See the current Perl documentation for lib:Opcode.
Here is our local, out-dated (pre-5.6) version:
Opcode - Disable named opcodes when compiling perl code
Perl code is always compiled into an internal format before execution.
Evaluating perl code (e.g. via ``eval'' or ``do 'file''') causes the code
to be compiled into an internal format and then, provided there was no
error in the compilation, executed. The internal format is based on many
By default no opmask is in effect and any code can be compiled.
The Opcode module allow you to define an operator mask to be in effect when perl next compiles any code. Attempting to compile code which contains a masked
opcode will cause the compilation to fail with an error. The code will not
The Opcode module is not usually used directly. See the ops pragma and Safe
modules for more typical uses.
The authors make no warranty, implied or otherwise, about the suitability of this software for safety
or security purposes.
The authors shall not in any case be liable for special, incidental,
consequential, indirect or other similar damages arising from the use of
Your mileage will vary. If in any doubt do not use it.
The canonical list of operator names is the contents of the array op_name
defined and initialised in file opcode.h of the Perl source distribution (and installed into the perl library).
Each operator has both a terse name (its opname) and a more verbose or
recognisable descriptive name. The opdesc function can be used to return a
list of descriptions for a list of operators.
Many of the functions and methods listed below take a list of operators as
parameters. Most operator lists can be made up of several types of element.
Each element can be one of
- an operator name (opname)
Operator names are typically small lowercase words like enterloop,
leaveloop, last, next, redo etc. Sometimes they are rather cryptic like
gv2cv, i_ncmp and ftsvtx.
- an operator tag name (optag)
Operator tags can be used to refer to groups (or sets) of operators. Tag
names always begin with a colon. The Opcode module defines several optags
and the user can define others using the define_optag function.
- a negated opname or optag
An opname or optag can be prefixed with an exclamation mark, e.g., !mkdir.
Negating an opname or optag means remove the corresponding ops from the
accumulated set of ops at that point.
- an operator set (opset)
An opset as a binary string of approximately 43 bytes which holds a set or zero or
The opset and opset_to_ops functions can be used to convert from a list of
operators to an opset and vice versa.
Wherever a list of operators can be given you can use one or more opsets.
See also Manipulating Opsets below.
The Opcode package contains functions for manipulating operator names tags
and sets. All are available for export by the package.
In a scalar context opcodes returns the number of opcodes in this version
of perl (around 340 for perl5.002).
In a list context it returns a list of all the operator names. (Not yet implemented, use
- opset (OP, ...)
Returns an opset containing the listed operators.
- opset_to_ops (OPSET)
Returns a list of operator names corresponding to those operators in the
- opset_to_hex (OPSET)
Returns a string representation of an opset. Can be handy for debugging.
Returns an opset which includes all operators.
Returns an opset which contains no operators.
- invert_opset (OPSET)
Returns an opset which is the inverse set of the one supplied.
- verify_opset (OPSET, ...)
Returns true if the supplied opset looks like a valid opset (is the right
length etc) otherwise it returns false. If an optional second parameter is
true then verify_opset will croak on an invalid opset instead of returning
Most of the other Opcode functions call verify_opset automatically and will
croak if given an invalid opset.
- define_optag (OPTAG, OPSET)
OPTAG as a symbolic name for
OPSET. Optag names always start with a colon
The optag name used must not be defined already (define_optag will croak if
it is already defined). Optag names are global to the perl process and
optag definitions cannot be altered or deleted once defined.
It is strongly recommended that applications using Opcode should use a
leading capital letter on their tag names since lowercase names are
reserved for use by the Opcode module. If using Opcode within a module you
should prefix your tags names with the name of your module to ensure
uniqueness and thus avoid clashes with other modules.
- opmask_add (OPSET)
Adds the supplied opset to the current opmask. Note that there is currently no mechanism for unmasking ops once they have been masked. This is
Returns an opset corresponding to the current opmask.
- opdesc (OP, ...)
This takes a list of operator names and returns the corresponding list of
- opdump (PAT)
STDOUT a two column list of op names and op
descriptions. If an optional pattern is given then only lines which match
the (case insensitive) pattern will be output.
It's designed to be used as a handy command line utility:
perl -MOpcode=opdump -e opdump
perl -MOpcode=opdump -e 'opdump Eval'
Opsets may be manipulated using the perl bit vector operators & (and),
| (or), ^ (xor) and ~ (negate/invert).
However you should never rely on the numerical position of any opcode
within the opset. In other words both sides of a bit vector operator should
be opsets returned from Opcode functions.
Also, since the number of opcodes in your current version of perl might not
be an exact multiple of eight, there may be unused bits in the last byte of
an upset. This should not cause any problems (Opcode functions ignore those
extra bits) but it does mean that using the ~ operator will typically not
produce the same 'physical' opset 'string' as the invert_opset function.
$bool = opset_eq($opset1, $opset2) true if opsets are logically eqiv
$yes = opset_can($opset, @ops) true if $opset has all @ops set
@diff = opset_diff($opset1, $opset2) => ('foo', '!bar', ...)
null stub scalar pushmark wantarray const defined undef
rv2av aassign aelem aelemfast aslice av2arylen
rv2hv helem hslice each values keys exists delete
preinc i_preinc predec i_predec postinc i_postinc postdec i_postdec
int hex oct abs pow multiply i_multiply divide i_divide
modulo i_modulo add i_add subtract i_subtract
left_shift right_shift bit_and bit_xor bit_or negate i_negate
lt i_lt gt i_gt le i_le ge i_ge eq i_eq ne i_ne ncmp i_ncmp
slt sgt sle sge seq sne scmp
substr vec stringify study pos length index rindex ord chr
ucfirst lcfirst uc lc quotemeta trans chop schop chomp schomp
match split qr
list lslice splice push pop shift unshift reverse
cond_expr flip flop andassign orassign and or xor
warn die lineseq nextstate unstack scope enter leave
rv2cv anoncode prototype
entersub leavesub return method -- XXX loops via recursion?
leaveeval -- needed for Safe to operate, is safe without entereval
These memory related ops are not included in :base_core because they can
easily be used to implement a resource attack (e.g., consume all available
concat repeat join range
Note that despite the existance of this optag a memory resource attack may
still be possible using only :base_core ops.
Disabling these ops is a very heavy handed way to attempt to prevent a memory resource attack. It's
probable that a specific memory limit mechanism will be added to perl in
the near future.
These loop ops are not included in :base_core because they can easily be used to implement a resource attack (e.g., consume all available
last next redo
These ops enable filehandle (rather than filename) based input and output. These are safe on the
assumption that only pre-existing filehandles are available for use. To
create new filehandles other ops such as open would need to be enabled.
readline rcatline getc read
formline enterwrite leavewrite
print sysread syswrite send recv
eof tell seek sysseek
readdir telldir seekdir rewinddir
These are a hotchpotch of opcodes still waiting to be considered
gvsv gv gelem
padsv padav padhv padany
rv2gv refgen srefgen ref
bless -- could be used to change ownership of objects (reblessing)
pushre regcmaybe regcreset regcomp subst substcont
sprintf prtf -- can core dump
getppid getpgrp setpgrp getpriority setpriority localtime gmtime
entertry leavetry -- can be used to 'hide' fatal errors
These ops are not included in :base_core because of the risk of them being used to generate floating point exceptions (which would have to be caught using a
atan2 sin cos exp log sqrt
These ops are not included in :base_core because they have an effect beyond
the scope of the compartment.
These ops are related to multi-threading.
A handy tag name for a reasonable default set of ops. (The current ops allowed are unstable while development
continues. It will change.)
:base_core :base_mem :base_loop :base_io :base_orig :base_thread
If safety matters to you (and why else would you be using the Opcode
module?) then you should not rely on the definition of this, or indeed any
stat lstat readlink
ftatime ftblk ftchr ftctime ftdir fteexec fteowned fteread
ftewrite ftfile ftis ftlink ftmtime ftpipe ftrexec ftrowned
ftrread ftsgid ftsize ftsock ftsuid fttty ftzero ftrwrite ftsvtx
ghbyname ghbyaddr ghostent shostent ehostent -- hosts
gnbyname gnbyaddr gnetent snetent enetent -- networks
gpbyname gpbynumber gprotoent sprotoent eprotoent -- protocols
gsbyname gsbyport gservent sservent eservent -- services
gpwnam gpwuid gpwent spwent epwent getlogin -- users
ggrnam ggrgid ggrent sgrent egrent -- groups
A handy tag name for a reasonable default set of ops beyond the :default optag. Like :default (and indeed all
the other optags) its current definition is unstable while development
continues. It will change.
The :browse tag represents the next step beyond :default. It it a superset
of the :default ops and adds :filesys_read the :sys_db. The intent being
that scripts can access more (possibly sensitive) information about your
system but not be able to change it.
:default :filesys_read :sys_db
sysopen open close
open_dir closedir -- other dir ops are in :base_io
link unlink rename symlink truncate
utime chmod chown
fcntl -- not strictly filesys related, but possibly as dangerous?
glob -- access to Cshell via <`rm *`>
exec exit kill
time tms -- could be used for timing attacks (paranoid?)
This tag holds groups of assorted specialist opcodes that don't warrant
having optags defined for them.
SystemV Interprocess Communications:
msgctl msgget msgrcv msgsnd
semctl semget semop
shmctl shmget shmread shmwrite
socket getpeername ssockopt
bind connect listen accept shutdown gsockopt getsockname
sleep alarm -- changes global timer state and signal handling
sort -- assorted problems including core dumps
tied -- can be used to access object implementing a tie
pack unpack -- can be used to create/use memory pointers
entereval -- can be used to hide code from initial compile
caller -- get info about calling environment and args
dbstate -- perl -d version of nextstate(ment) opcode
This tag is simply a bucket for opcodes that are unlikely to be used via a
tag name but need to be tagged for completness and documentation.
syscall dump chroot
ops(3) -- perl pragma
interface to Opcode module.
Safe(3) -- Opcode and
namespace limited execution compartments
Originally designed and implemented by Malcolm Beattie, firstname.lastname@example.org as part
of Safe version 1.
Split out from Safe module version 1, named opcode tags and other changes
added by Tim Bunce.