perl5260cdelta.html

<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>perl5260cdelta - what is new for cperl v5.26.0</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:rurban@cpan.org" />
</head>

<body>



<ul id="index">
  <li><a href="#NAME">NAME</a></li>
  <li><a href="#DESCRIPTION">DESCRIPTION</a></li>
  <li><a href="#Notice">Notice</a></li>
  <li><a href="#Core-Enhancements">Core Enhancements</a>
    <ul>
      <li><a href="#No-magic-to-undef-yes-no-placeholder-SVs">No magic to undef/yes/no/placeholder SVs</a></li>
      <li><a href="#Type-check-assignments">Type-check assignments</a></li>
      <li><a href="#HvCLASS">HvCLASS</a></li>
      <li><a href="#Type-infer-bless">Type-infer bless</a></li>
      <li><a href="#Type-infer-subroutine-return-types">Type-infer subroutine return types</a></li>
      <li><a href="#for-qw-is-legal-again">for qw() is legal again</a></li>
      <li><a href="#Perl-can-now-do-default-collation-in-UTF-8-locales-on-platforms-that-support-it">Perl can now do default collation in UTF-8 locales on platforms that support it</a></li>
      <li><a href="#Better-locale-collation-of-strings-containing-embedded-NUL-characters">Better locale collation of strings containing embedded NUL characters</a></li>
      <li><a href="#Unescaped-literal-characters-in-regular-expression-patterns-are-no-longer-permissible">Unescaped literal &quot;{&quot; characters in regular expression patterns are no longer permissible</a></li>
      <li><a href="#Literal-control-character-variable-names-are-no-longer-permissible">Literal control character variable names are no longer permissible</a></li>
      <li><a href="#New-regular-expression-modifier-xx">New regular expression modifier /xx</a></li>
      <li><a href="#NBSP-is-no-longer-permissible-in-N">NBSP is no longer permissible in \N{...}</a></li>
      <li><a href="#CORE-subroutines-for-hash-and-array-functions-callable-via-reference">CORE subroutines for hash and array functions callable via reference</a></li>
      <li><a href="#Unicode-9.0-is-now-supported">Unicode 9.0 is now supported</a></li>
      <li><a href="#Use-of-p-script-uses-the-improved-Script_Extensions-property">Use of \p{script} uses the improved Script_Extensions property</a></li>
      <li><a href="#Declaring-a-reference-to-a-variable">Declaring a reference to a variable</a></li>
      <li><a href="#Indented-Here-documents">Indented Here-documents</a></li>
      <li><a href="#and-INC">&#39;.&#39; and @INC</a></li>
      <li><a href="#create-a-safer-utf8_hop-called-utf8_hop_safe">create a safer utf8_hop() called utf8_hop_safe()</a></li>
      <li><a href="#CAPTURE-CAPTURE-and-CAPTURE_ALL">@{^CAPTURE}, %{^CAPTURE}, and %{^CAPTURE_ALL}</a></li>
      <li><a href="#Improved-.pmc-loading">Improved .pmc loading</a></li>
      <li><a href="#Added-SAFE_RX_-substrs-accessors">Added SAFE_RX_ substrs accessors</a></li>
    </ul>
  </li>
  <li><a href="#Security">Security</a>
    <ul>
      <li><a href="#Storable-stack-overflows">Storable stack overflows</a></li>
      <li><a href="#Escaped-colons-and-relative-paths-in-PATH">&quot;Escaped&quot; colons and relative paths in PATH</a></li>
      <li><a href="#Unicode-identifiers:-Moderately-Restrictive-Level">Unicode identifiers: Moderately Restrictive Level</a></li>
      <li><a href="#chdir-heap-buffer-overflow-on-the-perl-stack">chdir heap-buffer-overflow on the perl stack</a></li>
      <li><a href="#Improved-Hash-DDoS-prevention">Improved Hash DDoS prevention</a></li>
      <li><a href="#n-buffer-overflows">@{ \327 \n } buffer overflows</a></li>
      <li><a href="#eval-q-.-chr-overlarge-stack-overflow">eval &quot;q&quot; . chr(overlarge) stack overflow</a></li>
      <li><a href="#Protect-and-warn-on-hash-flood-DoS">Protect and warn on hash flood DoS</a></li>
      <li><a href="#use-utf8-Script">use utf8 &#39;Script&#39;</a></li>
      <li><a href="#Unicode-normalization-of-identifiers-names">Unicode normalization of identifiers/names</a></li>
      <li><a href="#No-binary-symbols">No binary symbols</a></li>
      <li><a href="#hash-seed-exposure">hash seed exposure</a></li>
      <li><a href="#Warn-on-metasploit-CVE-2015-1592">Warn on metasploit CVE-2015-1592</a></li>
      <li><a href="#Warn-on-metasploit-reverse-shells">Warn on metasploit reverse shells</a></li>
      <li><a href="#syscalls-warnings-also-security">syscalls warnings also security</a></li>
    </ul>
  </li>
  <li><a href="#Deprecations">Deprecations</a>
    <ul>
      <li><a href="#do_open-do_close-macros">do_open, do_close macros</a></li>
      <li><a href="#Removed-as-package-seperator">Removed &#39; as package seperator</a></li>
      <li><a href="#New-items-in-perldeprecation">New items in perldeprecation</a></li>
    </ul>
  </li>
  <li><a href="#Incompatible-Changes">Incompatible Changes</a>
    <ul>
      <li><a href="#String-delimiters-that-arent-stand-alone-graphemes-are-illegal">String delimiters that aren&#39;t stand-alone graphemes are illegal</a></li>
      <li><a href="#for-state-loops-still-illegal">for state loops still illegal</a></li>
      <li><a href="#scalar-hash-return-value-changed">scalar(%hash) return value changed</a></li>
      <li><a href="#keys-returned-from-an-lvalue-subroutine">keys returned from an lvalue subroutine</a></li>
    </ul>
  </li>
  <li><a href="#Performance-Enhancements">Performance Enhancements</a></li>
  <li><a href="#Modules-and-Pragmata">Modules and Pragmata</a>
    <ul>
      <li><a href="#New-Modules-and-Pragmata">New Modules and Pragmata</a></li>
      <li><a href="#Updated-Modules-and-Pragmata">Updated Modules and Pragmata</a></li>
      <li><a href="#Removed-Modules-and-Pragmata">Removed Modules and Pragmata</a></li>
    </ul>
  </li>
  <li><a href="#Documentation">Documentation</a>
    <ul>
      <li><a href="#New-Documentation">New Documentation</a>
        <ul>
          <li><a href="#perldeprecation">perldeprecation</a></li>
        </ul>
      </li>
      <li><a href="#Changes-to-Existing-Documentation">Changes to Existing Documentation</a>
        <ul>
          <li><a href="#perlobj">perlobj</a></li>
          <li><a href="#perlop">perlop</a></li>
          <li><a href="#perllocale">perllocale</a></li>
          <li><a href="#perldiag">perldiag</a></li>
          <li><a href="#perldtrace">perldtrace</a></li>
          <li><a href="#perlguts">perlguts</a></li>
          <li><a href="#perlvar">perlvar</a></li>
          <li><a href="#perlootut">perlootut</a></li>
          <li><a href="#perlhack">perlhack</a></li>
          <li><a href="#perlre">perlre</a></li>
          <li><a href="#perlinterp">perlinterp</a></li>
          <li><a href="#perlcall">perlcall</a></li>
          <li><a href="#perltie">perltie</a></li>
          <li><a href="#perldata">perldata</a></li>
          <li><a href="#perlexperiment-and-perlref">perlexperiment and perlref</a></li>
          <li><a href="#perlfunc">perlfunc</a></li>
          <li><a href="#perlunicode">perlunicode</a></li>
          <li><a href="#perlvar1">perlvar</a></li>
          <li><a href="#perlcommunity">perlcommunity</a></li>
          <li><a href="#perldelta">perldelta</a></li>
          <li><a href="#perllocale1">perllocale</a></li>
          <li><a href="#perlmodinstall">perlmodinstall</a></li>
          <li><a href="#perlmodlib">perlmodlib</a></li>
          <li><a href="#perlnewmod">perlnewmod</a></li>
          <li><a href="#perlintern-and-perlapi">perlintern and perlapi</a></li>
          <li><a href="#perlsec">perlsec</a></li>
        </ul>
      </li>
    </ul>
  </li>
  <li><a href="#Diagnostics">Diagnostics</a>
    <ul>
      <li><a href="#New-Diagnostics">New Diagnostics</a>
        <ul>
          <li><a href="#New-Errors">New Errors</a></li>
          <li><a href="#New-Warnings">New Warnings</a></li>
        </ul>
      </li>
      <li><a href="#Changes-to-Existing-Diagnostics">Changes to Existing Diagnostics</a></li>
    </ul>
  </li>
  <li><a href="#Configuration-and-Compilation">Configuration and Compilation</a></li>
  <li><a href="#Testing">Testing</a></li>
  <li><a href="#Utility-Changes">Utility Changes</a>
    <ul>
      <li><a href="#c2ph">c2ph</a></li>
    </ul>
  </li>
  <li><a href="#Platform-Support">Platform Support</a>
    <ul>
      <li><a href="#Platform-Specific-Notes">Platform-Specific Notes</a></li>
    </ul>
  </li>
  <li><a href="#Internal-Changes">Internal Changes</a></li>
  <li><a href="#Selected-Bug-Fixes">Selected Bug Fixes</a></li>
  <li><a href="#Known-Problems">Known Problems</a></li>
  <li><a href="#Errata-From-Previous-Releases">Errata From Previous Releases</a></li>
  <li><a href="#Obituary">Obituary</a></li>
  <li><a href="#Acknowledgements">Acknowledgements</a></li>
  <li><a href="#Reporting-Bugs">Reporting Bugs</a></li>
  <li><a href="#SEE-ALSO">SEE ALSO</a></li>
</ul>

<h1 id="NAME">NAME</h1>

<p>perl5260cdelta - what is new for cperl v5.26.0</p>

<h1 id="DESCRIPTION">DESCRIPTION</h1>

<p>This document describes the differences between the cperl 5.24.2 and the cperl 5.26.0 releases.</p>

<p>If you are upgrading from an earlier release such as v5.24.1c, first read the <a href="/cperl/perl5242cdelta.html">perl5242cdelta</a> documentation, which describes differences between v5.24.2c and v5.24.1c.</p>

<h1 id="Notice">Notice</h1>

<p>cperl v5.26.0c was merged with perl v5.26.0 (as all previous major cperl releases). The rejected upstream commits for the differences have been documented at the github issues <a href="https://github.com/perl11/cperl/issues/165">[cperl #165]</a> and <a href="https://github.com/perl11/cperl/issues/256">[cperl #256]</a>.</p>

<p><code>${^ENCODING}</code> and the encoding pragma was not removed, rather fixed instead.</p>

<p>User-type support is greatly enhanced. See <a href="#Type-check-assignments">&quot;Type-check assignments&quot;</a>, <a href="#HvCLASS">&quot;HvCLASS&quot;</a>, <a href="#Type-infer-bless">&quot;Type-infer bless&quot;</a>, and <a href="#Type-infer-subroutine-return-types">&quot;Type-infer subroutine return types&quot;</a>. Before just coretypes were properly checked, now <code>use types</code> adds warnings for all other types.</p>

<p>The still incomplete and slow implementation for the experimental subroutine signatures feature from 5.25.4 was not added, as cperl&#39;s signatures are over 50% faster for over a year already and have many more features. In detail the new <code>OP_ARGELEM</code>, <code>OP_ARGDEFELEM</code> and <code>OP_ARGCHECK</code> are not used, cperl still uses a single <code>OP_SIGNATURE</code> op and passes its arguments properly as in XS on the stack, not via <code>@_</code>.</p>

<p>cperl doesn&#39;t use the slow Siphash 1-3 as default on 64bit, and no hybrid hash function as introduced with 5.25.8. cperl rather uses a short and fast hash function and other typical hash table optimizations, while adding proper security in the collision resolution instead. A secure PRF (pseudo random function) can never ensure DoS safety for a hash table, contrary to the Siphash paper claims.</p>

<h1 id="Core-Enhancements">Core Enhancements</h1>

<h2 id="No-magic-to-undef-yes-no-placeholder-SVs">No magic to undef/yes/no/placeholder SVs</h2>

<p>cperl silently forbids attaching magic to the four major builtin SV sentinels undef, yes, no and placeholder, which are mostly compared to by pointer. Adding magic to them will break that comparison.</p>

<h2 id="Type-check-assignments">Type-check assignments</h2>

<p>Assignment type violations are now also warned, with <code>use warnings &#39;types&#39;</code> enabled, previously only signature types were checked. Only signature type violations or <code>use types &#39;strict&#39;</code> violations are fatal.</p>

<p>Note that the type system is still completely unsound. So far it is only there to catch the most common errors and enable coretype optimizations. cperl only.</p>

<h2 id="HvCLASS">HvCLASS</h2>

<p>With cperl <code>use base</code> or <code>use fields</code> now closes the <code>@ISA</code> and hereby enable compile-time checks and optimizations. The new <code>Internals::HvCLASS</code> function gets or sets the same type for base/field classes as with the upcoming class keyword. See <a href="https://github.com/perl11/cperl/issues/249">[cperl #249]</a>. cperl only.</p>

<h2 id="Type-infer-bless">Type-infer bless</h2>

<p>bless with a constant 2nd argument, the classname, infers this type to the enclosing sub if its the last statement in a body, or to the left-side assignment of a lexical variable. cperl only.</p>

<h2 id="Type-infer-subroutine-return-types">Type-infer subroutine return types</h2>

<p>Subroutine types, either declared or inferred, are now passed through to the type-checker at compile-time. cperl only.</p>

<h2 id="for-qw-is-legal-again">for qw() is legal again</h2>

<p>perl5.14 deprecated and 5.18 started disallowing a <a href="/cperl/perlsyn.html#Statement-Modifiers">for</a> loop with a <a href="/cperl/perlop.html#qw-STRING">qw()</a> list, &quot;qw-as-parens&quot;.</p>

<p>The rationale to remove the handy <code>for qw()</code> syntax was technical and trivial to fix. cperl 5.25.3 re-instated it for <code>for</code> loops, but not for the rest. cperl does not insist on the backwards syntax to require <code>(qw( ... ))</code> around the <code>for</code> list.</p>

<pre><code>   cperl5.25.3 -e&#39;for qw(a b c) { print $_ }&#39;

   perl5.18 -e&#39;for (qw(a b c)) { print $_ }&#39;

   perl5.14 -e&#39;for $_ qw(a b c) { print $_ }&#39;
   =&gt; Use of qw(...) as parentheses is deprecated at -e line 1

   perl5.12  -e&#39;for $_ qw(a b c) { print $_ }&#39;</code></pre>

<p>The new additional cperl syntax is even easier to use than before. See <a href="https://github.com/perl11/cperl/issues/26">[cperl #26]</a>. cperl only.</p>

<h2 id="Perl-can-now-do-default-collation-in-UTF-8-locales-on-platforms-that-support-it">Perl can now do default collation in UTF-8 locales on platforms that support it</h2>

<p>Some platforms natively do a reasonable job of collating and sorting in UTF-8 locales. Perl now works with those. For portability and full control, <a href="/cperl/lib/Unicode/Collate.html">Unicode::Collate</a> is still recommended, but now you may not need to do anything special to get good-enough results, depending on your application. See <a href="/cperl/perllocale.html#Category-LC_COLLATE:-Collation:-Text-Comparisons-and-Sorting">&quot;Category <code>LC_COLLATE</code>: Collation: Text Comparisons and Sorting&quot; in perllocale</a></p>

<h2 id="Better-locale-collation-of-strings-containing-embedded-NUL-characters">Better locale collation of strings containing embedded <code>NUL</code> characters</h2>

<p>In locales that have multi-level character weights, these are now ignored at the higher priority ones. There are still some gotchas in some strings, though. See <a href="/cperl/perllocale.html#Collation-of-strings-containing-embedded-NUL-characters">&quot;Collation of strings containing embedded <code>NUL</code> characters&quot; in perllocale</a>.</p>

<h2 id="Unescaped-literal-characters-in-regular-expression-patterns-are-no-longer-permissible">Unescaped literal <code>&quot;{&quot;</code> characters in regular expression patterns are no longer permissible</h2>

<p>You have to now say something like <code>&quot;\{&quot;</code> or <code>&quot;[{]&quot;</code> to specify to match a LEFT CURLY BRACKET. This will allow future extensions to the language. This restriction is not enforced, nor are there current plans to enforce it, if the <code>&quot;{&quot;</code> is the first character in the pattern.</p>

<p>These have been deprecated since v5.16, with a deprecation message displayed starting in v5.22.</p>

<h2 id="Literal-control-character-variable-names-are-no-longer-permissible">Literal control character variable names are no longer permissible</h2>

<p>A variable name may no longer contain a literal control character under any circumstances. These previously were allowed in single-character names on ASCII platforms, but have been deprecated there since Perl v5.20. This affects things like <code>$<i>\cT</i></code>, where <i>\cT</i> is a literal control (such as a <code>NAK</code> or <code>NEGATIVE ACKNOWLEDGE</code> character) in the source code.</p>

<h2 id="New-regular-expression-modifier-xx">New regular expression modifier <code>/xx</code></h2>

<p>Specifying two <code>x</code> characters to modify a regular expression pattern does everything that a single one does, but additionally TAB and SPACE characters within a bracketed character class are generally ignored and can be added to improve readability, like <span style="white-space: nowrap;"><code>/[ ^ A-Z d-f p-x ]/xx</code></span>. Details are at <a href="/cperl/perlre.html#x-and-xx">&quot;/x and /xx&quot; in perlre</a>.</p>

<h2 id="NBSP-is-no-longer-permissible-in-N"><code>NBSP</code> is no longer permissible in <code>\N{...}</code></h2>

<p>The name of a character may no longer contain non-breaking spaces. It has been deprecated to do so since Perl v5.22.</p>

<h2 id="CORE-subroutines-for-hash-and-array-functions-callable-via-reference"><code>CORE</code> subroutines for hash and array functions callable via reference</h2>

<p>The hash and array functions in the <code>CORE</code> namespace--<code>keys</code>, <code>each</code>, <code>values</code>, <code>push</code>, <code>pop</code>, <code>shift</code>, <code>unshift</code> and <code>splice</code>--, can now be called with ampersand syntax (<code>&amp;CORE::keys(\%hash</code>) and via reference (<code>my $k = \&amp;CORE::keys; $k-&gt;(\%hash)</code>). Previously they could only be used when inlined.</p>

<h2 id="Unicode-9.0-is-now-supported">Unicode 9.0 is now supported</h2>

<p>A list of changes is at <a href="http://www.unicode.org/versions/Unicode9.0.0/">http://www.unicode.org/versions/Unicode9.0.0/</a>. Modules that are shipped with core Perl but not maintained by p5p do not necessarily support Unicode 9.0. <a href="/cperl/lib/Unicode/Normalize.html">Unicode::Normalize</a> does work on 9.0.</p>

<p>Note that some changed UCD database files in 9.0 stayed renamed to their shortened name in perl.</p>

<h2 id="Use-of-p-script-uses-the-improved-Script_Extensions-property">Use of <code>\p{<i>script</i>}</code> uses the improved Script_Extensions property</h2>

<p>Unicode 6.0 introduced an improved form of the Script (<code>sc</code>) property, and called it Script_Extensions (<code>scx</code>). As of now, Perl uses this improved version when a property is specified as just <code>\p{<i>script</i>}</code>. The meaning of compound forms, like <code>\p{sc=<i>script</i>}</code> are unchanged. This should make programs be more accurate when determining if a character is used in a given script, but there is a slight chance of breakage for programs that very specifically needed the old behavior. See <a href="/cperl/perlunicode.html#Scripts">&quot;Scripts&quot; in perlunicode</a>.</p>

<h2 id="Declaring-a-reference-to-a-variable">Declaring a reference to a variable</h2>

<p>As an experimental feature, Perl now allows the referencing operator to come after <a href="/cperl/perlfunc.html#my"><code>my()</code></a>, <a href="/cperl/perlfunc.html#state"><code>state()</code></a>, <a href="/cperl/perlfunc.html#our"><code>our()</code></a>, or <a href="/cperl/perlfunc.html#local"><code>local()</code></a>. This syntax must be enabled with <code>use feature &#39;declared_refs&#39;</code>. It is experimental, and will warn by default unless <code>no warnings &#39;experimental::refaliasing&#39;</code> is in effect. It is intended mainly for use in assignments to references. For example:</p>

<pre><code>    use experimental &#39;refaliasing&#39;, &#39;declared_refs&#39;;
    my \$a = \$b;</code></pre>

<p>See <a href="/cperl/perlref.html#Assigning-to-References">&quot;Assigning to References&quot; in perlref</a> for slightly more detail.</p>

<p>Note that this still looks much worse than the perl6 bind operator: my $a := $b;</p>

<h2 id="Indented-Here-documents">Indented Here-documents</h2>

<p>This adds a new modifier &#39;~&#39; to here-docs that tells the parser that it should look for /^\s*$DELIM\n/ as the closing delimiter.</p>

<p>These syntaxes are all supported:</p>

<pre><code>    &lt;&lt;~EOF;
    &lt;&lt;~\EOF;
    &lt;&lt;~&#39;EOF&#39;;
    &lt;&lt;~&quot;EOF&quot;;
    &lt;&lt;~`EOF`;
    &lt;&lt;~ &#39;EOF&#39;;
    &lt;&lt;~ &quot;EOF&quot;;
    &lt;&lt;~ `EOF`;</code></pre>

<p>The &#39;~&#39; modifier will strip, from each line in the here-doc, the same whitespace that appears before the delimiter.</p>

<p>Newlines will be copied as is, and lines that don&#39;t include the proper beginning whitespace will cause perl to croak.</p>

<p>For example:</p>

<pre><code>    if (1) {
      print &lt;&lt;~EOF;
        Hello there
        EOF
    }</code></pre>

<p>prints &quot;Hello there\n&quot; with no leading whitespace.</p>

<h2 id="and-INC">&#39;.&#39; and @INC</h2>

<p>The old cperl <code>-Dfortify_inc</code> security feature was now also introduced by perl5 and renamed to <code>-Ddefault_inc_excludes_dot</code>.</p>

<p>Because the testing and make process for perl modules does not work well with <code>.</code> missing from @INC, cperl and perl5 still support the environment variable <code>PERL_USE_UNSAFE_INC=1</code> which makes Perl behave as it previously did, returning <code>.</code> to @INC in all child processes.</p>

<h2 id="create-a-safer-utf8_hop-called-utf8_hop_safe">create a safer utf8_hop() called utf8_hop_safe()</h2>

<p>Unlike <code>utf8_hop()</code>, <code>utf8_hop_safe()</code> won&#39;t navigate before the beginning or after the end of the supplied buffer.</p>

<h2 id="CAPTURE-CAPTURE-and-CAPTURE_ALL">@{^CAPTURE}, %{^CAPTURE}, and %{^CAPTURE_ALL}</h2>

<p><code>@{^CAPTURE}</code> exposes the capture buffers of the last match as an array. So <code>$1</code> is <code>${^CAPTURE}[0]</code>.</p>

<p><code>%{^CAPTURE}</code> is the equivalent to <code>%+</code> (ie named captures)</p>

<p><code>%{^CAPTURE_ALL}</code> is the equivalent to <code>%-</code> (ie all named captures).</p>

<h2 id="Improved-.pmc-loading">Improved .pmc loading</h2>

<p>cperl now sets the correct <i>.pmc</i> filename for <code>__FILE__</code> and <code>CopFILE</code>, when it was loaded from it.</p>

<p>cperl also allows bypassing a <i>.pmc</i> if loaded explicitly via <a href="/cperl/perlfunc.html#do">do</a> and an absolute pathname.</p>

<p>This allows improved <i>.pmc</i> file caching of only selective parts of a module. Such as a method jit, which stores onlt some subs, but not the whole module in it&#39;s cache. Hence the Cache logic in the <i>.pmc</i> can now first load the parallel source <i>.pm</i> and then apply the <i>.pmc</i> optimizations. E.g. by loading a LLVM <i>.bc</i> file contents with only some subs.</p>

<p>The impact for existing code is low. If you loaded a .pmc via <code>do &quot;/abspath/module.pm&quot;</code> you need to add now a final &quot;c&quot; explictly: <code>do &quot;/abspath/module.pmc&quot;</code>.</p>

<p>With perl5 upstream those two longstanding PMC bugs made it impossible to use a partial Byte- or JitCache. It also makes it possible to re-instate the old python-like timestamp logic which was removed for pugs 2006 with commit <a href="https://github.com/perl11/cperl/commit/a91233bf4cf6a12df8935c3530a6ca900ca6ca2f">a91233bf4cf</a>.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/244">[cperl #244]</a>. cperl only.</p>

<h2 id="Added-SAFE_RX_-substrs-accessors">Added SAFE_RX_ substrs accessors</h2>

<pre><code>    SAFE_RX_CHECK_SUBSTR(rx)
    SAFE_RX_ANCHORED_SUBSTR(rx)
    SAFE_RX_ANCHORED_UTF8(rx)
    SAFE_RX_FLOAT_SUBSTR(rx)
    SAFE_RX_FLOAT_UTF8(rx)</code></pre>

<p>Other regex engines don&#39;t fill <code>rx-&gt;substrs-&gt;data[]</code>, so it is unsafe to access it. Only allow ext/re and Perl_core_reg_engine. Currently only used in <a href="/cperl/perlapi.html#op_dump">op_dump()</a>.</p>

<h1 id="Security">Security</h1>

<h2 id="Storable-stack-overflows">Storable stack overflows</h2>

<p>By reading malcrafted local Storable files or memory you could easily overwrite the local stack with controlled data. With bigger values you could cause an immediate exit, without backtrace or an exception being caught.</p>

<p>Another major stack-overflow fix is for <a href="https://rt.cpan.org/Ticket/Display.html?id=97526">[cpan #97526]</a>, limiting the maximal number of nested hash or arrays to 3000. Cpanel::JSON::XS has it at 512.</p>

<p>Note that p5p doesn&#39;t think that these are security issues. <a href="https://rt.perl.org/Public/Bug/Display.html?id=130635">[perl #130635]</a> (even if similar less severe attacks had a CVE and a metasploit module, which cperl detects).</p>

<p>cperl only so far. Uploaded to CPAN, but at this date still unauthorized.</p>

<h2 id="Escaped-colons-and-relative-paths-in-PATH">&quot;Escaped&quot; colons and relative paths in PATH</h2>

<p>On Unix systems, Perl treats any relative paths in the PATH environment variable as tainted when starting a new process. Previously, it was allowing a backslash to escape a colon (unlike the OS), consequently allowing relative paths to be considered safe if the PATH was set to something like <code>/\:.</code>. The check has been fixed to treat <code>.</code> as tainted in that example.</p>

<h2 id="Unicode-identifiers:-Moderately-Restrictive-Level">Unicode identifiers: Moderately Restrictive Level</h2>

<p>cperl as first dynamic scripting language follows the <b>General Security Profile</b> for identifiers in programming languages.</p>

<p><b>Moderately Restrictive</b>: Allow <code>Latin</code> with other Recommended or Aspirational scripts except <code>Cyrillic</code> and <code>Greek</code>. Otherwise, the same as <a href="http://www.unicode.org/reports/tr39/#Identifier_Characters">Highly Restrictive</a>, i.e. allow <code>:Japanese</code>, <code>:Korean</code> and <code>:Hanb</code>.</p>

<p><i>&quot;Some characters are not in modern customary use, and thus implementations may want to exclude them from identifiers. These include characters in historic and obsolete scripts, scripts used mostly liturgically, and regional scripts used only in very small communities or with very limited current usage. The set of characters in Table 4, Candidate Characters for Exclusion from Identifiers provides candidates of these.&quot;</i></p>

<p>cperl honors the <a href="http://www.unicode.org/reports/tr31/#Table_Candidate_Characters_for_Exclusion_from_Identifiers">TR31 Candidate Characters for Exclusion from Identifiers </a></p>

<p>I.e. You may still declare those scripts as valid, but they are not automatically allowed, similar to the need to declare mixed scripts.</p>

<pre><code>    use utf8;
    my $&#x1B45; = 1; # \x{1b45} BALINESE LETTER KAF SASAK</code></pre>

<p>=&gt; Invalid script Balinese in identifier &#x1B45; for U+1B45</p>

<pre><code>    use utf8 &#39;Balinese&#39;;
    my $&#x1B45; = 1; # \x{1b45} BALINESE LETTER KAF SASAK
    print &quot;ok&quot;;</code></pre>

<p>=&gt;</p>

<pre><code>     ok</code></pre>

<p>The scripts listed at &quot;Table 6, Aspirational Use Scripts&quot;: <code>Canadian_Aboriginal</code>, <code>Miao</code>, <code>Mongolian</code>, <code>Tifinagh</code> and <code>Yi</code> are included, i.e. need not to be declared.</p>

<p>With this restriction cperl fulfills the Moderately Restrictive level for identifiers by default. See <a href="http://www.unicode.org/reports/tr39/#General_Security_Profile">http://www.unicode.org/reports/tr39/#General_Security_Profile</a> and <a href="http://www.unicode.org/reports/tr36/#Security_Levels_and_Alerts">http://www.unicode.org/reports/tr36/#Security_Levels_and_Alerts</a>.</p>

<p>Missing for more unicode security are warnings on single-, mixed and whole-script confusables, with a new utf8 warnings &#39;confusables&#39; subcategory <a href="https://github.com/perl11/cperl/issues/265">[cperl #265]</a>.</p>

<p>With special declarations of the used scripts or turning off no warnings &#39;utf8&#39;, you can weaken the restriction level to <b>Minimally Restrictive</b>.</p>

<p>All utf8 encoded names are checked for wellformed-ness.</p>

<h2 id="chdir-heap-buffer-overflow-on-the-perl-stack"><code>chdir</code> heap-buffer-overflow on the perl stack</h2>

<p>When called without argument it overwrote subsequent stack entries with the easily controllable result. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129130">[perl #129130]</a></p>

<h2 id="Improved-Hash-DDoS-prevention">Improved Hash DDoS prevention</h2>

<p>This is merely a theoretical problem, improving on the previous sleep solution against hash floods. Distributed hashflood attacks could lead to memory exhaustion and denial of service in threaded servers, which would bypass the original FAIL_DELAY-like intrusion detection and mitigation.</p>

<p>First sleep, but if &gt;128 concurrent attacks are detected, exit hard. Use a global hash_slowdos counter. Note that this is also triggered by a 128*8*128 hash collision single source attack (=131072). This is still better, faster and smaller than the java solution to convert the linked list to a tree. We log the attackers and can block them. <a href="https://github.com/perl11/cperl/issues/246">[cperl #246]</a>. cperl only.</p>

<h2 id="n-buffer-overflows"><code>@{ \327 \n }</code> buffer overflows</h2>

<p>Fixed <code>@{ \327 \n }</code> tokenizer failures and heap buffer overflows in <code>sv_vcatpvfn_flags()</code> with wrong tracking of <code>PL_linestr</code>, the currently parsed line buffer. This can easily lead to security relevant exploits.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128951">[perl #128951]</a></p>

<h2 id="eval-q-.-chr-overlarge-stack-overflow"><code>eval &quot;q&quot; . chr(overlarge)</code> stack overflow</h2>

<p>In <code>eval &quot;q&quot; . chr(100000000064)</code> generating the error message <code>Can&#39;t find string terminator &quot;XXX&quot;&#39;</code> was overrunning a local buffer designed to hold a single utf8 char, since it wasn&#39;t allowing for the <code>\0</code> at the end.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128952">[perl #128952]</a></p>

<h2 id="Protect-and-warn-on-hash-flood-DoS">Protect and warn on hash flood DoS</h2>

<p>If the collisions for a hash key lookup exceeds 128 tries (i.e. a linear search in a linked list), this qualifies as a malicious hash DoS (<i>Denial of Service</i>) attack. Generally maximal 8-10 collisions appear in normal hash table usage. Every 8th such hash flood attack performs a <code>sleep(2)</code> to limit the impact.</p>

<p>Detect and protect against it, also call the new <code>warn_security(&quot;Hash flood&quot;)</code>.</p>

<p>This security scheme is much easier and faster than trying to hide the random hash seed with randomized iterators and collisions lists, which cperl doesn&#39;t use.</p>

<p>See <a href="#New-Diagnostics">&quot;New Diagnostics&quot;</a>.</p>

<h2 id="use-utf8-Script">use utf8 &#39;Script&#39;</h2>

<p>In order to avoid TR39 confusable security hacks, we add the following unicode rules for identifiers and literals with <b>mixed script</b> properties:</p>

<ul>

<li><p>The &#39;Common&#39;, &#39;Latin&#39; and &#39;Inherited&#39; scripts are always allowed and don&#39;t need to be declared.</p>

</li>
<li><p>The first non-default unicode script for an identifier is the only allowed one. This qualifies as single-script. More scripts lead to parsers errors.</p>

</li>
<li><p>Additional unicode scripts can and should be declared via <b>use utf8 &#39;Greek&#39;, &#39;script-name2&#39;...</b>. This allows mixed scripts in identifiers. This can be scoped in blocks.</p>

</li>
<li><p>To fulfill the Moderately Restrictive Level for the Unicode <a href="http://www.unicode.org/reports/tr39/#Restriction_Level_Detection">General Security Profile </a> you may not mix Greek with Cyrillic identifier characters in the same program.</p>

</li>
</ul>

<p>See <a href="http://www.unicode.org/reports/tr39/#Mixed_Script_Detection">http://www.unicode.org/reports/tr39/#Mixed_Script_Detection</a> and <a href="https://github.com/perl11/cperl/issues/229">[cperl #229]</a></p>

<p>This holds for all identifiers (i.e. all names: package, gv, sub, variables) and literal numbers.</p>

<p>Currently there exist 131 scripts, see <a href="/cperl/lib/utf8.html#Valid-scripts">&quot;Valid scripts&quot; in utf8</a>.</p>

<h2 id="Unicode-normalization-of-identifiers-names">Unicode normalization of identifiers/names</h2>

<p>All stored utf8 names, identifiers and literals are parsed and stored as normalized NFC unicode, which prevents from various TR39 and TR36 unicode confusable and spoofing security problems.</p>

<p>However, dynamically created symbols via string refs are not normalized. <code>${&quot;$decomposed&quot;}</code> stays decomposed.</p>

<p>Note that even perl6 stores different names for confusables, which match each other due to their NFG rules on their string matchers. perl5 matches strictly binary, which leads to confusable and spoofing security problems.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/228">[cperl #228]</a>, <a href="http://www.unicode.org/reports/tr36/">http://www.unicode.org/reports/tr36/</a>, <a href="http://www.unicode.org/reports/tr39">http://www.unicode.org/reports/tr39</a>, <a href="http://www.unicode.org/reports/tr31/">http://www.unicode.org/reports/tr31/</a> and the Python 3 discussion 2007 on PEP 3131 <a href="https://docs.python.org/3/reference/lexical_analysis.html#identifiers">https://docs.python.org/3/reference/lexical_analysis.html#identifiers</a>.</p>

<p>Python 3 normalizes to NFKC (Compatibility Decomposition, followed by Canonical Composition), cperl uses both canonical transformations. See <a href="http://unicode.org/reports/tr15/#Norm_Forms">http://unicode.org/reports/tr15/#Norm_Forms</a> for the difference. Basically NFKC transforms to shorter ligatures. NFC is recommended by TR15.</p>

<h2 id="No-binary-symbols">No binary symbols</h2>

<p>Fallback to the secure behvaiour as before v5.16 and strip symbol names of everything after the first \0 character. This protects from creating binary symbols as with <code>no strict &#39;refs&#39;; ${&quot;a\0\hidden&quot;}</code>, which were especially problematic for package names, which were mapped 1:1 to filenames. With the default warning &#39;security&#39; in effect, a warning is produced by the <a href="/cperl/perlapi.html#warn_security">&quot;warn_security&quot; in perlapi</a> API, same as for unsafe syscalls since 5.20.</p>

<p>See <a href="/cperl/perldiag.html#Invalid-0-character-in-string-for-SYMBOL:-s">&quot;Invalid \0 character in string for SYMBOL: %s&quot; in perldiag</a> and <a href="https://github.com/perl11/cperl/issues/233">[cperl #233]</a>.</p>

<h2 id="hash-seed-exposure">hash seed exposure</h2>

<p>cperl5.22.2 added a restraint to expose the internal hash secret seed via the environment variable PERL_HASH_SEED_DEBUG=1 to be hidden in taint mode. See <a href="https://github.com/perl11/cperl/issues/114">[cperl #114]</a> and <a href="/cperl/perl5222cdelta.html#Core-Enhancements">&quot;Core Enhancements&quot; in perl5222cdelta</a>.</p>

<pre><code>    PERL_HASH_SEED_DEBUG=1 cperl5.22.2 -e1 =&gt;
    HASH_FUNCTION = FNV1A HASH_SEED = 0xecfb00eb PERTURB_KEYS = 0 (TOP)

    PERL_HASH_SEED_DEBUG=1 cperl5.22.2 -t -e1 =&gt; empty</code></pre>

<p>But unfortunately not many perl services are actually protected with <code>-t</code>, even if cperl fixed taint mode to be actually secure. The seed exposure is only needed for a debugging perl, and actually is security relevant.</p>

<p>So <code>PERL_HASH_SEED_DEBUG=1</code> will now hide the seed value in non-DEBUGGING builds.</p>

<pre><code>    PERL_HASH_SEED_DEBUG=1 cperl5.25.2 -e1 =&gt;
    HASH_FUNCTION = FNV1A HASH_SEED = &lt;hidden&gt; PERTURB_KEYS = 0 (TOP)</code></pre>

<p>Note that the seed is still trivially exposable via other means if a local script can be executed, as the seed value is readable from a fixed memory offset via unpack &quot;P&quot;. That&#39;s why cperl fixed hash table security via proper means in the collision resolution, not via a slow hash function, and not via order hiding as perl5 believes in.</p>

<p>More discussion at <a href="https://github.com/google/highwayhash/issues/28">https://github.com/google/highwayhash/issues/28</a> and <a href="https://github.com/google/highwayhash/issues/29">https://github.com/google/highwayhash/issues/29</a>.</p>

<h2 id="Warn-on-metasploit-CVE-2015-1592">Warn on metasploit CVE-2015-1592</h2>

<p>Detection of the destructive attack against Movable-Type, the third vector only, which tries to delete <i>mt-config.cgi</i> was added to was added to <a href="/cperl/lib/Storable.html">Storable</a> 3.01c.</p>

<p>Calls <code>warn_security(&quot;Movable-Type CVE-2015-1592 Storable metasploit attack&quot;)</code>, but does not protect against it.</p>

<h2 id="Warn-on-metasploit-reverse-shells">Warn on metasploit reverse shells</h2>

<p>Detect the metasploit payload unix/reverse_perl and some existing variants. This is just a dumb match at startup against existing exploits in the wild, but not future variants. Calls <code>warn_security(&quot;metasploit reverse/bind shell payload&quot;)</code>, but do not protect against it. This warning is thrown even without <code>-w</code>.</p>

<p>Also detects the CVE-2012-1823 reverse/bind shell payload, which is widely exploited too. The security warning is called &quot;CVE-2012-1823 reverse/bind shell payload&quot;.</p>

<h2 id="syscalls-warnings-also-security">syscalls warnings also security</h2>

<p>With a warnings &#39;syscalls&#39; violation, i.e. detecting <code>\0</code> in arguments to C API syscalls, the new &#39;security&#39; warnings category overrides the &#39;syscalls&#39; category. I.e. the warning is produced by the <a href="/cperl/perlapi.html#warn_security">&quot;warn_security&quot; in perlapi</a> API, and to turn it off, you have to turn off both categories.</p>

<h1 id="Deprecations">Deprecations</h1>

<p>See the new <a href="/cperl/perldeprecation.html">perldeprecation</a> pod.</p>

<p>Many old deprecations got now a fixed final date, but several perl5 deprecations were undeprecated in cperl and rather fixed. <i>(as in previous cperl releases.)</i></p>

<h2 id="do_open-do_close-macros">do_open, do_close macros</h2>

<p>Those macros clash on darwin XTools with the system iostream <code>_OutputIterator</code> methods. We need to use the fullname <b>Perl_do_open</b> and <b>Perl_do_close</b> functions whenever perl needs to be embedded into C++ projects.</p>

<p>With the system C++ compiler on darwin <code>do_open</code>, <code>do_close</code> are now undefined. See <a href="https://github.com/perl11/cperl/issues/227">[cperl #227]</a></p>

<h2 id="Removed-as-package-seperator">Removed &#39; as package seperator</h2>

<p>Made something like <code>sub foo&#39;bar;</code> a syntax error. <code>&#39;</code> is not replaced by <code>::</code> anymore when used as package seperator. This was deprecated 10 years ago.</p>

<p>cperl fixed the <a href="#c2ph">&quot;c2ph&quot;</a> core utility using this last remaining perl4&#39;ism, and removed the <code>isn&#39;t</code> method from <a href="/cperl/lib/Test/More.html">Test::More</a>. In a later versions <code>&#39;</code> can be reenabled as proper IDContinue character for identifiers, e.g. for Test::More <code>isn&#39;t</code>.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/217">[cperl #217]</a>.</p>

<h2 id="New-items-in-perldeprecation">New items in <a href="/cperl/perldeprecation.html">perldeprecation</a></h2>

<ul>

<li><p>Attribute &quot;locked&quot; is deprecated, and will disappear in Perl 5.28</p>

</li>
<li><p>Attribute &quot;unique&quot; is deprecated, and will disappear in Perl 5.28</p>

</li>
<li><p>Constants from lexical variables potentially modified elsewhere are deprecated. This will not be allowed in Perl 5.32</p>

</li>
<li><p>Deprecated use of my() in false conditional. This will be a fatal error in Perl 5.30</p>

</li>
<li><p>File::Glob::glob() will disappear in perl 5.30. Use File::Glob::bsd_glob() instead.</p>

</li>
<li><p>%s() is deprecated on :utf8 handles. This will be a fatal error in Perl 5.30</p>

</li>
<li><p>$* is no longer supported. Its use will be fatal in Perl 5.30</p>

</li>
<li><p>$* is no longer supported. Its use will be fatal in Perl 5.30</p>

</li>
<li><p>Opening dirhandle %s also as a file. This will be a fatal error in Perl 5.28</p>

</li>
<li><p>Opening filehandle %s also as a directory. This will be a fatal error in Perl 5.28</p>

</li>
<li><p>Setting $/ to a reference to %s as a form of slurp is deprecated, treating as undef. This will be fatal in Perl 5.28</p>

</li>
<li><p>Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.30), passed through in regex; marked by <span style="white-space: nowrap;">&lt;-- HERE</span> in m/%s/</p>

</li>
<li><p>Unknown charname &#39;&#39; is deprecated. Its use will be fatal in Perl 5.28</p>

</li>
<li><p>Use of bare &lt;&lt; to mean &lt;&lt;&quot;&quot; is deprecated. Its use will be fatal in Perl 5.28</p>

</li>
<li><p>Use of code point 0x%s is deprecated; the permissible max is 0x%s. This will be fatal in Perl 5.28</p>

</li>
<li><p>Use of comma-less variable list is deprecated. Its use will be fatal in Perl 5.28</p>

</li>
<li><p>Use of inherited AUTOLOAD for non-method %s() is deprecated. This will be fatal in Perl 5.28</p>

</li>
<li><p>Use of strings with code points over 0xFF as arguments to %s operator is deprecated. This will be a fatal error in Perl 5.28</p>

</li>
</ul>

<h1 id="Incompatible-Changes">Incompatible Changes</h1>

<h2 id="String-delimiters-that-arent-stand-alone-graphemes-are-illegal">String delimiters that aren&#39;t stand-alone graphemes are illegal</h2>

<p>In order for Perl to eventually allow string delimiters to be Unicode grapheme clusters (which look like a single character, but may be a sequence of several ones), we stop allowing a single char delimiter that isn&#39;t a grapheme by itself. These are unlikely to exist in actual code, as they would typically display as attached to the character in front of them.</p>

<p>E.g. <code>qr &#x302;foobar&#x302;;</code> is now an error, it is only deprecated with v5.25.9 upstream and will be illegal in perl5 v5.30. cperl only.</p>

<h2 id="for-state-loops-still-illegal">for state loops still illegal</h2>

<p>perl5.25.3 started allowing state variables in loops. cperl still disallows them.</p>

<pre><code>    perl5.25.3 -E&#39;use feature &quot;declared_refs&quot;,&quot;refaliasing&quot;;
                 for state \$x (\$y) { print $x }&#39;
    =&gt; warnings: Declaring references is experimental at -e line 1.
    Aliasing via reference is experimental at -e line 1.

    cperl5.25.3 -E&#39;use feature &quot;declared_refs&quot;,&quot;refaliasing&quot;;
                 for state \$x (\$y) { print $x }&#39;
    =&gt; error: Missing $ on loop variable at -e line 1.</code></pre>

<p>and without declared_refs:</p>

<pre><code>    perl5.25.3 -E&#39;for state $x ($y) { print $x }&#39;

    cperl5.25.3 -E&#39;for state $x ($y) { print $x }&#39;
    =&gt; error: Missing $ on loop variable at -e line 1.</code></pre>

<h2 id="scalar-hash-return-value-changed"><code>scalar(%hash)</code> return value changed</h2>

<p>The value returned for <code>scalar(%hash)</code> will no longer show information about the buckets allocated in the hash. It will simply return the count of used keys. It is thus equivalent to <code>0+keys(%hash)</code>.</p>

<p>A form of backwards compatibility is provided via <code>Hash::Util::bucket_ratio()</code> which provides the same behavior as <code>scalar(%hash)</code> provided prior to Perl 5.25.</p>

<h2 id="keys-returned-from-an-lvalue-subroutine"><code>keys</code> returned from an lvalue subroutine</h2>

<p><code>keys</code> returned from an lvalue subroutine can no longer be assigned to in list context.</p>

<pre><code>    sub foo : lvalue { keys(%INC) }
    (foo) = 3; # death
    sub bar : lvalue { keys(@_) }
    (bar) = 3; # also an error</code></pre>

<p>This makes the lvalue sub case consistent with <code>(keys %hash) = ...</code> and <code>(keys @_) = ...</code>, which are also errors. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128187">[perl #128187]</a></p>

<h1 id="Performance-Enhancements">Performance Enhancements</h1>

<dl>

<dt id="Faster-scalar-assignments">Faster scalar assignments</dt>
<dd>

<p>Seperate an unlikely codepath in scalar assignments (ASSIGN_CV_TO_GV) to another function, helping the CPU instruction cache. 10% faster on Intel.</p>

</dd>
<dt id="Bigger-lexer-buffers-allowing-faster-memcmp">Bigger lexer buffers allowing faster memcmp</dt>
<dd>

<p>Ensure that the lexer always sees large enough buffers to do fast wordwise memcmp comparisons, esp. with constant lengths.</p>

</dd>
<dt id="Less-initial-array-elements">Less initial array elements</dt>
<dd>

<p>The initial size of empty arrays went in cperl from 4 to 2, AvMAX = 1. Array speed is 2-15% faster on perlbench, overall speed the fastest of all so far. Memory win: &lt;0.1%</p>

</dd>
<dt id="if-length-str-is-faster">if length($str) is faster</dt>
<dd>

<p>length in boolean context without get magic doesn&#39;t need to calculate the utf8 length, it only needs to check if SvCUR field is empty. And it doesn&#39;t need to allocate a new IV for the result, just use the existing sv_yes or sv_no. Analog to <a href="https://github.com/perl11/cperl/issues/245">[cperl #245]</a> for ref. cperl only.</p>

</dd>
<dt id="if-ref-is-faster">if ref() is faster</dt>
<dd>

<p>ref in boolean context doesn&#39;t need to allocate a string. 2-3x faster. See <a href="https://github.com/perl11/cperl/issues/245">[cperl #245]</a> and <a href="https://rt.perl.org/Public/Bug/Display.html?id=78288">[perl #78288]</a> cperl only. in perl5 announced for 5.28.</p>

</dd>
<dt id="readline-is-faster">readline is faster</dt>
<dd>

<p>Reading from a file line-by-line with <code>readline()</code> or <code>&lt;&gt;</code> should now typically be faster due to a better implementation of the code that searches for the next newline character.</p>

</dd>
<dt id="ref1-ref2-has-been-optimized"><code>$ref1 = $ref2</code> has been optimized.</dt>
<dd>

</dd>
<dt id="Array-and-hash-assignment-are-faster">Array and hash assignment are faster</dt>
<dd>

<p>e.g.</p>

<pre><code>    (..., @a) = (...);
    (..., %h) = (...);</code></pre>

<p>especially when the RHS is empty.</p>

<p>Note that perl5 hash assignment is still inferior to cperl hash assignment.</p>

</dd>
<dt id="Less-SvSCREAM">Less SvSCREAM</dt>
<dd>

<p>Reduce the number of odd special cases for the SvSCREAM flag.</p>

</dd>
<dt id="Better-do_vop">Better do_vop</dt>
<dd>

<p>Avoid <code>sv_catpvn()</code> in <code>do_vop()</code> when unneeded.</p>

</dd>
<dt id="Better-COW-in-Regex">Better COW in Regex</dt>
<dd>

<p>Enhancements in Regex concat COW implementation.</p>

</dd>
<dt id="Speed-up-AV-and-HV-clearing-undeffing">Speed up AV and HV clearing/undeffing.</dt>
<dd>

</dd>
<dt id="Converting-a-single-digit-string-to-a-number-is-now-substantially-faster">Converting a single-digit string to a number is now substantially faster.</dt>
<dd>

</dd>
<dt id="Simplified-split">Simplified split</dt>
<dd>

<p>The internal op implementing the <code>split</code> builtin has been simplified and sped up. Firstly, it no longer requires a subsidiary internal <code>pushre</code> op to do its work. Secondly, code of the form <code>my @x = split(...)</code> is now optimised in the same way as <code>@x = split(...)</code>, and is therefore a few percent faster. This required B::* compiler changes.</p>

</dd>
<dt id="Constant-fold-with-barewords">Constant fold with barewords</dt>
<dd>

<p>Bareword constant strings are now permitted to take part in constant folding. They were originally exempted from constant folding in August 1999, during the development of Perl 5.6, to ensure that <code>use strict &quot;subs&quot;</code> would still apply to bareword constants. That has now been accomplished a different way, so barewords, like other constants, now gain the performance benefits of constant folding.</p>

<p>This also means that void-context warnings on constant expressions of barewords now report the folded constant operand, rather than the operation; this matches the behaviour for non-bareword constants.</p>

</dd>
<dt id="Less-NULL-ops">Less NULL ops</dt>
<dd>

<p>Most NULL ops are now removed in the peephole optimizer. Check for <code>#if defined(PERL_REMOVE_OP_NULL)</code> in your XS module if you hardcoded any NULL-sensitive op-tree structure. See how many with <code>-Dk</code>.</p>

</dd>
<dt id="DPERL_FAKE_SIGNATURE">-DPERL_FAKE_SIGNATURE</dt>
<dd>

<p><code>-DPERL_FAKE_SIGNATURE</code> is now default, making most function calls 2x faster. See <a href="#fake_signatures">&quot;fake_signatures&quot;</a></p>

</dd>
<dt id="flto-support">-flto support</dt>
<dd>

<p>The new compiler option support allows generation of much faster code. I.e. clang-4.0 with -flto or zapcc produce ~20% faster code.</p>

</dd>
<dt id="for-loops">for loops</dt>
<dd>

<p>for loops got several enhancements:</p>

<p>new special <b>iter_ary</b> <code>for (@ary)</code> and <b>iter_lazyiv</b> <code>for (0..9)</code> ops to avoid a run-time switch in the generic iter op.</p>

<p>more aelem_u optimizations, less run-time out of bounds checks for shaped arrays in loops. E.g. in <code>my @a[5]; $a[$_] for (0..4);</code> the compilers knows that the max index for <code>@a</code> will be <code>4</code>, which is within the allowed shape of <code>@a</code>.</p>

</dd>
<dt id="omit-bounds-checks-for-multideref">omit bounds checks for multideref</dt>
<dd>

<p>The <code>multideref</code> OP has a new <code>MDEREF_INDEX_uoob</code> flag. This is used for unchecked out-of-bounds checks for arrays, to use the previous AvSHAPED array optimizations (aelem_u, aelemfast_lex_u) or loop out-of-bounds elimination with multideref OPs also. Such multideref ops appear pretty often even with single indices. E.g. in <code>my @b=(0..4); for (0..$#b) { $b[$_] = 0; }</code> <code>$b[$_]</code> is converted to a multideref, which previously was not optimized.</p>

<p>Those optimized indices are marked with a new &quot; _u&quot; suffix in the dumped multideref stringification.</p>

<p><code>MDEREF_MASK</code> changed to 0x10F, the <code>MDEREF_SHIFT</code> size from 7 to 8. The shift can also use faster intrinsics now.</p>

<p>The loop out-of-bounds elimination was fixed for simple lexical indices (e.g. <code>for my $i (0..$#a){ $a[$i] }</code>, which leads now to more aelem_u ops and subsequent mderef_u optimizations also.</p>

</dd>
<dt id="strEQc-strNEc">strEQc, strNEc</dt>
<dd>

<p>The new <code>strEQc</code>/<code>strNEc</code> macros are used instead of <code>strEQ(s,&quot;constant&quot;)</code>. This enables word-wise comparison via memcpy, in opposite of byte-wise comparisons via strcmp with already known sizes. This is a 10% performance improvement under most optimization levels.</p>

<p>Use more <code>strEQc</code>, <code>strNEc</code> macros, when safe to use, i.e. the left buffer is big enough, now with Address Sanitizer fallbacks.</p>

<p>The new fast buffer comparison macros <code>strEQc</code> and <code>strNEc</code> compare a full string including the final <code>\0</code>, <code>memEQc</code> and <code>memNEc</code> just the start of a buffer, with constants strings. Note that valgrind and Address Sanitizer will complain about out of range access of the left side of the buffer. To access these buffers however is safe and will not lead to SIGBUS on stricter platforms. To prevent valgrind from warning on this, you may want to define <code>-DVALGRIND</code>, which uses a safe and slower fallback macro.</p>

</dd>
<dt id="padnames">padnames</dt>
<dd>

<p>Make all padnames not UTF8 per default, only the ones which are really UTF8. See <a href="#Internal-Changes">&quot;Internal Changes&quot;</a> and <a href="https://github.com/perl11/cperl/issues/208">[cperl #208]</a></p>

</dd>
<dt id="av_fetch">av_fetch</dt>
<dd>

<p>Improvements when reading from arrays have been imported from perl5. <code>av_fetch()</code> uses less branches reading from the end (negative indices), and a branch checking for freed <code>@_</code> elements has been removed,</p>

</dd>
<dt id="hv_common_magical">hv_common_magical</dt>
<dd>

<p>Extract <code>hv_common_magical()</code> to a seperate function. Extracts uncommon magical code in hot code to an extra static function to help keep the icache smaller. Only in rare cases this branch is taken. I.e filling ENV at startup, or using tied hashes.</p>

<p>Measured 2-15% faster with normal scripts, not using tied hashes.</p>

</dd>
<dt id="pre-allocated-hash-sizes-with-aassign">pre-allocated hash sizes with aassign</dt>
<dd>

<p>aassign: pre-allocate needed hash size with aassign, similar to arrays, avoiding run-time hash splits. e.g. <code>my %h = (.. =</code> .., .. =&gt; ..)&gt;</p>

<p>This version is 30% faster overall in the <a>Mail::SpamAssassin</a> testsuite than cperl-5.25.0.</p>

</dd>
<dt id="pre-allocate-more-hashes-and-stashes">pre-allocate more hashes and stashes</dt>
<dd>

<p>Pre-extend internal hashes and stashes to avoid unnecessary boot-time hash splits. <code>%warnings::</code>, <code>%Config::</code>, <code>%utf8::</code>, <code>%version::</code>.</p>

</dd>
<dt id="Faster-get_-sah-vs-API">Faster get_[sah]vs API</dt>
<dd>

<p>Added new <code>get_svs</code>, <code>get_avs</code>, <code>get_hvs</code> macros, and accompanied <code>get_[ash]vn_flags</code> API functions, to omit the run-time <code>strlen(name)</code> for constant names. (#191)</p>

</dd>
</dl>

<h1 id="Modules-and-Pragmata">Modules and Pragmata</h1>

<h2 id="New-Modules-and-Pragmata">New Modules and Pragmata</h2>

<dl>

<dt id="types-0.01">types 0.01</dt>
<dd>

<p>Controls the type-checker. See <a href="/cperl/lib/types.html">types</a> or <a href="/cperl/perltypes.html">perltypes</a>.</p>

</dd>
</dl>

<h2 id="Updated-Modules-and-Pragmata">Updated Modules and Pragmata</h2>

<dl>

<dt id="Archive-Tar-2.24">Archive-Tar 2.24</dt>
<dd>

<p>Better 09_roundtrip.t tests.</p>

<p>Handle tarballs compressed with pbzip2 (RT #119262)</p>

<p>Add missing strict/warnings pragma to Constants.pm</p>

<p>Check for gzip/bzip2 before round tripping gz/bz2 files in tests</p>

</dd>
<dt id="B-1.68_06">B 1.68_06</dt>
<dd>

<p>Use op_class API</p>

<p>Allow a 2nd optional CV argument for B::OP::aux_list, fixing B::Deparse and thereby Data::Dumper and Test2 is_deeply.</p>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="B-C-1.55_02">B-C 1.55_02</dt>
<dd>

<p>Fixes for PERL_OP_PARENT: moresib, sibling, parent.</p>

<p>Fix hints/522_patched.pl dependency on C.so <a href="https://rt.cpan.org/Ticket/Display.html?id=120161">[cpan #120161]</a></p>

<p>PUSHRE replaced by SPLIT, no xpad_cop_seq, SVpbm_VALID</p>

<p>Improved dl_module_to_sofile without 2nd arg</p>

<p>Fixed IsCOW savepvn, store the last cowrefcnt.</p>

<p>Fixed wrong savepvn length, failing with asan.</p>

<p>Optimized mro_isa_changed_in initialization.</p>

<p>Better CopFILE_set, Fixup arenasize refcnt. Delay cvref to init2, properly set a SvRV to a XS sub. Optimize constpv for CvFILE (less constants to merge for gcc). Improve NV precision by one digit. Fix to compile in utf8_heavy.pl, abstract and set %INC. Fix generation of @B::C::Config::deps on Windows. Fix !C99 precedence bug (e.g. MSVC). Minor refactor to simplify save_hek. Use the new get_svs, get_avs, get_hvs macros. perlcc add --debug|-D Improve endav XSUB bump Abstract RITER_T and HVMAX_T for the various sizes, compat HEK_STATIC Defer REGCOMP for \P{} properties Change $sv-&gt;EXTFLAGS to compflags since 5.22 for CALLREGCOMP(). Turn off MGf_REFCOUNTED. global-buffer-overflow with dynamic COW strings, wrong savepvn args.</p>

</dd>
<dt id="B-Debug-1.24">B-Debug 1.24</dt>
<dd>

<p>Support 5.25.6 split optimization</p>

</dd>
<dt id="bignum-0.47c">bignum 0.47c</dt>
<dd>

<p>See <a href="https://github.com/rurban/bignum/commits/cperl">https://github.com/rurban/bignum/commits/cperl</a></p>

</dd>
<dt id="B::Terse-1.07">B::Terse 1.07</dt>
<dd>

<p>Update deprecation message</p>

</dd>
<dt id="Carp-1.42c">Carp 1.42c</dt>
<dd>

<p>Handle chunk errors phrases</p>

</dd>
<dt id="Config::Perl::V-0.27_01">Config::Perl::V 0.27_01</dt>
<dd>

</dd>
<dt id="Compress-Raw-Bzip2-2.074">Compress-Raw-Bzip2 2.074</dt>
<dd>

<p>Need Fix for Makefile.PL depending on . in @INC <a href="https://rt.cpan.org/Ticket/Display.html?id=120084">RT #120084</a></p>

</dd>
<dt id="Compress-Raw-Zlib-2.074">Compress-Raw-Zlib 2.074</dt>
<dd>

<p>Comment out unused variables &amp; remove C++-ism. <a href="https://rt.cpan.org/Ticket/Display.html?id=120272">RT #120272</a></p>

</dd>
<dt id="CPAN::Meta-2.150010c">CPAN::Meta 2.150010c</dt>
<dd>

<p>And merge <i>cpan/Parse-CPAN-Meta</i> into it. <i>cpan/Parse-CPAN-Meta</i> is gone.</p>

<p>Parse-CPAN-Meta security: set $YAML::XS::DisableCode, $YAML::XS::DisableBlessed.</p>

<p>Add support for all known YAML and JSON modules: *::Syck, JSON::MaybeXS, Mojo::JSON. But JSON::Any is broken.</p>

<p>fixed UTF-8 issues, passes now all Test-CPAN-Meta tests.</p>

</dd>
<dt id="CPAN-2.17">CPAN 2.17</dt>
<dd>

<p>with full cperl support. reapply most of our patches. skip cperl builtin prereqs.</p>

<p>See <a href="https://github.com/andk/cpanpm/pull/109">https://github.com/andk/cpanpm/pull/109</a></p>

</dd>
<dt id="CPAN-Meta-Requirements">CPAN-Meta-Requirements</dt>
<dd>

<p>Moved from cpan to dist. <a href="https://github.com/perl11/cperl/issues/154">[cperl #154]</a>.</p>

</dd>
<dt id="Cpanel-JSON-XS-3.0231">Cpanel-JSON-XS 3.0231</dt>
<dd>

<p>- Fix need() overallocation (#84 Matthew Horsfall) and missing need() calls.</p>

<p>- Fix decode_prefix offset when the string was re-allocated. rather return the relative offset not the pointer to the old start.</p>

<p>- Fixes for g++-6, stricter -fpermissive and -Wc++11-compat.</p>

<p>- Added tests for ill-formed utf8 sequences from Encode.</p>

<p>- modfl() mingw 4.0 runtime bug [perl #125924]</p>

<p>- Tested with the comprehensive JSON decode spectests from http://seriot.ch/parsing_json.html. Not added to core. #72</p>

<p>- decode with BOM: UTF-8, UTF-16, or UTF-32.</p>

<p>- fixed detection of final \0 as illegal non-whitespace garbage. Fixes spectest &#39;n_number_then_00&#39;. #72</p>

<p>- warn with unicode noncharacters as in core when not in relaxed mode. #74</p>

<p>- fail decode of non-unicode raw characters above U+10FFFF when not in relaxed mode.</p>

<p>- New stringify_infnan(3) infnan_mode.</p>

<p>- Fix inf/nan detection on HP-UX and others.</p>

<p>- Use faster strEQc macros.</p>

<p>- Prefer memEQ for systems without memcmp, to use bcmp there.</p>

<p>- Add more expect_false() to inf/nan branches.</p>

<p>- Fix av and hv length types: protect from security sensitive overflows, add HVMAX_T and RITER_T</p>

<p>- Add new &quot;Hash key too large&quot; error. perl5 silently truncates it, but we prefer errors.</p>

</dd>
<dt id="Config-6.22">Config 6.22</dt>
<dd>

<p>protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc).</p>

</dd>
<dt id="Cwd-4.65c">Cwd 4.65c</dt>
<dd>

<p>Fix -Wc++11-compat warnings</p>

</dd>
<dt id="Data-Dumper-2.163">Data-Dumper 2.163</dt>
<dd>

<p>Fix -Wc++11-compat warnings</p>

<p>strEQc improvements</p>

<p>fix correct indentation for utf-8 key hash elements, [perl #128524].</p>

</dd>
<dt id="Devel-NYTProf-6.04">Devel-NYTProf 6.04</dt>
<dd>

<p>Fix -Wc++11-compat warnings, and various minor issues.</p>

</dd>
<dt id="Devel::Peek-1.23_02">Devel::Peek 1.23_02</dt>
<dd>

<p>use the new get_svs, get_avs, get_hvs macros. The flags where harmonized, missing names were added, most fields are now print in natural order as in the struct.</p>

</dd>
<dt id="Devel-PPPort-3.35_02">Devel-PPPort 3.35_02</dt>
<dd>

<p>Fix -Wc++11-compat warnings</p>

</dd>
<dt id="Digest::SHA-5.96">Digest::SHA 5.96</dt>
<dd>

<p>prevented shasum from possibly running malicious code, remove &#39;.&#39; from @INC before module loading RT #116513, namespace cleanup (RT #105371 and #105372), minor code and documentation tweaks</p>

</dd>
<dt id="DB_File-1.840">DB_File 1.840</dt>
<dd>

<p>unused arg warnings <a href="https://rt.cpan.org/Ticket/Display.html?id=107642">RT #107642</a></p>

<p>The other 2 fixes were already in cperl, plus a fix for reproducible builds.</p>

</dd>
<dt id="DynaLoader-2.07c">DynaLoader 2.07c</dt>
<dd>

<p>Fixed dl_findfile refcounts, &quot;panic: attempt to copy freed scalar&quot; errors.</p>

<p>Fixed build dependency for <i>dlboot.c</i>. No excessive rebuilds anymore.</p>

<p>no mathoms: call_sv instead of call_pv, get_cvs where available.</p>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="Encode-2.88">Encode 2.88</dt>
<dd>

<p>various upstream fixes. plus g++-6 -fpermissive and -Wc++11-compat fixes. our local make -s silent patches and various others are now all upstream.</p>

</dd>
<dt id="Exporter">Exporter</dt>
<dd>

<p>Exporter remained unchanged. But CORE support for the &quot;used only once&quot; warnings has been to restricted to the four magic names &quot;EXPORT&quot;, &quot;EXPORT_OK&quot;, &quot;EXPORT_FAIL&quot; and &quot;EXPORT_TAGS&quot;. Other names starting with &quot;EXPORT&quot; will now throw the &quot;used only once&quot; warning as all other symbols.</p>

</dd>
<dt id="ExtUtils-Constant-0.23_08">ExtUtils-Constant 0.23_08</dt>
<dd>

<p>Fix ProxySubs to generate code also valid for 5.6 - 5.14. Add testcases for all ProxySubs options.</p>

<p>Fix -Wc++11-compat warnings in generated const-xs.inc code.</p>

</dd>
<dt id="ExtUtils::MakeMaker">ExtUtils::MakeMaker</dt>
<dd>

<p>fix \Q$archname\E in t/basic.t</p>

<p>skip cperl builtin prereqs.</p>

<p>ExtUtils::Liblist::Kid:</p>

<p>one more darwin fix for the wrong no library found warning for symlinked darwin libSystem.dylib libraries.</p>

</dd>
<dt id="ExtUtils::Install-2.04_01">ExtUtils::Install 2.04_01</dt>
<dd>

<p>support make -s =&gt; PERL_INSTALL_QUIET</p>

</dd>
<dt id="ExtUtils::ParseXS-3.34_02">ExtUtils::ParseXS 3.34_02</dt>
<dd>

<p>XS_EXTERNAL does now extern &quot;C&quot;</p>

<p>Fix visibility declaration of XS_EXTERNAL for <code>-flto</code> and <code>-fvisibility=hidden</code>.</p>

</dd>
<dt id="feature-1.47_01">feature 1.47_01</dt>
<dd>

<p>Revise documentation of eval and evalbytes</p>

</dd>
<dt id="File::DosGlob-1.12_01">File::DosGlob 1.12_01</dt>
<dd>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="File::Fetch-2.52">File::Fetch 2.52</dt>
<dd>

<p>* Set a cleaned env when running git clone * Changed git repository link in tests * Removed consistently failing httpbin.org tests * Require Module::Load::Conditional 0.66 * Fix FTP tests for ipv6</p>

</dd>
<dt id="File::Glob-1.28">File::Glob 1.28</dt>
<dd>

<p>Deprecated File::Glob::glob()</p>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="Filter-1.57">Filter 1.57</dt>
<dd>

<p>added 2 more pure tests</p>

<p>Fixes for . in @INC</p>

<p>added filter-util.pl to t/</p>

<p>fixed INSTALLDIRS back to site since 5.12 [gh #2]</p>

</dd>
<dt id="Getopt::Std-1.12">Getopt::Std 1.12</dt>
<dd>

<p>Changed pod NAME to follow convention.</p>

</dd>
<dt id="Getopt::Long-2.49.1">Getopt::Long 2.49.1</dt>
<dd>

<p>* RT #114999 fix :number * RT #113748 fix VersionMessage ignores -output argument * RT #39052 sanify gnu_getopt</p>

</dd>
<dt id="HTTP::Tiny-0.070">HTTP::Tiny 0.070</dt>
<dd>

<p>Many fixes und improvements</p>

</dd>
<dt id="Internals::DumpArenas-0.12_07">Internals::DumpArenas 0.12_07</dt>
<dd>

<p>fix for PERL_GLOBAL_STRUCT_PRIVATE Fix -Wc++11-compat warnings</p>

</dd>
<dt id="IO-Compress-2.074">IO-Compress 2.074</dt>
<dd>

<p>ISA fixes for c3 <a href="https://rt.perl.org/Public/Bug/Display.html?id=120239">[perl #120239</a></p>

</dd>
<dt id="IO::Socket::IP-0.39_01">IO::Socket::IP 0.39_01</dt>
<dd>

<p>protect sv in END during global destruction, esp. with B::C. fixes for missing . in @INC (cperl or -Dfortify_inc).</p>

<p>From <a href="https://github.com/atoomic/IO-Socket-IP/">https://github.com/atoomic/IO-Socket-IP/</a>:</p>

<p>- Support setting custom socket options with new Sockopts constructor parameter</p>

<p>- Restore blocking mode after -&gt;connect errors <a href="https://rt.cpan.org/Ticket/Display.html?id=112334">RT #112334</a></p>

<p>- Keep demand-load Carp patch. https://jira.cpanel.net/browse/CPANEL-4359</p>

</dd>
<dt id="IPC::Cmd-0.96">IPC::Cmd 0.96</dt>
<dd>

<p>set $Module::Load::Conditional::FORCE_SAFE_INC = 1</p>

</dd>
<dt id="JSON::PP-2.27400_02">JSON::PP 2.27400_02</dt>
<dd>

<p>Fixed true/false redefinition warnings.</p>

</dd>
<dt id="Locale-Codes-3.51">Locale-Codes 3.51</dt>
<dd>

<p>Added Czech republic aliases back in. Lot of new codes and code changes.</p>

<p>Made many private API calls public. See <a>Locale::Codes::Changes</a></p>

</dd>
<dt id="Locale::Maketext-1.28">Locale::Maketext 1.28</dt>
<dd>

<p>Fix optional runtime load for CVE-2016-1238</p>

<p>Add blacklist and whitelist support, with <a href="https://rt.perl.org/Public/Bug/Display.html?id=127923">[perl #127923</a> priority. See <a href="/cperl/lib/Locale/Maketext.html#BRACKET-NOTATION-SECURITY">&quot;BRACKET NOTATION SECURITY&quot; in Locale::Maketext</a></p>

</dd>
<dt id="Math-BigInt-1.999811_01">Math-BigInt 1.999811_01</dt>
<dd>

<p>Merged CPAN updates with stricter tests and . in @INC fixes. <a href="https://github.com/rurban/Math-BigInt">https://github.com/rurban/Math-BigInt</a></p>

</dd>
<dt id="Math-BigInt-FastCalc-0.5006">Math-BigInt-FastCalc 0.5006</dt>
<dd>

<p>Updated from CPAN:</p>

<p>2 new tests files from Math-BigInt.</p>

<p>Math::BigInt::FastCalc is now a subclass of Math::BigInt::Calc, so remove aliases like *Math::BigInt::FastCalc::_xxx = \&amp;Math::BigInt::Calc::_xxx.</p>

<p>Use OO-calls rather than function calls. (i.e slower but overridable)</p>

</dd>
<dt id="Math-BigRat-0.2612">Math-BigRat 0.2612</dt>
<dd>

<p>Updated from CPAN: No functional changes, and the few actual changes in the test lib were for the worse. The <i>bigfltpm.inc</i> tests are still broken and skipped, however I improved it.</p>

</dd>
<dt id="Module-Load-Conditional-0.68">Module-Load-Conditional 0.68</dt>
<dd>

<p>Fix unconditional @INC localisation, Add FORCE_SAFE_INC option to fix CVE-2016-1238.</p>

</dd>
<dt id="Module-Metadata-1.000033">Module-Metadata 1.000033</dt>
<dd>

<p>- Fix file operation in tests for VMS</p>

<p>- use a more strict matching heuristic when attempting to infer the &quot;primary&quot; module name in a parsed .pm file</p>

<p>- only report &quot;main&quot; as the module name if code was seen outside another namespace, fixing bad results for pod files (RT#107525)</p>

</dd>
<dt id="Net-Ping-2.59">Net-Ping 2.59</dt>
<dd>

<p>Stabilized test, geocities.com is down.</p>

<p>Return the port num as 5th return value with ack (jfraire).</p>

<p>Todo 010_pingecho.t on EBCDIC and os390. Skip udp ping tests on more platforms: hpux, irix, aix (all from perl5)</p>

<p>Fixed missing <code>_unpack_sockaddr_in</code> family, which took AF_INET6 for a AF_INET addr in <i>t/500_ping_icmp.t</i> and <i>t/500_ping_icmp_ttl.t</i>. Use now a proper default. Detected by the new gitlab ci.</p>

<p>Fixed <code>_pack_sockaddr_in</code> for a proper 2nd argument type, hash or packed address.</p>

<p>Improved <i>500_ping_icmp.t</i> to try <code>sudo -n</code> for tests requiring root, plus adding -n fir fixing [RT #118451]. Relaxed more tests failing with firewalled icmp on localhost. [RT #118441]</p>

<p>Fixed <code>ping_external</code> argument type, either packed ip or hostname. [RT #113825]</p>

<p>Fixed wrong skip message in <i>t/020_external.t</i></p>

</dd>
<dt id="NEXT-0.67">NEXT 0.67</dt>
<dd>

<p>Doc and meta changes only.</p>

</dd>
<dt id="libnet-3.10">libnet 3.10</dt>
<dd>

<p>- Remove . from @INC when loading optional modules. [Tony Cook, Perl RT#127834, CVE-2016-1238]</p>

<p>- Increased minimum required version of IO::Socket::IP to 0.25 to hopefully stop t/pop3_ipv6.t hanging. [CPAN RT#104545]</p>

<p>- Debug output now includes decoded (from base64) negotiation for SASL. [Philip Prindeville, PR#27]</p>

<p>- plus the suse utf8 fixes for Net::Cmd, see 5bd7010cb and our darwin performance fix for hostname.</p>

</dd>
<dt id="Opcode-1.35_01c">Opcode 1.35_01c</dt>
<dd>

<p>New iter_ary and iter_lazyiv ops.</p>

<p>Add avhvswitch op</p>

</dd>
<dt id="parent-0.236">parent 0.236</dt>
<dd>

<p>improved t/parent-pmc.t, excluded new xt tests</p>

</dd>
<dt id="open-1.11-item-PerlIO-1.10">open 1.11 =item PerlIO 1.10</dt>
<dd>

<p>pod: Suggest to use strict :encoding(UTF-8) PerlIO layer over not strict :encoding(utf8) For data exchange it is better to use strict UTF-8 encoding and not perl&#39;s utf8.</p>

</dd>
<dt id="PathTools-4.67c">PathTools 4.67c</dt>
<dd>

<p>Add security note to File::Spec::no_upwards <a href="https://rt.perl.org/Public/Bug/Display.html?id=123754">[RT #123754</a></p>

</dd>
<dt id="PerlIO::encoding-0.24_01">PerlIO::encoding 0.24_01</dt>
<dd>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="PerlIO::via-0.17">PerlIO::via 0.17</dt>
<dd>

<p>Omit wrong if (gv) check, detected by coverity.</p>

</dd>
<dt id="Perl-OSType-1.010">Perl-OSType 1.010</dt>
<dd>

<p>Added msys</p>

</dd>
<dt id="Pod::Html-2.23002c">Pod::Html 2.23002c</dt>
<dd>

<p>fix cache races with parallel tests. add the PID to the temp. cache file See <a href="https://rt.cpan.org/Ticket/Display.html?id=118416">[RT #118416]</a>.</p>

<p>Removed deprecated <code>--libpods</code> option.</p>

</dd>
<dt id="podlators-4.09">podlators 4.09</dt>
<dd>

<p>Add the t/data/snippets tests.</p>

<p>Use Pod::Simple&#39;s logic to determine the native code points for NO BREAK SPACE and SOFT HYPHEN instead of hard-coding the ASCII values. Hopefully fixes the case of mysterious disappearing open brackets on EBCDIC systems. (#118240)</p>

<p>Many Pod::Man bugfixes and new tests, see <a href="https://metacpan.org/changes/distribution/podlators">https://metacpan.org/changes/distribution/podlators</a></p>

</dd>
<dt id="Pod-Perldoc-3.28">Pod-Perldoc 3.28</dt>
<dd>

<p>Fix broken test on Windows and FreeBSD (RT#116551) Fix CVE-2016-1238 by temporarily removing &#39;.&#39; from @INC in world writable directories. Fix =head3 appearing in some perlfunc lookups AmigaOS patches (RT#106798) (RT#110368) Fall back to an English perlfunc if translation doesn&#39;t exist (RT#104695) FreeBSD has mandoc too, with UTF-8 support. -U now documented and implied with -F (RT#87837) Fixes less -R flags insertion on Windows [perl #130759]</p>

</dd>
<dt id="Pod-Simple-4.35c">Pod-Simple 4.35c</dt>
<dd>

<p>Updated from CPAN 3.35: Turn off utf8 warnings when trying to see if a file is UTF-8 or not</p>

<p>Merged with our cperl signature modernizations, tracked at <a href="https://github.com/rurban/pod-simple/tree/cperl">https://github.com/rurban/pod-simple/tree/cperl</a>.</p>

<p>Moved from cpan to dist. <a href="https://github.com/perl11/cperl/issues/154">[cperl #154]</a>.</p>

</dd>
<dt id="POSIX-1.76_02">POSIX 1.76_02</dt>
<dd>

<p>changed speed_t to unsigned long. cannot be negative.</p>

<p>Fix -Wc++11-compat warnings</p>

<p>Several defects in making its symbols exportable. <a href="https://rt.perl.org/Public/Bug/Display.html?id=127821">[perl #127821]</a></p>

<p>The <code>POSIX::tmpnam()</code> interface has been removed, see <a>&quot;POSIX::tmpnam() has been removed&quot; in perl5251delta</a>.</p>

<p>Trying to import POSIX subs that have no real implementations (like <code>POSIX::atend()</code>) now fails at import time, instead of waiting until runtime.</p>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="Safe-2.40_02c">Safe 2.40_02c</dt>
<dd>

<p>Documentation only</p>

</dd>
<dt id="Scalar-List-Util-1.47_01">Scalar-List-Util 1.47_01</dt>
<dd>

<p>Bumped version because upstream is still years behind: lexical $_ support, binary names, various other fixes.</p>

<p>Improved taint test.</p>

<p>sum/min/max need to call SvGETMAGIC</p>

<p>set_subname memory fix by @bluhm from Sub::Name 0.20 <a href="https://rt.cpan.org/Ticket/Display.html?id=117072">RT #117072</a></p>

<p>Fixes for older perls, esp. lexical $_ support.</p>

<p>Reinstate the &amp;DB::sub setter, but no UTF8 support yet.</p>

</dd>
<dt id="Socket-2.024_05">Socket 2.024_05</dt>
<dd>

<p>Fix -Wc++11-compat warnings</p>

<p>Merge cpan 2.024 with our 2.021_02, plus fix some problems in their new code.</p>

<p>Fixes for OpenBSD: Probe for <i>netinet/in_systm.h</i> Removed <code>i_netinet6_in6</code> probe. This was never used due to a typo. It cannot be used due to RFC 2553.</p>

</dd>
<dt id="Storable-3.05_12">Storable 3.05_12</dt>
<dd>

<p>From <a href="https://github.com/rurban/Storable">https://github.com/rurban/Storable</a></p>

<p>Added some I32_MAX checks for tainted integers.</p>

<p>Fixed 3 null ptr dereferences leading to segfaults. <a href="https://rt.perl.org/Public/Bug/Display.html?id=130098">[perl #130098]</a></p>

<p>Fixed some important security bugs with reading from Storable files or memory, directly controlling the stack (not the perl stack). See <a href="#Storable-stack-overflow-or-exit">&quot;Storable stack overflow or exit&quot;</a>.</p>

<p>Another stack-overflow fix is for <a href="https://rt.cpan.org/Ticket/Display.html?id=97526">[cpan #97526]</a>, limiting the maximal number of nested hash or arrays to a computed number, ~3000-8000. Cpanel::JSON::XS has it at 512.</p>

<p>Fixed up early huge buffer and index support from 3.00c, which was failing with wrong malloc errors due to silently overwrap &gt;2GB. <i>t/huge.t</i> works now correctly. Note that 2 cases are not relevant since v5.25.1c/v5.24.1c anymore as with these releases we limit the maximum number of elements for hashes and arrays, and fail with &quot;Too many elements&quot; before. Bumped up PERL_TEST_MEMORY requirements to 8 and 16 for arrays and hashes. In reality the VMM subsystem will kill the process on perl5 before. <code>$a[9223372036854]=0</code> or <code>%a=(0..4294967296)</code> are easy ways to DoS a perl5 system. Only cperl is safe.</p>

<p>Skip or croak when reading or writing 64bit large objects on 32bit systems.</p>

<p>Fixed wrong recursion depth error with large arrays containing another array. Probe for valid max. stack sizes, and added 2 APIs. <a href="https://github.com/perl11/cperl/issues/257">[cperl #257]</a></p>

<p>Update documentation from the CPAN version.</p>

<p><a href="#Warn-on-metasploit-CVE-2015-1592">&quot;Warn on metasploit CVE-2015-1592&quot;</a></p>

</dd>
<dt id="Sys-Syslog-0.35">Sys-Syslog 0.35</dt>
<dd>

<p>CVE-2016-1238: avoid loading optional modules from default . (Tony Cook). Patch rewrote to no longer depend upon @INC. See <a href="https://metacpan.org/changes/distribution/Sys-Syslog">https://metacpan.org/changes/distribution/Sys-Syslog</a></p>

<p>Kept our smoker logic in <i>t/syslog.t</i>, for slow darwin systems, the suse patch and disabled the lexical filehandle patch.</p>

</dd>
<dt id="Term-ANSIColor-4.06">Term-ANSIColor 4.06</dt>
<dd>

<p>Add aliases ansi16 through ansi255 and on_ansi16 through on_ansi255 (plus the corresponding constants) for the grey and rgb colors so that one can refer to all of the 256 ANSI colors with consistent names. These are aliases; the colors returned by uncolor will still use the grey and rgb names. (#118267)</p>

</dd>
<dt id="Term::ReadKey-2.37_01">Term::ReadKey 2.37_01</dt>
<dd>

<p>ReadKey.pm renamed to ReadKey_pm.PL, expand blockoptions specific variants already at installation, no load-time eval, demand-load Carp, remove unneeded AutoLoader, harmonize formatting.</p>

<p>patch: use faster StructCopy and fixup the XS.</p>

</dd>
<dt id="Test-Harness-3.39_01">Test-Harness 3.39_01</dt>
<dd>

<p>Keeping our cperl and XSConfig fixes. See <a href="https://github.com/rurban/Test-Harness/tree/cperl-rebased">https://github.com/rurban/Test-Harness/tree/cperl-rebased</a></p>

</dd>
<dt id="Test-Simple">Test-Simple</dt>
<dd>

<p>Add doc and support for optional subtest @args.</p>

<p>Moved from cpan to dist. <a href="https://github.com/perl11/cperl/issues/154">[cperl #154]</a>.</p>

</dd>
<dt id="Test::More-1.401015c">Test::More 1.401015c</dt>
<dd>

<p>Removed the deprecated <code>isn&#39;t</code> method, using the <code>&#39;</code> package seperator.</p>

</dd>
<dt id="threads-2.15">threads 2.15</dt>
<dd>

<p>Remove extra terminating semicolon. Clean up temporary directories after testing.</p>

</dd>
<dt id="Thread-Queue-3.12">Thread-Queue 3.12</dt>
<dd>

<p>Calling any of the dequeue methods with COUNT greater than a queue&#39;s limit will generate an error.</p>

<p>But still have to keep our test fixes for . in @INC</p>

</dd>
<dt id="Thread-Semaphore-2.13">Thread-Semaphore 2.13</dt>
<dd>

<p>Added <code>down_timed</code> method.</p>

</dd>
<dt id="threads-shared-1.55">threads-shared 1.55</dt>
<dd>

<p>ifdef clang</p>

<p>Documentation</p>

</dd>
<dt id="Time-Local-1.25">Time-Local 1.25</dt>
<dd>

<p>Less runtime memory: demand-load Carp, Config.</p>

</dd>
<dt id="Time-HiRes-1.9742_01">Time-HiRes 1.9742_01</dt>
<dd>

<p>Fix -Wc++11-compat warnings Keep our better C++ fixes Keep our t/usleep.t, t/alarm.t, t/utime.t fixes. Keep our do_openn improvements in typemap.</p>

<p>from upstream:</p>

<p>- El Capitan compatibility - use CLOCK_REALTIME for clock_nanosleep scan - include file consistency in scans - use clockid_t consistently - use hv_fetchs() - scan for clockid_t (needed for macos Sierra) - darwin lacks clockid_t <a href="https://rt.cpan.org/Ticket/Display.html?id=129789">[cpan #129789]</a></p>

<p>More Darwin thread fixes for clock_gettime, Sierra support, test improvements, skip the t/utime.t on ext2/ext3</p>

</dd>
<dt id="Unicode-Collate-1.19">Unicode-Collate 1.19</dt>
<dd>

<p>Many new locales. Some major fixes.</p>

</dd>
<dt id="version-0.9917_02c">version 0.9917_02c</dt>
<dd>

<p>Merge latest version with the &#39;_&#39; lyon concensus with the cperl extension of the optional final &#39;c&#39; suffix. Extend version::regex for cperl. Now also parse the &#39;c&#39; natively.</p>

</dd>
<dt id="YAML::XS-0.75">YAML::XS 0.75</dt>
<dd>

<p>merged with upstream libyaml 0.1.7 avoid duplicate checks against NULL fix libyaml clang -Wlogical-op warnings fix libyaml clang -Wlogical-not-parentheses warnings</p>

<p>fixed encoding issues: fixed wrong $YAML::XS::Encoding and $YAML::XS::LineBreak comparison logic. fixed utf8 input as handled as UTF8, non-utf8 honors $YAML::XS::Encoding.</p>

<p>fixed -Wunused value warnings</p>

<p>merged with upstream YAML-LibYAML, implemented $DisableBlessed (security).</p>

</dd>
<dt id="XS::APItest-0.80_02">XS::APItest 0.80_02</dt>
<dd>

<p>use the new get_svs, get_avs, get_hvs macros.</p>

</dd>
<dt id="XSLoader-1.03c">XSLoader 1.03c</dt>
<dd>

<p>coverity detected invalid branch: if (!module) is always false. we need to check if (!modlibname) instead.</p>

</dd>
</dl>

<h2 id="Removed-Modules-and-Pragmata">Removed Modules and Pragmata</h2>

<dl>

<dt id="I18N-Collate-1.02">I18N-Collate 1.02</dt>
<dd>

<p>Compared 8-bit scalar data according to the current locale.</p>

<p>Deprecated with 5.003_06. Its functionality was integrated into the Perl core language in the release 5.003_06.</p>

<p>See <a href="/cperl/perllocale.html">perllocale</a> for further information.</p>

</dd>
</dl>

<h1 id="Documentation">Documentation</h1>

<h2 id="New-Documentation">New Documentation</h2>

<h3 id="perldeprecation"><a href="/cperl/perldeprecation.html">perldeprecation</a></h3>

<p>This file documents all upcoming deprecations, and some of the deprecations which already have been removed. The purpose of this documentation is two-fold: document what will disappear, and by which version, and serve as a guide for people dealing with code which has features that no longer work after an upgrade of their perl.</p>

<h2 id="Changes-to-Existing-Documentation">Changes to Existing Documentation</h2>

<h3 id="perlobj"><a href="/cperl/perlobj.html">perlobj</a></h3>

<ul>

<li><p>Added a section on calling methods using their fully qualified names.</p>

</li>
<li><p>Do not discourage manual @ISA.</p>

</li>
</ul>

<h3 id="perlop"><a href="/cperl/perlop.html">perlop</a></h3>

<ul>

<li><p>Clarify behavior single quote regexps.</p>

</li>
</ul>

<h3 id="perllocale"><a href="/cperl/perllocale.html">perllocale</a></h3>

<ul>

<li><p>Some locales aren&#39;t compatible with Perl. Note the potential bad consequences of using them.</p>

</li>
</ul>

<h3 id="perldiag"><a href="/cperl/perldiag.html">perldiag</a></h3>

<ul>

<li><p>Deprecations are to be marked with a D. <code>&quot;%s() is deprecated on :utf8 handles&quot;</code> use a deprecation message, and as such, such be marked <code>&quot;(D deprecated)&quot;</code> and not <code>&quot;(W deprecated)&quot;</code>.</p>

</li>
</ul>

<h3 id="perldtrace"><a href="/cperl/perldtrace.html">perldtrace</a></h3>

<ul>

<li><p>Describe which system have Dtrace. Changes in cperl. New examples.</p>

</li>
</ul>

<h3 id="perlguts"><a href="/cperl/perlguts.html">perlguts</a></h3>

<ul>

<li><p>add pTHX_ to magic method examples.</p>

</li>
</ul>

<h3 id="perlvar"><a href="/cperl/perlvar.html">perlvar</a></h3>

<ul>

<li><p>Document @ISA. Was documented other places, not not in perlvar.</p>

</li>
</ul>

<h3 id="perlootut"><a href="/cperl/perlootut.html">perlootut</a></h3>

<ul>

<li><p>Tidy the document.</p>

</li>
<li><p>Mention Moo more.</p>

</li>
</ul>

<h3 id="perlhack"><a href="/cperl/perlhack.html">perlhack</a></h3>

<ul>

<li><p>Describe the <a href="/cperl/perlhack.html#CPERL">&quot;CPERL&quot; in perlhack</a> development model, with always updated branches, <code>git rerere</code> and <i>cp-rb</i>.</p>

</li>
<li><p>Document Tab VS Space.</p>

</li>
</ul>

<h3 id="perlre"><a href="/cperl/perlre.html">perlre</a></h3>

<ul>

<li><p>Several minor enhancements to the documentation.</p>

</li>
</ul>

<h3 id="perlinterp"><a href="/cperl/perlinterp.html">perlinterp</a></h3>

<ul>

<li><p><a href="/cperl/perlinterp.html">perlinterp</a> has been expanded to give a more detailed example of how to hunt around in the parser for how a given operator is handled.</p>

</li>
</ul>

<h3 id="perlcall"><a href="/cperl/perlcall.html">perlcall</a></h3>

<ul>

<li><p>Removed redundant <code>dSP</code> from an example.</p>

</li>
</ul>

<h3 id="perltie"><a href="/cperl/perltie.html">perltie</a></h3>

<ul>

<li><p>Updated documentation of <code>scalar(%hash)</code>. See <a href="#scalar-hash-return-value-changed">&quot;scalar(%hash) return value changed&quot;</a> above.</p>

</li>
</ul>

<h3 id="perldata"><a href="/cperl/perldata.html">perldata</a></h3>

<ul>

<li><p>Use of single character variables, with the variable name a non printable character in the range \x80-\xFF is no longer allowed. Update the docs to reflect this.</p>

</li>
<li><p>Updated documentation of <code>scalar(%hash)</code>. See <a href="#scalar-hash-return-value-changed">&quot;scalar(%hash) return value changed&quot;</a> above.</p>

</li>
<li><p>Described the <a href="http://www.unicode.org/reports/tr39/#General_Security_Profile">Moderately Restrictive level</a> for unicode identifiers.</p>

</li>
<li><p>Added new cperl v5.25.2c restrictions for <a href="/cperl/perldata.html#Identifier-parsing">&quot;Identifier parsing&quot; in perldata</a>: No undeclared mixed scripts, normalization to NFC and no binary symbols.</p>

</li>
</ul>

<h3 id="perlexperiment-and-perlref"><a href="/cperl/perlexperiment.html">perlexperiment</a> and <a href="/cperl/perlref.html">perlref</a></h3>

<ul>

<li><p>Documented new feature: See <a href="#Declaring-a-reference-to-a-variable">&quot;Declaring a reference to a variable&quot;</a> above.</p>

<p>Document removed experiments: <a href="/cperl/perlsub.html#Lexical-Subroutines">&quot;Lexical Subroutines&quot; in perlsub</a> is now default. <code>Array and hash container functions accept references</code> removed.</p>

</li>
</ul>

<h3 id="perlfunc"><a href="/cperl/perlfunc.html">perlfunc</a></h3>

<ul>

<li><p>Defined on aggregates is no longer allowed. Perlfunc was still reporting it as deprecated, and that it will be deleted in the future.</p>

</li>
<li><p>Clarified documentation of <a href="/cperl/perlfunc.html#seek"><code>seek()</code></a>, <a href="/cperl/perlfunc.html#tell"><code>tell()</code></a> and <a href="/cperl/perlfunc.html#sysseek"><code>sysseek()</code></a>. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128607">[perl #128607]</a></p>

</li>
<li><p>Removed obsolete documentation of <a href="/cperl/perlfunc.html#study"><code>study()</code></a>.</p>

</li>
</ul>

<h3 id="perlunicode"><a href="/cperl/perlunicode.html">perlunicode</a></h3>

<ul>

<li><p>Documented change to <code>\p{<i>script</i>}</code> to now use the improved Script_Extensions property. See <a href="#Use-of-p-script-uses-the-improved-Script_Extensions-property">&quot;Use of \p{script} uses the improved Script_Extensions property&quot;</a> above.</p>

</li>
<li><p>Updated the text to correspond with changes in Unicode UTS#18, concerning regular expressions, and Perl compatibility with what it says.</p>

</li>
</ul>

<h3 id="perlvar1"><a href="/cperl/perlvar.html">perlvar</a></h3>

<ul>

<li><p>Removed obsolete documentation of <code>${^ENCODING}</code>. See <a href="#ENCODING-has-been-removed">&quot;${^ENCODING} has been removed&quot;</a> above.</p>

</li>
</ul>

<h3 id="perlcommunity"><a href="/cperl/perlcommunity.html">perlcommunity</a></h3>

<ul>

<li><p>All references to Usenet have been removed.</p>

</li>
</ul>

<h3 id="perldelta"><a href="/cperl/perldelta.html">perldelta</a></h3>

<ul>

<li><p>All references to Usenet have been removed.</p>

</li>
</ul>

<h3 id="perllocale1"><a href="/cperl/perllocale.html">perllocale</a></h3>

<ul>

<li><p>Document NUL collation handling.</p>

</li>
</ul>

<h3 id="perlmodinstall"><a href="/cperl/perlmodinstall.html">perlmodinstall</a></h3>

<ul>

<li><p>All references to Usenet have been removed.</p>

</li>
</ul>

<h3 id="perlmodlib"><a href="/cperl/perlmodlib.html">perlmodlib</a></h3>

<ul>

<li><p>Updated the mirror list.</p>

</li>
<li><p>All references to Usenet have been removed.</p>

</li>
</ul>

<h3 id="perlnewmod"><a href="/cperl/perlnewmod.html">perlnewmod</a></h3>

<ul>

<li><p>All references to Usenet have been removed.</p>

</li>
</ul>

<h3 id="perlintern-and-perlapi"><a href="/cperl/perlintern.html">perlintern</a> and <a href="/cperl/perlapi.html">perlapi</a></h3>

<ul>

<li><p>Added documentation for all <i>op</i> functions.</p>

</li>
</ul>

<h3 id="perlsec"><a href="/cperl/perlsec.html">perlsec</a></h3>

<ul>

<li><p>Describe the <a href="/cperl/perlsec.html#Taint-mode">&quot;Taint mode&quot; in perlsec</a> differences (<i>hash keys, use re &#39;taint&#39;</i>), added a <a href="/cperl/perlsec.html#use-warnings-security">&quot;use warnings &#39;security&#39;&quot; in perlsec</a> paragraph.</p>

</li>
<li><p>For hashes describe the different <b>PERL_PERTURB_TOP</b> strategy regarding <b>Bucket Order Perturbance</b>, add more text to <a href="/cperl/perlsec.html#Alternative-Hash-Functions">&quot;Alternative Hash Functions&quot; in perlsec</a> and add a new <a href="/cperl/perlsec.html#cperl-hash-security">&quot;cperl hash security&quot; in perlsec</a> paragraph.</p>

</li>
</ul>

<h1 id="Diagnostics">Diagnostics</h1>

<p>The following additions or changes have been made to diagnostic output, including warnings and fatal error messages. For the complete list of diagnostic messages, see <a href="/cperl/perldiag.html">perldiag</a>.</p>

<h2 id="New-Diagnostics">New Diagnostics</h2>

<p>Added a new warnings category <b>security</b> which is default ON, using a special message.</p>

<p>A &quot;SECURITY: &quot; prefix, and as suffix the username, REMOTE_ADDR, full pathname to implement a service similar to fail2ban. Bypass <code>$SIG{__WARN__}</code> handlers. Prints to STDERR and if available to syslog.</p>

<p>A new <code>-Dmv</code> debugging mode for verbose arena memory debugging was added, similar to <code>-Dm</code> and <code>env PERL_MEM_LOG=s</code>.</p>

<h3 id="New-Errors">New Errors</h3>

<ul>

<li><p>The <a href="/cperl/perldiag.html#Too-many-elements">Too many elements</a> error is now triggered when accessing or extending an out of bounds array index or trying to insert too many hash keys. This is to prevent from silent hash or array overflows. Previously extending a hash beyond it&#39;s capable size was silently ignored, leading to performance degradation with overly high fill factors and extending an array failed only on memory exhaustion, but the signed index led to an index overflow between I32 and U32, resp. I64 and U64.</p>

<p>Even worse, accessing overflown unsigned array indices would silently access the signed counterpart, indices at the end.</p>

<p>Note that the out of bound error message with shaped arrays is different.</p>

</li>
<li><p>The <a href="/cperl/perldiag.html#panic:-hash-key-too-long-u">Panic: hash key too long</a> error is now thrown with overlarge hash keys in every <code>hv_common</code> access and in <a href="/cperl/lib/Cpanel/JSON/XS.html">Cpanel::JSON::XS</a>. perl5 still silently ignores those failures, and truncates the keys.</p>

<p>Many more similar <code>panic: (file|keyword|mro|stash)? name too long</code> errors were added to the parser, compiler and runtime to protect from overlong names (&gt; I32_MAX, 2147483647, 2GB), or counts.</p>

</li>
<li><p>Invalid for range iterator (%d .. %d)</p>

<p>(F) A range with constant integers as a for loop cannot be reversed.</p>

<p>We check now at compile-time that a range with <code>for</code> loops with constant integers is incremental, the 2nd number must be higher. We don&#39;t support reverse loops with ranges, i.e. <code>for (9..0)</code> is invalid, but <code>for (0..$#ary)</code> with <code>$#ary</code> being <code>-1</code> is valid.</p>

<p>Reverse constant strings ranges are still valid and lead to an empty loop. i.e. <code>for (&#39;z&#39;..&#39;a&#39;)</code> is currently valid.</p>

</li>
<li><p>Using the empty pattern (which re-executes the last successfully-matched pattern) inside a code block in another regex, as in <code>/(?{ s!!new! })/</code>, has always previously yielded a segfault. It now produces an error: <a href="/cperl/perldiag.html#Infinite-recursion-via-empty-pattern">Infinite recursion via empty pattern</a>, (was <code>Use of the empty pattern inside of a regex code block is forbidden</code>).</p>

</li>
<li><p><a href="/cperl/perldiag.html#The-experimental-declared_refs-feature-is-not-enabled">The experimental declared_refs feature is not enabled</a></p>

<p>(F) To declare references to variables, as in <code>my \%x</code>, you must first enable the feature:</p>

<pre><code>    no warnings &quot;experimental::declared_refs&quot;;
    use feature &quot;declared_refs&quot;;</code></pre>

</li>
<li><p><a href="/cperl/perldiag.html#Version-control-conflict-marker">Version control conflict marker</a></p>

</li>
<li><p><a href="/cperl/perldiag.html#Unescaped-left-brace-in-regex-is-deprecated-here-passed-through-in-regex-marked-by----HERE-in-m-s">Unescaped left brace in regex is deprecated here, passed through in regex; marked by <span style="white-space: nowrap;">&lt;-- HERE</span> in m/%s/</a></p>

<p>Unescaped left braces are already illegal in some contexts in regular expression patterns, but, due to an oversight, no deprecation warning was raised in other contexts where they are intended to become illegal. This warning is now raised in these contexts.</p>

</li>
<li><p><a href="/cperl/perldiag.html#Malformed-UTF-8-character-in-compose-empty-string">Malformed UTF-8 character in compose (empty string)</a></p>

<p><a href="/cperl/perldiag.html#Malformed-UTF-8-character-in-compose-empty-string">Malformed UTF-8 character in decompose (empty string)</a></p>

<p><a href="/cperl/perldiag.html#Malformed-UTF-8-character-in-compose-empty-string">Malformed UTF-8 character in reorder (empty string)</a></p>

<p>New unicode identifier normalization errors.</p>

</li>
</ul>

<h3 id="New-Warnings">New Warnings</h3>

<ul>

<li><p>The new <code>S security</code> warning &quot;Hash flood&quot; was added. See <a href="#Protect-and-warn-on-hash-flood-DoS">&quot;Protect and warn on hash flood DoS&quot;</a>.</p>

</li>
<li><p>The new <code>S security</code> warnings &quot;metasploit reverse/bind shell payload&quot; and &quot;CVE-2012-1823 reverse/bind shell payload&quot; were added, detecting the existing metasploit/libxploit and phpcgi CVE-2012-1823 reverse and bind shells. See <a href="#Warn-on-metasploit-reverse-shells">&quot;Warn on metasploit reverse shells&quot;</a></p>

</li>
<li><p><a href="/cperl/perldiag.html#Declaring-references-is-experimental">Declaring references is experimental</a></p>

<p>(S experimental::declared_refs) This warning is emitted if you use a reference constructor on the right-hand side of <code>my()</code>, <code>state()</code>, <code>our()</code>, or <code>local()</code>. Simply suppress the warning if you want to use the feature, but know that in doing so you are taking the risk of using an experimental feature which may change or be removed in a future Perl version:</p>

<pre><code>    no warnings &quot;experimental::declared_refs&quot;;
    use feature &quot;declared_refs&quot;;
    $fooref = my \$foo;</code></pre>

</li>
<li><p><a href="/cperl/perldiag.html#Invalid-script-s-in-identifier-for-U-04">Invalid script %s in identifier for U+%04</a></p>

</li>
<li><p><a href="/cperl/perldiag.html#Invalid-0-character-in-string-for-SYMBOL:-s">Invalid \0 character in string for SYMBOL: %s</a></p>

</li>
<li><p><a href="/cperl/perldiag.html#Invalid-script-s-in-identifier-cannot-be-mixed-with-s">Invalid script %s in identifier, cannot be mixed with %s</a></p>

</li>
</ul>

<h2 id="Changes-to-Existing-Diagnostics">Changes to Existing Diagnostics</h2>

<p>As of Perl 5.25.9, all new deprecations will come with a version in which the feature will disappear. And with a few exceptions, most existing deprecations will state when they&#39;ll disappear. As such, most deprecation messages have changed.</p>

<ul>

<li><p>Improve error for missing tie() package/method. This brings the error messages in line with the ones used for normal method calls, despite not using call_method().</p>

</li>
<li><p>Make the sysread()/syswrite/() etc :utf8 handle warnings default. These warnings were under &#39;deprecated&#39; previously.</p>

</li>
<li><p>&#39;do&#39; errors now refer to &#39;do&#39; (not &#39;require&#39;).</p>

</li>
<li><p>Details as to the exact problem have been added to the diagnostics that occur when malformed UTF-8 is encountered when trying to convert to a code point.</p>

</li>
<li><p>Executing <code>undef $x</code> where <code>$x</code> is tied or magical no longer incorrectly blames the variable for an uninitialized-value warning encountered by the tied/magical code.</p>

</li>
<li><p><a href="/cperl/perldiag.html#Unescaped-left-brace-in-regex-is-illegal-here-in-regex-marked-by----HERE-in-m-s">Unescaped left brace in regex is illegal here in regex; marked by <span style="white-space: nowrap;">&lt;-- HERE</span> in m/%s/</a></p>

<p>The word &quot;here&quot; has been added to the message that was raised in v5.25.1. This is to indicate that there are contexts in which unescaped left braces are not (yet) illegal.</p>

</li>
</ul>

<h1 id="Configuration-and-Compilation">Configuration and Compilation</h1>

<p>All changes but default_inc_excludes_do are cperl-only.</p>

<dl>

<dt id="sysincpath-syslibpth">sysincpath, syslibpth</dt>
<dd>

<p>Those two new Config keys are needed for properly identifying the true compiler header and library search paths. The old libpth just assumed paths based in the calculated incpth. Several compilers have not matching search paths, which lead to wrong precedence orderings of e.g. <i>/usr/local/</i> vs <i>/opt/local</i>, conflicting in ccflags and ldflags. syslibpth is now computed. The new keys don&#39;t add extra ccflags or ldflags directcories if they already exist in the compiler search paths. See [cperl #267] for more. Note that this doesn&#39;t fix other ordering issues, as -I and -L is evaluated before the system search paths.</p>

<p>This fixes serious problems with updated libraries in <i>/usr/local/lib</i> on macports, but probably everywhere with bad compiler search paths.</p>

</dd>
<dt id="rebuild_storable">rebuild_storable</dt>
<dd>

<p>Added a post-dynamic rule for Storable, to probe for the max. stacksize and re-compile it with that.</p>

</dd>
<dt id="dlopen">dlopen</dt>
<dd>

<p>Fixed <b>dlopen</b> probe and compilation with c++.</p>

<p>The dlopen probe with C++ needs <code>-fPIC -shared</code>, otherwise <code>dlopen()</code> will not be found. This will set <code>ld=ld</code>, leading to the problem below:</p>

</dd>
<dt id="ld">ld</dt>
<dd>

<p><code>ld -f</code> may not be used without <code>-shared</code></p>

<p>Check <code>ld=ld</code> (caused by the failing dlopen probe from above) and <code>ldflags</code> without <code>-shared</code> and disable adding <code>-fstack-protector</code> to it.</p>

</dd>
<dt id="default_inc_excludes_do">default_inc_excludes_do</dt>
<dd>

<p>Added <code>default_inc_excludes_dot</code> to <code>perl -V</code> and <i>myconfig</i>.</p>

</dd>
<dt id="arflags">arflags</dt>
<dd>

<p>Probe for arflags, which do support <code>D</code> for deterministic static archives without member timestamps. On darwin we currently only have <i>llvm-ar-mp-3.9</i> (since 3.7) which does support this.</p>

<p>ranlib is probed for the <code>-D</code> flag for reproducible build determinism.</p>

</dd>
<dt id="fixed-longdblinfbytes-probe">fixed longdblinfbytes probe</dt>
<dd>

<p>With Intel long double it didn&#39;t clean random excess garbage bytes after the 10th byte.</p>

</dd>
<dt id="cperl-build-helper-scripts">cperl build helper scripts</dt>
<dd>

<p>Added the following release scripts to <i>Porting:</i> <i>do-conf-clean</i> <i>do-conf-cperl-release</i> <i>do-make-cperl-release</i> <i>do-make-srctarball</i> <i>perl_version</i> for Linux (debian and rpm) and Darwin.</p>

<p>Those builds are now reproducible, see below.</p>

</dd>
<dt id="reproducible-builds">reproducible builds</dt>
<dd>

<p>cperl has now support for automatic reproducible builds on most platforms. A new <b>cf_epoch</b> config key was added.</p>

<p>The config key <b>cf_time</b> is now based on: 1. SOURCE_DATE_EPOCH, 2. with .git the newest file in the repository, or 3. the newest file in the MANIFEST.</p>

<p>Builds are done with <code>LC_ALL=C</code> and <code>PERL_HASH_SEED=0</code>, but builds are still LANGUAGE or compiler specific.</p>

<p>Those builds are reproducible when done on the same machine and user. Otherwise set the keys: cf_by, cf_email, mydomain, myhostname, myuname also.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/169">[cperl #169]</a>.</p>

</dd>
<dt id="passcat">passcat</dt>
<dd>

<p>This suspicious Config key was removed from cperl. If you have a NIS database use <code>ypcat passwd</code>. passcat is not used in any public CPAN module.</p>

</dd>
<dt id="fake_signatures">fake_signatures</dt>
<dd>

<p>Ask for <a href="/cperl/lib/fake_signatures.html">fake_signatures</a> being compiled in as default or not. Defaults to yes with cperl, no without. Sets <code>$Config{fake_signatures}</code> and defines <code>PERL_FAKE_SIGNATURE</code>.</p>

</dd>
<dt id="d_llabs">d_llabs</dt>
<dd>

<p>Probe for <code>llabs()</code> needed for PERL_IABS on 32bit with -Duse64bitint, the default on mingw/cygwin. Defines <code>HAS_LLABS</code>.</p>

</dd>
<dt id="d_setenv">d_setenv</dt>
<dd>

<p>Probe for <code>setenv()</code> needed on some platforms with strict linkage or <code>-fvisibility=hidden</code>.</p>

</dd>
<dt id="d_attribute_always_inline">d_attribute_always_inline</dt>
<dd>

<p>Probe for <code>__attribute__((always_inline))</code>, which is helpful with <code>clang -flto=thin</code> for exported mathoms (b) and inlined functions.</p>

<p>The problem is that <code>__attribute__((used))</code> functions are not inlined. With always_inline + global visibility, but not <code>__attribute__((used))</code> we get inlined variants plus exported copies for the API. Add <code>PERL_MATHOM_CALLCONV</code> to use it.</p>

</dd>
<dt id="sanitize_address">sanitize_address</dt>
<dd>

<p>Added a new <code>sanitize_address</code> config entry and probe, and matching <code>USE_SANITIZE_ADDRESS</code> <i>config.h</i> definition.</p>

</dd>
<dt id="d_attribute_used">d_attribute_used</dt>
<dd>

<p>Added a new <code>d_attribute_used</code> config entry and probe, and matching <code>HASATTRIBUTE_USED</code> <i>config.h</i> definition.</p>

</dd>
<dt id="i_netinet_in_systm">i_netinet_in_systm</dt>
<dd>

<p>Added a new <code>i_netinet_in_systm</code> config entry and probe, and matching <i>config.h</i> define for <a href="/cperl/lib/Socket.html">Socket</a>.</p>

</dd>
<dt id="i_netinet6_in6">i_netinet6_in6</dt>
<dd>

<p>Removed the <code>i_netinet6_in6</code> Config entry and probe, and matching <code>I_NETINET6_I6</code> <i>config.h</i> define, which was a typo. This was added with cperl-5.22.2 and was never used due to the typo. It cannot be used due to RFC 2553.</p>

</dd>
<dt id="d_builtin_prefetch">d_builtin_prefetch</dt>
<dd>

<p>Fixed the <code>__builtin_prefetch</code> probe, not yet used.</p>

</dd>
<dt id="d_builtin_ctz">d_builtin_ctz</dt>
<dd>

<p>Added a new <code>__builtin_ctz</code> probe, <code>$Config{d_builtin_ctz} key</code>, used for faster <code>DO_HSPLIT()</code> calculations. About 30% faster for hash intensive tests.</p>

</dd>
</dl>

<h1 id="Testing">Testing</h1>

<ul>

<li><p>Fixed <i>t/re/regexp.t</i> handling of compile-time errors, if combined with other result flags. cperl only.</p>

</li>
<li><p>Added <i>t/comp/parser_run.t</i> for parser tests requiring <i>test.pl</i>.</p>

</li>
<li><p>Added <i>t/lib/warnings/toke_l1</i> for toke warnings tests with binary characters.</p>

</li>
<li><p>Added <i>t/porting/embedcpp.t</i> to check for perl.h C++ compatibility with a modern C++ compiler. There must be no fatal compilation errors in the <code>-c</code> step from C++ incompatibilities in any perl header file.</p>

<p>Note that Microsoft Visual C++ still throws errors. You cannot use that yet. See <a href="https://github.com/perl11/cperl/issues/227">[cperl #227]</a>.</p>

<p>This is related to the new <code>-Wc++11-compat</code> and <code>-fpermissive</code> fixes. cperl only.</p>

</li>
<li><p><code>make minitest</code> has been vastly improved. cperl only.</p>

</li>
<li><p>Fix tests for the optional <code>-DNODEFAULT_SHAREKEYS</code> configuration. cperl only.</p>

</li>
<li><p>Relax some timing sensitive smoker failures on overly slow systems, such as darwin on Travis with DEBUGGING. cperl only.</p>

<p>Time-HiRes: skip nanosleep test,</p>

<p>Sys-Syslog with not responding syslogd.</p>

</li>
</ul>

<h1 id="Utility-Changes">Utility Changes</h1>

<h2 id="c2ph"><a>c2ph</a></h2>

<ul>

<li><p>Removed all the old <code>&#39;</code> package seperators, and lexicalized most internal variables from <b>c2ph</b>. But it is not yet completely strict safe. See <a href="#Removed-as-package-seperator">&quot;Removed &#39; as package seperator&quot;</a> and <a href="https://github.com/perl11/cperl/issues/217">[cperl #217]</a>.</p>

</li>
</ul>

<h1 id="Platform-Support">Platform Support</h1>

<h2 id="Platform-Specific-Notes">Platform-Specific Notes</h2>

<dl>

<dt id="Windows">Windows</dt>
<dd>

<ul>

<li><p>Support for compiling perl on Windows using Microsoft Visual Studio 2015 (containing Visual C++ 14.0) has been added.</p>

<p>This version of VC++ includes a completely rewritten C run-time library, some of the changes in which mean that work done to resolve a socket close() bug in <a href="https://rt.perl.org/Public/Bug/Display.html?id=120091">[perl #120091</a> and <a href="https://rt.perl.org/Public/Bug/Display.html?id=118059">[perl #118059</a> is not workable in its current state with this version of VC++. Therefore, we have effectively reverted that bug fix for VS2015 onwards on the basis that being able to build with VS2015 onwards is more important than keeping the bug fix. We may revisit this in the future to attempt to fix the bug again in a way that is compatible with VS2015.</p>

<p>These changes do not affect compilation with GCC or with Visual Studio versions up to and including VS2013, i.e. the bug fix is retained (unchanged) for those compilers.</p>

<p>Note that you may experience compatibility problems if you mix a perl built with GCC or VS &lt;= VS2013 with XS modules built with VS2015, or if you mix a perl built with VS2015 with XS modules built with GCC or VS &lt;= VS2013. Some incompatibility may arise because of the bug fix that has been reverted for VS2015 builds of perl, but there may well be incompatibility anyway because of the rewritten CRT in VS2015 (e.g. see discussion at <a href="http://stackoverflow.com/questions/30412951">http://stackoverflow.com/questions/30412951</a>).</p>

</li>
<li><p>Tweaks for Win32 VC vs GCC detection makefile code. This fixes issue that CCHOME depends on CCTYPE, which in auto detect mode is set after CCHOME, so CCHOME uses the uninit CCTYPE var. Also fix else vs .ELSE in makefile.mk</p>

</li>
<li><p>Fix some breakage, add &#39;undef&#39; value for default_inc_excludes_dot in build scripts.</p>

</li>
<li><p>Preserve the <code>Systemroot</code> env var during env wipe for Win32 in <i>t/op/magic.t</i></p>

<p>This fixes a test fail with VC 2005 and VC 2008 on WinXP. The <code>Systemroot</code> env var is required on WinXP to load SXS tracked DLLs, VC 2005 and 2008&#39;s MS libc&#39;s are SXS tracked (before and after are not), so once %ENV is wiped and systemroot is deleted the <code>require Win32</code> cant load the XS DLL because the XS DLL is linked against the SXS tracked libc specific to 2005/2008.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=126041">[perl #126041]</a></p>

</li>
<li><p>Added strupr() and more ENV_IS_CASELESS helper functions for non-Win32/Netware builds with ENV_IS_CASELESS being defined to easier test caseless windows ENV handling on non-windows platforms.</p>

</li>
<li><p>fp definitions have been updated.</p>

</li>
</ul>

</dd>
<dt id="Mingw">Mingw</dt>
<dd>

<ul>

<li><p>Compilation under mingw (32 and/or 64bit) was fixed by removing a duplicate <i>pp_sys.c</i> entry in <i>win32/GNUMakefile</i>.</p>

</li>
</ul>

</dd>
<dt id="Linux">Linux</dt>
<dd>

<ul>

<li><p>Drop support for Linux a.out Linux has used ELF for over twenty years.</p>

</li>
<li><p>Check for null in pp_ghostent et al.</p>

<p>On some platforms (such as Gentoo Linux with torsocks), hent-&gt;h_aliases (where hent is a struct hostent *) may be null after a gethostent call.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128740">RT#128740</a></p>

</li>
</ul>

</dd>
<dt id="VMS">VMS</dt>
<dd>

<ul>

<li><p>The path separator for the <code>PERL5LIB</code> and <code>PERLLIB</code> environment entries is now a colon (<code>:</code>) when running under a Unix shell. There is no change when running under DCL (it&#39;s still <code>|</code>).</p>

</li>
<li><p>Remove some VMS-specific hacks from <code>showlex.t</code>. These were added 15 years ago, and are no longer necessary for any VMS version now supported.</p>

</li>
<li><p>Move _pDEPTH and _aDEPTH after config.h otherwise DEBUGGING may not be defined yet.</p>

</li>
<li><p>VAXC has not been a possibility for a good long while, and the versions of the DEC/Compaq/HP/VSI C compiler that report themselves as &quot;DEC&quot; in a listing file are 15 years or more out-of-date and can be safely desupported.</p>

</li>
<li><p>Fix some breakage, add &#39;undef&#39; value for default_inc_excludes_dot in build scripts.</p>

</li>
</ul>

</dd>
<dt id="Hurd">Hurd</dt>
<dd>

<p>The hints for Hurd have been improved enabling malloc wrap and reporting the GNU libc used (previously it was an empty string when reported). <a href="https://rt.perl.org/Public/Bug/Display.html?id=128954">[perl #128954]</a></p>

</dd>
<dt id="VAX">VAX</dt>
<dd>

<p>VAX floating point formats are now supported.</p>

</dd>
<dt id="FreeBSD">FreeBSD</dt>
<dd>

<ul>

<li><p>Similar to darwin with v5.25.2c the <code>do_open</code> and <code>do_close</code> macros are now undefined on clang++, which FreeBSD uses. do_close clashes on C++ with <i>locale</i>. We need to use the fullname <b>Perl_do_open</b> and <b>Perl_do_close</b> functions whenever perl needs to be embedded into C++ projects. See <a href="https://github.com/perl11/cperl/issues/227">[cperl #227]</a></p>

<p>Also affected is <i>modperl_io.c</i>, which is not used with C++.</p>

</li>
<li><p><i>t/uni/overload.t</i>: Skip hanging test on FreeBSD.</p>

</li>
</ul>

</dd>
<dt id="Darwin-macOS">Darwin/macOS</dt>
<dd>

<ul>

<li><p>Fixed setting <code>MACOSX_DEPLOYMENT_TARGET=10.3</code> for OS X 10.3.x - 10.5.x. This is irrelevant for cperl since cperl uses ldflags and cflags <code>-mmacosx-version-min=10.x</code></p>

</li>
<li><p>Don&#39;t treat -Dprefix=/usr as special, instead require an extra option -Ddarwin_distribution to produce the same results.</p>

</li>
<li><p>OS X El Capitan doesn&#39;t implement the clock_gettime() or clock_getres() APIs, emulate them as necessary.</p>

</li>
<li><p>Deprecated syscall(2) on macOS 10.12.</p>

</li>
</ul>

</dd>
<dt id="EBCDIC">EBCDIC</dt>
<dd>

<p>Several tests have been updated to work (or be skipped) on EBCDIC platforms.</p>

</dd>
<dt id="HP-UX">HP-UX</dt>
<dd>

<p><a href="/cperl/lib/Net/Ping.html">Net::Ping</a> UDP test is skipped on HP-UX.</p>

</dd>
<dt id="OpenBSD-6">OpenBSD 6</dt>
<dd>

<p>OpenBSD 6 still does not support returning pid, gid or uid with SA_SIGINFO. Make sure this is accounted for.</p>

</dd>
<dt id="Solaris">Solaris</dt>
<dd>

<p>With the SunPro cc compiler we use now the <code>__global</code> declaration for exported functions, similar to Windows <code>__declspec(dllexport)</code>.</p>

<p>This is hidden under the new <code>GLOBAL</code> macro.</p>

</dd>
</dl>

<h1 id="Internal-Changes">Internal Changes</h1>

<ul>

<li><p>Fixed many instances of wrong or missing dVAR declarations, relevant for <code>-Accflags=-DPERL_GLOBAL_STRUCT_PRIVATE</code>.</p>

</li>
<li><p>The <code>op_class()</code> API function has been added. This is like the existing <code>OP_CLASS()</code> macro, but can more accurately determine what struct an op has been allocated as. For example <code>OP_CLASS()</code> might return <code>OA_BASEOP_OR_UNOP</code> indicating that ops of this type are usually allocated as an <code>OP</code> or <code>UNOP</code>; while <code>op_class()</code> will return <code>OPclass_BASEOP</code> or <code>OPclass_UNOP</code> as appropriate.</p>

</li>
<li><p>The output format of the <code>op_dump()</code> function (as used by <code>perl -Dx</code>) has changed: it now displays an &quot;ASCII-art&quot; tree structure, and shows more low-level details about each op, such as its address and class.</p>

<p>The initial indent level is controlled by the global <code>PL_dumpindent</code>, which is 4, and in Devel::Peek and B::C set to 2. With cperl the indent-level between the ops is hardcoded to 2, in perl5 to 4.</p>

</li>
<li><p>The lexer <i>toke.c</i> is now guaranteed to work on a <code>linestr</code> buffer SV with minimal PTRSIZE (4 or 8 byte) length, which enables to use fast word-wise comparison memcmp builtins. cperl only.</p>

</li>
<li><p>The <b>negate</b> op has now it&#39;s own <b>ck_negate</b> callback.</p>

</li>
<li><p>Forbid attaching magic to 4 builtin SV sentinels.</p>

<p>The unique sv_undef, sv_yes, sv_no and sv_placeholder SV values are compared by pointer. Adding magic to it will break that and is now silently skipped. If you need to magicalize sv_yes or sv_no, turn it into a normal IV before.</p>

</li>
<li><p>New public SV_YES and SV_NO macros were added, representing &amp;PL_sv_yes and &amp;PL_sv_no, plus new macros for CORE only: UNDEF and PLACEHOLDER. They cannot be used in headers, as they are used with extensions also.</p>

</li>
<li><p>Two internal debugging helpers <code>av_dump</code> and <code>hv_dump</code> had been added, to print all array elements and hash keys (and optional values).</p>

</li>
<li><p>New versions of macros like <code>isALPHA_utf8</code> and <code>toLOWER_utf8</code> have been added, each with the suffix <code>_safe</code>, like <code>isSPACE_utf8_safe</code>. These take an extra parameter, giving an upper limit of how far into the string it is safe to read. Using the old versions could cause attempts to read beyond the end of the input buffer if the UTF-8 is not well-formed, and ther use now raises a deprecation warning. Details are at <a href="/cperl/perlapi.html#Character-classification">&quot;Character classification&quot; in perlapi</a>.</p>

</li>
<li><p>Calling macros like <code>isALPHA_utf8</code> on malformed UTF-8 have issued a deprecation warning since Perl v5.18. They now die. Similarly, macros like <code>toLOWER_utf8</code> on malformed UTF-8 now die.</p>

</li>
<li><p>Calling the functions <code>utf8n_to_uvchr</code> and its derivatives, while passing a string length of 0 is now asserted against in DEBUGGING builds, and otherwise returns the Unicode REPLACEMENT CHARACTER. If you have nothing to decode, you shouldn&#39;t call the decode function.</p>

</li>
<li><p>The functions <code>utf8n_to_uvchr</code> and its derivatives now return the Unicode REPLACEMENT CHARACTER if called with UTF-8 that has the overlong malformation, and that malformation is allowed by the input parameters. This malformation is where the UTF-8 looks valid syntactically, but there is a shorter sequence that yields the same code point. This has been forbidden since Unicode version 3.1.</p>

</li>
<li><p>The functions <code>utf8n_to_uvchr</code> and its derivatives now accept an input flag to allow the overflow malformation. This malformation is when the UTF-8 may be syntactically valid, but the code point it represents is not capable of being represented in the word length on the platform. What &quot;allowed&quot; means in this case is that the function doesn&#39;t return an error, and advances the parse pointer to beyond the UTF-8 in question, but it returns the Unicode REPLACEMENT CHARACTER as the value of the code point (since the real value is not representable).</p>

</li>
<li><p>The meanings of some internal SV flags have been changed</p>

<p>OPpRUNTIME, SVpbm_VALID, SVpbm_TAIL, SvTAIL_on, SvTAIL_off, SVrepl_EVAL, SvEVALED</p>

</li>
<li><p>Change <code>hv_fetch(&hellip;, &quot;&hellip;&quot;, &hellip;, &hellip;)</code> to <code>hv_fetchs(&hellip;, &quot;&hellip;&quot;, &hellip;)</code></p>

<p>The dual-life dists all use Devel::PPPort, so they can use this function even though it was only added in 5.10.</p>

</li>
<li><p>The function <code><a href="/cperl/perlapi.html#utf8n_to_uvchr">&quot;utf8n_to_uvchr&quot; in perlapi</a></code> has been changed to not abandon searching for other malformations when the first one is encountered. A call to it thus can generate multiple diagnostics, instead of just one.</p>

</li>
<li><p>A new function, <code><a href="/cperl/perlapi.html#utf8n_to_uvchr_error">&quot;utf8n_to_uvchr_error&quot; in perlapi</a></code>, has been added for use by modules that need to know the details of UTF-8 malformations beyond pass/fail. Previously, the only ways to know why a sequence was ill-formed was to capture and parse the generated diagnostics, or to do your own analysis.</p>

</li>
<li><p>Several new functions for handling Unicode have been added to the API: <code><a href="/cperl/perlapi.html#is_strict_utf8_string">&quot;is_strict_utf8_string&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_c9strict_utf8_string">&quot;is_c9strict_utf8_string&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_utf8_string_flags">&quot;is_utf8_string_flags&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_strict_utf8_string_loc">&quot;is_strict_utf8_string_loc&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_strict_utf8_string_loclen">&quot;is_strict_utf8_string_loclen&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_c9strict_utf8_string_loc">&quot;is_c9strict_utf8_string_loc&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_c9strict_utf8_string_loclen">&quot;is_c9strict_utf8_string_loclen&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_utf8_string_loc_flags">&quot;is_utf8_string_loc_flags&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_utf8_string_loclen_flags">&quot;is_utf8_string_loclen_flags&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_utf8_fixed_width_buf_flags">&quot;is_utf8_fixed_width_buf_flags&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_utf8_fixed_width_buf_loc_flags">&quot;is_utf8_fixed_width_buf_loc_flags&quot; in perlapi</a></code>, <code><a href="/cperl/perlapi.html#is_utf8_fixed_width_buf_loclen_flags">&quot;is_utf8_fixed_width_buf_loclen_flags&quot; in perlapi</a></code>.</p>

<p>These functions are all extensions of the <code>is_utf8_string_*()</code> functions, that apply various restrictions to the UTF-8 recognized as valid.</p>

</li>
<li><p>A new API function <code>sv_setvpv_bufsize()</code> allows simultaneously setting the length and allocated size of the buffer in an <code>SV</code>, growing the buffer if necessary.</p>

</li>
<li><p>A new API macro <code>SvPVCLEAR()</code> sets its <code>SV</code> argument to an empty string, like Perl-space <code>$x = &#39;&#39;</code>, but with several optimisations.</p>

</li>
<li><p>All parts of the internals now agree that the <code>sassign</code> op is a <code>BINOP</code>; previously it was listed as a <code>BASEOP</code> in <i>regen/opcodes</i>, which meant that several parts of the internals had to be special-cased to accommodate it. This oddity&#39;s original motivation was to handle code like <code>$x ||= 1</code>; that is now handled in a simpler way.</p>

</li>
<li><p>Several new internal C macros have been added that take a string literal as arguments, alongside existing routines that take the equivalent value as two arguments, a character pointer and a length. The advantage of this is that the length of the string is calculated automatically, rather than having to be done manually. These routines are now used where appropriate across the entire codebase.</p>

<p>Note that these upstream changes are still inferior to the cperl specific memEQc and strEQc macros, which do faster word-wordwise comparisons at run-time.</p>

</li>
<li><p>The code in <i>gv.c</i> that determines whether a variable has a special meaning to Perl has been simplified.</p>

</li>
<li><p>The <code>DEBUGGING</code>-mode output for regex compilation and execution has been enhanced.</p>

</li>
<li><p>Several macros and functions have been added to the public API for dealing with Unicode and UTF-8-encoded strings. See <a href="/cperl/perlapi.html#Unicode-Support">&quot;Unicode Support&quot; in perlapi</a>.</p>

</li>
<li><p>Use <code>my_strlcat()</code> in <code>locale.c</code>. While <code>strcat()</code> is safe in this context, some compilers were optimizing this to <code>strcpy()</code> causing a porting test to fail that looks for unsafe code. Rather than fighting this, we just use <code>my_strlcat()</code> instead.</p>

</li>
<li><p>Perl no longer panics when switching into some locales on machines with buggy <code>strxfrm()</code> implementations in their libc. <a href="https://rt.perl.org/Public/Bug/Display.html?id=121734">[perl #121734]</a></p>

</li>
<li><p>Support for clang <code>-flto</code> and the new <code>-flto=thin</code> optimization was added, via <code>GLOBAL</code> declaration and <code>__attribute__global__</code> for global visibility for all exported API functions, even if not used, and <code>-DLTO</code>. Note that is not needed for <code>gcc -flto</code>, and the clang variant produces slower code.</p>

<p>Rudimentary support for <code>-fsanitize=cfi</code> was also added, which is safer than the old <code>-fstack-protector-strong</code>, but this is not yet finished.</p>

<p><a href="/cperl/lib/ExtUtils/ParseXS.html">ExtUtils::ParseXS</a> adds now a correct visibility declaration of <code>XS_EXTERNAL</code> for <code>-flto</code> and <code>-fvisibility=hidden</code>, which is needed for <code>-fsanitize=cfi</code> support.</p>

<p><code>Perl_xs_handshake</code> is now properly exported, which is needed for <code>clang -flto=thin</code>.</p>

</li>
<li><p><code>XS_EXTERNAL</code> and <code>XSPROTO</code> were simplified to use the new <code>GLOBAL</code> declaration and <code>__attribute__global__</code> attribute, for easier platform abstractions.</p>

</li>
<li><p>Added many OP read-write field accessor macros, like <code>OpFIRST</code>, <code>OpLAST</code>, <code>OpOTHER</code>, <code>OpKIDS</code>, <code>OpSPECIAL</code>, <code>OpSTACKED</code>, <code>OpDEREF</code>, <code>OpWANT_VOID</code>, <code>OpWANT_SCALAR</code>, <code>OpWANT_LIST</code>. And shorter type checks: <code>IS_TYPE</code>, <code>ISNT_TYPE</code>, <code>NO_OP_TYPE_OR_WASNT</code>.</p>

<p>rpeep uses now consistently the local <code>o</code>, and not the global <code>PL_op</code> variable. See <a href="https://github.com/perl11/cperl/issues/219">[cperl #219]</a>.</p>

</li>
<li><p><a href="/cperl/perlapi.html#repeatcpy">&quot;repeatcpy&quot; in perlapi</a> changed the type of the 4th count argument from IV to UV.</p>

</li>
<li><p>Added a new <a href="/cperl/perlapi.html#newPADNAMEpvn_flags">&quot;newPADNAMEpvn_flags&quot; in perlapi</a> function which disables UTF8 via <code>flags</code> of <code>0</code>, a new <a href="/cperl/perlapi.html#PadnameUTF8">&quot;PadnameUTF8&quot; in perlapi</a> macro, and new <code>PADNAMEt_UTF8</code> and <code>padadd_UTF8</code> bits.</p>

</li>
<li><p>The maximal size of hashes has been reduced from 63 bit back to 32 bit on 64-bit systems, as with perl5 upstream and as with cperl-5.22. The only problem with 63 bit was the performance overhead of having to calculate 64-bit hashes for each string, which was not worth it. For overlarge hashes use tie to an external library which handle bigger sizes and external maps.</p>

<p>This affects <code>xhv_keys</code>, <code>xhv_max</code>, <code>xhv_riter</code>, <code>xhv_fill_lazy</code>, placeholders and the return values and arguments of most <code>hv_</code> functions and macros. <code>xhv_riter</code> is now a full <code>U32</code>, thus the previous tombstone value <code>-1</code> is now <code>U32_MAX</code>, so contrary to perl5 you can still iterate over the full keys range, and not just the half of it.</p>

</li>
<li><p><code>PL_maxo</code> is now tracked/incremented in <code>custom_op_register()</code>.</p>

<p>The static number of OPs is determined by the static <code>MAXO</code> definition, but users can add custom ops.</p>

<p>Note that perl5.25.4 removes the dynamic part <code>maxo</code>. We find it useful, as only <code>maxo</code> returns the number of current ops.</p>

</li>
<li><p><code>HVhek_MASK</code> is now only 0x03, sames as <code>HVhek_ENABLEHVKFLAGS</code>, which is not needed anymore.</p>

<p><code>HVhek_MASK</code> is only needed during hash collision comparisons. There we only need the 2 HEK UTF8 bits: <code>HVhek_UTF8</code> and <code>HVhek_WASUTF8</code>, but not the 3 others: UNSHARED, TAINTED, STATIC. (the 2 last being cperl-only)</p>

</li>
</ul>

<h1 id="Selected-Bug-Fixes">Selected Bug Fixes</h1>

<dl>

<dt id="No-double-free-of-_-in-loops">No double-free of $_ in loops</dt>
<dd>

<p>Fixed <a href="https://rt.perl.org/Ticket/Display.html?id=131101">[perl #131101]</a> crash with something like</p>

<pre><code>  map /x/g, (%h = (&quot;y&quot;, 0)), (%h = (&quot;y&quot;, 0))</code></pre>

<p>cperl-only</p>

</dd>
<dt id="packaging:-protect-sitelib-dirs-from-being-uninstalled">packaging: protect sitelib dirs from being uninstalled</dt>
<dd>

<p>The cperl packaging recipe in <i>do-make-cperl-release</i> allowed empty directories to be created, which is a huge problem with debian/rpm like installations, potentially removing all files and subdirectories manually installed via cpan into sitelib and sitearch when updating or removing the package.</p>

</dd>
<dt id="type-check-list-assignments-and-types">type-check list assignments and types</dt>
<dd>

<p>These list assignments now properly type check:</p>

<pre><code>  package Bla;
  my Bla @a;
  my int $i = $a[0];
  # =&gt; Type of scalar assignment to $i must be int (not Bla)
  $i = shift @a;
  # =&gt; Type of scalar assignment to $i must be int (not Bla)

  # implicit shift
  (my int $j) = @a;
  # =&gt; Type of list assignment to $j must be int (not Bla)</code></pre>

<p>i.e. we descend into many list (array/hash) ops. mderef not yet.</p>

<p>Also more builtin variables are now type-checked, such as <code>@ARGV</code> as <code>:Array(:Str)</code> and as <code>:Str</code> <code>$ARGV</code>, <code>$0</code> and <code>$^X</code>. Previously only <code>$^O</code>. These added types do now more internal type optimizations, e.g. using <code>s_eq</code> instead of the generic <code>eq</code> when comparing with constants.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/258">[cperl #258]</a>.</p>

</dd>
<dt id="d-with-tailcalls">-d with tailcalls</dt>
<dd>

<p>Implemented a workaround for the debugger (<code>-d</code>) to step into most functions with signatures. Until the root cause with debugging tailcalls is fixed, we convert back a signature to old-style assignments under the debugger. This was the only perl5 regression. See <a href="https://github.com/perl11/cperl/issues/167">[cperl #167]</a>.</p>

</dd>
<dt id="Restore-C-compatibility">Restore C++ compatibility</dt>
<dd>

<p>perl5 is compileable with recent C++ compilers, but cperl since v5.24.0c not so. We fixed more wrong goto&#39;s and wrong const declarations leading to C++ errors with <code>-fpermissive</code>, which is basically used as stricter C mode.</p>

<p>E.g. error: invalid conversion from &#39;const HEK* {aka const hek*}&#39; to &#39;HEK* {aka hek*} [-fpermissive]. error: jump to label &#39;float_ipow&#39;. crosses initialization of &#39;unsigned int diff&#39;</p>

<p>Regression since v5.24.0c, a cperl problem only. <a href="https://github.com/perl11/cperl/issues/224">[cperl #224]</a></p>

</dd>
<dt id="name-leak"><code>$-{$name}</code> leak</dt>
<dd>

<p><code> $-{$name} </code> would leak an <code>AV</code> on each access if the regular expression had no named captures. The same applies to access to any hash tied with <a href="/cperl/lib/Tie/Hash/NamedCapture.html">Tie::Hash::NamedCapture</a> and <code>all =&gt; 1</code>. <a href="https://rt.perl.org/Public/Bug/Display.html?id=130822">[perl #130822]</a></p>

</dd>
<dt id="split-under-use-unicode_strings">split &#39; &#39; under use unicode_strings</dt>
<dd>

<p><code>split &#39; &#39;</code> now handles the argument being split correctly when in the scope of the <a href="/cperl/lib/feature.html#The-unicode_strings-feature"><code>unicode_strings</code></a> feature. Previously, when a string using the single-byte internal representation contained characters that are whitespace by Unicode rules but not by ASCII rules, it treated those characters as part of fields rather than as field separators. This resolves <a href="https://rt.perl.org/Public/Bug/Display.html?id=130907">[perl #130907]</a>.</p>

</dd>
<dt id="Fix-use-after-free-or-buffer-overflow">Fix $# use after free or buffer overflow</dt>
<dd>

<p>Attempting to use the deprecated variable <code>$#</code> as the object in an indirect object method call could cause a heap use after free or buffer overflow. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129274">[perl #129274]</a></p>

</dd>
<dt id="Fix-lexer-with-indirect-object-method-calls">Fix lexer with indirect object method calls</dt>
<dd>

<p>When checking for an indirect object method call in some rare cases the parser could reallocate the line buffer but then continue to use pointers to the old buffer. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129190">[perl #129190]</a></p>

</dd>
<dt id="Forbid-glob-as-format-argument">Forbid glob as format argument</dt>
<dd>

<p>Supplying a glob as the format argument to <a href="/cperl/perlfunc.html#formline">&quot;formline&quot; in perlfunc</a> would cause an assertion failure. <a href="https://rt.perl.org/Public/Bug/Display.html?id=130722">[perl #130722]</a></p>

</dd>
<dt id="Fix-optimized-match-to-qr">Fix optimized match to qr</dt>
<dd>

<p>Code like <code> $value1 =~ qr/.../ ~~ $value2 </code> would have the match converted into a qr// operator, leaving extra elements on the stack to confuse any surrounding expression. <a href="https://rt.perl.org/Public/Bug/Display.html?id=130705">[perl #130705]</a></p>

</dd>
<dt id="Fix-pad-access-in-regex-eval-code-blocks">Fix pad access in regex eval code blocks</dt>
<dd>

<p>Since 5.24.0 in some obscure cases, a regex which included code blocks from multiple sources (e.g. via embedded via qr// objects) could end up with the wrong current pad and crash or give weird results. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129881">[perl #129881]</a></p>

</dd>
<dt id="Fix-local-in-regex-eval-code-blocks">Fix local in regex eval code blocks</dt>
<dd>

<p>Occasionally <code>local()</code>s in a code block within a patterns weren&#39;t being undone when the pattern matching backtracked over the code block. <a href="https://rt.perl.org/Public/Bug/Display.html?id=126697">[perl #126697]</a></p>

</dd>
<dt id="Fix-substr-with-a-magic-variable">Fix substr with a magic variable</dt>
<dd>

<p>Using <code>substr()</code> to modify a magic variable could access freed memory in some cases. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129340">[perl #129340]</a></p>

</dd>
<dt id="Fix-some-missing-Malformed-UTF-8-character-warnings">Fix some missing Malformed UTF-8 character warnings</dt>
<dd>

<p>Perl 5.25.9 was fixed so that under <code>use utf8</code>, the entire Perl program is checked that the UTF-8 is wellformed. It turns out that several edge cases were missed, and are now fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=126310">[perl #126310]</a> was the original ticket.</p>

</dd>
<dt id="SvREADONLY_off:-allow-calls-as-argument">SvREADONLY_off: allow calls as argument</dt>
<dd>

<p>No multiple evaluation of its argument anymore.</p>

</dd>
<dt id="ref-assert">ref assert</dt>
<dd>

<p>Fixed an assertion error with DEBUGGING builds in the <code>ref</code> op, detected with <code>-T</code> in pod testing. Turn off taint magic for the return value of <code>ref</code> with fixed ref names. <a href="https://github.com/perl11/cperl/issues/254">[cperl #254]</a>.</p>

</dd>
<dt id="c3-linerarization">c3 linerarization</dt>
<dd>

<p>Fix c3 ISA linearization with deleted ISA elements, leaving &quot;main&quot; plus an empty name.</p>

<pre><code>    cperl -Mmro=c3 -e&#39;
        @ISACLEAR::ISA=qw/XX YY ZZ/;
        $ISACLEAR::ISA[1]=undef;
        print join&quot;,&quot;,@{mro::get_linear_isa(&#39;ISACLEAR&#39;)}&#39;
    =&gt; XX,main,,ZZ # wrong</code></pre>

<p><a href="https://github.com/perl11/cperl/issues/251">[cperl #251]</a>.</p>

</dd>
<dt id="sv_dump">sv_dump</dt>
<dd>

<p>Fix and explain sv_dump (also via Devel::Peek Dump) that maxnested means also maxelems, by printing now &quot;... (skipping Elt 5-20)&quot;. <a href="https://github.com/perl11/cperl/issues/243">[cperl #243]</a>.</p>

</dd>
<dt id="use-utf8">use utf8</dt>
<dd>

<p>Under <code>use utf8</code>, the entire Perl program is now checked that the UTF-8 is wellformed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=126310">[perl #126310]</a>.</p>

</dd>
<dt id="SvIMMORTAL">SvIMMORTAL</dt>
<dd>

<p>Handle SvIMMORTALs in LHS of list assign. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129991">[perl #129991]</a></p>

</dd>
<dt id="user-defined-Unicode-properties-broke-texinfo">user-defined Unicode properties broke texinfo</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=130010">[perl #130010]</a> a5540cf breaks texinfo</p>

<p>This involved user-defined Unicode properties.</p>

</dd>
<dt id="Fix-error-message-for-unclosed-N-in-regcomp">Fix error message for unclosed <code>\N{</code> in regcomp.</dt>
<dd>

<p>An unclosed <code>\N{</code> could give the wrong error message <code>&quot;\N{NAME} must be resolved by the lexer&quot;</code>.</p>

</dd>
<dt id="Fix-scalar-lvalues-in-list-assignment">Fix scalar lvalues in list assignment</dt>
<dd>

<p>List assignment in list context where the LHS contained aggregates and where there were not enough RHS elements, used to skip scalar lvalues. Previously, <code>(($a,$b,@c,$d) = (1))</code> in list context returned <code>($a)</code>; now it returns <code>($a,$b,$d)</code>. <code>(($a,$b,$c) = (1))</code> is unchanged: it still returns <code>($a,$b,$c)</code>. This can be seen in the following:</p>

<pre><code>    sub inc { $_++ for @_ }
    inc(($a,$b,@c,$d) = (10))</code></pre>

<p>Formerly, the values of <code>($a,$b,$d)</code> would be left as <code>(11,undef,undef)</code>; now they are <code>(11,1,1)</code>.</p>

</dd>
<dt id="Fix-s">Fix /(?{ s!!! })/</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129903">[perl #129903]</a></p>

<p>The basic problem is that code like this: /(?{ s!!! })/ can trigger infinite recursion on the C stack (not the normal perl stack) when the last successful pattern in scope is itself. Since the C stack overflows this manifests as an untrappable error/segfault, which then kills perl.</p>

<p>We avoid the segfault by simply forbidding the use of the empty pattern when it would resolve to the currently executing pattern.</p>

</dd>
<dt id="Fix-utf8-parsing">Fix utf8 parsing</dt>
<dd>

<p>Avoid reading beyond the end of the line buffer when there&#39;s a short UTF-8 character at the end. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128997">[perl #128997]</a></p>

</dd>
<dt id="Fix-firstchar-bitmap-under-utf8-with-prefix-optimisation">Fix firstchar bitmap under utf8 with prefix optimisation.</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129950">[perl #129950]</a></p>

</dd>
<dt id="Carp-t-arg_string.t:-be-liberal-in-f-p-formats"><i>Carp/t/arg_string.t</i>: be liberal in f/p formats.</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129954">[perl #129954]</a></p>

</dd>
<dt id="Make-do-a-0b-fail-silently-instead-of-throwing">Make <code>do &quot;a\0b&quot;</code> fail silently instead of throwing.</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129928">[perl #129928]</a></p>

</dd>
<dt id="Fix-nested-forward-sub-declarations">Fix nested forward sub declarations</dt>
<dd>

<p>A sub containing a &quot;forward&quot; declaration with the same name (e.g., <code>sub c { sub c; }</code>) could sometimes crash or loop infinitely. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129090">[perl #129090]</a></p>

</dd>
<dt id="regex-crash-utf8-utf8">regex crash utf8 =~ utf8</dt>
<dd>

<p>A crash in executing a regex with a floating UTF-8 substring against a target string that also used UTF-8 has been fixed.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129350">[perl #129350]</a></p>

</dd>
<dt id="perl--i-u-vs.--u">#!perl -i u vs. -u</dt>
<dd>

<p>Previously, a shebang line like <code>#!perl -i u</code> could be erroneously interpreted as requesting the <code>-u</code> option. This has been fixed.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129336">[perl #129336]</a></p>

</dd>
<dt id="Wrong-regex-backtracking">Wrong regex backtracking</dt>
<dd>

<p>The regex engine was previously producing incorrect results in some rare situations when backtracking past a trie that matches only one thing; this showed up as capture buffers (<code>$1</code>, <code>$2</code>, etc) erroneously containing data from regex execution paths that weren&#39;t actually executed for the final match. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129897">[perl #129897]</a></p>

</dd>
<dt id="regex_sets-assertions">regex_sets assertions</dt>
<dd>

<p>Certain regexes making use of the experimental <code>regex_sets</code> feature could trigger an assertion failure. This has been fixed.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129322">[perl #129322]</a></p>

</dd>
<dt id="Invalid-ref-assignments">Invalid ref assignments</dt>
<dd>

<p>Invalid assignments to a reference constructor (e.g., <code>\eval=time</code>) could sometimes crash in addition to giving a syntax error. <a href="https://rt.perl.org/Public/Bug/Display.html?id=125679">[perl #125679]</a></p>

</dd>
<dt id="evalbytes-bareword-crash">evalbytes bareword crash</dt>
<dd>

<p>The parser could sometimes crash if a bareword came after <code>evalbytes</code>. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129196">[perl #129196]</a></p>

</dd>
<dt id="Wrong-Use-of-inherited-AUTOLOAD-for-non-method-warning">Wrong Use of inherited AUTOLOAD for non-method warning</dt>
<dd>

<p>Autoloading via a method call would warn erroneously (&quot;Use of inherited AUTOLOAD for non-method&quot;) if there was a stub present in the package into which the invocant had been blessed. The warning is no longer emitted in such circumstances. <a href="https://rt.perl.org/Public/Bug/Display.html?id=47047">[perl #47047]</a></p>

</dd>
<dt id="Fix-crash-with-illegal-splice">Fix crash with illegal splice</dt>
<dd>

<p>The use of <code>splice</code> on arrays with nonexistent elements could cause other operators to crash. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129164">[perl #129164]</a></p>

</dd>
<dt id="Fix-re_untuit_start-overflow">Fix re_untuit_start overflow</dt>
<dd>

<p>Fixed case where <code>re_untuit_start</code> will overshoot the length of a utf8 string. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129012">[perl #129012]</a></p>

</dd>
<dt id="Improve-deb_stack_all">Improve deb_stack_all</dt>
<dd>

<p>Handle <code>CXt_SUBST</code> better in <code>Perl_deb_stack_all</code>, previously it wasn&#39;t checking that the <i>current</i> <code>cx</code> is the right type, and instead was always checking the base <code>cx</code> (effectively a noop). <a href="https://rt.perl.org/Public/Bug/Display.html?id=129029">[perl #129029]</a></p>

</dd>
<dt id="Fixed-some-UAF-bugs-in-yylex">Fixed some UAF bugs in yylex</dt>
<dd>

<p>Fixed two possible use-after-free bugs in <code>Perl_yylex</code>. <code>Perl_yylex</code> maintains up to two pointers into the parser buffer, one of which can become stale under the right conditions.</p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129069">[perl #129069]</a></p>

</dd>
<dt id="Fixed-s-l-crash-with-utf8">Fixed s///l crash with utf8</dt>
<dd>

<p>Fixed a crash with <code>s///l</code> where it thought it was dealing with UTF-8 when it wasn&#39;t. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129038">[perl #129038]</a></p>

</dd>
<dt id="Unexpected-binary-operator-with-no-preceding-operand-in-regex">Unexpected binary operator &#39;+&#39; with no preceding operand in regex</dt>
<dd>

<p>Fixed place where regex was not setting the syntax error correctly. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129122">[perl #129122]</a></p>

</dd>
<dt id="Fixed-.-assert-with-utf8-and-missing-nul-byte">Fixed &amp;. assert with utf8 and missing nul byte</dt>
<dd>

<p>The <code>&amp;.</code> operator (and the <code>&amp;</code> operator, when it treats its arguments as strings) were failing to append a trailing null byte if at least one string was marked as utf8 internally. Many code paths (system calls, regexp compilation) still expect there to be a null byte in the string buffer just past the end of the logical string. An assertion failure was the result. <a href="https://rt.perl.org/Public/Bug/Display.html?id=129287">[perl #129287]</a></p>

</dd>
<dt id="Check-pack_sockaddr_un">Check pack_sockaddr_un</dt>
<dd>

<p>Check <code>pack_sockaddr_un()</code>&#39;s return value because <code>pack_sockaddr_un()</code> silently truncates the supplied path if it won&#39;t fit into the <code>sun_path</code> member of <code>sockaddr_un</code>. This may change in the future, but for now check the path in the<code>sockaddr</code> matches the desired path, and skip if it doesn&#39;t. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128095">[perl #128095]</a></p>

</dd>
<dt id="Fix-scan_heredoc">Fix scan_heredoc</dt>
<dd>

<p>Make sure <code>PL_oldoldbufptr</code> is preserved in <code>scan_heredoc()</code>. In some cases this is used in building error messages. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128988">[perl #128988]</a></p>

</dd>
<dt id="Fix-IN_LC">Fix IN_LC</dt>
<dd>

<p>Check for null PL_curcop in IN_LC() <a href="https://rt.perl.org/Public/Bug/Display.html?id=129106">[perl #129106]</a></p>

</dd>
<dt id="Fix-parser-error-with-:attr-foo">Fix parser error with :attr(foo</dt>
<dd>

<p>Fixed the parser error handling for an &#39;<code>:attr(foo</code>&#39; that does not have an ending &#39;<code>)</code>&#39;.</p>

</dd>
<dt id="Fix-delimcpy">Fix delimcpy</dt>
<dd>

<p>Fix <code>Perl_delimcpy()</code> to handle a backslash as last char, this actually fixed two bugs, <a href="https://rt.perl.org/Public/Bug/Display.html?id=129176">[perl #129064]</a> and <a href="https://rt.perl.org/Public/Bug/Display.html?id=129176">[perl #129176]</a>.</p>

</dd>
<dt id="Fix-gv_fetchmethod_pvn_flags-seperator-parsing">Fix gv_fetchmethod_pvn_flags seperator parsing</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129267">[perl #129267]</a> rework gv_fetchmethod_pvn_flags separator parsing to prevent possible string overrun with invalid len in gv.c</p>

</dd>
<dt id="Fix-some-in-place-array-sorts-cases">Fix some in-place array sorts cases</dt>
<dd>

<p>Problems with in-place array sorts: code like <code>@a = sort { ... } @a</code>, where the source and destination of the sort are the same plain array, are optimised to do less copying around. Two side-effects of this optimisation were that the contents of <code>@a</code> as visible to to sort routine were partially sorted, and under some circumstances accessing <code>@a</code> during the sort could crash the interpreter. Both these issues have been fixed, and Sort functions see the original value of <code>@a</code>.</p>

</dd>
<dt id="Wrong-Attempt-to-pack-pointer-to-temporary-value-warning">Wrong Attempt to pack pointer to temporary value warning</dt>
<dd>

<p><code>pack(&quot;p&quot;, ...)</code> used to emit its warning (&quot;Attempt to pack pointer to temporary value&quot;) erroneously in some cases, but has been fixed.</p>

</dd>
<dt id="Wrong-used-once-warning-in-the-debugger">Wrong used once warning in the debugger</dt>
<dd>

<p><code>@DB::args</code> is now exempt from &quot;used once&quot; warnings. The warnings only occurred under <b>-w</b>, because <i>warnings.pm</i> itself uses <code>@DB::args</code> multiple times.</p>

</dd>
<dt id="Wrong-Possible-unintended-interpolation...-warnings">Wrong Possible unintended interpolation... warnings</dt>
<dd>

<p>The use of built-in arrays or hash slices in a double-quoted string no longer issues a warning (&quot;Possible unintended interpolation...&quot;) if the variable has not been mentioned before. This affected code like <code>qq|@DB::args|</code> and <code>qq|@SIG{&#39;CHLD&#39;, &#39;HUP&#39;}|</code>. (The special variables <code>@-</code> and <code>@+</code> were already exempt from the warning.)</p>

</dd>
<dt id="Fixed-gethostent-checks-for-NUL-bytes-regression">Fixed gethostent checks for NUL bytes regression</dt>
<dd>

<p><code>gethostent</code> and similar functions now perform a null check internally, to avoid crashing with torsocks. This was a regression from 5.22. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128740">[perl #128740]</a></p>

</dd>
<dt id="Fix-some-defined-typeglob-leaks">Fix some defined typeglob leaks</dt>
<dd>

<p><code>defined *{&#39;!&#39;}</code>, <code>defined *{&#39;[&#39;}</code>, and <code>defined *{&#39;-&#39;}</code> no longer leak memory if the typeglob in question has never been accessed before.</p>

</dd>
<dt id="fchown">fchown</dt>
<dd>

<p>In 5.25.4 <code>fchown()</code> was changed not to accept negative one as an argument because in some platforms that is an error. However, in some other platforms that is an acceptable argument. This change has been reverted <a href="https://rt.perl.org/Public/Bug/Display.html?id=128967">[perl #128967]</a>.</p>

</dd>
<dt id="Wrong-constant-assertion-with-sub-ub-0-ub-ub">Wrong constant assertion with sub ub(){0} ub ub</dt>
<dd>

<p>Mentioning the same constant twice in a row (which is a syntax error) no longer fails an assertion under debugging builds. This was a regression from 5.20. <a href="https://rt.perl.org/Public/Bug/Display.html?id=126482">[perl #126482]</a></p>

</dd>
<dt id="Many-hexadecimal-floating-point-printing-fixes">Many hexadecimal floating point printing fixes</dt>
<dd>

<p>Many issues relating to <code>printf &quot;%a&quot;</code> of hexadecimal floating point were fixed. In addition, the &quot;subnormals&quot; (formerly known as &quot;denormals&quot;) floating point anumbers are now supported both with the plain IEEE 754 floating point numbers (64-bit or 128-bit) and the x86 80-bit &quot;extended precision&quot;. Note that subnormal hexadecimal floating point literals will give a warning about &quot;exponent underflow&quot;. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128843">[perl #128843]</a>, <a href="https://rt.perl.org/Public/Bug/Display.html?id=128889">[perl #128889]</a>, <a href="https://rt.perl.org/Public/Bug/Display.html?id=128890">[perl #128890]</a>, <a href="https://rt.perl.org/Public/Bug/Display.html?id=128893">[perl #128893]</a>, <a href="https://rt.perl.org/Public/Bug/Display.html?id=128909">[perl #128909]</a>, <a href="https://rt.perl.org/Public/Bug/Display.html?id=128919">[perl #128919]</a>.</p>

</dd>
<dt id="tr-N-U-...-foo-regression">tr/\N{U+...}/foo/ regression</dt>
<dd>

<p>A regression in 5.24 with <code>tr/\N{U+...}/foo/</code> when the code point was between 128 and 255 has been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128734">[perl #128734]</a>.</p>

</dd>
<dt id="S__invlist_len-assertion">S__invlist_len assertion</dt>
<dd>

<p>A regression from the previous development release, 5.23.3, where compiling a regular expression could crash the interpreter has been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128686">[perl #128686]</a>.</p>

</dd>
<dt id="Invalid-utf8-string-delimiters">Invalid utf8 string delimiters</dt>
<dd>

<p>Use of a string delimiter whose code point is above 2**31 now works correctly on platforms that allow this. Previously, certain characters, due to truncation, would be confused with other delimiter characters with special meaning (such as <code>?</code> in <code>m?...?</code>), resulting in inconsistent behaviour. Note that this is non-portable, and is based on Perl&#39;s extension to UTF-8, and is probably not displayable nor enterable by any editor. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128738">[perl #128738]</a></p>

</dd>
<dt id="x-n-crash">@{x\n crash</dt>
<dd>

<p><code>@{x</code> followed by a newline where <code>x</code> represents a control or non-ASCII character no longer produces a garbled syntax error message or a crash. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128951">[perl #128951]</a></p>

</dd>
<dt id="assertion">%: = 0 assertion</dt>
<dd>

<p>An assertion failure with <code>%: = 0</code> has been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128238">[perl #128238]</a></p>

</dd>
<dt id="foo::-bar-vs-foo-::-bar-5.18-parsing-regression">&quot;$foo::$bar&quot; vs &quot;$foo\::$bar&quot; 5.18 parsing regression</dt>
<dd>

<p>In Perl 5.18, the parsing of <code>&quot;$foo::$bar&quot;</code> was accidentally changed, such that it would be treated as <code>$foo.&quot;::&quot;.$bar</code>. The previous behavior, which was to parse it as <code>$foo:: . $bar</code>, has been restored. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128478">[perl #128478]</a></p>

</dd>
<dt id="x-off-by-one-5.20-regression">-x off by one 5.20 regression</dt>
<dd>

<p>Since Perl 5.20, line numbers have been off by one when perl is invoked with the <b>-x</b> switch. This has been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128508">[perl #128508]</a></p>

</dd>
<dt id="delete-My::-Foo::-My::Foo::foo-no-longer-crashes">delete $My::{&quot;Foo::&quot;}; \&amp;My::Foo::foo no longer crashes</dt>
<dd>

<p>Vivifying a subroutine stub in a deleted stash (e.g., <code>delete $My::{&quot;Foo::&quot;}; \&amp;My::Foo::foo</code>) no longer crashes. It had begun crashing in Perl 5.18. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128532">[perl #128532]</a></p>

</dd>
<dt id="Wrong-sub-and-filehandle-deletion-crashes">Wrong sub and filehandle deletion crashes</dt>
<dd>

<p>Some obscure cases of subroutines and file handles being freed at the same time could result in crashes, but have been fixed. The crash was introduced in Perl 5.22. The cperl fix doesn&#39;t hurt run-time performance as the perl5.26 fix does. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128597">[perl #128597]</a></p>

</dd>
<dt id="No-ISA-0-0-assertion">No $ISA[0][0] assertion</dt>
<dd>

<p>Code that looks for a variable name associated with an uninitialized value could cause an assertion in cases where magic is involved, such as <code>$ISA[0][0]</code>. This has now been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128253">[perl #128253]</a></p>

</dd>
<dt id="No-Subroutine-STASH::NAME-redefined-crash">No Subroutine STASH::NAME redefined crash</dt>
<dd>

<p>A crash caused by code generating the warning &quot;Subroutine STASH::NAME redefined&quot; in cases such as <code>sub P::f{} undef *P::; *P::f =sub{};</code> has been fixed. In these cases, where the STASH is missing, the warning will now appear as &quot;Subroutine NAME redefined&quot;. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128257">[perl #128257]</a></p>

</dd>
<dt id="No-format-deprecation-assertions">No format deprecation assertions</dt>
<dd>

<p>Fixed an assertion triggered by some code that handles deprecated behavior in formats, e.g. in cases like this:</p>

<pre><code>    format STDOUT =
    @
    0&quot;$x&quot;</code></pre>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128255">[perl #128255]</a></p>

</dd>
<dt id="Fixed-divide-by-zero-crash-on-windows-with-collate">Fixed divide by zero crash on windows with collate</dt>
<dd>

<p>A possible divide by zero in string transformation code on Windows has been avoided, fixing a crash when collating an empty string. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128618">[perl #128618]</a></p>

</dd>
<dt id="Fixed-assertions-with-or">Fixed assertions with /(?&lt;=/ or /(?&lt;!/</dt>
<dd>

<p>Some regular expression parsing glitches could lead to assertion failures with regular expressions such as <code>/(?&lt;=/</code> and <code>/(?&lt;!/</code>. This has now been fixed. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128170">[perl #128170]</a></p>

</dd>
<dt id="Non-ASCII-string-delimiters-are-now-reported-correctly-in-error-messages-for-unterminated-strings">Non-ASCII string delimiters are now reported correctly in error messages for unterminated strings</dt>
<dd>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128701">[perl #128701]</a></p>

</dd>
<dt id="Allow-lvalue-keys-hash">Allow lvalue keys %hash</dt>
<dd>

<p>Scalar <code>keys %hash</code> can now be assigned to consistently in all scalar lvalue contexts. Previously it worked for some contexts but not others.</p>

</dd>
<dt id="Fixed-vec-h-0-1-substr-h-0">Fixed ${\vec %h, 0, 1}, ${\substr %h, 0}</dt>
<dd>

<p><code> ${\vec %h, 0, 1} </code> and <code> ${\substr %h, 0} </code> do not segfault anymore, rather the lvalue context is propagated, and list context properly handled. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128260">[perl #128260]</a></p>

</dd>
<dt id="Fixed-the-range-unicode-bug">Fixed the range unicode bug</dt>
<dd>

<p>When the right side of the range is a UTF-8 encoded string, but the left side not, downgrade the right side to native octets. E.g.</p>

<pre><code>    my $r = chr 255; utf8::upgrade $r; my $num = (&quot;a&quot; .. $r);
    print $num</code></pre>

<p>should print 26 but does 702, because the utf-8 repr. of <code>\x{ff}</code> is <code>&quot;\303\277&quot; [UTF8 &quot;\x{ff}&quot;]</code>, and the range was incremented from &quot;a&quot; to &quot;\x{c3}\x{bf}&quot; instead. See <a href="https://github.com/perl11/cperl/issues/218">[cperl #218]</a>.</p>

</dd>
<dt id="Fixed--Duseshrplib-a-shared-libcperl.-so">Fixed -Duseshrplib, a shared libcperl.$so</dt>
<dd>

<p>Fixed several issues with <code>-Duseshrplib</code>, a shared <i>libcperl.$so</i>: install it (!!), fix ExtUtils::Embed and B-C compilation and testing, fix tests on darwin, fix configuration probe of Term::ReadKey.</p>

</dd>
<dt id="Fixed-sv_dump-of-VALID-EVALED">Fixed sv_dump of VALID,EVALED</dt>
<dd>

<p>Fixed <code>sv_dump</code> of fbm-magic strings which did previously contain the wrong &quot;VALID,EVALED&quot; string for a flag which is either VALID or EVALED. cperl only.</p>

</dd>
<dt id="Fixed-cperl-signatures-with-default-blocks">Fixed cperl signatures with default blocks</dt>
<dd>

<p>Fixed a cperl-only failure in signatures with default blocks introducing a new lexical variable. As in <code>sub t151($a,$b=do{my $f},$c=1){} t151($x,$x,$x)</code>. This failure was only fatal on 32bit + -Duse64bitint systems.</p>

<p><code>SIGNATURE_arg_default_op</code> does not have a items arg. See <a href="https://github.com/perl11/cperl/issues/164">[cperl #164]</a>. and <a href="https://github.com/perl11/cperl/issues/213">[cperl #213]</a>.</p>

</dd>
<dt id="v-strings-with-a-c-suffix-can-now-be-parsed-natively">v-strings with a &#39;c&#39; suffix can now be parsed natively</dt>
<dd>

<p>In <code>scan_vstring()</code>. See <a href="https://github.com/perl11/cperl/issues/211">[cperl #211]</a>.</p>

</dd>
<dt id="More-I32-IV-SSize_t-fixes">More <b>I32/IV/SSize_t fixes</b></dt>
<dd>

<p>against huge data (2GB) overflows on 64bit.</p>

<p>We are now in a 64bit world and need to get rid of all the wrong 32bit (2GB) size limits. Some of these fixes seem to be even security relevant, as in the last 2GB series from <a href="https://github.com/perl11/cperl/issues/123">[cperl #123]</a>.</p>

<p>chop/chomp of only half of overlarge arrays.</p>

<p>Or ~&quot;a&quot;x2G complement of overlarge strings, silently processing only the half - as with overlong hash keys.</p>

<p>There was also a smartmatch Array - CodeRef rule, which passed only over half the array elements. The Hash part was also wrong, but the wrong number was not used.</p>

<p>regex match group of &gt;2GB string len.</p>

<p>Allow repeat count &gt;2GB and don&#39;t silently cap it at IV_MAX. Which was at least better then silent wrap around.</p>

<p>Missing optimization of inplace substitution via clen overflow.</p>

</dd>
<dt id="Fixed-several-heap-buffer-overflows-detected-by-asan">Fixed several <b>heap-buffer-overflows</b> detected by asan</dt>
<dd>

<p>use-after-free in Dynaloader (ReadKey probe with -DDEBUG_LEAKING_SCALAR), heap-overflow in gv_fetchfile (t/comp/parser.t), heap-overflow with signatures, heap-overflow in XSLoader, invalid memEQc in toke.c missing out on parsing #!perl -opts, B-C global-buffer-overflow with dynamic COW strings, wrong savepvn args.</p>

<p>There are still heap-use-after-free problems with perlcc and PERL_DESTRUCT_LEVEL=2.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/207">[cperl #207]</a></p>

</dd>
<dt id="Fix--DNODEFAULT_SHAREKEYS-regression-from-5.9">Fix -DNODEFAULT_SHAREKEYS regression from 5.9</dt>
<dd>

<p>Fixed overwriting the <code>HVhek_UNSHARED</code> bit in the hash loop broken with v5.9.</p>

<p>This fixed <code>-DNODEFAULT_SHAREKEYS</code>. In the default configuration without NODEFAULT_SHAREKEYS since 5.003_001 all hash keys are stored twice, once in the hash and once again in <code>PL_strtab</code>, the global string table, with the benefit of faster hash loops and copies. Almost all hashtables get the SHAREKEYS bit. With <code>-Accflags=-DNODEFAULT_SHAREKEYS</code> simple scripts are 20-30% faster. <a href="https://github.com/perl11/cperl/issues/201">[cperl #201]</a></p>

</dd>
<dt id="Fix-HEK_TAINTED-check-for-HEf_SVKEY-values">Fix HEK_TAINTED check for HEf_SVKEY values</dt>
<dd>

<p>A HEf_SVKEY hek has no tainted flag, the pointed to SV has. This is a cperl-only security feature.</p>

</dd>
<dt id="Only-clear-LS_COLORS-for-glob">Only clear LS_COLORS for glob</dt>
<dd>

<p>When miniperl calls csh to implement glob(), we cleared %ENV temporarily to avoid csh dying on invalid values for things like LS_COLORS. That has proven to have far too many problems, since many system-dependent env vars are necessary for calling an external process. See the <a href="https://rt.perl.org/Public/Bug/Display.html?id=126041">[perl #126041]</a> ticket for details.</p>

<p>A better solution is temporarily to clear only those vars that are known to be problematic and make csh possibly fail. There only hap- pens to be one of those at present, namely LS_COLORS.</p>

</dd>
<dt id="Fixed-error-in-error-during-global-destruction">Fixed error in error during global destruction</dt>
<dd>

<p>A SEGV in mess_sv during global destruction with a DEBUGGING perl and -DS been fixed, occuring when we wanted to report the location of an error when curcop has already been freed.</p>

<p>Testcase: <code>./miniperl -DS -e &#39;$_=&quot;f&quot;; s/./&quot;&amp;&quot;.$&amp;/ee&#39;</code></p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=129027">[perl #129027]</a></p>

</dd>
<dt id="Fixed-ck_chift-segfault">Fixed ck_chift segfault</dt>
<dd>

<p>A SEGV in ck_shift with an empty/wrong current function, caused by a syntax error has been fixed. The syntax error is now reported lateron. Testcase: <code>&#39;qq{@{sub{q}}]]}}; s0{shift&#39;</code></p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=125351">[perl #125351]</a></p>

</dd>
<dt id="Handle-missing-Unicode-heredoc-terminators-correctly">Handle missing Unicode heredoc terminators correctly</dt>
<dd>

<p>E.g. <code>perl -CS -e &#39;use utf8; q&laquo;&#39;</code> prints now <code>Can&#39;t find string terminator &quot;&laquo;&quot; anywhere before EOF at -e line 1.</code></p>

<p><a href="https://rt.perl.org/Public/Bug/Display.html?id=128701">[perl #128701]</a></p>

</dd>
<dt id="Syntax-warnings-with-until-x-1">Syntax warnings with until ($x = 1) { ... }</dt>
<dd>

<p><code> until ($x = 1) { ... } </code> and <code> ... until $x = 1 </code> now properly warn when syntax warnings are enabled. <a href="https://rt.perl.org/Public/Bug/Display.html?id=127333">[perl #127333]</a></p>

</dd>
<dt id="Fixed-require-:-parsing">Fixed require : parsing</dt>
<dd>

<p><code>require</code> followed by a single colon (as in <code>foo() ? require : ...</code> is now parsed correctly as <code>require</code> with implicit <code>$_</code>, rather than <code>require &quot;&quot;</code>. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128307">[perl #128307]</a></p>

</dd>
</dl>

<h1 id="Known-Problems">Known Problems</h1>

<p>For open cperl problems see <a href="https://github.com/perl11/cperl/issues/">[issues]</a>.</p>

<p>Some of these fixes also can to be backported from perl5.25.x upstream.</p>

<ul>

<li><p>The perl debugger doesn&#39;t yet work fully with signatures. See e.g. <a href="https://github.com/perl11/cperl/issues/167">[cperl #167]</a></p>

</li>
<li><p><i>t/op/taint.t</i> contained a test with signatures and 6 default arguments, which on some 32 bit systems led to random &quot;Reference parameter cannot take default value at op/taint.t line 2461&quot; compile-time failures. This test has been rewritten to ony use 4 arguments.</p>

<p>See <a href="https://github.com/perl11/cperl/issues/164">[cperl #164]</a></p>

</li>
<li><p><code>clang -flto=thin</code> and on some systems even <code>gcc -flto</code> with <code>-O3</code> or <code>-finline</code> leads to invisible symbols which were inlined and not exported, even if they should be declared as public API. Work is ongoing in the <i>feature/gh186-lto-thin</i> branch, but there the inlining is disabled by the <code>used</code> attribute, leading to a 10% performance regression. On the other hand a working <code>clang-3.9 -flto</code> leads to 20% performance improvements.</p>

</li>
<li><p><code> until ($x = 1) { ... } </code> and <code> ... until $x = 1 </code> should warn when syntax warnings are enabled. <a href="https://rt.perl.org/Public/Bug/Display.html?id=127333">[perl #127333]</a></p>

</li>
<li><p><code> ${\vec %h, 0, 1} </code> and <code> ${\substr %h, 0} </code> should not segfault, rather the lvalue context should be propagated, and list context properly handled. <a href="https://rt.perl.org/Public/Bug/Display.html?id=128260">[perl #128260]</a></p>

</li>
</ul>

<h1 id="Errata-From-Previous-Releases">Errata From Previous Releases</h1>

<ul>

<li><p>Parsing bad POSIX charclasses no longer leaks memory. This was fixed in Perl 5.25.2 <a href="https://rt.perl.org/Public/Bug/Display.html?id=128313">[perl #128313]</a></p>

</li>
<li><p>Fixed issues with recursive regexes. The behavior was fixed in Perl 5.24.0. <a href="https://rt.perl.org/Public/Bug/Display.html?id=126182">[perl #126182]</a></p>

</li>
</ul>

<h1 id="Obituary">Obituary</h1>

<p>Jon Portnoy (AVENJ), a prolific Perl author and admired Gentoo community member, has passed away on August 10, 2016. He will be remembered and missed by all those with which he came in contact and enriched with his intellect, wit, and spirit.</p>

<h1 id="Acknowledgements">Acknowledgements</h1>

<p>cperl 5.26.0 represents approximately 1 year of development since Perl 5.24.2c and contains approximately 420,000 lines of changes across 2,800 files from 75 authors.</p>

<p>Excluding auto-generated files, documentation and release tools, there were approximately 260,000 lines of changes to 1,900 .pm, .t, .c and .h files.</p>

<p>The following people are known to have contributed the improvements that became cperl 5.26.0:</p>

<p>Reini Urban, Karl Williamson, David Mitchell, Father Chrysostomos, Yves Orton, Jarkko Hietaniemi, Aaron Crane, Tony Cook, Abigail, Dan Collins, Lukas Mai, Craig A. Berry, James E Keenan, Hugo van der Sanden, Andy Lester, Dagfinn Ilmari Manns&aring;ker, Jim Cromie, Matthew Horsfall, Sawyer X, Aristotle Pagaltzis, H.Merijn Brand, Daniel Dragan, Steve Hay, Niko Tyni, Pali, Zefram, Dominic Hargreaves, Chris &#39;BinGOs&#39; Williams, Renee Baecker, Ricardo Signes, E. Choroba, Petr P&iacute;sa&#x159;, Steffen M&uuml;ller, John Lightsey, Nicolas Rochelemagne, Karen Etheridge, Shlomi Fish, Dave Rolsky, Smylers, Christian Hansen, Yaroslav Kuzmin, Misty De Meo, &AElig;var Arnfj&ouml;r&eth; Bjarmason, Alex Vandiver, Stefan Seifert, Tomasz Konojacki, James Raspass, Ed Avis, Steven Humphrey, Neil Bowers, Rafael Garcia-Suarez, Theo Buehler, Thomas Sibley, Doug Bell, Jerry D. Hedden, Samuel Thibault, Unicode Consortium, J. Nick Koston, Colin Newell, Sergey Aleynikov, Leon Timmermans, Maxwell Carey, Christian Millour, Chase Whitener, Pino Toscano, Peter Avalos, Salvador Fandi&ntilde;o, Dave Cross, Andrew Fresh, Andreas Voegele, Hauke D, Rick Delaney, Fran&ccedil;ois Perrad, Richard Levitte, vendethiel.</p>

<p>The list above is almost certainly incomplete as it is automatically generated from version control history. In particular, it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.</p>

<p>Many of the changes included in this version originated in the CPAN modules included in Perl&#39;s core. We&#39;re grateful to the entire CPAN community for helping Perl to flourish.</p>

<p>For a more complete list of all of Perl&#39;s historical contributors, please see the <i>AUTHORS</i> file in the Perl source distribution.</p>

<p>Generated with:</p>

<pre><code>    cperl Porting/acknowledgements.pl cperl-5.24.2..HEAD</code></pre>

<h1 id="Reporting-Bugs">Reporting Bugs</h1>

<p>If you find what you think is a bug, you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at <a href="https://rt.perl.org/">https://rt.perl.org/</a> . There may also be information at <a href="http://www.perl.org/">http://www.perl.org/</a> , the Perl Home Page.</p>

<p>If you believe you have an unreported bug, please run the <a>perlbug</a> program included with your release. Be sure to trim your bug down to a tiny but sufficient test case. Your bug report, along with the output of <code>perl -V</code>, will be sent off to perlbug@perl.org to be analysed by the Perl porting team.</p>

<p>If you think it&#39;s a cperl specific bug or trust the cperl developers more please file an issue at <a href="https://github.com/perl11/cperl/issues">https://github.com/perl11/cperl/issues</a>.</p>

<p>If the bug you are reporting has security implications which make it inappropriate to send to a publicly archived mailing list, then see <a href="/cperl/perlsec.html#SECURITY-VULNERABILITY-CONTACT-INFORMATION">&quot;SECURITY VULNERABILITY CONTACT INFORMATION&quot; in perlsec</a> For details of how to report the issue.</p>

<h1 id="SEE-ALSO">SEE ALSO</h1>

<p>The <i>Changes</i> file for an explanation of how to view exhaustive details on what changed.</p>

<p>The <i>INSTALL</i> file for how to build Perl.</p>

<p>The <i>README</i> file for general stuff.</p>

<p>The <i>Artistic</i> and <i>Copying</i> files for copyright information.</p>


</body>

</html>