Bug #65724 unserialize doesn't always restore referenced objects
Submitted: 2013-09-20 12:34 UTC Modified: 2013-10-05 15:53 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: niko dot sams at gmail dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.5.4 OS: Linux
Private report: No CVE-ID: None
 [2013-09-20 12:34 UTC] niko dot sams at gmail dot com
When doing another unserialize that creates objects in a
Serializable::unserialize implementation, things break: the 'parent' isn't
unserialized correctly.

ok: PHP 5.3.3-7+squeeze14
ok: PHP 5.3.10-1ubuntu3.6
fail: PHP 5.4.4-14+deb7u2
fail: PHP 5.5.3

See phpt test script:

Test script:
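<?php
class Bar {}
class Foo implements Serializable {
    public $test;
    public function __construct($test) { $this->test = $test; }
    public function serialize()
    {
        return $this->test;
    }
    public function unserialize($serialized)
    {
        //the following line causes problems
        // Assumption: the original call is not preserved on this page; per the
        // report it is a nested unserialize that creates an object.
        unserialize('O:3:"Bar":0:{}');
        $this->test = $serialized;
    }
}
$foo1 = new Foo('foo1');
$foo2 = new Foo('foo2');
$foo3 = new Foo('foo3');
// Assumption: the entries are nested arrays; a flat array would repeat the
// 'instance' key and keep only the last value.
$ar = array(
    array(
        'instance' => $foo1,
    ),
    array(
        'instance' => $foo2,
    ),
    array(
        'instance' => $foo3,
        'parent' => $foo2
    )
);
$ar = serialize($ar);
$ar = unserialize($ar);
print_r($ar);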

Expected result:
[parent] => Foo Object ( [test] => foo2 ) )

Actual result:
[parent] => foo2


 [2013-09-20 15:16 UTC] bixuehujin at gmail dot com
Had a test on commit @8f146c2, segfault occurred.
 [2013-10-04 14:09 UTC]
-Status: Open +Status: Not a bug
 [2013-10-04 14:09 UTC]
We have a recursive context for Serializable, thus if you unserialize unrelated strings in the unserialize callback, you literally throw bricks into the stream.
 [2013-10-05 15:53 UTC] niko dot sams at gmail dot com
Ok, if this is not a bug which workaround do you suggest?

In my use case the unserialize method triggers access to a config object which is cached and lazily loaded. So it can happen that loading the config is triggered inside unserialize.
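
The maintainer's reply implies that the Serializable::unserialize callback must not start another unserialize. One way to arrange that for a lazily loaded config, added here as an example that is not part of the thread or of PHP's own code; `ConfigCache`, `label()` and the cache payload are hypothetical names and constructed data:

```php
<?php
// Hypothetical stand-in for the cached, lazily loaded config object.
final class ConfigCache {
    private static $config = null;
    public static $loads = 0;
    public static function get() {
        if (self::$config === null) {
            self::$loads++;
            // Constructed cache payload; loading it needs its own unserialize().
            self::$config = unserialize('a:1:{s:6:"prefix";s:3:"cfg";}');
        }
        return self::$config;
    }
}

class Foo implements Serializable {
    public $test;
    private $label = null;
    public function __construct($test) { $this->test = $test; }
    public function serialize() { return $this->test; }
    public function unserialize($serialized) {
        // Only copy the payload. No config access and no nested unserialize()
        // while the outer unserialize() is still resolving back-references.
        $this->test = $serialized;
    }
    public function label() {
        // The config is touched on first use, after the outer call has returned.
        if ($this->label === null) {
            $cfg = ConfigCache::get();
            $this->label = $cfg['prefix'] . ':' . $this->test;
        }
        return $this->label;
    }
}

$foo2 = new Foo('foo2');
$data = array(array('instance' => $foo2), array('parent' => $foo2));
$out = unserialize(serialize($data));

var_dump(ConfigCache::$loads);                        // config not loaded during unserialize
var_dump($out[1]['parent'] instanceof Foo);           // back-reference restored as an object
var_dump($out[0]['instance'] === $out[1]['parent']);  // both keys share one instance
echo $out[1]['parent']->label(), "\n";                // first access loads the config
```

On PHP 8.1 and later a class that implements only Serializable raises a deprecation notice; the example keeps the interface because the report targets PHP 5.x.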
Last updated: Thu Aug 05 10:01:24 2021 UTC