.24.2..HEAD

Reporting Bugs

If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at . There may also be information at , the Perl Home Page.

If you believe you have an unreported bug, please run the perlbug program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of perl -V, will be sent off to to be analysed by the Perl porting team.

If you think it's a cperl specific bug or trust the cperl developers more please file an issue at

If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see "SECURITY VULNERABILITY CONTACT INFORMATION" in perlsec For details of how to report the issue.


The Changes file for an explanation of how to view exhaustive details on what changed.

The INSTALL file for how to build Perl.

The README file for general stuff.

The Artistic and Copying files for copyright information.