You are viewing the version of this documentation from Perl 5.40.0. View the latest version



perlhacktips - Tips for Perl core C code hacking


This document will help you learn the best way to go about hacking on the Perl core C code. It covers common problems, debugging, profiling, and more.

If you haven't read perlhack and perlhacktut yet, you might want to do that first.


Perl source now permits some specific C99 features which we know are supported by all platforms, but mostly plays by ANSI C89 rules. You don't care about some particular platform having broken Perl? I hear there is still a strong demand for J2EE programmers.

Perl environment problems


Starting from 5.35.5 we now permit some C99 features in the core C source. However, code in dual life extensions still needs to be C89 only, because it needs to compile against earlier version of Perl running on older platforms. Also note that our headers need to also be valid as C++, because XS extensions written in C++ need to include them, hence member structure initialisers can't be used in headers.

C99 support is still far from complete on all platforms we currently support. As a baseline we can only assume C89 semantics with the specific C99 features described below, which we've verified work everywhere. It's fine to probe for additional C99 features and use them where available, providing there is also a fallback for compilers that don't support the feature. For example, we use C11 thread local storage when available, but fall back to POSIX thread specific APIs otherwise, and we use char for booleans if <stdbool.h> isn't available.

Code can use (and rely on) the following C99 features being present

Code explicitly should not use any other C99 features. For example

If you want to use a C99 feature not listed above then you need to do one of

Likely you want to repeat the same plan as we used to get the current C99 feature set. See the message at for the C99 probes we used before. Note that the two most "fussy" compilers appear to be MSVC and the vendor compiler on VMS. To date all the *nix compilers have been far more flexible in what they support.

On *nix platforms, Configure attempts to set compiler flags appropriately. All vendor compilers that we tested defaulted to C99 (or C11) support. However, older versions of gcc default to C89, or permit most C99 (with warnings), but forbid declarations in for loops unless -std=gnu99 is added. The alternative -std=c99 might seem better, but using it on some platforms can prevent <unistd.h> declaring some prototypes being declared, which breaks the build. gcc's -ansi flag implies -std=c89 so we can no longer set that, hence the Configure option -gccansipedantic now only adds -pedantic.

The Perl core source code files (the ones at the top level of the source code distribution) are automatically compiled with as many as possible of the -std=gnu99, -pedantic, and a selection of -W flags (see cflags.SH). Files in ext/ dist/ cpan/ etc are compiled with the same flags as the installed perl would use to compile XS extensions.

Basically, it's safe to assume that Configure and cflags.SH have picked the best combination of flags for the version of gcc on the platform, and attempting to add more flags related to enforcing a C dialect will cause problems either locally, or on other systems that the code is shipped to.

We believe that the C99 support in gcc 3.1 is good enough for us, but we don't have a 19 year old gcc handy to check this :-) If you have ancient vendor compilers that don't default to C99, the flags you might want to try are







Symbol Names and Namespace Pollution

C reserves for its implementation any symbol whose name begins with an underscore followed immediately by either an uppercase letter [A-Z] or another underscore. C++ further reserves any symbol containing two consecutive underscores, and further reserves in the global name space any symbol beginning with an underscore, not just ones followed by a capital. We care about C++ because header files (*.h) need to be compilable by it, and some people do all their development using a C++ compiler.

The consequences of failing to do this are probably none. Unless you stumble on a name that the implementation uses, things will work. Indeed, the perl core has more than a few instances of using implementation-reserved symbols. (These are gradually being changed.) But your code might stop working any time that the implementation decides to use a name you already had chosen, potentially many years before.

It's best then to:

Don't begin a symbol name with an underscore; (e.g., don't use: _FOOBAR)
Don't use two consecutive underscores in a symbol name; (e.g., don't use FOO__BAR)

POSIX also reserves many symbols. See Section 2.2.2 in Perl also has conflicts with that.

Perl reserves for its use any symbol beginning with Perl, perl, or PL_. Any time you introduce a macro into a header file that doesn't follow that convention, you are creating the possiblity of a namespace clash with an existing XS module, unless you restrict it by, say,

#ifdef PERL_CORE
#  define my_symbol

There are many symbols in header files that aren't of this form, and which are accessible from XS namespace, intentionally or not, just about anything in config.h, for example.

Having to use one of these prefixes detracts from the readability of the code, and hasn't been an actual issue for non-trivial names. Things like perl defining its own MAX macro have been problematic, but they were quickly discovered, and a #ifdef PERL_CORE guard added.

So there's no rule imposed about using such symbols, just be aware of the issues.

Choosing good symbol names

Ideally, a symbol name name should correctly and precisely describe its intended purpose. But there is a tension between that and getting names that are overly long and hence awkward to type and read. Metaphors could be helpful (a poetic name), but those tend to be culturally specific, and may not translate for someone whose native language isn't English, or even comes from a different cultural background. Besides, the talent of writing poetry seems to be rare in programmers.

Certain symbol names don't reflect their purpose, but are nonetheless fine to use because of long-standing conventions. These often originated in the field of Mathematics, where i and j are frequently used as subscripts, and n as a population count. Since at least the 1950's, computer programs have used i, etc. as loop variables.

Our guidance is to choose a name that reasonably describes the purpose, and to comment its declaration more precisely.

One certainly shouldn't use misleading nor ambiguous names. last_foo could mean either the final foo or the previous foo, and so could be confusing to the reader, or even to the writer coming back to the code after a few months of working on something else. Sometimes the programmer has a particular line of thought in mind, and it doesn't occur to them that ambiguity is present.

There are probably still many off-by-1 bugs around because the name "av_len" in perlapi doesn't correspond to what other -len constructs mean, such as "sv_len" in perlapi. Awkward (and controversial) synonyms were created to use instead that conveyed its true meaning ("av_top_index" in perlapi). Eventually, though, someone had the better idea to create a new name to signify what most people think -len signifies. So "av_count" in perlapi was born. And we wish it had been thought up much earlier.

Writing safer macros

Macros are used extensively in the Perl core for such things as hiding internal details from the caller, so that it doesn't have to be concerned about them. For example, most lines of code don't need to know if they are running on a threaded versus unthreaded perl. That detail is automatically mostly hidden.

It is often better to use an inline function instead of a macro. They are immune to name collisions with the caller, and don't magnify problems when called with parameters that are expressions with side effects. There was a time when one might choose a macro over an inline function because compiler support for inline functions was quite limited. Some only would actually only inline the first two or three encountered in a compilation. But those days are long gone, and inline functions are fully supported in modern compilers.

Nevertheless, there are situations where a function won't do, and a macro is required. One example is when a parameter can be any of several types. A function has to be declared with a single explicit

Or maybe the code involved is so trivial that a function would be just complicating overkill, such as when the macro simply creates a mnemonic name for some constant value.

If you do choose to use a non-trivial macro, be aware that there are several avoidable pitfalls that can occur. Keep in mind that a macro is expanded within the lexical context of each place in the source it is called. If you have a token foo in the macro and the source happens also to have foo, the meaning of the macro's foo will become that of the caller's. Sometimes that is exactly the behavior you want, but be aware that this tends to be confusing later on. It effectively turns foo into a reserved word for any code that calls the macro, and this fact is usually not documented nor considered. It is safer to pass foo as a parameter, so that foo remains freely available to the caller and the macro interface is explicitly specified.

Worse is when the equivalence between the two foo's is coincidental. Suppose for example, that the macro declares a variable

int foo

That works fine as long as the caller doesn't define the string foo in some way. And it might not be until years later that someone comes along with an instance where foo is used. For example a future caller could do this:

#define foo  bar

Then that declaration of foo in the macro suddenly becomes

int bar

That could mean that something completely different happens than intended. It is hard to debug; the macro and call may not even be in the same file, so it would require some digging and gnashing of teeth to figure out.

Therefore, if a macro does use variables, their names should be such that it is very unlikely that they would collide with any caller, now or forever. One way to do that, now being used in the perl source, is to include the name of the macro itself as part of the name of each variable in the macro. Suppose the macro is named SvPV Then we could have

int foo_svpv_ = 0;

This is harder to read than plain foo, but it is pretty much guaranteed that a caller will never naively use foo_svpv_ (and run into problems). (The lowercasing makes it clearer that this is a variable, but assumes that there won't be two elements whose names differ only in the case of their letters.) The trailing underscore makes it even more unlikely to clash, as those, by convention, signify a private variable name. (See "Choosing legal symbol names" for restrictions on what names you can use.)

This kind of name collision doesn't happen with the macro's formal parameters, so they don't need to have complicated names. But there are pitfalls when a a parameter is an expression, or has some Perl magic attached. When calling a function, C will evaluate the parameter once, and pass the result to the function. But when calling a macro, the parameter is copied as-is by the C preprocessor to each instance inside the macro. This means that when evaluating a parameter having side effects, the function and macro results differ. This is particularly fraught when a parameter has overload magic, say it is a tied variable that reads the next line in a file upon each evaluation. Having it read multiple lines per call is probably not what the caller intended. If a macro refers to a potentially overloadable parameter more than once, it should first make a copy and then use that copy the rest of the time. There are macros in the perl core that violate this, but are gradually being converted, usually by changing to use inline functions instead.

Above we said "first make a copy". In a macro, that is easier said than done, because macros are normally expressions, and declarations aren't allowed in expressions. But the STMT_START .. STMT_END construct, described in perlapi, allows you to have declarations in most contexts, as long as you don't need a return value. If you do need a value returned, you can make the interface such that a pointer is passed to the construct, which then stores its result there. (Or you can use GCC brace groups. But these require a fallback if the code will ever get executed on a platform that lacks this non-standard extension to C. And that fallback would be another code path, which can get out-of-sync with the brace group one, so doing this isn't advisable.) In situations where there's no other way, Perl does furnish "PL_Sv" in perlintern and "PL_na" in perlapi to use (with a slight performance penalty) for some such common cases. But beware that a call chain involving multiple macros using them will zap the other's use. These have been very difficult to debug.

For a concrete example of these pitfalls in action, see

Portability problems

The following are common causes of compilation and/or execution failures, not common to Perl as such. The C FAQ is good bedtime reading. Please test your changes with as many C compilers and platforms as possible; we will, anyway, and it's nice to save oneself from public embarrassment.

Also study perlport carefully to avoid any bad assumptions about the operating system, filesystems, character set, and so forth.

Do not assume an operating system indicates a certain compiler.

Problematic System Interfaces

Security problems

Last but not least, here are various tips for safer coding. See also perlclib for libc/stdio replacements one should use.


You can compile a special debugging version of Perl, which allows you to use the -D option of Perl to tell more about what Perl is doing. But sometimes there is no alternative than to dive in with a debugger, either to see the stack trace of a core dump (very useful in a bug report), or trying to figure out what went wrong before the core dump happened, or how did we end up having wrong or unexpected results.

Poking at Perl

To really poke around with Perl, you'll probably want to build Perl for debugging, like this:

./Configure -d -DDEBUGGING

-DDEBUGGING turns on the C compiler's -g flag to have it produce debugging information which will allow us to step through a running program, and to see in which C function we are at (without the debugging information we might see only the numerical addresses of the functions, which is not very helpful). It will also turn on the DEBUGGING compilation symbol which enables all the internal debugging code in Perl. There are a whole bunch of things you can debug with this: perlrun lists them all, and the best way to find out about them is to play about with them. The most useful options are probably

l  Context (loop) stack processing
s  Stack snapshots (with v, displays all stacks)
t  Trace execution
o  Method and overloading resolution
c  String/numeric conversions

For example

$ perl -Dst -e '$x + 1'
(-e:1)	gvsv(main::x)
    =>  UNDEF
(-e:1)	const(IV(1))
    =>  UNDEF  IV(1)
(-e:1)	add
    =>  NV(1)

Some of the functionality of the debugging code can be achieved with a non-debugging perl by using XS modules:

-Dr => use re 'debug'
-Dx => use O 'Debug'

Using a source-level debugger

If the debugging output of -D doesn't help you, it's time to step through perl's execution with a source-level debugger.

To fire up the debugger, type

gdb ./perl

Or if you have a core dump:

gdb ./perl core

You'll want to do that in your Perl source tree so the debugger can read the source code. You should see the copyright message, followed by the prompt.


help will get you into the documentation, but here are the most useful commands:

You may find it helpful to have a "macro dictionary", which you can produce by saying cpp -dM perl.c | sort. Even then, cpp won't recursively apply those macros for you.

gdb macro support

Recent versions of gdb have fairly good macro support, but in order to use it you'll need to compile perl with macro definitions included in the debugging information. Using gcc version 3.1, this means configuring with -Doptimize=-g3. Other compilers might use a different switch (if they support debugging macros at all).

Dumping Perl Data Structures

One way to get around this macro hell is to use the dumping functions in dump.c; these work a little like an internal Devel::Peek, but they also cover OPs and other structures that you can't get at from Perl. Let's take an example. We'll use the $x = $y + $z we used before, but give it a bit of context: $y = "6XXXX"; $z = 2.3;. Where's a good place to stop and poke around?

What about pp_add, the function we examined earlier to implement the + operator:

(gdb) break Perl_pp_add
Breakpoint 1 at 0x46249f: file pp_hot.c, line 309.

Notice we use Perl_pp_add and not pp_add - see "Internal Functions" in perlguts. With the breakpoint in place, we can run our program:

(gdb) run -e '$y = "6XXXX"; $z = 2.3; $x = $y + $z'

Lots of junk will go past as gdb reads in the relevant source files and libraries, and then:

Breakpoint 1, Perl_pp_add () at pp_hot.c:309
1396    dSP; dATARGET; bool useleft; SV *svl, *svr;
(gdb) step
311           dPOPTOPnnrl_ul;

We looked at this bit of code before, and we said that dPOPTOPnnrl_ul arranges for two NVs to be placed into left and right - let's slightly expand it:

#define dPOPTOPnnrl_ul  NV right = POPn; \
                        SV *leftsv = TOPs; \
                        NV left = USE_LEFT(leftsv) ? SvNV(leftsv) : 0.0

POPn takes the SV from the top of the stack and obtains its NV either directly (if SvNOK is set) or by calling the sv_2nv function. TOPs takes the next SV from the top of the stack - yes, POPn uses TOPs - but doesn't remove it. We then use SvNV to get the NV from leftsv in the same way as before - yes, POPn uses SvNV.

Since we don't have an NV for $y, we'll have to use sv_2nv to convert it. If we step again, we'll find ourselves there:

(gdb) step
Perl_sv_2nv (sv=0xa0675d0) at sv.c:1669
1669        if (!sv)

We can now use Perl_sv_dump to investigate the SV:

(gdb) print Perl_sv_dump(sv)
SV = PV(0xa057cc0) at 0xa0675d0
PV = 0xa06a510 "6XXXX"\0
CUR = 5
LEN = 6
$1 = void

We know we're going to get 6 from this, so let's finish the subroutine:

(gdb) finish
Run till exit from #0  Perl_sv_2nv (sv=0xa0675d0) at sv.c:1671
0x462669 in Perl_pp_add () at pp_hot.c:311
311           dPOPTOPnnrl_ul;

We can also dump out this op: the current op is always stored in PL_op, and we can dump it with Perl_op_dump. This'll give us similar output to CPAN module B::Debug.

(gdb) print Perl_op_dump(PL_op)
13  TYPE = add  ===> 14
    TARG = 1
        TYPE = null  ===> (12)
          (was rv2sv)
11          TYPE = gvsv  ===> 12
            FLAGS = (SCALAR)
            GV = main::b

# finish this later #

Using gdb to look at specific parts of a program

With the example above, you knew to look for Perl_pp_add, but what if there were multiple calls to it all over the place, or you didn't know what the op was you were looking for?

One way to do this is to inject a rare call somewhere near what you're looking for. For example, you could add study before your method:


And in gdb do:

(gdb) break Perl_pp_study

And then step until you hit what you're looking for. This works well in a loop if you want to only break at certain iterations:

for my $i (1..100) {
    study if $i == 50;

Using gdb to look at what the parser/lexer are doing

If you want to see what perl is doing when parsing/lexing your code, you can use BEGIN {}:

print "Before\n";
BEGIN { study; }
print "After\n";

And in gdb:

(gdb) break Perl_pp_study

If you want to see what the parser/lexer is doing inside of if blocks and the like you need to be a little trickier:

if ($x && $y && do { BEGIN { study } 1 } && $z) { ... }


Various tools exist for analysing C source code statically, as opposed to dynamically, that is, without executing the code. It is possible to detect resource leaks, undefined behaviour, type mismatches, portability problems, code paths that would cause illegal memory accesses, and other similar problems by just parsing the C code and looking at the resulting graph, what does it tell about the execution and data flows. As a matter of fact, this is exactly how C compilers know to give warnings about dubious code.


The good old C code quality inspector, lint, is available in several platforms, but please be aware that there are several different implementations of it by different vendors, which means that the flags are not identical across different platforms.

There is a lint target in Makefile, but you may have to diddle with the flags (see above).


Coverity ( is a product similar to lint and as a testbed for their product they periodically check several open source projects, and they give out accounts to open source developers to the defect databases.

There is Coverity setup for the perl5 project:

HP-UX cadvise (Code Advisor)

HP has a C/C++ static analyzer product for HP-UX caller Code Advisor. (Link not given here because the URL is horribly long and seems horribly unstable; use the search engine of your choice to find it.) The use of the cadvise_cc recipe with Configure ... -Dcc=./cadvise_cc (see cadvise "User Guide") is recommended; as is the use of +wall.

cpd (cut-and-paste detector)

The cpd tool detects cut-and-paste coding. If one instance of the cut-and-pasted code changes, all the other spots should probably be changed, too. Therefore such code should probably be turned into a subroutine or a macro.

cpd ( is part of the pmd project ( pmd was originally written for static analysis of Java code, but later the cpd part of it was extended to parse also C and C++.

Download the () from the SourceForge site, extract the pmd-X.Y.jar from it, and then run that on source code thusly:

java -cp pmd-X.Y.jar net.sourceforge.pmd.cpd.CPD \
 --minimum-tokens 100 --files /some/where/src --language c > cpd.txt

You may run into memory limits, in which case you should use the -Xmx option:

java -Xmx512M ...

gcc warnings

Though much can be written about the inconsistency and coverage problems of gcc warnings (like -Wall not meaning "all the warnings", or some common portability problems not being covered by -Wall, or -ansi and -pedantic both being a poorly defined collection of warnings, and so forth), gcc is still a useful tool in keeping our coding nose clean.

The -Wall is by default on.

It would be nice for -pedantic) to be on always, but unfortunately it is not safe on all platforms - for example fatal conflicts with the system headers (Solaris being a prime example). If Configure -Dgccansipedantic is used, the cflags frontend selects -pedantic for the platforms where it is known to be safe.

The following extra flags are added:

The following flags would be nice to have but they would first need their own Augean stablemaster:

The -Wtraditional is another example of the annoying tendency of gcc to bundle a lot of warnings under one switch (it would be impossible to deploy in practice because it would complain a lot) but it does contain some warnings that would be beneficial to have available on their own, such as the warning about string constants inside macros containing the macro arguments: this behaved differently pre-ANSI than it does in ANSI, and some C compilers are still in transition, AIX being an example.

Warnings of other C compilers

Other C compilers (yes, there are other C compilers than gcc) often have their "strict ANSI" or "strict ANSI with some portability extensions" modes on, like for example the Sun Workshop has its -Xa mode on (though implicitly), or the DEC (these days, HP...) has its -std1 mode on.


NOTE 1: Running under older memory debuggers such as Purify, valgrind or Third Degree greatly slows down the execution: seconds become minutes, minutes become hours. For example as of Perl 5.8.1, the ext/Encode/t/Unicode.t test takes extraordinarily long to complete under e.g. Purify, Third Degree, and valgrind. Under valgrind it takes more than six hours, even on a snappy computer. Said test must be doing something that is quite unfriendly for memory debuggers. If you don't feel like waiting, you can simply kill the perl process. Roughly valgrind slows down execution by factor 10, AddressSanitizer by factor 2.

NOTE 2: To minimize the number of memory leak false alarms (see "PERL_DESTRUCT_LEVEL" for more information), you have to set the environment variable PERL_DESTRUCT_LEVEL to 2. For example, like this:

env PERL_DESTRUCT_LEVEL=2 valgrind ./perl -Ilib ...

NOTE 3: There are known memory leaks when there are compile-time errors within eval or require; seeing S_doeval in the call stack is a good sign of these. Fixing these leaks is non-trivial, unfortunately, but they must be fixed eventually.

NOTE 4: DynaLoader will not clean up after itself completely unless Perl is built with the Configure option -Accflags=-DDL_UNLOAD_ALL_AT_EXIT.


The valgrind tool can be used to find out both memory leaks and illegal heap memory accesses. As of version 3.3.0, Valgrind only supports Linux on x86, x86-64 and PowerPC and Darwin (OS X) on x86 and x86-64. The special "test.valgrind" target can be used to run the tests under valgrind. Found errors and memory leaks are logged in files named testfile.valgrind and by default output is displayed inline.

Example usage:

make test.valgrind

Since valgrind adds significant overhead, tests will take much longer to run. The valgrind tests support being run in parallel to help with this:

TEST_JOBS=9 make test.valgrind

Note that the above two invocations will be very verbose as reachable memory and leak-checking is enabled by default. If you want to just see pure errors, try:

VG_OPTS='-q --leak-check=no --show-reachable=no' TEST_JOBS=9 \
    make test.valgrind

Valgrind also provides a cachegrind tool, invoked on perl as:

VG_OPTS=--tool=cachegrind make test.valgrind

As system libraries (most notably glibc) are also triggering errors, valgrind allows to suppress such errors using suppression files. The default suppression file that comes with valgrind already catches a lot of them. Some additional suppressions are defined in t/perl.supp.

To get valgrind and for more information see


AddressSanitizer ("ASan") consists of a compiler instrumentation module and a run-time malloc library. ASan is available for a variety of architectures, operating systems, and compilers (see project link below). It checks for unsafe memory usage, such as use after free and buffer overflow conditions, and is fast enough that you can easily compile your debugging or optimized perl with it. Modern versions of ASan check for memory leaks by default on most platforms, otherwise (e.g. x86_64 OS X) this feature can be enabled via ASAN_OPTIONS=detect_leaks=1.

To build perl with AddressSanitizer, your Configure invocation should look like:

sh Configure -des -Dcc=clang \
   -Accflags=-fsanitize=address -Aldflags=-fsanitize=address \
   -Alddlflags=-shared\ -fsanitize=address \

where these arguments mean:

See also

Dr Memory

Dr. Memory is a tool similar to valgrind which is usable on Windows and Linux.

It supports heap checking like memcheck from valgrind. There are also other tools included.



Depending on your platform there are various ways of profiling Perl.

There are two commonly used techniques of profiling executables: statistical time-sampling and basic-block counting.

The first method takes periodically samples of the CPU program counter, and since the program counter can be correlated with the code generated for functions, we get a statistical view of in which functions the program is spending its time. The caveats are that very small/fast functions have lower probability of showing up in the profile, and that periodically interrupting the program (this is usually done rather frequently, in the scale of milliseconds) imposes an additional overhead that may skew the results. The first problem can be alleviated by running the code for longer (in general this is a good idea for profiling), the second problem is usually kept in guard by the profiling tools themselves.

The second method divides up the generated code into basic blocks. Basic blocks are sections of code that are entered only in the beginning and exited only at the end. For example, a conditional jump starts a basic block. Basic block profiling usually works by instrumenting the code by adding enter basic block #nnnn book-keeping code to the generated code. During the execution of the code the basic block counters are then updated appropriately. The caveat is that the added extra code can skew the results: again, the profiling tools usually try to factor their own effects out of the results.

Gprof Profiling

gprof is a profiling tool available in many Unix platforms which uses statistical time-sampling. You can build a profiled version of perl by compiling using gcc with the flag -pg. Either edit or re-run Configure. Running the profiled version of Perl will create an output file called gmon.out which contains the profiling data collected during the execution.

quick hint:

$ sh Configure -des -Dusedevel -Accflags='-pg' \
    -Aldflags='-pg' -Alddlflags='-pg -shared' \
    && make perl
$ ./perl ... # creates gmon.out in current directory
$ gprof ./perl > out
$ less out

(you probably need to add -shared to the <-Alddlflags> line until RT #118199 is resolved)

The gprof tool can then display the collected data in various ways. Usually gprof understands the following options:

For more detailed explanation of the available commands and output formats, see your own local documentation of gprof.

GCC gcov Profiling

basic block profiling is officially available in gcc 3.0 and later. You can build a profiled version of perl by compiling using gcc with the flags -fprofile-arcs -ftest-coverage. Either edit or re-run Configure.

quick hint:

$ sh Configure -des -Dusedevel -Doptimize='-g' \
    -Accflags='-fprofile-arcs -ftest-coverage' \
    -Aldflags='-fprofile-arcs -ftest-coverage' \
    -Alddlflags='-fprofile-arcs -ftest-coverage -shared' \
    && make perl
$ rm -f regexec.c.gcov regexec.gcda
$ ./perl ...
$ gcov regexec.c
$ less regexec.c.gcov

(you probably need to add -shared to the <-Alddlflags> line until RT #118199 is resolved)

Running the profiled version of Perl will cause profile output to be generated. For each source file an accompanying .gcda file will be created.

To display the results you use the gcov utility (which should be installed if you have gcc 3.0 or newer installed). gcov is run on source code files, like this

gcov sv.c

which will cause sv.c.gcov to be created. The .gcov files contain the source code annotated with relative frequencies of execution indicated by "#" markers. If you want to generate .gcov files for all profiled object files, you can run something like this:

for file in `find . -name \*.gcno`
do sh -c "cd `dirname $file` && gcov `basename $file .gcno`"

Useful options of gcov include -b which will summarise the basic block, branch, and function call coverage, and -c which instead of relative frequencies will use the actual counts. For more information on the use of gcov and basic block profiling with gcc, see the latest GNU CC manual. As of gcc 4.8, this is at

callgrind profiling

callgrind is a valgrind tool for profiling source code. Paired with kcachegrind (a Qt based UI), it gives you an overview of where code is taking up time, as well as the ability to examine callers, call trees, and more. One of its benefits is you can use it on perl and XS modules that have not been compiled with debugging symbols.

If perl is compiled with debugging symbols (-g), you can view the annotated source and click around, much like Devel::NYTProf's HTML output.

For basic usage:

valgrind --tool=callgrind ./perl ...

By default it will write output to callgrind.out.PID, but you can change that with --callgrind-out-file=...

To view the data, do:

kcachegrind callgrind.out.PID

If you'd prefer to view the data in a terminal, you can use callgrind_annotate. In its basic form:

callgrind_annotate callgrind.out.PID | less

Some useful options are:

profiler profiling (Cygwin)

Cygwin allows for gprof profiling and gcov coverage testing, but this only profiles the main executable.

You can use the profiler tool to perform sample based profiling, it requires no special preparation of the executables beyond debugging symbols.

This produces sampling data which can be processed with gprof.

There is limited documentation on the Cygwin web site.

Visual Studio Profiling

You can use the Visual Studio profiler to profile perl if you've built perl with MSVC, even though we build perl at the command-line. You will need to build perl with CFG=Debug or CFG=DebugSymbols.

The Visual Studio profiler is a sampling profiler.

See the visual studio documentation to get started.



If you want to run any of the tests yourself manually using e.g. valgrind, please note that by default perl does not explicitly clean up all the memory it has allocated (such as global memory arenas) but instead lets the exit() of the whole program "take care" of such allocations, also known as "global destruction of objects".

There is a way to tell perl to do complete cleanup: set the environment variable PERL_DESTRUCT_LEVEL to a non-zero value. The t/TEST wrapper does set this to 2, and this is what you need to do too, if you don't want to see the "global leaks": For example, for running under valgrind

env PERL_DESTRUCT_LEVEL=2 valgrind ./perl -Ilib t/foo/bar.t

(Note: the mod_perl Apache module uses this environment variable for its own purposes and extends its semantics. Refer to the mod_perl documentation for more information. Also, spawned threads do the equivalent of setting this variable to the value 1.)

If, at the end of a run, you get the message N scalars leaked, you can recompile with -DDEBUG_LEAKING_SCALARS (Configure -Accflags=-DDEBUG_LEAKING_SCALARS), which will cause the addresses of all those leaked SVs to be dumped along with details as to where each SV was originally allocated. This information is also displayed by Devel::Peek. Note that the extra details recorded with each SV increase memory usage, so it shouldn't be used in production environments. It also converts new_SV() from a macro into a real function, so you can use your favourite debugger to discover where those pesky SVs were allocated.

If you see that you're leaking memory at runtime, but neither valgrind nor -DDEBUG_LEAKING_SCALARS will find anything, you're probably leaking SVs that are still reachable and will be properly cleaned up during destruction of the interpreter. In such cases, using the -Dm switch can point you to the source of the leak. If the executable was built with -DDEBUG_LEAKING_SCALARS, -Dm will output SV allocations in addition to memory allocations. Each SV allocation has a distinct serial number that will be written on creation and destruction of the SV. So if you're executing the leaking code in a loop, you need to look for SVs that are created, but never destroyed between each cycle. If such an SV is found, set a conditional breakpoint within new_SV() and make it break only when PL_sv_serial is equal to the serial number of the leaking SV. Then you will catch the interpreter in exactly the state where the leaking SV is allocated, which is sufficient in many cases to find the source of the leak.

As -Dm is using the PerlIO layer for output, it will by itself allocate quite a bunch of SVs, which are hidden to avoid recursion. You can bypass the PerlIO layer if you use the SV logging provided by -DPERL_MEM_LOG instead.

Leaked SV spotting: sv_mark_arenas() and sv_sweep_arenas()

These functions exist only on DEBUGGING builds. The first marks all live SVs which can be found in the SV arenas with the SVf_BREAK flag. The second lists any such SVs which don't have the flag set, and resets the flag on the rest. They are intended to identify SVs which are being created, but not freed, between two points in code. They can be used either by temporarily adding calls to them in the relevant places in the code, or by calling them directly from a debugger.

For example, suppose the following code was found to be leaking:

while (1) { eval '\(1..3)' }

A gdb session on a threaded perl might look something like this:

$ gdb ./perl
(gdb) break Perl_pp_entereval
(gdb) run -e'while (1) { eval q{\(1..3)} }'
Breakpoint 1, Perl_pp_entereval ....
(gdb) call Perl_sv_mark_arenas(my_perl)
(gdb) continue
Breakpoint 1, Perl_pp_entereval ....`
(gdb) call Perl_sv_sweep_arenas(my_perl)
Unmarked SV: 0xaf23a8: AV()
Unmarked SV: 0xaf2408: IV(1)
Unmarked SV: 0xaf2468: IV(2)
Unmarked SV: 0xaf24c8: IV(3)
Unmarked SV: 0xace6c8: PV("AV()"\0)
Unmarked SV: 0xace848: PV("IV(1)"\0)

Here, at the start of the first call to pp_entereval(), all existing SVs are marked. Then at the start of the second call, we list all the SVs which have been since been created but not yet freed. It is quickly clear that an array and its three elements are likely not being freed, perhaps as a result of a bug during constant folding. The final two SVs are just temporaries created during the debugging output and can be ignored.

This trick relies on the SVf_BREAK flag not otherwise being used. This flag is typically used only during global destruction, but also sometimes for a mark and sweep operation when looking for common elements on the two sides of a list assignment. The presence of the flag can also alter the behaviour of some specific actions in the core, such as choosing whether to copy or to COW a string SV. So turning it on can occasionally alter the behaviour of code slightly.


If compiled with -DPERL_MEM_LOG (-Accflags=-DPERL_MEM_LOG), both memory and SV allocations go through logging functions, which is handy for breakpoint setting.

Unless -DPERL_MEM_LOG_NOIMPL (-Accflags=-DPERL_MEM_LOG_NOIMPL) is also compiled, the logging functions read $ENV{PERL_MEM_LOG} to determine whether to log the event, and if so how:

$ENV{PERL_MEM_LOG} =~ /m/           Log all memory ops
$ENV{PERL_MEM_LOG} =~ /s/           Log all SV ops
$ENV{PERL_MEM_LOG} =~ /c/           Additionally log C backtrace for
                                    new_SV events
$ENV{PERL_MEM_LOG} =~ /t/           include timestamp in Log
$ENV{PERL_MEM_LOG} =~ /^(\d+)/      write to FD given (default is 2)

Memory logging is somewhat similar to -Dm but is independent of -DDEBUGGING, and at a higher level; all uses of Newx(), Renew(), and Safefree() are logged with the caller's source code file and line number (and C function name, if supported by the C compiler). In contrast, -Dm is directly at the point of malloc(). SV logging is similar.

Since the logging doesn't use PerlIO, all SV allocations are logged and no extra SV allocations are introduced by enabling the logging. If compiled with -DDEBUG_LEAKING_SCALARS, the serial number for each SV allocation is also logged.

The c option uses the Perl_c_backtrace facility, and therefore additionally requires the Configure -Dusecbacktrace compile flag in order to access it.

DDD over gdb

Those debugging perl with the DDD frontend over gdb may find the following useful:

You can extend the data conversion shortcuts menu, so for example you can display an SV's IV value with one click, without doing any typing. To do that simply edit ~/.ddd/init file and add after:

! Display shortcuts.
Ddd*gdbDisplayShortcuts: \
/t ()   // Convert to Bin\n\
/d ()   // Convert to Dec\n\
/x ()   // Convert to Hex\n\
/o ()   // Convert to Oct(\n\

the following two lines:

((XPV*) (())->sv_any )->xpv_pv  // 2pvx\n\
((XPVIV*) (())->sv_any )->xiv_iv // 2ivx

so now you can do ivx and pvx lookups or you can plug there the sv_peek "conversion":

Perl_sv_peek(my_perl, (SV*)()) // sv_peek

(The my_perl is for threaded builds.) Just remember that every line, but the last one, should end with \n\

Alternatively edit the init file interactively via: 3rd mouse button -> New Display -> Edit Menu

Note: you can define up to 20 conversion shortcuts in the gdb section.

C backtrace

On some platforms Perl supports retrieving the C level backtrace (similar to what symbolic debuggers like gdb do).

The backtrace returns the stack trace of the C call frames, with the symbol names (function names), the object names (like "perl"), and if it can, also the source code locations (file:line).

The supported platforms are Linux, and OS X (some *BSD might work at least partly, but they have not yet been tested).

This feature hasn't been tested with multiple threads, but it will only show the backtrace of the thread doing the backtracing.

The feature needs to be enabled with Configure -Dusecbacktrace.

The -Dusecbacktrace also enables keeping the debug information when compiling/linking (often: -g). Many compilers/linkers do support having both optimization and keeping the debug information. The debug information is needed for the symbol names and the source locations.

Static functions might not be visible for the backtrace.

Source code locations, even if available, can often be missing or misleading if the compiler has e.g. inlined code. Optimizer can make matching the source code and the object code quite challenging.


You must have the BFD (-lbfd) library installed, otherwise perl will fail to link. The BFD is usually distributed as part of the GNU binutils.

Summary: Configure ... -Dusecbacktrace and you need -lbfd.


The source code locations are supported only if you have the Developer Tools installed. (BFD is not needed.)

Summary: Configure ... -Dusecbacktrace and installing the Developer Tools would be good.

Optionally, for trying out the feature, you may want to enable automatic dumping of the backtrace just before a warning or croak (die) message is emitted, by adding -Accflags=-DUSE_C_BACKTRACE_ON_ERROR for Configure.

Unless the above additional feature is enabled, nothing about the backtrace functionality is visible, except for the Perl/XS level.

Furthermore, even if you have enabled this feature to be compiled, you need to enable it in runtime with an environment variable: PERL_C_BACKTRACE_ON_ERROR=10. It must be an integer higher than zero, telling the desired frame count.

Retrieving the backtrace from Perl level (using for example an XS extension) would be much less exciting than one would hope: normally you would see runops, entersub, and not much else. This API is intended to be called from within the Perl implementation, not from Perl level execution.

The C API for the backtrace is as follows:



If you see in a debugger a memory area mysteriously full of 0xABABABAB or 0xEFEFEFEF, you may be seeing the effect of the Poison() macros, see perlclib.

Read-only optrees

Under ithreads the optree is read only. If you want to enforce this, to check for write accesses from buggy code, compile with -Accflags=-DPERL_DEBUG_READONLY_OPS to enable code that allocates op memory via mmap, and sets it read-only when it is attached to a subroutine. Any write access to an op results in a SIGBUS and abort.

This code is intended for development only, and may not be portable even to all Unix variants. Also, it is an 80% solution, in that it isn't able to make all ops read only. Specifically it does not apply to op slabs belonging to BEGIN blocks.

However, as an 80% solution it is still effective, as it has caught bugs in the past.

When is a bool not a bool?

There wasn't necessarily a standard bool type on compilers prior to C99, and so some workarounds were created. The TRUE and FALSE macros are still available as alternatives for true and false. And the cBOOL macro was created to correctly cast to a true/false value in all circumstances, but should no longer be necessary. Using (bool) expr> should now always work.

There are no plans to remove any of TRUE, FALSE, nor cBOOL.

Finding unsafe truncations

You may wish to run Configure with something like

-Accflags='-Wconversion -Wno-sign-conversion -Wno-shorten-64-to-32'

or your compiler's equivalent to make it easier to spot any unsafe truncations that show up.

The .i Targets

You can expand the macros in a foo.c file by saying

make foo.i

which will expand the macros using cpp. Don't be scared by the results.


This document was originally written by Nathan Torkington, and is maintained by the perl5-porters mailing list.