
Hash randomization in Perl 5

Tags: random, hash, perl

When Perl 5.8.1 came out it added hash randomization. When Perl 5.8.2 came out, I thought, it removed hash randomization unless an environment variable (PERL_HASH_SEED) was present. It now seems as if I am gravely mistaken as

PERL_HASH_SEED=$SEED perl -MData::Dumper -e 'print Dumper{map{$_,1}"a".."z"}'

always kicks back the same key ordering regardless of the value of $SEED.

Did hash randomization go completely away, am I doing something wrong, or is this a bug?

Chas. Owens asked Jul 13 '11 20:07


2 Answers

See Algorithmic Complexity Attacks:

In Perl 5.8.1 the hash function is randomly perturbed by a pseudorandom seed which makes generating such naughty hash keys harder. [...] but as of 5.8.2 it is only used on individual hashes if the internals detect the insertion of pathological data.

So randomization doesn't always happen, only when perl detects that it's needed.

Mat answered Oct 14 '22 18:10


At a minimum there have been some sloppy documentation updates. In the third paragraph of perlrun's entry for PERL_HASH_SEED it says:

The default behaviour is to randomise unless the PERL_HASH_SEED is set.

which was true only in 5.8.1 and contradicts the paragraph immediately preceding it:

Most hashes by default return elements in the same order as in Perl 5.8.0. On a hash by hash basis, if pathological data is detected during a hash key insertion, then that hash will switch to an alternative random hash seed.

perlsec's entry for Algorithmic Complexity Attacks gets this right:

In Perl 5.8.1 the random perturbation was done by default, but as of 5.8.2 it is only used on individual hashes if the internals detect the insertion of pathological data.

perlsec goes on to say

If one wants for some reason emulate the old behaviour [...] set the environment variable PERL_HASH_SEED to zero to disable the protection (or any other integer to force a known perturbation, rather than random).

[emphasis added]

Since setting PERL_HASH_SEED does not affect the hash order, I'd call it a bug. Searching for "PERL_HASH_SEED" on rt.perl.org didn't return any results, so it doesn't appear to be a "known" issue.

Michael Carman answered Oct 14 '22 19:10
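
A toy model of the 5.8.2 behaviour described in the perlsec and perlrun passages quoted in both answers, added here as an example and not taken from the answers or from Perl's source: each hash starts on a fixed seed and switches to the alternative seed only once a single bucket's chain grows too long. `ToyHash`, `NBUCKETS`, `MAX_CHAIN`, the choice of the one-at-a-time hash and the chain-length test are assumptions of this model, and the sample keys are constructed.

```python
import itertools

NBUCKETS = 64   # fixed table size; a real table grows (assumption of this model)
MAX_CHAIN = 4   # hypothetical chain length treated as "pathological"

def oaat(key, seed):
    """Bob Jenkins' one-at-a-time hash over the key bytes, perturbed by `seed`."""
    h = seed & 0xFFFFFFFF
    for b in key.encode():
        h = (h + b) & 0xFFFFFFFF
        h = (h + (h << 10)) & 0xFFFFFFFF
        h ^= h >> 6
    h = (h + (h << 3)) & 0xFFFFFFFF
    h ^= h >> 11
    return (h + (h << 15)) & 0xFFFFFFFF

class ToyHash:
    def __init__(self, alt_seed):
        self.seed = 0             # every hash starts on the fixed default seed
        self.alt_seed = alt_seed  # used only after pathological data is seen
        self.rehashed = False
        self.buckets = [[] for _ in range(NBUCKETS)]

    def insert(self, key):
        chain = self.buckets[oaat(key, self.seed) % NBUCKETS]
        if key in chain:
            return
        chain.append(key)
        if len(chain) > MAX_CHAIN and not self.rehashed:
            self._switch_seed()   # per-hash switch, triggered at insertion time

    def _switch_seed(self):
        keys = self.keys()
        self.seed, self.rehashed = self.alt_seed, True
        self.buckets = [[] for _ in range(NBUCKETS)]
        for k in keys:
            self.buckets[oaat(k, self.seed) % NBUCKETS].append(k)

    def keys(self):
        """Iteration order is bucket order, so it depends on the seed in use."""
        return [k for chain in self.buckets for k in chain]

def pathological_keys(n):
    """Constructed sample input: n keys sharing bucket 0 under the default seed."""
    gen = (f"k{i}" for i in itertools.count())
    return list(itertools.islice((k for k in gen if oaat(k, 0) % NBUCKETS == 0), n))
```

With ordinary keys the table never leaves the default seed, so `keys()` returns the same order whatever `alt_seed` is; only the keys from `pathological_keys(MAX_CHAIN + 1)` push it onto the alternative seed.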