C:\>perl -MData::Dumper -MCGI -e"die Dumper( CGI->new( { 1..10 }) ) "
$VAR1 = bless( {
                 '.charset' => 'ISO-8859-1',
                 '1' => [
                          2
                        ],
                 '3' => [
                          4
                        ],
                 'escape' => 1,
                 '5' => [
                          6
                        ],
                 '7' => [
                          8
                        ],
                 '.parameters' => [
                                    '7',
                                    '9',
                                    '1',
                                    '3',
                                    '5'
                                  ],
                 '9' => [
                          10
                        ],
                 '.fieldnames' => {}
               }, 'CGI' );

C:\>
[download]

C:\>perl -MData::Dumper -MCGI -e"warn Dumper( $a=CGI->new );die Dumper
+(scalar $a->Vars() ) " a= b= c= d= e= f= g=
$VAR1 = bless( {
                 '.charset' => 'ISO-8859-1',
                 'a' => [
                          ''
                        ],
                 'escape' => 1,
                 'b' => [
                          ''
                        ],
                 'c' => [
                          ''
                        ],
                 'd' => [
                          ''
                        ],
                 'e' => [
                          ''
                        ],
                 'f' => [
                          ''
                        ],
                 'g' => [
                          ''
                        ],
                 '.parameters' => [
                                    'a',
                                    'b',
                                    'c',
                                    'd',
                                    'e',
                                    'f',
                                    'g'
                                  ],
                 '.fieldnames' => {}
               }, 'CGI' );
$VAR1 = {
          'a' => '',
          'b' => '',
          'c' => '',
          'd' => '',
          'e' => '',
          'f' => '',
          'g' => ''
        };
[download]

update: Why not just post the example?

 

______crazyinsomniac_____________________________ Of all the things I've lost, I miss my mind the most. perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

The keys aren't going into a single bucket above. The Vars() is just stripping out the non-parameter keys that CGI.pm stores inside of itself. The 'a', 'b' parameters are there in the object.

The way to determine what is happening inside a hash is evaluating it in scalar context. That gives you the number of buckets being used. tilly wrote a program that uses this feature to generate a list of colliding keys. This algorithm is fast and doesn't depend on reverse engineering the Perl hash algorithm.

I ran some tests on a 10,000 keys generated by tilly's method. Both inserting them into a hash and parsing the query string with CGI. It takes over 20 seconds to parse the query string in the pathological case versus less than a second for 10,000 normal strings. I haven't been willing to wait long enough to let 100,000 strings run. For a sample, here are the first 10 integers that collide and the scalar hash value showing they all go in one bucket.

8
14
22
30
38
46
54
62
70
78
86
1/8
[download]